Thousands of OH installations accessible from everywhere

I didn’t know where to fit this topic or wether it has been discussed already. Comming from another community where this was discussed lately, I also found it worth to share it here as well.
Even though I think there is much information available on the security topic, a lot of users don’t seem to care about securing their OH installation. If you have a look at scanners like shodan.io, you find hundreds and thousands of OH instances where you can easily access the user interface. Inspired from the discussion in the other forum I also tried, and within two minutes I was able to (but did not do) switch on and of the kitchen and livingroom lights of someone exposing his/her OH to everyone. The next five tries were successful either. It’s also interesting to see how other users name their items and which bindings they use

Maybe just take this as a reminder to check which ports you opened to the world

My personal opinion: users that open ports to the internet should ( means: have to be aware of that in case a port is opened it will be detected by the internet earlier or earlier ( :0) ). There are tools available and also the web page you mentioned which makes it even easier.

yes, I would say it has - more often and also a few cases when people were wondering why did this or that happen ( lights went into blinking mode ).
I once had a case where I remotely put a text message on a VDR like box every minute via at job, or so, telling the person that the box is exposed to the internet and uses the standard root and normal user password. And guess what the person did change the password ? No just rebooted the machine to get rid of the anoying message.

The docs tell what needs to be done to secure the openhab instance with different ways on how to do it: Securing Communication and Access | openHAB

I searched for “openHAB” and saw the 2,652 results, and when I searched for the IP address of one of them I saw multiple ports exposed. I then searched for my modem’s IP address and didn’t get any results, since I have no ports exposed.

One thing to note is that any exposed ports show up in the Shodan search, even if someone has properly protected it. So, a subset of the 2,652 results are likely not in any danger. It’s still a high number, though.

I’m surprised that this many people have intentionally exposed ports for openHAB. It makes me wonder if the users or telecoms aren’t configuring their routers properly for other reasons.

The only reason that I have in mind that telecoms could open the port could be for remote maintenance but then it shouldn’t be possible to use that port for the OH instance.
With regard if the users may have done that for a different reason: then I would expect to see other ports as well but the majority is that I saw is related to OH + Samba ‘only’.

I think it is a good idea to state here that openHAB is by default secure or brings no additional security risks. That being said, yes some telecom providers (still in 2021!) have modems that are open by default on the WAN side. I recently stumbled upon a Draytek modem connecting a kindergarten to the world wide web! Fully configurable and wide open without any the need of any credentials.

If it’s properly secured behind a reverse proxy with username and password than the spider used by Shodan wouldn’t be able to tell that it’s openHAB running. If username and password is not in use then there’s no point to have the reverse proxy.

Thus, if Shodan shows openHAB then that means openHAB is directly exposed to the Internet and that’s not a good thing.

I think that statement needs some expansion. What’s “by default”? openHAB is secure when installed behind a firewall and not directly exposed to the Internet. Even with the new authentication and authorization built into openHAB I would not say it’s safe to expose it directly.

The levels of exposure are as follows from least to most:

• openHAB installed and accessible on the LAN only, remote access through a VPN (I highly recommend Tailscale)
• openHAB installed and accessible on the LAN only, remote access through myopenhab.org
• openHAB installed and accessible on the LAN only, remote access through a self hosted openHAB Cloud instance on a Virtual Private Server from some provider (e.g. Azure, Amazon AWS, etc.).

Beyond this point here be dragons. Proceed with extreme caution. For any of these it requires exposing part of your LAN to the Internet and it will be under attack. Only proceed if you know how to monitor for these attacks and how to tell when you’ve been successfully attacked and how to mitigate the attack when it happens and are willing to do all this. Most professional computer security engineers tend not to be willing to do this. I cannot recommend amateurs do so.

• openHAB installed and accessible on the LAN only. A self hosted myopenhab.org running locally is exposed to the network using port forwarding through your firewall.
• Alternatively openHAB installed and accessible on the LAN only. A self hosted Apache, nginx, HAProxy, etc runs as a reverse proxy and implements at least basic authorization.
• Finally, only if the implicit user role is turned off which should require authentication to access any part of OH is required even consider putting openHAB directly on the internet. But even though this is safer than was possible in OH 2, the authorization in OH 3 is relatively new and not tested by time.

