cross-posted from: https://reddthat.com/post/39309359
I’ve been running Home Assistant for three years. It’s port forwarded on default port 8123 via a reverse proxy in a dedicated VM serving it over HTTPS and is accessible over ipv4 and ipv6. All user accounts have MFA enabled.
I see a notification every time there’s a failed login attempt, but every single one is either me or someone in my house. I’ve never seen a notification for any other attempts from the internet. Not a single one.
Is this normal? Or am I missing something? I expected it to be hammered with random failed logins.
Might need more info about your setup. The reverse proxy probably has some logs you aren’t looking at. Most bots from what I’ve seen do ip:port scans hitting every ip and every port. Nginx reverse proxy manager or something similar isn’t going to forward ip:8123 to home assistant. A straight router port forward will, but the reverse proxy manager will look at the domain GET request for https://ha.hit_the_rails.net to your LAN ip:port. It’s a little security through obscurity as they have to know your sub+domain.
For a time I had port 22 open and forwarded directly to a server. Constant bot traffic. Changed the port, put an ssh honeypot on 22, and it almost completely went away. Sure the bots could be smart enough to scan and find another open ssh port, but they rarely did. I assume because anyone savvy enough to change the ssh port is savvy enough to not allow default logins like ubnt:ubnt and root:1234 which were by far the most common logins I got in the honeypot.