SSL has nothing to do with protecting your network. It encrypts your traffic to HA so that if you are on an open/evil WiFi neighbours/owner can’t sniff your password.
Another option besides a VPN is port knocking. However, it will work for manual access only, not for apps like location reporting.
Yeah that’s what I figured. Is there a way to ban IP addresses when I see any that are knocking on my door?
In the meantime, I am still banging my head trying to get Let's Encrypt to work. A few late nights and for some reason it won't log in. Maybe one day this will be easier. I'm wasting so much time on this, I'm wondering how much it's worth it. I don't use shady WiFi networks, so the only risk would be through my cell phone carrier. Is it really much of a risk?
Nginx in front of HA may solve your hue/ssl issue.
Look into pfsense for network security.
I am certain this allows blocking IPs.
I just went through Let's Encrypt renewal and documented the install/renewal process. I use Docker + nginx, so if you are interested in a Docker install of these I will post the documented process and configs for you. This is specific to my install and definitely needs changes to the Docker container to work as intended, but I can look into doing that.
Great, let me know if you need help or clarification. I updated the method so be sure to read the last post if you decide to try it out.
For me this is a surprisingly solid method, and with HomeKit using a geofence the battery drain is minimal.
I work in IT security, and one of my biggest issues with Home Automation is that I see a lot of really insecure setups from people who, whilst very smart, don't know much about digital security. When you have devices that control your locks, stove, gas fire, alarms etc., people don't seem to click that it's really important to prioritise security.
In the few Home Automation installations I’ve done for others, the cost of the security work has trumped the installation, and I refuse to do installations without making sure the security setup is top notch.
Each network is different, but broadly, this is what I aim for:
Segregated WiFi. One "Guest" network, which is heavily regulated, with clients unable to "see" other client devices, and one "Main" network, where clients are able to interact with other devices. For your typical household, you may well be comfortable giving visitors and friends access to your WiFi to access the internet, but you probably don't want them unlocking your front door, or letting their already compromised device affect your main network. Depending on your smart devices, I would also recommend using a VPN on the "Main" WiFi; this means you not only need the WiFi password, but also your VPN credentials to connect to the HA network and interact with smart devices, plus your data traffic is encrypted and protected from sniffers (however, it can be quite tricky to make WiFi smart devices work with this setup, so it's an added bonus, but probably not suitable for your average user).
For the HA host, I only allow connections via localhost by default, and always with SSL. If you want to connect remotely, use a VPN. However, if you absolutely need external access (for custom Alexa skills, for example), make sure to only allow specific IP addresses. That way, you can be reasonably confident that the vast majority of intruders aren't going to be allowed to connect. It's still possible, but the type of attack needed would require the attacker to be very consciously targeting your network specifically.
Even with the above, I would still segregate the HA host onto a DMZ network or separate subnet and heavily regulate the traffic from the LAN. If you're running HA, the host should only allow connections via 443 for the app to run, and probably SSH. If you are using SSH, always use public/private key authentication. In this case, your DMZ is either going to be private, or only accessible to specific IP ranges. Either way, I would only allow SSH access via LAN, and deny external connections entirely. If you want to make changes on the server, you should be on the LAN (either locally, or via VPN).
Always implement a firewall AND use iptables to make your hosts impenetrable. Yes, it's a lot of work, and makes changes harder, but I can't overstate how important this is if you're really trying to implement robust security.
That’s my two-cents anyway… Hope that helps, and feel free to ask if you have any questions
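The policy in the post above (HTTPS to the HA host only from the LAN and from an explicit external allowlist, SSH only from the LAN, the DMZ never initiating towards the LAN, default deny for everything else) written out as a small first-match rule evaluator. This is an added example, not code from the post and not a pfSense or Home Assistant feature; the address ranges, the rule names and the sample connection attempts are all constructed from RFC 1918 and RFC 5737 space.

```python
"""Default-deny zone policy for the HA host, evaluated against sample connection attempts.

Added example, not code from the forum post. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

LAN = ip_network("192.168.10.0/24")        # assumed LAN
DMZ = ip_network("192.168.20.0/24")        # assumed DMZ
HA_HOST = ip_network("192.168.20.5/32")    # assumed HA host inside the DMZ
ALEXA_SRC = ip_network("203.0.113.0/24")   # assumed external allowlist for the Alexa skill


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "ACCEPT" or "DROP"


# First match wins; anything that falls off the end is dropped.
RULES: List[Rule] = [
    Rule("ssh-from-lan",         LAN,       HA_HOST, 22,   "ACCEPT"),
    Rule("https-from-lan",       LAN,       HA_HOST, 443,  "ACCEPT"),
    Rule("https-from-allowlist", ALEXA_SRC, HA_HOST, 443,  "ACCEPT"),
    Rule("dmz-to-lan",           DMZ,       LAN,     None, "DROP"),  # explicit so it is named in logs
]


def decide(src: str, dst: str, dport: int, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) for one connection attempt."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action, r.name
    return "DROP", "default-deny"


def audit(attempts):
    """Evaluate (src, dst, dport) tuples; returns (src, dst, dport, action, rule) per attempt."""
    return [(s, d, p) + decide(s, d, p) for s, d, p in attempts]


# Constructed attempts, roughly what such a firewall sees in a day.
SAMPLE = [
    ("192.168.10.20", "192.168.20.5", 443),   # phone on the LAN opening the HA UI
    ("192.168.10.20", "192.168.20.5", 22),    # admin on the LAN
    ("203.0.113.9",   "192.168.20.5", 443),   # Alexa skill from the allowlisted range
    ("203.0.113.9",   "192.168.20.5", 22),    # same range probing SSH
    ("198.51.100.7",  "192.168.20.5", 443),   # random internet scanner
    ("192.168.20.5",  "192.168.10.20", 445),  # HA host trying to reach into the LAN
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-15s -> %-15s :%-4d %-6s (%s)" % row)
```

The point of evaluating the policy as data before typing it into iptables or a pfSense rule table is that the order of the rules is visible: the allowlist rule only ever grants 443, so the SSH probe from the same range falls through to the default deny rather than matching anything.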
The best way? Depends how savvy you are, the family approval factor, and how much pain and suffering you are willing to put up with. The internet is a dangerous place for anyone, especially your house and private life. If you don't really know what you are doing, a VPN is usually a great first step instead of exposing HASS to the internet.
My current setup consists of, following the flow of a packet from Internet -> Cloudflare -> Firewall -> NGINX -> HASS:
Hosted DNS, TLS/Certificate, and proxied through Cloudflare using Authenticated Origin Pulls. This is all free, and they have excellent documentation and tutorials. Even if you don’t upgrade to Pro (for the WAF) there are great features like DNSSEC and Certificates. Be careful with the caching settings, I have had a few problems with HASS when those settings were enabled. Don’t forget to enable websocket support in the CF console!
pfSense 2.4 running dynamic DNS updates to Cloudflare, Snort Pro rules with custom tuned rules for the WAN interface and the 'balanced' rule set on LAN/IoT. Then add pfBlockerNG with cherry-picked threat feeds from FireHOL. If an IP address ends up sending you a packet of any kind and it is known by these feeds, it generally doesn't need to continue and gets blocked. Why let an attacker try all your doors and windows when you know they are bad after one knock?
Previously mentioned by others: pfSense as a router on a stick, and Unifi wireless/switch running three networks: LAN, IoT, and Guest. Dump everything in the IoT VLAN and set up very specific firewall rules between your VLANs. Block by default and use the firewall logs to figure out what is the minimum set of ports (if any) you need back into the LAN.
NGINX running locally as a reverse proxy using TLS and a certificate provided by Cloudflare. Combined with authN origin pulls from #1. I have been lazy, but want to get around to running mod_security as a module here if you wanted to BYO-WAF instead of paying Cloudflare. I kinda-sorta compensate with some snort web app rules, but I should get around to this…
(5a) If you didn't want to go with Cloudflare, you could also set up your own NGINX mutual auth using your own self-signed certificates.
Home Assistant with a good password, and make sure you read the component docs to set up cors_allowed_origins, use_x_forwarded_for (critical for correct proxy functionality), ip_ban_enabled, and login_attempts_threshold.
Make sure you test and run scans on your domain using SSL Labs or HTbridge. Then check your headers using securityheaders.io. Lastly, sign up for a free Shodan account and search your own IP. Shodan should only show ports you expect (like TCP 443 for HTTPS/TLS).
Stay on top of your patching. OS, Packages, Libraries, patch it all and constantly.
A full writeup of that would be quite the saga, and there is probably something I missed. However, take a look at either a VPN or Cloudflare first and get started, buy a domain from a reputable reseller like Gandi and not GoDaddy, then configure HASS and NGINX... big win and free TLS/certificates. Second priority would be pfSense, what a wonderful piece of free open source software and packages. Dump your terrible consumer router and never look back. I could see some not bothering with segmented VLANs and WiFi... leave this until later, as being exposed to the internet is your primary threat. I have some terrible Wemo devices I am afraid of; they, Alexa, and the Nvidia Shield all belong in the dirty IoT VLAN because they are far too chatty for my liking.
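Why the post above calls use_x_forwarded_for "critical for correct proxy functionality": behind NGINX, every request arrives from the proxy's address, so ip_ban_enabled and login_attempts_threshold count against the proxy unless the real client is recovered from X-Forwarded-For, and recovering it blindly lets any direct client pick its own identity. The following is an added example, not Home Assistant's implementation; the proxy address, the client addresses, the threshold and the login sequence are constructed.

```python
"""Client-IP attribution behind a reverse proxy, and the login ban that depends on it.

Added example, not Home Assistant's own code. All addresses are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

TRUSTED_PROXIES = [ip_network("192.168.20.10/32")]  # assumed: the nginx host
LOGIN_ATTEMPTS_THRESHOLD = 3                        # same meaning as the HA option


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, headers, use_x_forwarded_for=True):
    """Return the address a request should be attributed to.

    X-Forwarded-For is only honoured when the TCP peer is a trusted proxy;
    otherwise anyone can set the header and choose their own identity. The
    chain is walked right to left and the first hop that is not one of our
    proxies is the client. A malformed header falls back to the peer address.
    """
    peer = ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For", "")
    if not use_x_forwarded_for or not xff or not _trusted(peer):
        return peer
    try:
        hops = [ip_address(h.strip()) for h in xff.split(",") if h.strip()]
    except ValueError:
        return peer
    for hop in reversed(hops):
        if not _trusted(hop):
            return hop
    return peer


class LoginGuard:
    """Counts failed logins per attributed IP and bans after the threshold."""

    def __init__(self, threshold=LOGIN_ATTEMPTS_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.banned = set()

    def attempt(self, ip, password_ok):
        if ip in self.banned:
            return "banned"
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.banned.add(ip)
            return "banned"
        return "failed"


def simulate(use_x_forwarded_for):
    """Attacker fails three times through the proxy, then a LAN user logs in correctly.

    Returns (set of banned addresses, what the legitimate user got back).
    """
    guard = LoginGuard()
    proxy = "192.168.20.10"
    for _ in range(3):  # constructed brute-force attempts from 198.51.100.7
        ip = client_ip(proxy, {"X-Forwarded-For": "198.51.100.7"}, use_x_forwarded_for)
        guard.attempt(ip, password_ok=False)
    user = client_ip(proxy, {"X-Forwarded-For": "192.168.10.5"}, use_x_forwarded_for)
    outcome = guard.attempt(user, password_ok=True)
    return {str(b) for b in guard.banned}, outcome


if __name__ == "__main__":
    print("with use_x_forwarded_for:   ", simulate(True))   # attacker banned, user ok
    print("without use_x_forwarded_for:", simulate(False))  # proxy banned, user locked out
```

The two simulate() runs show both failure modes: with the header ignored, three bad passwords from anywhere ban the proxy address and lock every user out; with the header trusted from any peer, an attacker connecting directly could forward a LAN address and dodge the ban, which is why the proxy list matters as much as the toggle.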
Wow, this is really good to read (although I'm getting paranoid about my security when I read it). I'm using a VPN to access my HASS, and wanted to fiddle with VLANs and iptables when I realised that my Asus router was too limited.
Have been looking into pfSense; I need to buy a new server for my Plex, then install pfSense on my old Plex server first.
By the way, what's your opinion on OPNsense vs pfSense? I have read a lot about the similarities and differences and it gets a little bit dirty sometimes...
Follow-up question: are you accessing your HASS remotely with all that security? Thinking about the Cloudflare etc.
Make sure your LOCAL DEVICES are "controlled" and not doing their own autonomous sessions with "third parties" indiscriminately.
Admittedly, these are so common nowadays, e.g. when your devices are checking for firmware / release updates.
Either create firewall rules that allow such traffic (port, IP, URL), or lock it down in full.
Follow the rule "if it's not broken, don't fix it".
If you have an IP CAMERA (I got mine from a supplier from the East), make sure you know what services are running on top of it.
Lesson from my end: an IP CAM joined my network and was working perfectly until I noticed a certain spike of traffic streaming out of my network.
I found the IP CAM was doing an autonomous update to a server in China. The intention was good, helping its customers connect back to their cameras when on the open internet, but not when their servers are playing up and giving different tokens back to end users.
Using their iOS and Android app, I ended up seeing someone else's bedroom, sometimes a hallway, and at other times parking lots. (So you can imagine who that sick puppy was, showing interest in my garage and front porch, spending time online congesting my BW.)
Key culprit here: the IP CAM was doing a remote DynDNS update with a server in China, and negotiating with my router to allocate a port, keeping an "open session" with the remote server. So I hunted down this service, disabled DynDNS in the IP CAM, blocked the DynDNS address in my router firewall, and restricted all IP CAMERA traffic in-house.
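The spike of outbound traffic described above is exactly the kind of thing a few lines over your firewall's flow export will catch before you notice it by accident. The following is an added example, not code from the post: it runs over constructed flow records (the VLAN, hosts, destinations and byte counts are all made up) and reports IoT hosts reaching external destinations outside an allowlist, plus IoT hosts whose upload volume dwarfs their peers'.

```python
"""Spot IoT devices phoning home: unexpected destinations and outsized upload volume.

Added example, not code from the forum post. Every host, destination and byte
count below is constructed.
"""
import csv
import io
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_VLAN = ip_network("192.168.30.0/24")                  # assumed IoT VLAN
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ALLOWED_EXTERNAL = {ip_address("203.0.113.123")}          # assumed: the one vendor update host you permit

# Constructed flow export: timestamp, source, destination, destination port, bytes sent by source.
FLOWS = """\
ts,src,dst,dport,bytes_out
2017-11-03T01:00:02,192.168.30.21,192.168.10.40,554,18000000
2017-11-03T01:00:05,192.168.30.21,198.51.100.9,8000,450000000
2017-11-03T01:00:09,192.168.30.21,198.51.100.9,80,2400
2017-11-03T01:02:11,192.168.30.22,203.0.113.123,443,21000
2017-11-03T01:03:40,192.168.30.23,203.0.113.123,443,33000
2017-11-03T01:04:02,192.168.30.23,203.0.113.77,443,52000
2017-11-03T01:05:17,192.168.10.5,198.51.100.9,443,9000
"""


def parse_flows(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": ip_address(r["src"]),
            "dst": ip_address(r["dst"]),
            "dport": int(r["dport"]),
            "bytes_out": int(r["bytes_out"]),
        })
    return rows


def is_external(addr):
    return not any(addr in net for net in PRIVATE)


def unexpected_destinations(flows):
    """IoT host -> set of (dst, dport) it reached outside the allowlist."""
    hits = defaultdict(set)
    for f in flows:
        if f["src"] in IOT_VLAN and is_external(f["dst"]) and f["dst"] not in ALLOWED_EXTERNAL:
            hits[str(f["src"])].add((str(f["dst"]), f["dport"]))
    return dict(hits)


def volume_outliers(flows, factor=10):
    """IoT hosts whose external upload volume exceeds factor x the median of their peers."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] in IOT_VLAN and is_external(f["dst"]):
            totals[str(f["src"])] += f["bytes_out"]
    if len(totals) < 2:
        return []  # nothing to compare against; volume alone proves little
    median = statistics.median(totals.values())
    return sorted(h for h, total in totals.items() if total > factor * median)


def detect(text=FLOWS):
    flows = parse_flows(text)
    return {"unexpected": unexpected_destinations(flows), "outliers": volume_outliers(flows)}


if __name__ == "__main__":
    report = detect()
    for host, dests in report["unexpected"].items():
        print(host, "talked to", sorted(dests))
    print("volume outliers:", report["outliers"])
```

On the constructed data the camera (192.168.30.21) is flagged twice: it talks to a host nobody allowlisted and it uploads several hundred megabytes while its neighbours move kilobytes. The LAN host reaching the same destination is deliberately ignored, since the check is scoped to the IoT VLAN; the local stream to the NVR is counted as neither external nor suspicious.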
I recommend IPFire. What's the difference? Basically, IPFire is more boring, but very stable. pfSense is very interesting, but not as stable.
Build one machine to host all your services as VMs. Plex can quite comfortably run as a virtual instance, and then you can do cooler things with your NAS and treat it all as one big cloud blob that gets allocated to specific VMs for specific purposes (such as reading and writing movies). If you're running Hyper-V, you can very easily segregate your network with virtual switches, to make one group of VMs in your DMZ, for example, one on your LAN, and one on a separate subnet. So powerful!
Then build a simple hardware machine with at least two NICs to run your firewall from. This sort of infrastructure is much more scalable, and VMs make maintenance soooo easy.
Yep, that’s a pretty good walkthrough, and basically what I said above. Segregate your wifi and use multiple subnets. You’ll only need one router for that, unless you’re extending the range.
The key thing is that you understand iptables, since that's what you are using to provide the security, and the rules can get very complex (and are easy to get wrong, leaving security holes). That's why it's better to use a firewall that's upstream of your routers; it means the routers can be relatively agnostic of what's going on, and all the networking information is defined in one place. And since IPFire is designed for this sort of thing, it is easier to manage. Either way, you'll still need the wireless access points.
I'm an IT security engineer; I work with Check Point, Fortinet, F5, Imperva, Aruba, etc.
So, use a small cheap PC and download the Sophos UTM Home firewall.
You can use it for VPN, captive portal, IPS, antivirus... and WAF (Web Application Firewall) for your HA webpage.
This is a professional Firewall with a nice gui, easy to use with many possibilities.
Agreed! Sophos UTM is definitely a great product and has a much easier interface to set up the reverse proxy and IPS than HAProxy or Squid in pfSense or rolling your own nginx.
This is interesting. I’ve been testing things on SSL Labs and get an A for everything.
Securityheaders.io gives me an F on my HA instance (though a B on Nextcloud). Guess I should take another look at my reverse proxy at some point. Thanks!
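An F from securityheaders.io behind a proxy that passes SSL Labs, as in the last post (and the scan step recommended earlier in the thread), usually just means the proxy forwards Home Assistant untouched: the TLS is fine but none of the response headers the scanner looks for are present. The following is an added example, not securityheaders.io's scoring algorithm and not code from anyone in the thread. Its letter grade is a simplified assumption (one letter lost per missing or weak header, A down to F), the 180-day HSTS minimum is an assumption, and both header sets are constructed rather than captured from a real instance.

```python
"""Audit a set of HTTP response headers along the lines of a securityheaders.io scan.

Added example; not securityheaders.io's real scoring and not code from the thread.
The grading scale and the header sets are constructed.
"""
import re

HSTS_MIN_MAX_AGE = 15552000  # 180 days, assumed as the minimum worth credit


def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= HSTS_MIN_MAX_AGE


def _nonempty(value):
    return bool(value.strip())


# header (lower-case) -> predicate saying whether its value is acceptable
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _nonempty,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": _nonempty,
}
LEAKY = ("server", "x-powered-by")   # headers that tend to carry version strings
GRADES = "ABCDEF"                    # assumed scale: one letter per missing or weak header


def audit(headers):
    """Return grade plus the missing, weak and version-leaking headers."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    missing = [name for name in CHECKS if name not in h]
    weak = [name for name, ok in CHECKS.items() if name in h and not ok(h[name])]
    leaks = [name for name in LEAKY if name in h and re.search(r"\d", h[name])]
    penalty = len(missing) + len(weak)
    grade = GRADES[min(penalty, len(GRADES) - 1)]
    return {"grade": grade, "missing": missing, "weak": weak, "leaks": leaks}


# Constructed: nginx forwarding HA with nothing added, the kind of response that scores F.
BARE_PROXY = {
    "Server": "nginx/1.13.12",
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-cache",
}

# Constructed: the same proxy with the usual add_header lines.
HARDENED_PROXY = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; connect-src 'self' wss:",  # starting point only
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}

# Constructed: HSTS present but with a max-age too short to mean anything.
WEAK_HSTS = dict(HARDENED_PROXY, **{"Strict-Transport-Security": "max-age=60"})

if __name__ == "__main__":
    for name, hdrs in (("bare", BARE_PROXY), ("hardened", HARDENED_PROXY), ("weak hsts", WEAK_HSTS)):
        print(name, audit(hdrs))
```

Two caveats before copying the hardened set into an nginx config: add the headers one at a time and reload the HA frontend after each, because a restrictive Content-Security-Policy or X-Frame-Options can break parts of the UI that the scanner does not exercise, and note that the audit only grades what is returned, so a proxy that sets the headers on static files but not on the proxied HA responses will still score badly on the pages that matter.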