We can look at this as a good thing. It means that openHAB has enough users overall that the tiny percentage of those who are ignorant or foolish still runs into the thousands.
One reason why I brought up the openHAB blog is it doesn’t require people to sign up, has a lot less going on so posts cannot be missed, and new posts to the blogs also get announced to Twitter. That provides a few more avenues for communication.
However, this is a forever issue. If we write a blog post or pinned announcement now it will work for a few months perhaps. Then it will fade back into history and become lost and ignored again. It’s a hard problem to solve.
Well, there are those rare few who run IP6 on their LAN (not me but we have enough users that there is bound to be a few). But those users will probably be knowledgeable enough to know what’s not working and why.
It’s an intriguing idea but I think it leads to a chicken-and-egg problem. How can you tell OH what the site local IP4 subnet is without connecting to OH in the first place (I’m assuming this sort of setting would be wanted in the UI like all other settings are or are getting support for too). You can’t necessarily base it on the local machine’s IP address because:
- might be running in Docker containers where they have their own 172 subnet
- might have more than one IP address, which one to choose?
I’m sure these could potentially be overcome, I just want to explore the implications and how it would work from the user’s perspective.
I tried really hard to make that work. I eventually gave up. I know it’s possible but I couldn’t manage it (also with pfSense and HAProxy, I’ve recently moved to OPNsense for a number of reasons but support for Tailscale was one of them). Compared to OpenVPN or even messing with “raw” Wireguard, Tailscale is super easy and super fast. It was really shocking how much easier and seamless the experience was and it doesn’t require any open ports.
I see this advice all the time but frankly it is completely out of the range of possibilities for the vast majority of our users. When your “server” is an RPi 3 and your ISP provided gateway doesn’t even let you assign static DHCP IP leases this is a complete non-starter. Even I, who has the equipment and the skills to do so, don’t really do that except for my Vaultwarden machine. I just can’t justify the effort/complexity costs for the risk. But that’s my personal calculation, others will have different concerns.
Instead I try to avoid wifi-type IoT devices unless they are from “trusted” vendors or DIY. The degree of mitigation for the cost ends up being about the same for me. YMMV.
Yep, they are lovingly called bogons. But not all users will have a bogon address on their machine. Some ISPs put their users right on the Internet without a gateway. A lot of those users might be the same ones that show up in Shodan. It’s rare and I don’t know why but some users run OH in a VPS and they won’t have a bogon address either.
All of that could be overcome I’m sure but we have to consider all the potential use cases and make sure they are all covered. And even then there will be a few dozen users who show up and say “hey! why do you break my openHAB!”
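Added example (not code from this thread or from openHAB) showing why guessing the site-local subnet from the machine's own addresses is ambiguous, as raised in the two posts above: a multi-homed host, a process inside a Docker container, and a host sitting directly on the Internet each defeat a naive rule. The sample address lists and the Docker bridge range are constructed assumptions.

```python
import ipaddress

# RFC 1918 ranges, the "bogon"/site-local addresses discussed in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Docker's default bridge network (assumed default; a host may be configured differently).
DOCKER_BRIDGE = ipaddress.ip_network("172.17.0.0/16")


def classify(addr_str):
    """Bucket one interface address: loopback, docker-bridge, private (RFC 1918) or public."""
    addr = ipaddress.ip_address(addr_str)
    if addr.is_loopback:
        return "loopback"
    if addr in DOCKER_BRIDGE:
        return "docker-bridge"
    if any(addr in net for net in RFC1918):
        return "private"
    return "public"


def candidate_subnets(addr_strs, prefix=24, exclude_docker=True):
    """Every private /prefix a 'use the machine's own IP' rule could propose as the LAN."""
    wanted = {"private"} if exclude_docker else {"private", "docker-bridge"}
    nets = {str(ipaddress.ip_network(f"{a}/{prefix}", strict=False))
            for a in addr_strs if classify(a) in wanted}
    return sorted(nets)


def guess_site_local_subnet(addr_strs, prefix=24):
    """Return the subnet only when exactly one candidate exists; otherwise None (ambiguous or absent)."""
    cands = candidate_subnets(addr_strs, prefix)
    return cands[0] if len(cands) == 1 else None


# Constructed sample hosts (not captured from any real system).
SIMPLE_LAN = ["127.0.0.1", "192.168.1.20"]                          # the easy case
MULTI_HOMED = ["127.0.0.1", "192.168.1.20", "172.17.0.1", "10.8.0.5"]  # LAN + Docker + VPN
IN_CONTAINER = ["127.0.0.1", "172.17.0.2"]                          # OH inside a container
DIRECT_ON_INTERNET = ["127.0.0.1", "203.0.113.7"]                   # TEST-NET-3 stands in for public

if __name__ == "__main__":
    for name, addrs in (("simple", SIMPLE_LAN), ("multi-homed", MULTI_HOMED),
                        ("container", IN_CONTAINER), ("direct", DIRECT_ON_INTERNET)):
        print(f"{name:12} candidates={candidate_subnets(addrs)} guess={guess_site_local_subnet(addrs)}")
```

Only the simple LAN case yields a usable guess; the container case shows that a naive rule which does not filter the bridge range would happily pick 172.17.0.0/24.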
I believe that is already implemented.
@mstormi, would Fail2Ban be something that could be easily added to openHABian? It’s been on my list to experiment with that on my own but haven’t got to it yet. It seems like it would be a good thing to run for both Mosquitto and openHAB, maybe other services openHABian supports as well.
But the overall problem is by default, there are parts of OH that can be accessed without any authentication whatsoever. And those are parts that you wouldn’t want to expose to the Internet but might indeed want to have accessible without authentication on the LAN. For example, I want remote access but also have a QR code that house guests can use to bring up a sitemap to control the house when on my wifi.
I can’t (today) have my cake and eat it too. I need to have something between OH and the Internet. I choose and recommend myopenhab.org though have explored and experimented with HAProxy and nginx in the past.
That one already only accepts connections from localhost by default. I don’t know if openHABian changes that default or not. It seems reasonable that it might.