Personally I would not consider the bottom three. Probably the easiest thing to deploy here is something like Tailscale.

For all those 2000+ users out there with openHAB exposed, please please please do something else. Your ignorance of the dangers or carelessness means that when you get hacked because you made yourself a target, openHAB is the one whose going to look bad. Just see the articles and hacks concerning unsecured MQTT brokers, Elasticsearch servers (cough T-Mobile cough), MongoDB servers, RDP admin servers exposed with default passwords (e.g. the recent water treatment plant hacks) etc. exposed to the internet. There is always a call from the press for developers to make it harder for user to do dumb things like this.

But we can’t prevent that.

I recommend everyone do the following. Use your search engine of choice to find your publicly exposed IP address by searching for “what’s my IP”.

Then go to shodan.io and search for your IP address (like Russ suggests). If anything shows up you need to take action.

Personally I now have just two ports exposed, 80 and 443, and going to 80 redirects you to port 443. Since I’ve retired OpenVPN in favor of Tailscale and closed down my ssh tunnels all I have left is my HAProxy which lets me expose a self hosted Vaultwarden instance that my family can use. And this machine is isolated from all the rest of my network and monitored like crazy. And I use a subdomain akin to foo.mydomain.com. So you have to know what my subdomain is to get anything beyond an error if you try to navigate to my machine from the internet.

Security by obscurity is not the best, but it does cut down on the script kiddies and automated hacking bots out there.

The sixth result in the Shodan list shows up as a 401 Authorization Required, but the SSL certificate includes:

WWW-Authenticate: Basic realm=“OpenHAB”

So you can see it, but you can’t access it. Is that abnormal for the SSL certificate to say that? If so, then I made an incorrect assumption.

A LetsEncrypt certificate wouldn’t include anything like that as far as I can tell. I’m not sure why any certificate would include something like that. WWW-Authenticate is an HTTP header and doesn’t have anything to do with SSL/TLS. Are you sure that’s in the certificate or is that part of the HTTP response that included the certificate?

I don’t think I’m getting the results in the same order as I’m not seeing the same in the sixth entry in my search.

But I can say that is something the user configured because anything that is officially OH is going to use the lower case ‘o’. So that is something that user configured to expose the fact that they are running openHAB. But the 401 does also show that they have some authentication set up and are using some sort of reverse proxy so that’s better than most of the entries in that list. The WWW-Authenticate is probably part of the response their reverse proxy returned.

Looks like the results have changed, so I’m not seeing it anymore. I think you’re right that it was part of the HTTP response, and I just didn’t know how to read it.

This would be a good reason to have some sort of opt-in mailing list for major announcements from the Foundation/maintainers. We have no way of communicating this information to anyone who doesn’t visit the community regularly.

I think the existing blog would be a better choice. I’m not sure who controls the blog but that could be a place to write something. I don’t know if @kai would be amenable to a post like that.

We already say it’s a bad idea in the docs. We say it’s a bad idea here on the forum. We jump on just about everyone who is proposing to do it and asking for help doing that. I’m not sure a mailing list would be any better. People would need to know to sign up for a mailing list too so it’s no better than the forum on that front. It’d just be one more communications channel that most people ignore.

Ultimately I think it’s just one of those things that can’t be solved. Make something fool proof and the universe makes better fools. It never ceases to amaze me the lengths people will go to in order to avoid doing something the proper way. And I suspect many of those out there with exposed OH instances don’t want to hear about it anyway. They think they know better and there isn’t much we could do to convince them.

Yeah, I agree that it’s said often enough–it’s shocking to me that there are this many insecure systems. And I agree that people often think they’re the exception to the rule.

That being said, the public-relations person in me prefers to get out ahead and have some say over the narrative, instead of allowing one of those exceptional people to blame openHAB for their home being hacked.

In a more general sense, my concern is the people who don’t want to be part of the community. I know this is open-source and the onus is on users, but there are times when our inability to notify users directly impacts the community. Bintray is a good example. Since there was no way to announce it outside of the community, we’re still getting confused people who weren’t aware of the announcements made months ago (and have no idea what Bintray is/was).

