I recently upgraded my network to include a UDM Pro as my Controller / Firewall.
After activating the Honeypot feature I am now getting notifications of Honeypot hits from my C-3 and C-4 hubs (nothing from my C-7).
I am not super concerned about it, but I do not know of any reason that they should be doing this.
Any thoughts or ideas?
Could simply be random scans looking for open ports. I don't use a DM (I use WatchGuard); I simply block all uninitiated traffic.
It is coming from the IPs of the 2 hubs, and only those IPs, so if it is a random scan it appears it is being performed by the hubs.
Oops, sorry I wasn't paying attention. Do you have hubmesh turned on? That will likely set it off.
Which ports/services is it hitting?
A couple of examples off the top of my head, hub mesh does discovery in the background and Wiz integration sends UDP packets looking for compatible devices.
I do have hub mesh turned on on the two hubs that hit the Honeypot, so that is a likely candidate. It is also turned on on the C-7 but it is functioning more as the receiver of the mesh, so maybe that is the difference. I will have to look at the Mesh setup and see if there is a difference there.
I do not have the Wiz integration installed.
I do not know what port it is using. I will try to catch it sooner next time it happens and see what my firewall logged. The Honeypot is on the UDM and I have an Untangle firewall between it and the hubs, so it should log the activity.
Interesting. The honeypot on my UXG-Pro has never flagged my C7 hub. But I don’t have hub mesh turned on, so perhaps that’s why.
I have not gotten hits from my C-7 either, which makes it even more odd to me.
Found a bit more info... Port 80
Date: Dec 27 2022
After the latest update (22.214.171.124) my C-7 hits the honeypot every few minutes.
I would guess that's how a hub searches for other Hubitat hubs on the network.
Could be, but it must be a broad search since it is hitting the Honeypot on a different VLAN/Subnet.
I'm on the C5 Hub, OS Version 126.96.36.199. My honeypot started getting hits two days ago, for about 4-5 hours, and again yesterday, for the same amount of time.
It was at two different time periods. First time, it started happening at around 12 AM, until about 5 AM, and second time, at around 4 PM, until about 9 PM.
I've had an integration with UniFi for Presence, and monitoring devices, which was removed. Another network application that was running, and was showing activity around the "hit" times, was the LG integration, which was also removed. After finding this forum entry, I re-checked that Meshing is set to off (this C5 is my only hub anyway). Hub was rebooted after every major change.
Hub mesh is now using TCP instead of UDP (UDP has been eliminated) and apparently hub mesh scanning is setting off people's honeypots on the UniFi's.
We'll be moving hub mesh discovery to use mDNS. It's on the to do list.
When will this be done?
I updated from .134 to .148 last night before bed and woke up to over 100 hits, every 5-10 minutes getting multiple hits.