Best Way to Protect from Hackers?

I work in IT security, and one of my biggest issues with Home Automation, is that I see a lot of really insecure setups from people who, whilst very smart, don’t know much about digital security. When you have devices that control your locks, stove, gas fire, alarms etc, people don’t seem to click that it’s really important to prioritise security.

In the few Home Automation installations I’ve done for others, the cost of the security work has trumped the installation, and I refuse to do installations without making sure the security setup is top notch.

Each network is different, but broadly, this is what I aim for:

  • Segregated WIFI. One “Guest” network, which is heavily regulated, with clients unable to “see” other client devices, and one “Main” network, where clients are able to interact with other devices. For your typical household, you may well be comfortable giving visitors and friends access to your WIFI to access the internet, but you probably don’t want them unlocking your front door, or allowing their already compromised device to affect your main network. Depending on your smart devices, I would also recommend using a VPN on the “Main” WIFI; this means you not only need the WIFI password, but also your VPN credentials to connect to the HA network and interact with smart devices; plus, your data traffic is encrypted and protected from sniffers (however, it can be quite tricky to make WIFI smart devices work with this setup, so it’s an added bonus, but probably not suitable for your average user).

  • For the HA host, I only allow connections via localhost by default, and always with SSL. If you want to connect remotely, use a VPN. However, if you absolutely need external access (for custom Alexa skills, for example), make sure to only allow specific IP addresses. That way, you can be reasonably confident that the vast majority of intruders aren’t going to be allowed to connect. It’s still possible, but the type of attack needed would require the attacker to be very consciously targeting your network specifically.

  • Even with the above, I would still segregate the HA host onto a DMZ network or separate subnet and heavily regulate the traffic from the LAN. If you’re running HA, the host should only allow connections via 443 for the app to run, and probably SSH. If you are using SSH, always use public/private key authentication. In this case, your DMZ is either going to be private, or only accessible to specific IP ranges. Either way, I would only allow SSH access via LAN, and deny external connections entirely. If you want to make changes on the server, you should be on the LAN (either locally, or via VPN).

  • Always implement a firewall AND use IP Tables to make your hosts impenetrable. Yes, it’s a lot of work, and makes changes harder, but I can’t overstate how important this is if you’re really trying to implement robust security.

That’s my two-cents anyway… Hope that helps, and feel free to ask if you have any questions :slight_smile:

28 Likes

You can ban IPs; use this in your config:

http:
  ip_ban_enabled: True
  login_attempts_threshold: 10 ### optional

and then populate the ip_bans.yaml:

54.244.171.42:
  banned_at: '2017-05-07T14:05:15'
1 Like

Great post, thanks!

No worries :slight_smile: always happy to help anyone with security-related questions. Bonus points for those running Linux!

1 Like

Thanks so much! It really is helpful! @wingers1290

And thanks @Bob_NL for the tip on IP banning. I’ll go log my attempted intruder now

2 Likes

The best way? Depends how savvy you are, family approval factor, and how much pain and suffering you are willing to put up with. The internet is a dangerous place for anyone, especially your house and private lives. If you don’t really know what you are doing, a VPN is usually a great first step instead of exposing HASS to the internet.

My current setup consists of, following the flow of a packet from Internet -> Cloudflare -> Firewall -> NGINX -> HASS:

  1. Hosted DNS, TLS/certificate, and proxied through Cloudflare using Authenticated Origin Pulls. This is all free, and they have excellent documentation and tutorials. Even if you don’t upgrade to Pro (for the WAF), there are great features like DNSSEC and certificates. Be careful with the caching settings; I have had a few problems with HASS when those settings were enabled. Don’t forget to enable websocket support in the CF console!

  2. pfSense 2.4 running dynamic DNS updates to Cloudflare, Snort pro rules with custom tuned rules for the WAN interface and the ‘balanced’ rule set on LAN/IOT. Then add pfBlockerNG with cherry-picked threat feeds from FireHOL. If an IP address ends up sending you a packet of any kind and it is known by these feeds… they generally don’t need to continue and get blocked. Why let an attacker try all your doors and windows when you know they are bad after one knock.

  2a. Take a look for some big names. Talos (Cisco), Bambenek, Binary Defense Systems (BDS) and other well-known threat intelligence feeds are out there for free.

  3. Previously mentioned by others: pfSense as a router on a stick, and UniFi wireless/switch running three networks: LAN, IOT, and Guest. Dump everything in the IOT VLAN and set up very specific firewall rules between your VLANs. Block by default and use the firewall logs to figure out what is the minimum set of ports (if any) you need back into the LAN.

  4. NGINX running locally as a reverse proxy using TLS and a certificate provided by Cloudflare, combined with authenticated origin pulls from #1. I have been lazy, but want to get around to running mod_security as a module here if you wanted to BYO-WAF instead of paying Cloudflare. I kinda-sorta compensate with some Snort web app rules, but I should get around to this…

  4a. If you didn’t want to go with Cloudflare, you could also set up your own NGINX mutual auth using your own self-signed certificates.

  5. Home Assistant with a good password, and make sure you read the components to set up cors_allowed_origins, use_x_forwarded_for (critical for correct proxy functionality), ip_ban_enabled, and login_attempts_threshold.

  6. Make sure you test and run scans on your domain using SSL Labs or HTBridge. Then check your headers using securityheaders.io. Lastly, sign up for a free Shodan account and search your own IP. Shodan should only show ports you expect (like TCP 443 for HTTPS/TLS).

  7. Stay on top of your patching. OS, packages, libraries: patch it all and constantly.

A full write-up of that would be quite the saga, and there is probably something I missed. However, take a look at either a VPN or Cloudflare first and get started, buy a domain from a reputable reseller like Gandi and not GoDaddy, then configure HASS and NGINX… big win and free TLS/certificates. Second priority would be pfSense, what a wonderful piece of free open source software and packages. Dump your terrible consumer router and never look back. I could see some not bothering with segmented VLANs and wifi… leave this until later, as being exposed to the internet is your primary threat. I have some terrible WeMo devices I am afraid of, Alexa, and the Nvidia Shield, and they all belong in the dirty IOT VLAN because they are far too chatty for my liking.

28 Likes
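Two things the thread leaves implicit are what use_x_forwarded_for actually has to get right behind a reverse proxy, and what the ip_ban_enabled / login_attempts_threshold mechanism quoted earlier produces. The block below is an added example, not Home Assistant's or nginx's own code: it resolves the real client address by trusting X-Forwarded-For only when the TCP peer is a known proxy (the same rule Home Assistant applies through its trusted_proxies setting), then counts login failures against that address and renders bans in the ip_bans.yaml shape shown above. Every address, the trusted-proxy list, the threshold of 3 and the timestamp are constructed for the demo.

```python
"""Added example (not Home Assistant's own code): resolve the real client IP
behind a trusted reverse proxy, count login failures against it and ban after
a threshold, rendering the result in the ip_bans.yaml shape quoted in the
thread.  Addresses, proxies and the request sequence are constructed."""
import ipaddress
from datetime import datetime
from typing import Dict, Iterable, List, Optional


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Return the address a request should be attributed to.

    X-Forwarded-For is honoured only when the TCP peer (remote_addr) is one of
    our trusted proxies; otherwise anyone could spoof a LAN address in the
    header.  The chain is walked from the right (the hop nearest to us), every
    trusted proxy is skipped, and the first untrusted hop is the client, so an
    attacker pre-loading a fake address on the left cannot shift the blame.
    A chain containing anything that is not an IP address is rejected and the
    peer address is used instead.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    if not x_forwarded_for or not is_trusted(peer):
        return remote_addr
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    except ValueError:
        return remote_addr
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)
    # Every forwarded hop was one of our proxies: treat the leftmost as client.
    return str(hops[0])


class LoginGuard:
    """Count failed logins per client IP and ban after `threshold` failures."""

    def __init__(self, threshold: int = 10) -> None:
        self.threshold = threshold
        self.failures: Dict[str, int] = {}
        self.bans: Dict[str, datetime] = {}

    def is_banned(self, ip: str) -> bool:
        return ip in self.bans

    def record_failure(self, ip: str, now: datetime) -> bool:
        """Register one failed login; return True if it triggered a ban."""
        if ip in self.bans:
            return False
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.threshold:
            self.bans[ip] = now
            return True
        return False

    def record_success(self, ip: str) -> None:
        self.failures.pop(ip, None)

    def render_ip_bans(self) -> str:
        """Serialise bans in the same shape as the ip_bans.yaml quoted above."""
        lines: List[str] = []
        for ip, when in sorted(self.bans.items()):
            stamp = when.strftime("%Y-%m-%dT%H:%M:%S")
            lines.append(f"{ip}:")
            lines.append(f"  banned_at: '{stamp}'")
        return "\n".join(lines) + ("\n" if lines else "")


def demo() -> Dict[str, object]:
    trusted = ["127.0.0.1/32", "192.168.10.5/32"]   # constructed: only the local nginx
    guard = LoginGuard(threshold=3)                 # constructed, low for the demo
    when = datetime(2017, 5, 7, 14, 5, 15)          # constructed timestamp
    # A normal user arriving through nginx.
    good = client_ip("192.168.10.5", "203.0.113.9", trusted)
    # An attacker hitting the HA port directly and spoofing a LAN address.
    direct = client_ip("198.51.100.77", "192.168.10.20", trusted)
    # The same attacker through nginx, pre-loading a fake hop on the left.
    proxied = client_ip("192.168.10.5", "10.0.0.1, 198.51.100.77", trusted)
    for _ in range(3):
        guard.record_failure(proxied, when)
    guard.record_success(good)
    return {"good": good, "direct": direct, "proxied": proxied,
            "attacker_banned": guard.is_banned(proxied),
            "user_banned": guard.is_banned(good),
            "ip_bans_yaml": guard.render_ip_bans()}


if __name__ == "__main__":
    print(demo()["ip_bans_yaml"], end="")
```

The point of the second and third cases: if the application trusted X-Forwarded-For from any peer, or took the leftmost value, the attacker could either get a LAN address banned on their behalf or never accumulate failures under their own address at all, and the IP ban would be worthless. Keep the proxy list tight (just the reverse proxy, not the whole LAN) and make sure the HA port itself is not reachable from anywhere except that proxy.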

Wow, this is really good to read (although I’m getting paranoid about my security when I read it). I’m using a VPN to access my hass, and wanted to fiddle with VLANs and iptables when I realized that my Asus router was too limited.

Have been looking into pfSense; need to buy a new server for my Plex, then install pfSense on my old Plex server first :smiley:

By the way, what’s your opinion on OPNsense vs pfSense? Have read a lot about the similarities and differences and it gets a little bit dirty sometimes…

Follow-up question: are you accessing your hass remotely with all that security? Thinking about the Cloudflare etc.

An extra tip here…

  1. Make sure your LOCAL DEVICES are “controlled” and not doing their own autonomous sessions with “third parties” indiscriminately.
  • admittedly, these are so common nowadays, e.g. when your devices are checking for firmware / release updates

  • either create firewall rules that allow such traffic (port, IP, URL), or lock it down in full

  • follow the rule “if it’s not broken, don’t fix it”

  2. If you have an IP CAMERA (I got mine from a supplier from the East), make sure you know what services are running on top of it.

Lesson from my end: an IP CAM joined my network and was working perfectly until I noticed a certain spike of traffic streaming out of my network.

I found the IP CAM was doing autonomous updates to a server in China. The intention was good, helping its customers to connect back to their cameras when on the open internet, but not when their servers are playing up and giving different tokens back to end users.

Using their iOS and Android app, I ended up seeing someone else’s bedroom, sometimes a hallway, and at other times parking lots. (So you can imagine who that sick puppy was showing interest in my garage and front porch, spending time online congesting my BW.)

Key culprit here: the IP CAM was doing a remote DynDNS update with a server in China, negotiating with my router to allocate a port and keeping an “open session” with the remote server. So I hunted down this service, disabled DynDNS in the IP CAM, blocked the DynDNS address in my router firewall, and restricted all IP CAMERA traffic in-house.

1 Like
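The camera story above is the case for a per-device egress allowlist plus a check that actually runs against the logs, which is what makes the "spike of traffic" visible before the app shows you someone else's hallway. The block below is an added example, not code from the post: a small egress audit that applies a per-device allowlist to outbound connection records and flags anything else, including repeated connections to the same destination (the DynDNS/relay session the camera kept open). The log format, the device addresses, the allowlist and the three-connection beaconing threshold are all constructed for the demo; a real deployment would feed it pfSense, iptables or flow logs instead.

```python
"""Added example (not from the post): a per-device egress audit over
constructed outbound connection log lines.  The format, addresses, policy
and thresholds are all assumptions made for the demo."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed log: one outbound connection per line,
#   timestamp src sport dst dport proto bytes
SAMPLE_LOG = """\
2017-05-07T14:00:01 192.168.20.15 40001 192.168.20.1 53 UDP 120
2017-05-07T14:00:02 192.168.20.15 40002 192.168.20.1 123 UDP 76
2017-05-07T14:00:10 192.168.20.15 40010 203.0.113.50 8000 TCP 1500
2017-05-07T14:01:10 192.168.20.15 40011 203.0.113.50 8000 TCP 48000
2017-05-07T14:02:10 192.168.20.15 40012 203.0.113.50 8000 TCP 51000
2017-05-07T14:03:10 192.168.20.15 40013 203.0.113.50 8000 TCP 47000
2017-05-07T14:05:00 192.168.20.30 50001 198.51.100.10 443 TCP 900
2017-05-07T14:05:30 192.168.20.15 40014 192.168.20.1 53 UDP 110
"""

# Constructed per-device egress policy: (destination network, port).
# Anything not listed is a violation; a device with no entries gets nothing.
EGRESS_POLICY: Dict[str, List[Tuple[str, int]]] = {
    # IP camera: DNS and NTP to the gateway only, no cloud relay.
    "192.168.20.15": [("192.168.20.1/32", 53), ("192.168.20.1/32", 123)],
    # Smart plug: no egress at all.
    "192.168.20.30": [],
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return Flow(ts, src, int(sport), dst, int(dport), proto, int(nbytes))


def is_allowed(flow: Flow, policy: Dict[str, List[Tuple[str, int]]]) -> bool:
    """Default deny: unknown devices and unlisted destinations are violations."""
    rules = policy.get(flow.src)
    if not rules:
        return False
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in ipaddress.ip_network(net) and flow.dport == port
               for net, port in rules)


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    connections: int
    nbytes: int
    beaconing: bool   # same device, same destination, repeatedly


def audit(lines: Iterable[str], policy: Dict[str, List[Tuple[str, int]]],
          beacon_threshold: int = 3) -> List[Finding]:
    """Aggregate every disallowed flow per (device, destination, port),
    largest byte count first, so the chattiest offender is at the top."""
    counts: Dict[Tuple[str, str, int], List[int]] = defaultdict(lambda: [0, 0])
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_allowed(flow, policy):
            continue
        key = (flow.src, flow.dst, flow.dport)
        counts[key][0] += 1
        counts[key][1] += flow.nbytes
    findings = [Finding(src, dst, dport, c, b, c >= beacon_threshold)
                for (src, dst, dport), (c, b) in counts.items()]
    findings.sort(key=lambda f: f.nbytes, reverse=True)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines(), EGRESS_POLICY):
        flag = " BEACONING" if f.beaconing else ""
        print(f"{f.src} -> {f.dst}:{f.dport} {f.connections}x {f.nbytes}B{flag}")
```

Run against the sample, the camera's four sessions to 203.0.113.50:8000 come out on top and are marked as beaconing, while the plug's single update check is listed but not. Building the policy from the logs is the practical order: run the audit with an empty allowlist first, add only the destinations you can explain (update servers, NTP, your own HA host), and treat everything that remains the way the post did: block it at the firewall and, where you can, turn the feature off on the device.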

I recommend IPFire. What’s the difference? Basically, IPFire is more boring, but very stable. pfSense is very interesting, but not as stable.

Build one machine to host all your services as VMs. Plex can quite comfortably run as a virtual instance, and then you can do cooler things with your NAS and treat it all as one big cloud blob that gets allocated to specific VMs for specific purposes (such as reading and writing movies). If you’re running Hyper-V, you can very easily segregate your network with virtual switches, to make one group of VMs in your DMZ, for example, one on your LAN, and one on a separate subnet. So powerful!

Then build a simple hardware machine with at least two NICs to run your firewall from. This sort of infrastructure is much more scalable, and VMs make maintenance soooo easy.

I have 2 Asus AC68s; can I use those for some sort of network instead of buying a UniFi AC? They are quite new, a bit sad to just throw them away :slight_smile:

Speaking in terms of adding a layer of security.

Thinking of installing Tomato by Shibby on one of them and adding the benefit of VLANs:

That sounds ideal but super time-consuming to set up and maintain. That’s corporate-level kinda stuff. :smiley:

Yep, that’s a pretty good walkthrough, and basically what I said above. Segregate your wifi and use multiple subnets. You’ll only need one router for that, unless you’re extending the range.

The key thing is that you understand IP Tables, since that’s what you are using to provide the security, and they can get very complex (and easy to get wrong and leave security holes). That’s why it’s better to use a firewall that’s upstream of your routers; it means the routers can be relatively agnostic of what’s going on, and all the networking information is defined in one place. And since IPFire is designed for this sort of thing, it is easier to manage. Either way, you’ll still need the wireless access points.

I’m an IT security engineer; I work with Check Point, Fortinet, F5, Imperva, Aruba, etc.

So, use a small cheap PC and download the Sophos UTM Home firewall.
You can use it for VPN, captive portal, IPS, antivirus… and a WAF (“Web Application Firewall”) for your HA web page.

This is a professional Firewall with a nice gui, easy to use with many possibilities.

https://www.sophos.com/en-us/products/unified-threat-management.aspx

2 Likes

Agreed! Sophos UTM is definitely a great product and has a much easier interface to setup the reverse proxy and IPS than haproxy or squid in pfsense or rolling your own nginx.

1 Like

This is interesting. I’ve been testing things on SSL Labs and get an A for everything.

securityheaders.io gives me an F on my HA instance (though a B on Nextcloud). Guess I should take another look at my reverse proxy at some point. Thanks!
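An F from a header scanner usually means the response carries none of the headers it looks for, and behind a reverse proxy that is the proxy's job to fix, not the application's. The block below is an added example, not securityheaders.io's scanner or anything from Home Assistant: it runs the same kind of check locally against a header set, so you can test an nginx `add_header` change before re-scanning. The two constructed header sets, the six-month minimum HSTS age and the letter-grade mapping are my own assumptions for the demo.

```python
"""Added example (not securityheaders.io's scanner): a local audit of the
response headers such scanners look for.  Header sets, the minimum HSTS age
and the grade mapping are assumptions made for the demo."""
import re
from typing import Dict, List, Optional

MIN_HSTS_AGE = 15552000   # assumption: six months, in seconds

# Constructed: what an application that sets nothing itself might return.
BARE_RESPONSE: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
}

# Constructed: the same response after the reverse proxy adds headers.
HARDENED_RESPONSE: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak header; empty means all present."""
    findings: List[str] = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < MIN_HSTS_AGE:
            findings.append("Strict-Transport-Security max-age too short")

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")

    # Clickjacking: either the legacy header or the CSP directive will do.
    if _get(headers, "X-Frame-Options") is None and not (csp and "frame-ancestors" in csp):
        findings.append("X-Frame-Options (or CSP frame-ancestors) missing")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    if _get(headers, "Referrer-Policy") is None:
        findings.append("Referrer-Policy missing")
    if _get(headers, "Permissions-Policy") is None:
        findings.append("Permissions-Policy missing")
    return findings


def grade(findings: List[str]) -> str:
    """Assumed mapping: one letter per finding, capped at F."""
    return "ABCDEF"[min(len(findings), 5)]


if __name__ == "__main__":
    for name, hdrs in (("bare", BARE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = audit_headers(hdrs)
        print(f"{name}: {grade(found)} {found}")
```

One caveat before copying the hardened set onto a Home Assistant proxy: a strict Content-Security-Policy can break the frontend (inline scripts, websocket connections), so roll it out as Content-Security-Policy-Report-Only first and tighten it once the browser console is clean. HSTS is the one header to get right first; it is cheap and does the most against a downgrade from HTTPS.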

Couple this with fail2ban.

I recently have prepared a Dockerfile which sets up a reverse proxy that requires OpenID Connect authentication to gain access to whatever is proxied behind. Using Google as the authentication provider with activated 2-Factor-Authentication, HASS should be pretty safe. Here’s the post: Multi-Factor-Authentication via OAuth (nginx reverse proxy in Docker container)

1 Like

You could try using Cloudflare. Their free tier provides some basic protections… if you upgrade to the $20 plan, that has a built-in WAF.

1 Like

I have resisted exposing my HA to the WAN until I was reasonably sure that I knew what I was doing. I am a Linux novice but very security conscious. I also don’t want to have to use third-party services if possible. So I decided to go with TightVNC server/viewer (with androidVNC for my Android phone) combined with stunnel4 to provide the secure SSL layer. It works well, especially if you set up the TightVNC server with a geometry parameter to match your phone screen resolution. I just need one port forwarding rule on my router. stunnel and TightVNC server are both enabled to start automatically at boot.

I was wondering if anyone else has gone this route and if it is as secure as I hope.

Following on from my comment, I’ve just written an article about the challenges of securing home automation networks using non-enterprise hardware. https://echoit.co.nz/securing-home-automation-networks/

In short, the typical home owner either needs to start engaging with security issues at a really high level - or, the security industry needs to find ways of making it accessible and scaleable at the home level.

2 Likes