Hi,
I am running OH2 for some time and gradually with the automation I added integration to home alarm system which made me a bit uneasy about the security of setup.
I understand that OH requires 755 rights for the configuration files, which makes them world readable. In the items and rules you may find passwords for the connecting to alarm and DSC pin codes. is this safe in general?
Any advise how hardened configuration should look like?
regards,
rimantas
Actually, I do think that OH will run with the permissions set to 700, but that will make editing and maintaining the files a bit difficult.
If I assume that you are only concerned about your OH config files and you are not keeping copies of these files off of your local network, what would it take to access those files?
If 1 is the case then your alarm system has already proved ineffective so we can safely ignore that case.
What are the ways 2 can happen? The attacker must gain access to your network somehow, either through an implant (i.e. they managed to trick you into installing something) or they have hacked your network (e.g cracked your wifi).
OK, lets assume that the attacker has access to your network. Do you have to enter a password to access your OH server (e.g. ssh)? Do you have to enter a password to bring up the files over samba? If so, then the attacker will not only have to be on your network, they will either have to already know your password or have to hack into your OH server.
Assuming you have a reasonably configured server running OH this is not exactly an easy task. So the attacker will have to:
What is the likelihood of this happening? Unless you have a motivated enemy it’s probably pretty low. So, as long as you are being farily reasonable in protecting your LAN the risks are probably pretty low. But you can lower that risk by taking some or all of these additional steps: