If it’s properly secured behind a reverse proxy with username and password, then the spider used by Shodan wouldn’t be able to tell that it’s openHAB running. If username and password are not in use, then there’s no point in having the reverse proxy.
Thus, if Shodan shows openHAB then that means openHAB is directly exposed to the Internet and that’s not a good thing.
I think that statement needs some expansion. What’s “by default”? openHAB is secure when installed behind a firewall and not directly exposed to the Internet. Even with the new authentication and authorization built into openHAB I would not say it’s safe to expose it directly.
The levels of exposure are as follows from least to most:
- openHAB installed and accessible on the LAN only, remote access through a VPN (I highly recommend Tailscale)
- openHAB installed and accessible on the LAN only, remote access through myopenhab.org
- openHAB installed and accessible on the LAN only, remote access through a self hosted openHAB Cloud instance on a Virtual Private Server from some provider (e.g. Azure, Amazon AWS, etc.).
Beyond this point here be dragons. Proceed with extreme caution. Any of these requires exposing part of your LAN to the Internet, and it will be under attack. Only proceed if you know how to monitor for these attacks, how to tell when you’ve been successfully attacked, and how to mitigate the attack when it happens, and are willing to do all this. Most professional computer security engineers tend not to be willing to do this. I cannot recommend amateurs do so.
- openHAB installed and accessible on the LAN only. A self-hosted myopenhab.org running locally is exposed to the network using port forwarding through your firewall.
- Alternatively, openHAB installed and accessible on the LAN only. A self-hosted Apache, nginx, HAProxy, etc. runs as a reverse proxy and implements at least basic authorization.
- Finally, only if the implicit user role is turned off (which should mean authentication is required to access any part of OH) should you even consider putting openHAB directly on the internet. But even though this is safer than was possible in OH 2, the authorization in OH 3 is relatively new and not tested by time.
Personally I would not consider the bottom three. Probably the easiest thing to deploy here is something like Tailscale.
For all those 2000+ users out there with openHAB exposed, please please please do something else. Your ignorance of the dangers or carelessness means that when you get hacked because you made yourself a target, openHAB is the one who’s going to look bad. Just see the articles and hacks concerning unsecured MQTT brokers, Elasticsearch servers (cough T-Mobile cough), MongoDB servers, RDP admin servers exposed with default passwords (e.g. the recent water treatment plant hacks), etc. exposed to the internet. There is always a call from the press for developers to make it harder for users to do dumb things like this.
But we can’t prevent that.
I recommend everyone do the following. Use your search engine of choice to find your publicly exposed IP address by searching for “what’s my IP”.
Then go to shodan.io and search for your IP address (like Russ suggests). If anything shows up you need to take action.
Personally I now have just two ports exposed, 80 and 443, and going to 80 redirects you to port 443. Since I’ve retired OpenVPN in favor of Tailscale and closed down my ssh tunnels, all I have left is my HAProxy, which lets me expose a self-hosted Vaultwarden instance that my family can use. And this machine is isolated from all the rest of my network and monitored like crazy. And I use a subdomain akin to foo.mydomain.com, so you have to know what my subdomain is to get anything beyond an error if you try to navigate to my machine from the internet.
Security by obscurity is not the best, but it does cut down on the script kiddies and automated hacking bots out there.
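As an added illustration of the reverse-proxy option described in the post (it is not part of the original post, nor the openHAB project's own documentation), here is an nginx configuration that puts basic authentication and TLS in front of openHAB, redirects port 80 to 443, and answers requests for unknown hostnames with a bare connection close, so a Shodan-style spider sees only a generic web server. It assumes openHAB listens on localhost:8080, that the public name is the placeholder `oh.example.com`, and that the certificate and htpasswd paths shown exist; all three are assumptions, not values from the post.

```nginx
# Added example: nginx in front of openHAB with TLS + basic auth.
# Assumptions: openHAB on 127.0.0.1:8080, hostname oh.example.com,
# htpasswd file created with:  htpasswd -c /etc/nginx/openhab.htpasswd alice
# (requires the apache2-utils / httpd-tools package).

# Port 80: never serve openHAB here, only redirect to HTTPS.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# Port 443 catch-all: clients that do not know the real hostname get no
# content at all. ssl_reject_handshake needs nginx 1.19.4 or newer; on
# older versions use a dummy certificate and "return 444;" instead.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# The real openHAB front end.
server {
    listen 443 ssl;
    server_name oh.example.com;

    ssl_certificate     /etc/nginx/certs/oh.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/oh.example.com.key;   # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    # WEAK (do not use): omitting these two lines makes the proxy pointless,
    # as the post says; openHAB is then simply exposed through nginx.
    auth_basic           "openHAB";
    auth_basic_user_file /etc/nginx/openhab.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # openHAB's UI uses websockets/SSE for live updates.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

After `nginx -t` and a reload, check from outside the LAN that `http://<public-ip>/` only redirects, that the raw IP on 443 yields a TLS failure rather than a page, and that `https://oh.example.com/` prompts for credentials before anything openHAB-specific is sent. The firewall should still forward only ports 80 and 443 to this host, and nothing should forward port 8080.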