Best Way to Protect from Hackers?

A bit of background, I successfully got Let’s Encrypt working for remote access a few months ago but came across issues using it with emulated_hue and my Amazon Echo. So I just disabled it so had no encryption but remote access still enabled. Yes, I know it’s not safe, but since Home Assistant logs unsuccessful password attempts I thought that would be sufficient to warn me if someone was trying. 3 months passed and my Let’s Encrypt expired and I got my first invalid password warning. I looked up the IP and it’s definitely someone trying to break in. So I’m revisiting encryption and trying to get it to work this time. But before I do, just looking into what the best approach is until there are fixes…

  1. look at finding a way to block incoming IP addresses so they can’t even get to the password splash screen?
  2. Go back using Let’s Encrypt and put up with not using emulated_hue
  3. Leave config as is, just frequently change my password.
  4. Turn off remote access and just enjoy HASS on local network only.

Any recommendations?

4 Likes

Use vpn? Openvpn is included in many new routers.

I use vpn strictly to access my HA and servers.

1 Like

Definitely set up an OpenVPN if you can.

  1. work out why emulated_hue won’t work for you, fix it and switch SSL back on.

I have SSL and emulated_hue working fine here, and I can’t see any reason for it to be affected by SSL?

1 Like

But with VPN it would mean I’d always have to have it running to report my location with the iOS app. I may just enable in the meantime while I figure out what the problem with my config is. Thanks.

1 Like

Yes. That’s the goal. How long have you been using it? There was a bug earlier and was waiting to see if got fixed but couldn’t see anything in the subsequent release notes. I’ll try setting it back up tomorrow and see if it works now. Glad to hear it’s working for you.

Tbh it’s always worked for me so I wasn’t aware of any bugs, I haven’t updated my GitHub for a while but my config in relation to this should be still valid as I haven’t changed it. Link on my profile if it helps.

Do you use homebridge or are willing to? Then I have a method to solve the location-problem for you.

I use SSH with pre-shared keys or VPN for accessing my home network. It is possible to set up a VPN profile which opens a VPN connection on demand and automatically when you try to connect to a predefined domain. Works file even for location reporting with the iOS app.

1 Like

And if it doesn’t I think openwrt has it.

If you want to update your location, use VPN and have iOS this is a great way to do this:

This has been the most reliable way for me to update my location, and it uses HomeKit witch is a plus. I don’t use the iOS app to update my position.

1 Like

SSL has nothing to do with protecting your network. It encrypts your traffic to HA so that if you are on an open/evil WiFi neighbours/owner can’t sniff your password.

Another option besides VPN is port knocking. However it will work for manual access only not for apps like location reporting.

2 Likes

Yeah that’s what I figured. Is there a way to ban IP addresses when I see any that are knocking on my door?

In the meantime, I am still banging my head trying to get letsencrypt to work. A few late nights and for some reason it won’t log in. Maybe one day this will be easier. I’m wasting so much time on this, I’m wondering how much it’s worth it? I don’t use shady wifi networks so the only risk would be through my cell phone carrier. Is it really much of a risk??

Yes I do use homebridge. Thanks. I’ll look into it.

Nginx in front of HA may solve your hue/ssl issue.

Look into pfsense for network security.
I am certain this allows block ip.

I just went through letsencrypt renewal and documented the install/renewal process. I use docker + nginx so if you are interested in docker install of these i will post documented process and configs for you…this is specific to my install and definitely needs changes to docker container to work as intended but i can look into doing that

2 Likes

Great, let me know if you need help or clarification. I updated the method so be sure to read the last post if you decide to try it out.
For me this is a suprisingly solid method, and by homekit using geofence the battery drain is minimal.

I work in IT security, and one of my biggest issues with Home Automation, is that I see a lot of really insecure setups from people who, whilst very smart, don’t know much about digital security. When you have devices that control your locks, stove, gas fire, alarms etc, people don’t seem to click that it’s really important to prioritise security.

In the few Home Automation installations I’ve done for others, the cost of the security work has trumped the installation, and I refuse to do installations without making sure the security setup is top notch.

Each network is different, but broadly, this is what I aim for:

  • Segregated WIFI. One “Guest” network, which is heavily regulated, with clients unable to “see” other client devices, and one “Main” network, where clients are able to interact with other devices. For your typical household, you may well be comfortable giving visitors and friends access to your WIFI to access the internet, but you probably don’t want them unlocking your front door, or allow their already compromised device to affect your main network. Depending on your smart devices, I would also recommend using a VPN on the “Main” wifi; this means you not only need the wifi password, but also your VPN credentials to connect to the HA network and interact with smart devices, plus, your data traffic is encrypted and protected from sniffers (however, it can be quite tricky to make WIFI smart devices work with this setup, so it’s an added bonus, but probably not suitable for your average user).

  • For the HA host, I only allow connections via localhost by default, and always with SSL. If you want to connect remotely, use a VPN. However, if you absolutely need external access (for custom Alexa skills, for example) make sure to only allow specific IP address. That way, you can be reasonably confident that the vast majority of intruduers aren’t going to be allowed to connect. It’s still possible, but the type of attack needed would require the attacker to be very consciously targeting your network specifically.

  • Even with the above, I would still segregate the HA host onto a DMZ network or separate subnet and heavily regulate the traffic from the LAN. If you’re running HA, the host should only allow connections via 443 for the app to run, and probably SSH. If you are using SSH, always use public/private authentication. In this case, your DMZ either going to be private, or only accessible to specific IP ranges. Either way, I would only allow SSH access via LAN, and deny external connections entirely. If you want to make changes on the server, you should be on the LAN (either locally, or via VPN).

  • Always implement a firewall AND use IP Tables to make your hosts impenetrable.Yes, it’s a lot of work, and makes changes harder, but I can’t overstate how important this is if you’re really trying to implement robust security.

That’s my two-cents anyway… Hope that helps, and feel free to ask if you have any questions :slight_smile:

28 Likes

You can ban IP’s, use this in your config:

http:
 ip_ban_enabled: True
 login_attempts_threshold: 10 ### optional

and then populate the ip_bans.yaml:

54.244.171.42:
  banned_at: '2017-05-07T14:05:15'
1 Like

Great post, thanks!

No worries :slight_smile: always happy to help anyone with security-related questions. Bonus points for those running Linux!

1 Like