Best Way to Protect from Hackers?

An extra tip here…

  1. Make sure your LOCAL DEVICES are "controlled" and not running their own autonomous sessions with "third parties" indiscriminately.
  • admittedly, these are very common nowadays, e.g. when your devices check for firmware / release updates

  • either create firewall rules that allow such traffic (port, IP, URL), or lock it down in full

  • follow the rule "if it's not broken, don't fix it"

  2. If you have an IP CAMERA (I got mine from a supplier from the East), make sure you know what services are running on it.

Lesson from my end: an IP CAM joined my network and was working perfectly until I noticed a certain spike of traffic streaming out of my network.

I found the IP CAM was doing an autonomous update to a server in China. The intention was good, helping its customers connect back to their cameras from the open internet, but not when their servers are playing up and giving different tokens back to end users.

Using their iOS and Android app, I ended up seeing someone else's bedroom, sometimes a hallway, at other times parking lots. (So you can imagine who that sick puppy was showing interest in my garage and front porch, spending time online congesting my bandwidth.)

Key culprit here: the IP CAM was doing a remote DynDNS update with a server in China and negotiating with my router to allocate a port, keeping an "open session" with the remote server. So I hunted down this service, disabled DynDNS in the IP CAM, blocked the DynDNS address in my router firewall, and restricted all IP CAMERA traffic to in-house only.

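The post above describes the remediation informally (find the call-home, block it, keep the camera in-house). As an added example, not code from the original post, the script below replays constructed connection records in a simplified "src dst proto dport bytes_out" format (my own format, not any router's native log) against a per-device egress policy, flags flows the policy does not allow and flows that push a lot of data out, and renders the policy as iptables FORWARD rules. All addresses, device roles, the subnet, the byte-volume threshold and the policy itself are assumptions.

```python
"""
Egress audit for a LAN with "autonomous" IoT devices.

Added example, not from the original post. Every address, device role and
byte count below is made up; the flow format is a simplified one of my own.
"""
import ipaddress
from dataclasses import dataclass, field

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home subnet
HIGH_VOLUME_BYTES = 1_000_000                    # assumed per-flow alert threshold


@dataclass
class EgressPolicy:
    name: str
    lan_only: bool = False                            # may never initiate to the internet
    allowed_remote: set = field(default_factory=set)  # {(dst_ip, proto, dport)} exceptions


# Assumed devices: the camera gets no internet at all; the NAS may only
# talk HTTPS to one update host.
POLICY = {
    "192.168.1.50": EgressPolicy("ip-camera", lan_only=True),
    "192.168.1.20": EgressPolicy("nas", allowed_remote={("203.0.113.10", "tcp", 443)}),
}

# Constructed sample flows; the camera lines mirror the DDNS-style
# call-home described in the post.
SAMPLE_FLOWS = """\
192.168.1.50 192.168.1.10  tcp 554  120000   # camera -> NVR on the LAN: fine
192.168.1.50 203.0.113.77  udp 53   200      # camera -> external DNS/DDNS host
192.168.1.50 198.51.100.9  tcp 8000 9500000  # camera -> remote relay, lots of data
192.168.1.20 203.0.113.10  tcp 443  40000    # NAS -> allowed update server
192.168.1.20 192.0.2.5     tcp 22   300      # NAS -> unknown SSH host
192.168.1.77 192.0.2.40    tcp 443  5000     # device nobody wrote a policy for
"""


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int


def parse_flows(text):
    """Parse the simplified flow format; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows


def audit(flows, policy=POLICY, lan=LAN, threshold=HIGH_VOLUME_BYTES):
    """Return (src, dst, reason) for every LAN-originated flow to the internet
    that the policy does not allow, plus any flow above the volume threshold."""
    findings = []
    for f in flows:
        if ipaddress.ip_address(f.src) not in lan:
            continue   # not LAN-originated; out of scope for an egress audit
        if ipaddress.ip_address(f.dst) in lan:
            continue   # stays inside the LAN; intra-LAN rules are a separate matter
        pol = policy.get(f.src)
        where = f"{f.dst}:{f.dport}/{f.proto}"
        if pol is None:
            findings.append((f.src, f.dst, f"unmanaged device reached {where}"))
        elif pol.lan_only:
            findings.append((f.src, f.dst, f"{pol.name} is LAN-only but reached {where}"))
        elif (f.dst, f.proto, f.dport) not in pol.allowed_remote:
            findings.append((f.src, f.dst, f"{pol.name} reached non-allowlisted {where}"))
        if f.bytes_out >= threshold:
            findings.append((f.src, f.dst, f"high-volume egress: {f.bytes_out} bytes"))
    return findings


def iptables_rules(policy=POLICY, lan=LAN):
    """Render the policy as iptables FORWARD rules. iptables is first-match,
    so each device's allow-list exceptions come before its catch-all DROP."""
    rules = []
    for ip, pol in policy.items():
        for dst, proto, port in sorted(pol.allowed_remote):
            rules.append(f"iptables -A FORWARD -s {ip} -d {dst} -p {proto} --dport {port} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -s {ip} ! -d {lan} -j DROP")
    return rules


if __name__ == "__main__":
    for src, dst, reason in audit(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}: {reason}")
    print("\n".join(iptables_rules()))
```

The NAS line to its allowed update host produces no finding; everything else leaving the LAN does, and the large camera flow is reported twice (policy violation and volume). The generated DROP rules only stop the camera initiating outbound; if the camera also opens a port through UPnP on the router, that mapping has to be removed or UPnP disabled separately, which the rules above do not do.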

I recommend IPFire. What's the difference? Basically, IPFire is more boring, but very stable. pfSense is very interesting, but not as stable.

Build one machine to host all your services as VMs. Plex can quite comfortably run as a virtual instance, and then you can do cooler things with your NAS and treat it all as one big cloud blob that gets allocated to specific VMs for specific purposes (such as reading and writing movies). If you're running Hyper-V, you can very easily segregate your network with virtual switches, to make one group of VMs in your DMZ, for example, one on your LAN, and one on a separate subnet. So powerful!

Then build a simple hardware machine with at least two NICs to run your firewall from. This sort of infrastructure is much more scalable, and VMs make maintenance soooo easy.

I have 2 Asus AC68s. Can I use those for some sort of network instead of buying a UniFi AC? They are quite new, a bit sad to just throw them away :)

Speaking in terms of adding a layer of security.

Thinking of installing Tomato by Shibby on one of them and adding the benefit of VLANs:

That sounds ideal but super time-consuming to set up and maintain. That's corporate-level kinda stuff. :)

Yep, that’s a pretty good walkthrough, and basically what I said above. Segregate your wifi and use multiple subnets. You’ll only need one router for that, unless you’re extending the range.

The key thing is that you understand iptables, since that's what you are using to provide the security, and the rules can get very complex (and easy to get wrong and leave security holes). That's why it's better to use a firewall that's upstream of your routers; it means the routers can be relatively agnostic of what's going on, and all the networking information is defined in one place. And since IPFire is designed for this sort of thing, it is easier to manage. Either way, you'll still need the wireless access points.
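The post above says iptables rules are easy to get wrong and leave holes. As an added example, not code from the original post or from IPFire, the script below models a FORWARD chain for the segmented network the thread is describing (LAN, IoT and guest subnets) with iptables' first-match semantics, writes the intended policy down as probe packets, and checks a ruleset against it. The subnets, the interface name and the rules are assumptions; the "bad" ruleset reproduces a realistic slip, an "allow the cameras out" rule written without an out-interface and placed above the segmentation DROPs.

```python
"""
First-match model of an iptables FORWARD chain for a segmented home network.

Added example, not from the original post. Subnets, interface name and rules
are assumptions. iptables evaluates rules top to bottom, so a broad ACCEPT
above the segmentation DROPs quietly defeats them; the intended policy is
expressed as probe packets and every ruleset is checked before it goes live.
"""
import ipaddress

ZONES = {  # assumed addressing; anything outside these is treated as "wan"
    "lan": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
    "guest": ipaddress.ip_network("192.168.30.0/24"),
}
WAN_IFACE = "wan0"  # assumed upstream interface name


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "wan")


def rule(src, dst, target, proto=None, dport=None, state=None):
    return {"src": src, "dst": dst, "target": target,
            "proto": proto, "dport": dport, "state": state}


def pkt(src, dst, proto="tcp", dport=443, state="NEW"):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "state": state}


def matches(r, p):
    return ((r["src"] == "any" or zone_of(p["src"]) == r["src"])
            and (r["dst"] == "any" or zone_of(p["dst"]) == r["dst"])
            and (r["proto"] is None or r["proto"] == p["proto"])
            and (r["dport"] is None or r["dport"] == p["dport"])
            and (r["state"] is None or r["state"] == p["state"]))


def verdict(rules, p, chain_policy="DROP"):
    """First matching rule wins; otherwise fall through to the chain policy."""
    return next((r["target"] for r in rules if matches(r, p)), chain_policy)


def to_iptables(r):
    """Render one model rule as an iptables command (for review, not execution here)."""
    parts = ["iptables -A FORWARD"]
    if r["state"]:
        parts.append(f"-m conntrack --ctstate {r['state']}")
    if r["src"] not in ("any", "wan"):
        parts.append(f"-s {ZONES[r['src']]}")
    if r["dst"] == "wan":
        parts.append(f"-o {WAN_IFACE}")
    elif r["dst"] != "any":
        parts.append(f"-d {ZONES[r['dst']]}")
    if r["proto"]:
        parts.append(f"-p {r['proto']}")
    if r["dport"]:
        parts.append(f"--dport {r['dport']}")
    parts.append(f"-j {r['target']}")
    return " ".join(parts)


# Intended segmentation: LAN may go anywhere; IoT and guest may only reach
# the internet; the one exception is LAN clients pulling RTSP from a camera.
GOOD_RULES = [
    rule("any", "any", "ACCEPT", state="ESTABLISHED"),
    rule("lan", "iot", "ACCEPT", proto="tcp", dport=554),
    rule("iot", "lan", "DROP"),
    rule("iot", "guest", "DROP"),
    rule("guest", "lan", "DROP"),
    rule("guest", "iot", "DROP"),
    rule("lan", "any", "ACCEPT"),
    rule("iot", "wan", "ACCEPT"),
    rule("guest", "wan", "ACCEPT"),
]

# Same intent, but "let the cameras reach their update servers" was written
# without an out-interface and placed above the DROPs.
BAD_RULES = [GOOD_RULES[0], rule("iot", "any", "ACCEPT"), *GOOD_RULES[1:]]

# The policy as probe packets: (packet, expected verdict).
EXPECTED = [
    (pkt("192.168.10.5", "203.0.113.9"), "ACCEPT"),                # lan -> internet
    (pkt("192.168.20.50", "203.0.113.9"), "ACCEPT"),               # camera -> internet
    (pkt("192.168.20.50", "192.168.10.5"), "DROP"),                # camera -> lan
    (pkt("192.168.10.5", "192.168.20.50", dport=554), "ACCEPT"),   # lan -> camera RTSP
    (pkt("192.168.30.7", "192.168.20.50", dport=554), "DROP"),     # guest -> camera
    (pkt("192.168.20.50", "192.168.10.5", state="ESTABLISHED"), "ACCEPT"),  # replies
]


def violations(rules):
    """Probes whose verdict differs from the intended policy."""
    return [(p, want, verdict(rules, p)) for p, want in EXPECTED
            if verdict(rules, p) != want]


if __name__ == "__main__":
    print("good ruleset violations:", violations(GOOD_RULES))
    print("bad ruleset violations:", violations(BAD_RULES))
    print("\n".join(to_iptables(r) for r in GOOD_RULES))
```

The good ruleset passes every probe; the bad one lets the camera open new connections into the LAN, which is exactly the hole the post warns about, and it is invisible from the rules themselves because the offending ACCEPT looks harmless on its own. The model ignores interfaces on the source side and NAT, so it checks intent, not the live kernel state; the rendered commands are what you would then apply on the upstream firewall.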

I'm an IT security engineer; I work with Check Point, Fortinet, F5, Imperva, Aruba, etc.

So, use a small cheap PC and download the Sophos UTM Home Edition firewall.
You can use it for VPN, captive portal, IPS, antivirus … and a WAF (Web Application Firewall) for your HA web page.

This is a professional firewall with a nice GUI, easy to use, with many possibilities.

https://www.sophos.com/en-us/products/unified-threat-management.aspx


Agreed! Sophos UTM is definitely a great product and has a much easier interface for setting up the reverse proxy and IPS than HAProxy or Squid in pfSense, or rolling your own nginx.


This is interesting. I’ve been testing things on SSL Labs and get an A for everything.

Securityheaders.io gives me an F on my HA instance (though a B on Nextcloud). Guess I should take another look at my reverse proxy at some point. Thanks!
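The post above gets an F from securityheaders.io on the HA instance and suspects the reverse proxy. As an added example, not code from the original post and not securityheaders.io's scoring, the script below audits a response's headers against a baseline of my own (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) and maps each gap to the nginx add_header directive that closes it. The raw response is constructed, nginx is assumed as the proxy, and the directive values are my suggestions.

```python
"""
Response-header audit for a reverse proxy in front of Home Assistant.

Added example, not from the original post. The baseline and thresholds are
mine, the sample response is constructed, and the fixes assume nginx.
"""
import re


def _hsts_ok(value):
    """Accept HSTS only with a max-age of at least 180 days (assumed threshold)."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 15_552_000


# Header name (lower-case) -> predicate that is True when the value is acceptable.
BASELINE = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: bool(v.strip()),
}

# Suggested nginx directives. CSP starts in report-only mode on purpose: an
# enforced policy can break the HA frontend, so tune it from the reports first.
NGINX_FIX = {
    "strict-transport-security":
        'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;',
    "content-security-policy":
        'add_header Content-Security-Policy-Report-Only "default-src \'self\'" always;',
    "x-content-type-options": 'add_header X-Content-Type-Options "nosniff" always;',
    "x-frame-options": 'add_header X-Frame-Options "SAMEORIGIN" always;',
    "referrer-policy": 'add_header Referrer-Policy "strict-origin-when-cross-origin" always;',
    "permissions-policy":
        'add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;',
}

# Constructed response: a short HSTS lifetime, an obsolete ALLOW-FROM value,
# and most of the baseline missing; roughly what earns a poor grade.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOW-FROM https://example.org
"""


def parse_headers(raw):
    """Lower-cased header dict from a raw status line plus header block."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """Classify each baseline header as ok, weak (present but poor) or missing."""
    report = {"ok": [], "weak": [], "missing": []}
    for name, accept in BASELINE.items():
        if name not in headers:
            report["missing"].append(name)
        elif accept(headers[name]):
            report["ok"].append(name)
        else:
            report["weak"].append(name)
    return report


def nginx_directives(report):
    """The add_header lines needed for every missing or weak header."""
    return [NGINX_FIX[h] for h in report["missing"] + report["weak"]]


if __name__ == "__main__":
    report = audit_headers(parse_headers(SAMPLE_RESPONSE))
    for kind in ("weak", "missing"):
        print(kind, report[kind])
    print("\n".join(nginx_directives(report)))
```

One nginx detail that bites here: add_header directives are inherited from the enclosing block only when the current block (a location, say) has none of its own, so put the set in one place, or repeat it in every location that defines any add_header. The report-only CSP will still count as "missing" in this audit until it is promoted to an enforcing Content-Security-Policy header, which is the intended order of operations.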

Couple this with fail2ban.

I have recently prepared a Dockerfile which sets up a reverse proxy that requires OpenID Connect authentication to gain access to whatever is proxied behind it. Using Google as the authentication provider with 2-factor authentication activated, HASS should be pretty safe. Here's the post: Multi-Factor-Authentication via OAuth (nginx reverse proxy in Docker container)


You could try using Cloudflare. Their free tier provides some basic protections… if you upgrade to the $20 plan, that has a built-in WAF.


I have resisted exposing my HA to the WAN until I was reasonably sure that I knew what I was doing. I am a Linux novice but very security conscious. I also don't want to have to use third-party services if possible. So I decided to go with TightVNC server/viewer (with androidVNC for my Android phone) combined with Stunnel4 to provide the secure SSL layer. It works well, especially if you set up the TightVNC server with a geometry parameter to match your phone screen resolution. I just need one port-forwarding rule on my router. Stunnel and the TightVNC server are both enabled to start automatically at boot.

I was wondering if anyone else has gone this route and if it is as secure as I hope.

Following on from my comment, I’ve just written an article about the challenges of securing home automation networks using non-enterprise hardware. https://echoit.co.nz/securing-home-automation-networks/

In short, the typical homeowner either needs to start engaging with security issues at a really high level, or the security industry needs to find ways of making it accessible and scalable at the home level.


Nice article, I’ll have to do some more research and thinking about this topic, thanks.


I know this is an old thread (I was revisiting security now that wildcard certificates have been released), but +1 for Sophos. Do you use it for presence detection, and if so, what have you found to work best? I'm currently just pinging each of my 3rd-party access points, but it'd be nice to centralize and possibly integrate with Sophos' authentication and identity management. Ping, Nmap, and SNMP all have shortcomings even before introducing multiple subnets and FW rules.

How do I set this up? I am a beginner.

I just put:

http:
  ip_ban_enabled: true
  login_attempts_threshold: 10  # optional

and then create an ip_bans.yaml file, and HA will write banned IPs there automatically. Nothing more to type?

I use OpenVPN on the router, and set it to only protect incoming traffic so the rest of the family can have a simple way out. I used Cloudflare Access with two-stage authentication before and that worked flawlessly too. And it's free.


Hi,

Great article.
Could I have a bit more detail on pfSense and nginx? Can they run on the same server?

Hi, nice tutorial!!!

I want to move to Cloudflare, but I'm wondering if my Alexa Custom Skills, Control Devices and Flash Briefing skills will still work after the change. Or is there a way to do this?

I already tried the change, and none of the skills worked anymore. I have now reverted to the old situation and everything is working again.

So I need some help changing to Cloudflare, with the correct steps for how to do this, especially for the Alexa skills.

Very late, but no one has answered. I use Cloudflare authentication to protect my HA. Now when I log in to Cloudflare Access Control and want to activate my skill in Alexa, the skill doesn't accept it. Does anyone have an idea why?