[solved] Log entry shows unknown user?

Hi all,

in my logs this line appeared today:

2016-01-12 19:50:41.892 [WARN ] [.io.net.http.SecureHttpContext] - authentication of user ‘elizabeth bennet’ failed

what does that mean? i don’t know an Elizabeth…
how can this happen?
:open_mouth:

A few thoughts:

  • Did you open external access through your firewall to your (internally hosted) openHAB box? DON’T! I would highly recommend using a VPN client/server instead of opening ports to the wild.
  • Do these messages repeat with many user names? That username is obviously not common, but I’d keep an eye out for brute force attacks.
  • MAKE SURE your passwords are complex; randomly generated, for increased security.
  • Use high (20,000+) non-standard ports which makes it more difficult to identify available services on your servers.

More detail on how/where you are running OpenHAB would help too…

All the best,
.
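
An added example, not part of the original thread: one way to run the "do these messages repeat with many user names?" check over an openHAB log, using the line format quoted in the first post. The window, the two thresholds and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Matches the WARN line format quoted in the first post; accepts straight or curly quotes.
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[WARN\s*\] "
    r"\[\S*SecureHttpContext\] - authentication of user "
    r"['‘](?P<user>.*?)['’] failed\s*$"
)

def parse_failures(lines):
    """Yield (timestamp, username) for every failed-authentication line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"]

# window, max_failures and max_users are hypothetical defaults; tune them to your traffic.
def find_bursts(lines, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Return alerts when a sliding window holds too many failures or usernames."""
    recent, alerts, alerting = deque(), [], False
    for ts, user in parse_failures(lines):
        recent.append((ts, user))
        while recent and ts - recent[0][0] > window:
            recent.popleft()  # drop failures that fell out of the window
        users = {u for _, u in recent}
        over = len(recent) >= max_failures or len(users) >= max_users
        if over and not alerting:  # report each burst once, when it first trips
            alerts.append({"start": recent[0][0], "failures": len(recent),
                           "users": sorted(users)})
        alerting = over
    return alerts

# Constructed sample input: the line from the post plus an invented burst.
SAMPLE = [
    "2016-01-12 19:50:41.892 [WARN ] [.io.net.http.SecureHttpContext] - authentication of user ‘elizabeth bennet’ failed",
    "2016-01-13 02:10:01.100 [WARN ] [.io.net.http.SecureHttpContext] - authentication of user 'admin' failed",
    "2016-01-13 02:10:03.250 [INFO ] [runtime.busevents] - Light_Kitchen state updated to ON",
    "2016-01-13 02:10:04.400 [WARN ] [.io.net.http.SecureHttpContext] - authentication of user 'root' failed",
    "2016-01-13 02:10:09.900 [WARN ] [.io.net.http.SecureHttpContext] - authentication of user 'pi' failed",
]

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE):
        print(alert)
```

A single isolated failure like the one in the first post produces no alert; the constructed burst of three usernames within a few seconds does.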

my.openHAB does not send any usernames in its requests back to openHAB - they are explicitly deleted from the request. Moreover, a request will not pass through my.openHAB if the user was not authenticated. So this request should have come directly to your openHAB somehow, either from the local network, or from a hole in your router/firewall, if you have one…

thx for your answers, whoa ok!

only one log entry, no brute force i guess.

i had several ports (8080, 9090, 8443) forwarded to my Raspberry Pi 2… including port 22 for SSH…
although i have unique and really strong passwords that security hole never really came to my mind. :flushed:

now i deleted all forwardings (except 1883 for mqtt, without it it won’t work) and everything else still works as expected.
i’ll try to change the mqtt port.

remotely accessing my Pi is really convenient, now i have to think about a more secure way to do so.

cheers,
stefan

Opening 8080/8443 may allow anyone on the internet to initiate a connection to your OH instance. I would suggest looking into setting up an OpenVPN or IPSEC VPN server on your internal network, and use secure VPN clients to connect to it.

Best regards,
.

ok, good to know, thx!
my router (a Fritz!Box) can create an IPSEC VPN, so I created that just right now.
I can connect to it and then SSH into the RPi from “within” my network… perfect.

setting this up was so simple that I feel a little bit ashamed I didn’t do it earlier :wink:

thx for your valuable input!
stefan