Security issue?

Hi
I’ve been having strange events in my openHAB environment for a few weeks, and maybe you guys can help me.
My HIFI system keeps turning on at night and the volume is turned up to the max. Sometimes the TV turns on or the vacuum cleaner starts cleaning.
I have deactivated the openHAB Cloud Connector add-on. Access should only be possible from my internal network, right? Does this look like a security issue to you, or a wrong configuration?
I am enclosing the log with the relevant entries for Yamaha and TV from last night. Can you guys help me, please?

openHAB 3.42, Docker container on my QNAP NAS

openhab.log

2023-03-19 23:58:17.542 [WARN ] [ernal.handler.YamahaZoneThingHandler] - Channel tuner_band not working with HDMI1 input!
2023-03-19 23:58:17.592 [WARN ] [ernal.handler.YamahaZoneThingHandler] - Channel tuner_band not working with HDMI1 input!
2023-03-19 23:58:17.626 [WARN ] [ernal.handler.YamahaZoneThingHandler] - Channel tuner_band not working with HDMI1 input!
2023-03-20 00:01:06.763 [WARN ] [ernal.handler.YamahaZoneThingHandler] - Channel playback not working with TUNER input!
2023-03-20 00:01:47.746 [WARN ] [d4j.internal.RRD4jPersistenceService] - Failed to open rrd4j database 'YamahaRXS602MainZone_Volume' to store data (java.lang.IllegalStateException: request interrupted for file:///openhab/userdata/persistence/rrd4j/YamahaRXS602MainZone_Volume.rrd)

events copy.log (85.0 KB)

Do you have any ports open in your router which point to your QNAP?

Yes, the one port I use to access the NAS externally. But this is not a standard port. Also, this port is routed to the NAS IP, not the openHAB IP.

It doesn’t matter if it is a standard port or ANY other port. If it is open, it is open, and it WILL be found sooner or later.
Go to shodan.io, use their scanner and search for your IP address. You will find your IP there, especially if you have a fixed one.
You HAVE to make sure that all your software that is reachable via the internet is always up to date; in your case that means QNAP, if that is the port that is reachable via the internet.
But even that may not be enough in the case of a zero-day exploit.

Use best practices if you would like to have access from the internet. This e.g. means VPN, but it definitely means security by obscurity, like opening standard services on non-standard ports.

Thank you for your quick response.
I already use VPN for remote access. All software is up to date; that’s important to me, and I check it regularly.
I have now deleted all port forwarding, but the openHAB server still appears under my IP. What else can I do?

Unless you’ve enabled port forwarding on your firewall. And it doesn’t have to be OH that is exposed. Any port could be a gateway for a threat to enter your LAN.

My default is: if this is the only weirdness you are seeing, the problem is most likely not an external threat but something going wrong in OH.

QNAP has a really poor reputation for security. To paraphrase Steve Gibson (a professional with a name in computer security), you’d have to want to be hacked to expose one of these boxes to the Internet.

Doesn’t matter. Once they are on one machine on your LAN, they can reach any machine on your LAN.

One reason QNAP has a bad security reputation is that they simply refuse to fix really big vulnerabilities, and when they do fix them, it’s half-assed and doesn’t really solve the problem. Keeping it up to date isn’t enough in this case.

Shodan only scans the Internet once every day or so. Give it time and that open port should disappear on Shodan.

If this is indeed a hacker, they are already in your LAN. They only need access to the port forward for a few seconds or so to install their own tunnel into your LAN, which doesn’t require a port forward. So that doesn’t mean they are necessarily gone.

But we also don’t know that they are necessarily there in the first place yet. So definitely monitor your other machines. Are they running hot? There might be crypto miners installed. Are files being created, deleted, modified, etc. unexpectedly?

If the only weirdness is coming from OH, enable the loggers for rule events in log4j2.xml. This will let you see rules starting and stopping inline with the Item events in events.log. That might point to one or more rules running amok.

Beef up the logging level on the bindings in question. There might be hints on where these events are coming from there.
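The correlation step suggested above (rule start/stop events next to the Item commands in events.log) can be done by hand, but it is easy to get wrong across a few thousand lines at 3 a.m. Below is an added example, not from this thread and not openHAB project code, that does the triage over events.log: it picks out every Item command inside a configurable night window and attributes each one to the rule that was running at the time (or had just finished), so that anything left over is a command that arrived some other way, e.g. from the UI, the REST API, or a binding. It assumes the events.log line layout shown in the constructed sample (timestamp, level, logger name padded inside brackets, message), that Item commands are logged by the logger openhab.event.ItemCommandEvent as `Item 'X' received command Y`, and that, once the rule loggers in log4j2.xml are raised from OFF to INFO, rule transitions are logged by openhab.event.RuleStatusInfoEvent as `<rule uid> updated: RUNNING` / `... updated: IDLE`. The rule UIDs and Item names other than the Yamaha volume Item from the poster's log are made up for the sample.

```python
"""Night-time command triage for openHAB events.log (added example, not project code).

Assumed log formats (label: assumption, adjust the regexes if your lines differ):
  <ts> [INFO ] [openhab.event.ItemCommandEvent       ] - Item 'X' received command Y
  <ts> [INFO ] [openhab.event.RuleStatusInfoEvent    ] - <rule uid> updated: RUNNING
"""
import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<level>[A-Z ]+)\] \[(?P<logger>[^\]]+?)\s*\] - (?P<msg>.*)$"
)
CMD_RE = re.compile(r"^Item '(?P<item>[^']+)' received command (?P<cmd>.*)$")
RULE_RE = re.compile(r"^(?P<rule>\S+) updated: (?P<status>\S+)")

# Constructed sample; only YamahaRXS602MainZone_Volume comes from the poster's log.
SAMPLE_LOG = """\
2023-03-19 23:58:10.101 [INFO ] [openhab.event.RuleStatusInfoEvent    ] - night_mode-1 updated: RUNNING
2023-03-19 23:58:10.320 [INFO ] [openhab.event.ItemCommandEvent       ] - Item 'YamahaRXS602MainZone_Power' received command ON
2023-03-19 23:58:10.480 [INFO ] [openhab.event.ItemCommandEvent       ] - Item 'YamahaRXS602MainZone_Volume' received command 100
2023-03-19 23:58:10.610 [INFO ] [openhab.event.RuleStatusInfoEvent    ] - night_mode-1 updated: IDLE
2023-03-19 23:58:11.002 [INFO ] [openhab.event.ItemStateChangedEvent  ] - Item 'YamahaRXS602MainZone_Volume' changed from 20 to 100
2023-03-20 00:01:04.000 [INFO ] [openhab.event.RuleStatusInfoEvent    ] - vacuum_sched updated: RUNNING
2023-03-20 00:01:04.250 [INFO ] [openhab.event.RuleStatusInfoEvent    ] - vacuum_sched updated: IDLE
2023-03-20 00:01:05.000 [INFO ] [openhab.event.ItemCommandEvent       ] - Item 'Vacuum_Start' received command ON
2023-03-20 00:03:40.000 [INFO ] [openhab.event.ItemCommandEvent       ] - Item 'TV_Power' received command ON
2023-03-20 07:30:00.000 [INFO ] [openhab.event.ItemCommandEvent       ] - Item 'Kitchen_Light' received command ON
"""


@dataclass
class Finding:
    ts: datetime
    item: str
    command: str
    rule: Optional[str]  # UID of the rule that was running, or None if no rule explains it


def is_night(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end), handling windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def triage(lines, start=time(22, 0), end=time(6, 0), grace=timedelta(seconds=5)) -> List[Finding]:
    """Attribute every night-time Item command to a rule, or to None.

    A command is attributed to the most recently started rule that is still RUNNING,
    or, because the event bus is asynchronous and a rule may log IDLE before its last
    command is logged, to a rule that went IDLE within `grace` before the command.
    """
    running: Dict[str, datetime] = {}        # rule uid -> when it went RUNNING
    last_finished: Dict[str, datetime] = {}  # rule uid -> when it last left RUNNING
    findings: List[Finding] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an events.log line we understand; skip rather than guess
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        logger, msg = m["logger"], m["msg"]
        if logger == "openhab.event.RuleStatusInfoEvent":
            r = RULE_RE.match(msg)
            if not r:
                continue
            if r["status"] == "RUNNING":
                running[r["rule"]] = ts
            else:
                running.pop(r["rule"], None)
                last_finished[r["rule"]] = ts
        elif logger == "openhab.event.ItemCommandEvent":
            c = CMD_RE.match(msg)
            if not c or not is_night(ts.time(), start, end):
                continue
            culprit: Optional[str] = None
            if running:
                culprit = max(running, key=running.get)
            else:
                recent = [(t, r) for r, t in last_finished.items() if ts - t <= grace]
                if recent:
                    culprit = max(recent)[1]
            findings.append(Finding(ts, c["item"], c["cmd"], culprit))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One line per finding; commands with no rule are the ones to chase further."""
    out = []
    for f in findings:
        who = f"rule {f.rule}" if f.rule else "NO RULE RUNNING (check UI/REST clients, binding debug logs)"
        out.append(f"{f.ts:%Y-%m-%d %H:%M:%S.%f}"[:-3] + f"  {f.item} <- {f.command}  by {who}")
    return out


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it as `python triage.py < /dev/null` with `SAMPLE_LOG` replaced by `open("/openhab/userdata/logs/events.log")` (the path is the container default assumed here). In the sample, the Yamaha power and volume commands are explained by `night_mode-1`, `Vacuum_Start` by `vacuum_sched` via the grace window, and `TV_Power` by nothing at all; that last category is where to raise the binding log level, as advised above, and to ask what else on the LAN or on the NAS can reach the openHAB HTTP port, since a command from the UI, the REST API or a rule all look identical in events.log until the rule loggers are on.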

Thank you for your extensive explanations.

For me, QNAP was the easiest way to get started - it works anyway and doesn’t need any extra power.

I haven’t noticed anything like this before.

I found the file, but don’t know how to increase these logs on the 3 affected bindings.

Great community with such quick help - thank you very much.

You need to find the name of the logger for the binding. Often the readme for the binding will tell you. They usually follow the pattern org.openhab.binding.<binding name>. Add a logger and set the level using the format you see for other loggers in the bottom half of the file.

While shodan.io regularly scans the internet for open ports, there are other services that do that on your request. You can try that, or use a port scanner like nmap on your own.

Thanks very much. I’ll see what happens first. Hopefully there are no nasty surprises in the next few nights.

Hi, did you find out something? I have a similar problem with 3.42. Two times already it has happened that all lights in the house switched on in the middle of the night. 😀

Thx.

Hi, since I deleted port forwarding in my router I have had no bad surprises. I hope the problem is gone, but I’m not quite sure.