I’d probably build a screen into the setup wizard telling people how to opt in, and make it clear that we’ll only email them about critical issues (e.g. Bintray) and major OH releases. That’s all I’m suggesting.

I agree with Rich, the forum is the better medium. Moderators can also pin posts of major interest.
FWIW, openHABian also has a news page.

Those “outside” the community I agree you will not reach with these channels, but then again no other medium will. It’s just more work to operate those.
Most who didn’t hear about Bintray didn’t want to hear about anything actually, let alone security “duties” of theirs. They have not been caring about/for their OH installation for months then when there was a problem they signed up to the forum, again ignored the rules there (such as to search before ask) then it turned out it was Bintray or rather because they have not been caring. So what ?
You get your (time, dedication) investment returned (sometimes), but if people don’t get invested at least a tiny bit, they don’t deserve being helped like those who do such as active community members.

Is there ever a valid use case to accept a non site local IP4 address? Why don’t we simply refuse connections and instead serve a link to the docs on how to safely expose an instance.

Local IP = works
non local external IP = only a link or redirect telling users how to do it properly.

Just FYI, you can also run OpenVPN over Port 443 or 80
In my case I also only got 80 and 443 open (using pfSense and HAProxy), with another port open for router (internet provider modem) maintenance it seems (can’t close that one ).

All the rest, totally agreed. Maybe another point to take note of is to put the OH instance into an IOT subnet (with limited access to other parts of the network), and any other service for that matter into a DMZ which has zero access to other parts of the network.

I’m somewhat undecided here.
Unfortunately there is a point in the default setting.
My guess is devs are afraid such a default setting could chase some newbies away.

Hence it’s a valid use case. Or I should rather say: there’s people that consider “valid” or even “necessary” what you (and I) would call “invalid”.
And who’s to decide what’s valid ?

The redirection thing would not work short-term, jetty AFAIK does not allow for that.

Also please note that “local” is by no means a clear, undoubted definition. Is it RFC1918 ?
And do you want to explain that to non IT users ?

I will not be surprised if some rare corner cases exists
So, it could be a sensible default.
Basically, force the user to read the documentation if the need arises.
More important; someone has to implement and document it.

I could implement it as this is something simple and probably just a few hours to do. The hard part is getting people to agree that it is worth doing even if it is a temporary feature until replaced by something better. The documentation is already done. Just serve a webpage saying why it does not connect and offer the link to the current docs on how to setup reverse proxy, VPN or use the openhab cloud. Yes it forces the user to read the docs and that is the point, the alternative is that we have people running around the web saying openHAB can be hacked giving us a bad name.

My networking knowledge is lacking compared to some others on this forum, so I am genuinely asking if there is a valid use case that would cause anyone to suffer from such a feature being added and it can always get removed at any point if a better way forward is produced.

In IPv4 there are 3 network address ranges that are site-local addresses: 10/8, 172.16/12 and 192.168/16.

In Java Inet4Address.isSiteLocalAddress() from exactly those 3 networks will return true.

IPv6 also has something similar Unique local address - Wikipedia

There are other ways forward like password throttling and IP bans when brute force attacks are detected but if we prefer people don’t do it in the first place, that is a lot of work as you would have to remove guest access when accessed from a non site-local address.

Do not forget the ssh port for openhab-console.
If one should do this, any conections should be rejected/ignored/dropped as soon as possible for all ports openhab uses. And doing so implies that no web content is served at all.
It will prevent openHAB showing up in the statistics
Of course the rest of the machine can still be exposed to the internet.

That would be another good approach, however that would then result in them posting in the forum not knowing why it fails, or moving onto another HA project.

You would have to allow the http connection to be made to work out if it local or not, so a port scan would detect an open port, the choice would be to either refuse to reply further, or reply with a 401 or 404 error that can contain custom text that does not mention openhab by name. A link to the openhab docs would put us back on the list, so that is not an option.

There appears to be a number of reasons why they show up in the list.

• The html page has openhab as the title which is the main reason most are in the list.
• SSL cert mentions openhab
• Reverse proxy mentions openhab when asking for a BASIC user/pass as the realm in the HTTP header for basic auth.

That is not the SSL cert. That is how BASIC authentication works and someone entered in openhab when setting up the reverse proxy with BASIC auth as the protection.