[Support]: Frigate (standalone) was hacked! Found this in my config file

[FS1961]

Describe the problem you are having

Checked my Frigate via proxy and most of my cameras weren't working. Checked the config file and found this instead. I'm running via Portainer/Docker on a separate Ubuntu host. I've changed all the userids/passwords on the cameras, the Portainer login, the Ubuntu host. Not sure where they would have gotten in.

Everything is shutdown at the moment. Trying to get an idea if they came from the HA into the Proxy Add-On, directly into the server somehow, through Portainer, etc.

1. Is this a common problem?

2. Anyone else have this happen?

3. Since I'm using the proxy add-on, do I even need these ports open? I use Frigate cards in my Lovelace and also have the UI in the sidebar. Don't really go directly to the Frigate server at all.

Appreciate any support, links to locking down the system, etc.

Version

0.13.2

Frigate config file

mqtt:
  host: 192.168.178.82
  user: mqtt
  password: password

# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!

# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!

# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!
# HACKED WE CANN SEE YOU!

# HACKED WE CANN SEE YOU!

ffmpeg:
  hwaccel_args: preset-vaapi
    
go2rtc:
  streams:
    Office:
      - "rtsp://frigate:[email protected]:554/stream1"
      - "ffmpeg:Office#audio=aac"

cameras:
  Dining: # <------ Name the camera
    ffmpeg:
      inputs:
        - path: rtsp://frigate:[email protected]:554/play1.sdp # <----- Update for your camera
          roles:
            - detect
            - record
    detect:
      width: 1280 # <---- update for your camera's resolution
      height: 720 # <---- update for your camera's resolution
    record:
      enabled: True
      events:
        retain:
          mode: motion
          default: 10


            

detectors:
  coral:
    type: edgetpu
    device: usb
record:
  enabled: True
  retain:
    days: 7
    mode: motion
  events:
    retain:
      default: 7
      mode: active_objects

telemetry:
  stats:
    intel_gpu_stats: True

  version_check: True

ui:
  timezone: Europe/Berlin

Relevant log output

N/a

FFprobe output from your camera

N/a

Frigate stats

No response

Operating system

Debian

Install method

Docker Compose

Coral version

USB

Network connection

Wired

Camera make and model

N/a

Any other information that may be helpful

Here is my Portainer stack:

services:
frigate:
container_name: frigate
privileged: true # this may not be necessary for all setups
restart: unless-stopped
image: ghcr.io/blakeblackshear/frigate:stable
shm_size: "256mb" # update for your cameras based on calculation above
devices:
- /dev/bus/usb:/dev/bus/usb # passes the USB Coral, needs to be modified for other versions
- /dev/dri/renderD128 # for intel hwaccel, needs to be updated for your hardware
volumes:
- /etc/localtime:/etc/localtime:ro
- /home/frank/frigate/:/config
- /mnt/sdb/frigate:/media/frigate
- type: tmpfs # Optional: 1GB of memory, reduces SSD/SD Card wear
target: /tmp/cache
tmpfs:
size: 1000000000
ports:
- "5000:5000"
- "8554:8554"
- "8555:8555/tcp"
- "8555:8555/udp"
environment:
FRIGATE_RTSP_PASSWORD: "password" #modify to whatever if using rtsp
TZ: "Europe/Berlin"

[NickM-27]

1. I have seen a couple instances of it, all times where people were proxying their instance to the open world without authentication.
2. You are running frigate in bridge mode, without the ports mapped nothing would be accessible at all

[blakeblackshear]

Is the separate Ubuntu host exposed to the internet? Is there anything else on that machine?

Here are the most likely vectors:

1. Ubuntu host with frigate is exposed externally by mistake
2. There is a security issue with the supervisor proxy for addons. This enforces HA auth for addons. Were any other addons impacted?
3. Something hopped over from another host on your internal network.

If you have the nginx logs, you would be able to see if the config was modified via the API.

[blakeblackshear]

Exposed on your public IP address? Or just internal to the network? In the instances that I have seen so far, this has been because Frigate was publicly exposed without any authentication.

I was referring to the nginx logs for frigate, not the addon. You should be able to get the docker logs for frigate, but they won't be in the Frigate UI.

[FS1961]

I closed all ports on my router. Here are the logs.

What ports have to be open in the router?
ports:
- "5000:5000"
- "8554:8554"
- "8555:8555/tcp"
- "8555:8555/udp"

How to I just expose to the internal network?

frigate_logs-2.txt

[blakeblackshear]

Ports 5000 and 8554 should never be forwarded on your router. If they were before, then that explains someone changing your config. 8555 would only be port forwarded if you are using webrtc for live view.

Simply having the ports listed in the docker compose or portainer would expose them on the internal network only.

[FS1961]

Okay. Good clarity.

I've updated the router and redeployed the Portainer stack. However, I can't reach the server.

Not sure what's happening now. Do these logs suggest anything?
frigate_logs-3.txt

Maybe I should delete the stack/directory and reinstall?

[nwish]

Looks like Frigate can’t find your config file. Did you change the directly in which your config file lives, and forget to map it in your docker compose entry?

[FS1961]

Yes, sorry. Just figured that out. I’ve got all but 1 working now.

…

On Mar 10, 2024, at 5:26 PM, Max Davis ***@***.***> wrote: Looks like Frigate can’t find your config file. Did you change the directly in which your config file lives, and forget to map it in your docker compose entry? — Reply to this email directly, view it on GitHub <#10348 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AXPFZNRFBGVQ5W4IZVP5W73YXSJTFAVCNFSM6AAAAABEOEACRKVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4DOMZWGYZTO>. You are receiving this because you authored the thread.

[FS1961]

Thanks to everyone. I have now a working unit with no ports exposed. So the only port I have open on my router is the HA 443 NGINX port. That's correct, right?

[blakeblackshear]

That's correct.