diy solar

No issue. I did it. 20k phantom load and lost all settings and lost AC Couple on 18kpv

@millsan1 A while back, I thought my account had been hacked too, but it turns out I was trying to record a video. I played it back, and realized I had done it myself. I suspect the likelihood of someone hacking your account to mess with you is pretty low. Occam's razor would suggest that, like my scenario, you likely did it without realizing it.
 
@millsan1 A while back, I thought my account had been hacked too, but it turns out I was trying to record a video. I played it back, and realized I had done it myself. I suspect the likelihood of someone hacking your account to mess with you is pretty low. Occam's razor would suggest that, like my scenario, you likely did it without realizing it.
Yeah, I just checked my cameras. I was driving back from lunch when it happened. Maybe a pocket dial thing? Anything is possible. But me, going in and setting all settings to default is not something I would have done purposely.
 
Sorry, didn't catch that the name matched. Guess the way you said this is the user, my brain assumed it was different.
My best bet is that either the account is compromised or the user reset to default accidentally, because looking at the logs there are too many settings changed by a single user name, which is the owner account. Any setting that changed is recorded, except if the setting is done on the inverter screen.
 

Attachment: eg42.png
My best bet is that either the account is compromised or the user reset to default accidentally, because looking at the logs there are too many settings changed by a single user name, which is the owner account. Any setting that changed is recorded, except if the setting is done on the inverter screen.
Yeah, that is me fixing the problem.
 
My best bet is that either the account is compromised or the user reset to default accidentally, because looking at the logs there are too many settings changed by a single user name, which is the owner account. Any setting that changed is recorded, except if the setting is done on the inverter screen.
Are you sure you should be posting details from people's logs like this? I would not be happy if you did that to me that's for sure.
 
Another easy way the system can be breached is through local connect. But I recognize someone would have to be close to the unit.
 
1000000916-png.216390
You posted your serial number here, and it's useless to anyone unless you have a super admin account with Luxpower or EG4.
 
There are freely available lists of IPs with the device type on the net, just a result of NMAP scans with fingerprinting turned on. My neighbor had their baby camera hacked until they switched it to an internal-only wifi SSID.

I run 3 SSIDs on my wifi: the one we use in the house, the one I give to visitors when they want to use wifi, and the one for IoT devices. I have the internet of things devices segmented out so they can't see or access my LAN devices.
 
So Gilbert is pointing a finger at "user error" Quite possible but a chat with the OP would have been nice to see if he was ok with his data being posted and being "ratted out". We have all made mistakes in the past.

BTW my new wireless router has guest and IoT networks, very nice.
 
I think the key would be the access log versus when the user was able to log in and change things. If the changes were made when he was fiddling then I vote user error..... if it was while he was on planes, trains, or away from home that is far less likely.
 
If the system logs IPs obviously that could be confirmed with the OP via PM.

But again this is a common thing with password reuse (not saying that happened as I have no clue about millsan1's "opsec").
 
besides my serial number and station name?
Serial number not a privacy concern to anything or any device other than how inner systems operate and what employees have access to from there.
E.g. certain ISP employees can identify you via device serials
similar with the IMEI / IMSI numbers of a phone. Anyone with those numbers can uniquely track your device globally but they need access to the systems in the first place.. And that type of access they could be doing that tracking already regardless.

Anyway if these were unique keys they'd be randomly generated strings, not anything close to sequential numbers like serials are.
*cough except for social security lmao


If the system logs IPs obviously that could be confirmed with the OP via PM.

But again this is a common thing with password reuse (not saying that happened as I have no clue about millsan1's "opsec").
he already has app / web access on that list so he's using multiple devices to reset his settings. Assuming it's all under the same IP it'd be easier
but yea I agree, a list of all sessions and their IPs is easiest method to see what is logged in. Sessions list being far superior.
Google, Netflix, Facebook and some other places usually make that available and let you see who currently has an unexpired session key and can log in.

In order to access accounts in many online systems you don't need username or password at all, you just need a valid key. This is why browser addons are dangerous as they can just steal that. Hence the heavy crack down on them last several years.
 
Lastpass is my friend - a bazillion passwords - not one the same and none less than 12 characters unless the stupid website won't allow complex and longer.
 
Serial number not a privacy concern to anything or any device other than how inner systems operate and what employees have access to from there.
E.g. certain ISP employees can identify you via device serials
similar with the IMEI / IMSI numbers of a phone. Anyone with those numbers can uniquely track your device globally but they need access to the systems in the first place.. And that type of access they could be doing that tracking already regardless.

Anyway if these were unique keys they'd be randomly generated strings, not anything close to sequential numbers like serials are.
*cough except for social security lmao



he already has app / web access on that list so he's using multiple devices to reset his settings. Assuming it's all under the same IP it'd be easier
but yea I agree, a list of all sessions and their IPs is easiest method to see what is logged in. Sessions list being far superior.
Google, Netflix, Facebook and some other places usually make that available and let you see who currently has an unexpired session key and can log in.

In order to access accounts in many online systems you don't need username or password at all, you just need a valid key. This is why browser addons are dangerous as they can just steal that. Hence the heavy crack down on them last several years.

Yeah but those session attacks need "physical" (obviously could happen without being physically there) access and in this case it's simply trying to track down whodunnit and an IP would generally be sufficient as most attacks aren't going to originate from legit sources but mostly from datacenter blocks that are known to not care who runs what (I love those, they are my most favorite thing in the world when one of our users does the bad thing).
 
Yeah but those session attacks need "physical" (obviously could happen without being physically there) access and in this case it's simply trying to track down whodunnit and an IP would generally be sufficient as most attacks aren't going to originate from legit sources but mostly from datacenter blocks that are known to not care who runs what (I love those, they are my most favorite thing in the world when one of our users does the bad thing).
What do you mean by physical?
Any compromise to a computer/phone can take the session key from it and login on their own device
It's the most common "hack" method today.
The only other one is of course social engineering.. just asking for the info, most people give it out lmao

Lastpass is my friend - a bazillion passwords - not one the same and none less than 12 characters unless the stupid website won't allow complex and longer.
yep password managers are good, I definitely wouldn't trust an online one though
but regardless, when these big sites get compromised, it's nice to not have to change 500 passwords because they all were the same.
It's more likely a bank or website leaks your pass today and hackers try that password on all your other accounts, than it is they "guess" it
"stupid website that won't allow complex and longer"
*cries for the bad banks on 50 year old systems*
 
Serial number not a privacy concern to anything or any device other than how inner systems operate and what employees have access to from there.
E.g. certain ISP employees can identify you via device serials
similar with the IMEI / IMSI numbers of a phone. Anyone with those numbers can uniquely track your device globally but they need access to the systems in the first place.. And that type of access they could be doing that tracking already regardless.

Anyway if these were unique keys they'd be randomly generated strings, not anything close to sequential numbers like serials are.
*cough except for social security lmao



he already has app / web access on that list so he's using multiple devices to reset his settings. Assuming it's all under the same IP it'd be easier
but yea I agree, a list of all sessions and their IPs is easiest method to see what is logged in. Sessions list being far superior.
Google, Netflix, Facebook and some other places usually make that available and let you see who currently has an unexpired session key and can log in.

In order to access accounts in many online systems you don't need username or password at all, you just need a valid key. This is why browser addons are dangerous as they can just steal that. Hence the heavy crack down on them last several years.


Ideally these devices would require a button push when setting up devices so only someone with physical access and the original password could add things. Then store a 4096 or similar key for future use.

Then the only way they get accessed is if someone physically has access or your device is hacked.

And if they supported MFA
 
What do you mean by physical?
Any compromise to a computer/phone can take the session key from it and login on their own device
I understand, the point of it being that those attacks are more sophisticated and you generally look at the low hanging fruit first.

To me, physical access is akin to any malware compromise where someone has gained remote access to the device itself. Outside of the very rare instances where someone literally steals memory modules from the machine to freeze and pick from later, physical and remote access attacks essentially result in the same thing.

But, going back to it, people looking for that are likely not interested in an inverter and would be looking for banking sites or email where they can pivot from.
 
Ideally these devices would require a button push when setting up devices so only someone with physical access and the original password could add things. Then store a 4096 or similar key for future use.

Then the only way they get accessed is if someone physically has access or your device is hacked.

And if they supported MFA
remember, rsa keys aren't secure, use ed25519

would be an interesting device to press a button to grant access for the next 15 seconds. That'd be pretty cool
 
To me, physical access is akin to any malware compromise where someone has gained remote access to the device itself. Outside of the very rare instances where someone literally steals memory modules from the machine to freeze and pick from later, physical and remote access attacks essentially result in the same thing.
That's remote access, you even said it there
physical access is physical being there or having it. There's not much protection or any at all for most devices at that point

Session key exploits are the most common other than email spam scams. These aren't people looking for them, it's shot gunned out broadcast of hoping literally anything gets on their radar. Those are the low hanging fruit. It's just "hope someone downloads this and bam you are in"

That's why all IPs are scanned for "regular" ports multiple times daily and when those ports are seen open they will start hitting it with basic requests for "low hanging fruit" like port 80/443 and wordpress default URL and default logins etc
 
My wifi router has a button for that.... press the button and for 2 minutes it will accept a connection on the default SSID. Then you can log in and configure it.

People are lazy, plain and simple - security takes time
 
My wifi router has a button for that.... press the button and for 2 minutes it will accept a connection on the default SSID. Then you can log in and configure it.
The regular WPS button?

or actual access to its web interface?
never seen one like that, only things like "disable all wireless access to admin config"
 
That's remote access, you even said it there
physical access is physical being there or having it. There's not much protection or any at all for most devices at that point

Session key exploits are the most common other than email spam scams. These aren't people looking for them, it's shot gunned out broadcast of hoping literally anything gets on their radar. Those are the low hanging fruit. It's just "hope someone downloads this and bam you are in"

That's why all IPs are scanned for "regular" ports multiple times daily and when those ports are seen open they will start hitting it with basic requests for "low hanging fruit" like port 80/443 and wordpress default URL and default logins etc

Besides arguing the fact I don't use words real good that often, I have not seen a single session cookie exported from a user of ours but I have seen hundreds of compromises based on phishing and just simple password re-use.

But, the real point to this was not how it was done but simply looking to see if it was OP logged in from a device he owns or if it was from a remote device he does not own, most easily done by referencing the IP.

Outside of that, this probably isn't the best place to dive further into technobabble.
 
but I have seen hundreds of compromises based on phishing and just simple password re-use.
Yep like I said, people will just spit that info out to others. social engineering is pretty sad/funny depending where you're sitting
But, the real point to this was not how it was done but simply looking to see if it was OP logged in from a device he owns or if it was from a remote device he does not own, most easily done by referencing the IP.
This is where this discussion started. It's most easily done by referencing the session*
If he's NAT'd he can have thousands of devices behind 1 IP address, if a device is compromised it's easiest to see which specific device it is by session, IP won't help unless the person is accessing from a different location entirely.
And assuming his phone was out of the house, it probably has 20 different IPs every day from different cell towers.

for example:
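
An added illustration of the session-versus-IP argument in this thread (not part of any forum post, and not the inverter portal's real log format): it groups setting changes by session and shows one NAT address hiding several sessions while one phone session spans several addresses. The record layout, session ids, setting names and IPs are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
HOME_IP = "203.0.113.7"  # constructed: the household's single NAT address

# Constructed audit records: (time, account, session_id, source_ip, client, setting)
AUDIT = [
    ("2024-05-01 08:00:00", "owner", "sess-B", HOME_IP, "app", "charge_limit"),
    ("2024-05-01 09:00:00", "owner", "sess-A", HOME_IP, "web", "grid_sell"),
    ("2024-05-01 09:05:00", "owner", "sess-A", HOME_IP, "web", "ac_couple"),
    ("2024-05-01 12:10:00", "owner", "sess-B", "198.51.100.21", "app", "eps_mode"),
    ("2024-05-01 12:40:00", "owner", "sess-B", "198.51.100.88", "app", "eps_mode"),
] + [
    # A burst of changes from a third session that shares the home IP.
    (f"2024-05-01 12:31:0{i}", "owner", "sess-C", HOME_IP, "web", f"setting_{i}")
    for i in range(6)
]


def sessions_report(records, known_sessions, window=timedelta(seconds=60), burst=5):
    """Summarise setting changes per session: IPs seen, count, burst, known."""
    by_session = defaultdict(list)
    for ts, _account, sid, ip, _client, _setting in records:
        by_session[sid].append((datetime.strptime(ts, FMT), ip))
    report = {}
    for sid, events in by_session.items():
        events.sort()
        times = [t for t, _ in events]
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over change times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[sid] = {
            "ips": sorted({ip for _, ip in events}),
            "changes": len(events),
            "burst": peak >= burst,
            "known": sid in known_sessions,
        }
    return report


def sessions_per_ip(records):
    """Map each source IP to the sessions seen behind it."""
    seen = defaultdict(set)
    for _ts, _account, sid, ip, _client, _setting in records:
        seen[ip].add(sid)
    return {ip: sorted(sids) for ip, sids in seen.items()}


def suspicious(report):
    """Sessions the owner does not recognise that changed many settings at once."""
    return sorted(s for s, r in report.items() if r["burst"] and not r["known"])


if __name__ == "__main__":
    rep = sessions_report(AUDIT, known_sessions={"sess-A", "sess-B"})
    print(sessions_per_ip(AUDIT)[HOME_IP])  # three sessions behind one address
    print(rep["sess-B"]["ips"])             # one session, several addresses
    print(suspicious(rep))
```

Filtering on the home IP alone would not separate the unrecognised session here; the session id does.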

 
Just a note; there is a reverse the CT's switch on the first page of maintenance- would this cause your bizarre response?
 
Lastpass is my friend - a bazillion passwords - not one the same and none less than 12 characters unless the stupid website won't allow complex and longer.
You might want to have a look at lastpass's security track record :). There are other choices out there. I used to use lastpass but stopped when logmein bought them. Since then, I realized multiple times that it was likely a wise choice to move on :)
 
You might want to have a look at lastpass's security track record :). There are other choices out there. I used to use lastpass but stopped when logmein bought them. Since then, I realized multiple times that it was likely a wise choice to move on :)

I am aware they got hacked and the encrypted files were stolen. And the logmein thing irritated me. But they still do the crypt and hash on the local devices so what the hackers got was unusable without the salt and password.

I used a yubikey for a while and a couple of others. My stumbling block when I started was that nobody supported Windows, Mac, Linux, iPhone, and Android except lastpass.
 
remember, rsa keys aren't secure, use ed25519
RSA keys above 2048 bits are still considered secure. I'm pretty sure NIST is recommending > 2048 after the year 2030 though. But claiming a vague statement like "they aren't secure" is a little.. misguided IMO.

*edited* I'm not sure why I said NSA but I meant NIST. edited the post to reflect the correction.
 
RSA keys above 2048 bits are still considered secure. I'm pretty sure the NSA is recommending > 2048 after the year 2030 though. But claiming a vague statement like "they aren't secure" is a little.. misguided IMO.

Meaning their back door will work until then? kinda like the DSA fun a few years back.
 
There are freely available lists of IPs with the device type on the net, just a result of NMAP scans with fingerprinting turned on. My neighbor had their baby camera hacked until they switched it to an internal-only wifi SSID.

I run 3 SSIDs on my wifi: the one we use in the house, the one I give to visitors when they want to use wifi, and the one for IoT devices. I have the internet of things devices segmented out so they can't see or access my LAN devices.
Hi. How can I create a different SSID for my IoT devices?
 
You have to log into your router's web interface and see if it has the ability to set up multiple SSIDs. Most newer routers will support 3~6 different SSIDs. Older ones only have one.

Once in, the process will be different per vendor and probably model in some cases.... Start with the online user manual.
 
You have to log into your router's web interface and see if it has the ability to set up multiple SSIDs. Most newer routers will support 3~6 different SSIDs. Older ones only have one.

Once in, the process will be different per vendor and probably model in some cases.... Start with the online user manual.
My router has a guest ssid. I guess I could use that since I'm not currently using it for anything.

Thanks
 
Are you sure you should be posting details from people's logs like this? I would not be happy if you did that to me that's for sure.
I dunno, nothing in the log has any security info, just random configuration items. Plenty of things to worry about, but I'm not sure what would be of concern at all in this particular case.
 
You might want to have a look at lastpass's security track record :). There are other choices out there. I used to use lastpass but stopped when logmein bought them. Since then, I realized multiple times that it was likely a wise choice to move on :)
My advice worth every penny you will pay for it:

Get a box/dropbox/onedrive/googledrive/whatever, free tier is fine, files are tiny.
Get keepassxc for your computers.
Get keepassdx for your phone/tablet (android, apple has some app or three as well, that supports synchronized file storage)
Create a vault, it will have a password of your choosing (The file is encrypted by you).
Put the vault (.kdbx file) on the shared storage (I use my personal nextcloud server, Synology has "drive" as well), this will make it both visible and editable from any device you have keepassXX stored on and keep it synchronized across all your devices.

This has multiple advantages. 1) The file is encrypted, thus even if compromised it is unlikely to be useful to anyone. 2) There is an offline copy of the file on every device you use the service with. If anything goes wrong you can simply copy the .kdbx file from any device that still has a copy.

I started doing this with dropbox, but moved everything to my Nextcloud when they stopped supporting XFS underneath for Linux. I use it to store MFA/TOTP tokens as well, arguments on that front for another thread.
 
I used a yubikey for a while and a couple of others. My stumbling block when I started was that nobody supported Windows, Mac, Linux, iPhone, and Android except lastpass.
See my earlier post. Keepass v2 databases are supported on pretty much everything, they are a de-facto standard. I adore U2F keys. I wish all my banks would allow it. Everyone should allow TWO (2) different U2F devices as the 2nd factor. All my AWS primary accounts have this, one key stays in the safe, the other one is on my person. This is the *most* secure, but if you lose/destroy the key you are completely hosed, it cannot be copied. TOTP / Text is fine for most common things.
 
Hacking into an inverter is so bizarre.
Hey dude, wanna have some fun. Yeah man, what do you want to do? I know, let's hack into random solar inverters.
And set it all to default too! That’ll really get em
 