Alles anzeigenThere's some misunderstandings on this matter.
The reason that OP was hacked, is none other than the fact that the container was running wide open.
When launching Heimdall and reverse-proxy it (be it via SWAG, NPM, whatever) it should be enforced that it should be configured a password access on it:
If people don't do this, anyone who can manage to find the URL, will be able to do any changes they want (which was the case of OP).
If the container is running as an unpriveledge user, the hack won't go too far other than beeing able to change the Heimdall container itself.
The links on the above example point to reverse-proxied services that will require another auth, once clicked. (NOTE: except SCRUTINY but will explain below)
The above example has only default links on Heimdall that point to other proxied services. Clicking those links will open NEW webpages that require another authentication. Hack will be blocked.
Now, let's add some complexity to this:
Imagine that USER created the links with access to extract INFO from the services that the links point to (which required saved USER/PASSWORD) to read some METRICS from those same services.
The HACKER will be able to find more INFO on how to access those services.
As mentioned above, the SCRUTINY service that is seen on that PAGE, once running, is open to the world.
Although it's a not-so-dangerous container, it's still accessible from anyone via WAN (if they figure out the URL), as long as it's running.
With this in consideration, I keep the container down, until I want to see the INFO from it:
Go to OMV GUI, launch the container on Services-> Compose, access the SCRUTINY PAGE, see what I want to see and bring the container down, afterwards.
So, TL:DR;
When running Heimdall, make sure that a USER/PASSWORD is set/created PRIOR to make any hops/links to block any unwanted access.
Agreed. Running wide open is a major security concern, but that was already mentioned above.
My reverse proxy/fail2ban comments along with the mention of only exposing things that you want others to access using a login is the the whole point.
Minimize the attack surface by reducing the number of things exposed to the world, secure it with some kind of authentication, and do it through a reverse proxy so the open open ports are minimized and something like fail2ban can be implemented to monitor the logs and automatically institute bans if someone is hammering to try to get in.
That is the minimum requirement as far as I am concerned, and realistically it's basically what you need in order to make the cloudflare/firewall things that others suggested functional.
The other options like the cloudflare thing can work, but once again to make it effective, something like fail2ban via a connector needs to report failed attempts to cloudflare. Without that you are just masking your wan ip address. The pfsense/opnsense thing can help by instituting a good firewall with lots of control, but once again, unless it is actually handling the reverse proxy and failed login monitoring, it has no way to block someone from hammering.