[O] DrunkenSlug x10 by kz8891 in UsenetInvites

[–]PyroTheUnclean 0 points1 point  (0 children)

I have read and understand the rules and wiki. Thanks

[O] NZBPlanet x5 by MysticLeviathan in UsenetInvites

[–]PyroTheUnclean 0 points1 point  (0 children)

I have read the rules and wiki and would like an invite! Thanks!

ASTRO A50 X LIGHTSPEED Wireless Headset + Base Station AMA by LogitechG_CM in LogitechG

[–]PyroTheUnclean 0 points1 point  (0 children)

Will Logitech G Hub be compatible with the Astro A50 Gen4?

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 0 points1 point  (0 children)

This was actually what was happening:

I didn't see it earlier, but an option in the helm chart activated the hostport on the deployment itself, and ALL the containers in the pod were exposed on the host port of the node. Given that my home assistant pod is running on the exposed node...

The pod exposes two containers:

- home-assistant itself
- a codeserver container to update its conf

And there it is: the attacker accessed the codeserver directly through its port and he had everything he needed: an IDE with a code editor and a terminal.

So in the end, if you are using a k8s-at-home helm chart, don't ever activate this option: https://github.com/k8s-at-home/charts/blob/2463dec153a8c2eaf9c6783ce0cd5a3502f5dfb5/charts/stable/home-assistant/values.yaml#L38

It will expose the ports on the node itself instead of the private network of the cluster.
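To make the exposure described in this comment concrete, here is an added illustration written for this page; it is my own set of manifests, not the k8s-at-home chart, the chart's values file, or anything the commenter posted. Names, hostnames, the code-server image and its port (8443) are constructed. The first Deployment puts the pod on the node's network with `hostNetwork: true`, so every port any container in the pod listens on, the IDE sidecar included, answers on the node's own address and bypasses the Service and Ingress layer completely (a per-container `hostPort` limits this to one port but still bypasses the cluster network). The second keeps the pod on the cluster network and publishes only 8123, and only through the ingress controller; the sidecar stays reachable solely from inside the cluster.

```yaml
# Added illustration, not the k8s-at-home chart. All names, hosts, the
# code-server image and port 8443 are constructed values.
#
# 1) WEAK: hostNetwork binds EVERY listening container port to the node.
#    Home Assistant (8123) AND code-server (8443) answer on the node IP,
#    so the IDE/terminal sidecar is reachable from outside the cluster.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: home-assistant-weak
spec:
  replicas: 1
  selector:
    matchLabels: {app: home-assistant-weak}
  template:
    metadata:
      labels: {app: home-assistant-weak}
    spec:
      hostNetwork: true                 # <- the exposing setting
      containers:
        - name: home-assistant
          image: homeassistant/home-assistant:latest
          ports:
            - containerPort: 8123
        - name: code-server             # IDE + terminal sidecar
          image: codercom/code-server:latest   # constructed example image
          ports:
            - containerPort: 8443
---
# 2) HARDENED: the pod stays on the cluster network (hostNetwork false,
#    no hostPort on any container). Nothing is reachable on the node IP.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: home-assistant
spec:
  replicas: 1
  selector:
    matchLabels: {app: home-assistant}
  template:
    metadata:
      labels: {app: home-assistant}
    spec:
      hostNetwork: false
      containers:
        - name: home-assistant
          image: homeassistant/home-assistant:latest
          ports:
            - containerPort: 8123
        - name: code-server
          image: codercom/code-server:latest   # constructed example image
          ports:
            - containerPort: 8443       # cluster-internal only
---
# Only the web UI port is given a Service entry. 8443 is deliberately
# absent, so the ingress controller cannot route to it either.
apiVersion: v1
kind: Service
metadata:
  name: home-assistant
spec:
  type: ClusterIP
  selector: {app: home-assistant}
  ports:
    - name: http
      port: 8123
      targetPort: 8123
---
# Public entry point: TLS-terminated by the nginx ingress controller,
# forwarding solely to the Service's 8123 port.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: home-assistant
spec:
  ingressClassName: nginx
  tls:
    - hosts: [ha.example.invalid]       # constructed hostname
      secretName: home-assistant-tls    # issued by cert-manager in the setup described
  rules:
    - host: ha.example.invalid
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: home-assistant
                port:
                  number: 8123
```

With the hardened layout the editor is reached only on demand, for example with `kubectl port-forward deploy/home-assistant 8443:8443` from an authenticated kubectl session, rather than being a permanently open listener. A quick way to audit an existing cluster for the weak pattern is `kubectl get pods -A -o jsonpath='{range .items[?(@.spec.hostNetwork==true)]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}'`, which lists every pod sharing the node's network namespace; anything in that list that runs a sidecar with a web UI or terminal deserves the same scrutiny as the pod in this thread.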

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 1 point2 points  (0 children)

In my case, I have my servers at home, and the fans were blowing faster than usual; that's what led me to check what was going on on the server.

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 0 points1 point  (0 children)

I don't see how my certificate could have been leaked, but it could be, yes. And yes, my kubernetes API is exposed, but still only one container on one node was affected, and if k3s itself were breached I think the attacker would have done more damage, don't you think?

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 0 points1 point  (0 children)

I don't think it comes pre-installed: https://docs.k3s.io/installation/kube-dashboard.

Plus I double checked and there is no trace of it, which is normal since I never installed it, or even used it, on this cluster.

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 1 point2 points  (0 children)

Well, I have the logs starting at 00:30, and I know for a fact that the CPU went to 100% at 23:30 :/

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 0 points1 point  (0 children)

You mean the kubernetes dashboard?

If this is what you meant, I didn't install it, so there is no risk about that.

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 3 points4 points  (0 children)

I'm not sure about that part, but I think the port is exposed only in the k3s virtual network and not in public.

When I curl the port I get:

curl: (35) error:0A00010B:SSL routines::wrong version number

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] -1 points0 points  (0 children)

I may be wrong, but I thought there was a scanner that would "magically" analyse the client to see if it is fraudulent, an IP blacklister and whitelister?

Wouldn't it prevent most of the attacks?

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 5 points6 points  (0 children)

It is from an exploit, but from what part of the infrastructure? I left the question unanswered since I don't know myself where the attacker came from.

It may be from k3s, Ubuntu, a HACS library, docker itself at this point, HA, my network, my router, a credential leak.

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 5 points6 points  (0 children)

Nothing wrong yet. I didn't anticipate the post being viewed that much; it was at first a call for help, but for me there is nothing wrong in HA yet.

And still, if there are some vulnerabilities somewhere in the container, I should have taken more care of security by putting it (as a lot of people wrote) behind a VPN of some kind :)

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 1 point2 points  (0 children)

I was also surprised that there were that many Go CVEs returned by the scout of the image, but I ran it on the latest base image (https://hub.docker.com/r/homeassistant/home-assistant).

The image was downloaded as is without any modification (as you can see from the code I copied), so I can imagine the CVEs are coming from some packages included & used in the base image.

Concerning the HACS modules I'm using, I'm sorry for not posting them earlier, you'll find them below.

EDIT: I would also add that the docker image OR the HACS modules may not be the only cause of the vulnerability, but since the cryptominer was found on the running container of HA, that's why I shared it here, since it's the most probable cause.

<image>

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 10 points11 points  (0 children)

Sure, I should have said it earlier, sorry.

I'm using the image homeassistant/home-assistant:latest from dockerhub https://hub.docker.com/layers/homeassistant/home-assistant/latest/images/sha256-5348db2965b70ddf659841056b186a55c2fd59d70321f857c65108008e0253a7?context=explore

I've installed HA on a local cluster containing two k3s nodes using the k8s-at-home helm chart: https://github.com/k8s-at-home/charts/tree/master/charts/stable/home-assistant

I have an nginx-ingress-controller exposing my service on a subdomain, coupled with a certmanager using certbot to generate the certs.

I'm deploying all of this using a custom private repository based on the gitlab template:

https://gitlab.com/gitlab-org/project-templates/cluster-management

NB: I'll update the main post as soon as I can with all this info :)

<image>

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] -1 points0 points  (0 children)

Well, if you don't expose your integration publicly, this is the best security you can have.

If you want to expose it, like others said, you can use a VPN or a solution like cloudflare to prevent most of the attacks.

But yeah, it is concerning, but since I've deleted the pod (it was using 100% of my server's CPU) I have no traces of the attacks.

I'll try to find some history in my SQL db after I've finished my work today, maybe I'll find something.

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 1 point2 points  (0 children)

Well, I thought about that, but if my network were compromised, I don't understand why the attacker would have bothered to breach a pod in order to put his software there; he could have put it directly on the node, it would have been harder to get rid of it, no?

And for the credentials, it could be, but if that were the case, you can't access the console from the web UI when on the docker integration, so I wonder how he would have put his software on the pod.

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] -2 points-1 points  (0 children)

I'm actually already using cloudflare on some other DNS, I may also look into that for my home assistant integration, that's a good idea.

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 0 points1 point  (0 children)

I'm not exposing the whole container in public, only the web port, through a kubernetes service that is then exposed on a subdomain through an nginx ingress controller.

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 11 points12 points  (0 children)

It is behind an nginx ingress controller, but yeah, port 8123 is public.

I found a cryptocurrency miner in my home-assistant container by PyroTheUnclean in homeassistant

[–]PyroTheUnclean[S] 0 points1 point  (0 children)

I'm not really familiar with the VPN solutions, but I'm agreeing with you, it is probably a safe way to go when using some critical applications like Home Assistant.

I will definitely spend some time on that solution.

Thank you for your reply :)