• 0 Posts
  • 40 Comments
Joined 2 years ago
cake
Cake day: June 14th, 2023

help-circle
  • I think it’s not quite as well known or prevalent as other services (as say SSH) so likely doesn’t have anything automated attacking it yet. If you check something like http://shodan.io/ against your ip, I’d guess the service has been found.

    Home Assistant likely won’t come under any kind of attack until there’s a very easy to exploit, unpatched zero-day vulnerability in the wild. Given how many people (myself included) who have HA exposed publicly it’s really a matter of time. The best mitigation is not exposing publicly if possible, and staying up to date.

    In my case I don’t expose HA over 8123, I have a proxy on 443 where HA is not the default host name, meaning if you don’t use the right host HA doesn’t receive the traffic. As I’d expect that automated attackers wouldn’t what my host is it’s a reasonable layer in the security onion. I don’t expect anything would realistically protect from a targeted attack but I’m also not important enough to be targeted.


  • You don’t need cards to have full bandwidth, they only time it will matter is when you’re loading the models on the card. You need a motherboard with x16 slots but even x4 connections would be good enough. Running the model doesn’t need a lot of bandwidth. Remember you only load the model once then reuse it.

    An x4 pcie gen 4 slot has ~7.8 GiB/s theoretical transfer rate (after overhead), a x16 has ~31.5GiB/s - so disk I/O is likely your limit even for a x4 slot.

    • overhead was already in calculations

  • We can’t ever stop this kind of stuff, but with something like fail2ban you can set it up to block on too many failures.

    Really though - ensuring your system is kept up to date and uses strong passwords or use a SSH keys is the best defence. Blocking doesn’t prevent them from trying a few times. Moving SSH to a non standard port will stop most of the automated attacks but it won’t stop someone who is dedicated.




  • Without looking at it it’s probably making a unique request to a resource on a NextDNS subdomain and watching where the request comes from. Like pulling an image from (unique _string).check.nextdns.com. This requires nothing special on the client, it’s making a standard request, and as part of that it needs to do a DNS lookup.

    If the source of the and your IP are similar then it’s likely the same network, otherwise it can correlate the source with known resolvers.



  • You get easy access to their addons with a VM (aka HAOS). You can do the same thing yourself but you have to do it all (creating the containers, configuring them, figuring out how to connect them to HA/your network/etc., updating them as needed) - whereas with HAOS it generally just works. If you want that control great but go in with that understanding.


  • I do this with my desktop - I work from home so it’s really nice to have my PC ready by the time I get down to it. There’s a workday integration too, set your typical schedule and it’ll be true when it’s a workday - with a motion sensor as the trigger as my start time varies if I have meetings In the morning.

    This is one of the first things I set up with HA for fun but the convenience is really nice.


  • From a Linux command line it would be the command called arp, you need to add a static arp entry. I don’t know how that works on sense, but on Linux it would be something like arp -s IP MAC

    Maybe there’s a module in opnsense to help. The way I’ve done this before is using a machine connected to the same network at my target to wake up by logging into that machine and issuing the wake command.


  • WoL packets are usually sent to the ip broadcast address for the network as they’re not ip based. I don’t know if this would ever work well across networks. Can you do send the wol packet from the opnsense router instead? Does it work then?

    If you’re sending it to the IP of the server, it likely works soon after your turn the machine off because the ARP entry hasn’t timed out yet, but once it times out it won’t work anymore. The router doesn’t know how to get to the machine. You may be able to add a static arp mapping to get it to work long term.


  • Yes, based on my migration from a Raspberry Pi to a mini x86 pc. A full backup contains a complete snapshot of that moment and all your configuration, history, and all add-ons and their data. I think HACS came across too, though I can easily be misremembering.

    The restore looked like it tried to do everything but my large database add on (PostgreSQL) gave it grief so I ended up restoring components separately. The backups did work overall though, and after a few reboots everything worked.





  • First thing - exclude recording of the devices. My method was to use a glob so I name devices/entity IDs specifically and they don’t get recorded (in my case I used f_ as in “filtered” so devices become like “F Source Presence”), but you can add specific entities or use your own glob. In configuration.yaml I have this:

    recorder:
      exclude:
        entities:
          - sensor.excluded_entity_1
        # AND/OR this (then of course rename entities as needed)
        entity_globs:
          # exclude all sensor entities that start with f_
          - sensor.f_*
    

    Then I created templates for my presence sensors, that just copy the state so I get history (yaml here, but can do through UI now too in the Helpers section, the import part is the template in the state key below):

    template:
      - binary_sensor:
          - name: Real presence
            unique_id: my_presence
            state: >-
              {{ states('binary_sensor.f_source_presence}}
            availability: >-
              {{
                not (
                  states('binary_sensor.f_source_presence') == 'unknown' or
                  states('binary_sensor.f_source_presence') == 'unavailable'
                )
              }}
            device_class: presence
    

    You could also use a statistics sensor to get a moving average for numeric values and get history from them too (and reduce the noise by reducing the precision and having a larger time window). This is also available through the UI - Helpers.


  • I’m curious too. As I understand it (and based on my observations after playing with it), it doesn’t change how often they send data to the controller, but instead changes how often the controller passes the data on. It doesn’t help the network, just the MQTT/Home Assistant side, but it can mean they flood the database less, if they’re tracking a value (like temperature). If they’re following a state (open or close) then I find they would miss the important messages and just not work well.

    In my case I’ve found a few Tuya devices that seem like they have bad firmware and flood the zigbee network - human presence sensors and co/voc/climate sensors. I experimented with denouncing them, but I still ended up retiring most of those devices as they degraded my network performance and other devices couldn’t communicate very well. If it actually prevented the devices from flooding the network it would make a lot more sense to use.

    I still have database filters to not record the main entities (for the mmWave presence sensors that I’m still using) and instead use a template on them to record their state as I found my database grew in size very quickly otherwise.




  • Then to link the entities together into a device you need to mimic the auto discovery, or you just have two split entities.

    I suppose you could create a template entity with the battery as an attribute to see it in the details view, but you still need the entities with the raw data. I’d be more inclined to create the device with auto discovery, seems like a cleaner way to go.