Thanks so much! It really is helpful! @wingers1290
And thanks @Bob_NL for the tip on IP banning. I’ll go log my attempted intruder now
The best way? Depends how savvy you are, family approval factor, and how much pain and suffering you are willing to put up with. The internet is a dangerous place for anyone, especially your house and private lives. If you don’t really know what you are doing, a VPN is usually a great first step instead of exposing HASS to the internet.
My current setup consists of, following the flow of a packet from Internet -> Cloudflare -> Firewall -> NGINX -> HASS:
Hosted DNS, TLS/Certificate, and proxied through Cloudflare using Authenticated Origin Pulls. This is all free, and they have excellent documentation and tutorials. Even if you don’t upgrade to Pro (for the WAF) there are great features like DNSSEC and Certificates. Be careful with the caching settings, I have had a few problems with HASS when those settings were enabled. Don’t forget to enable websocket support in the CF console!
pfSense 2.4 running dynamic DNS updates to Cloudflare, Snort pro rules with custom tuned rules for the WAN interface and ‘balanced’ rule set on LAN/IOT. Then add pfBlockerNG with cherry-picked threat feeds from FireHOL. If an IP address ends up sending you a packet of any kind and it is known by these feeds… they generally don’t need to continue and get blocked. Why let an attacker try all your doors and windows when you know they are bad after one knock?
(2a) Take a look for some big names. Talos (Cisco), Bambenek, Binary Defense Systems (BDS) and other well-known threat intelligence feeds are out there for free.
Previously mentioned by others: pfSense as a router on a stick, and UniFi wireless/switch run three networks: LAN, IOT, and Guest. Dump everything in the IOT VLAN and set up very specific firewall rules between your VLANs. Block by default and use the firewall logs to figure out what is the minimum set of ports (if any) you need back into the LAN.
NGINX running locally as a reverse proxy using TLS and a certificate provided by Cloudflare, combined with authN origin pulls from #1. I have been lazy, but want to get around to running mod_security as a module here if you wanted to BYO-WAF instead of paying Cloudflare. I kinda-sorta compensate with some Snort web app rules, but I should get around to this…
(5a) If you didn’t want to go with Cloudflare, you could also set up your own NGINX mutual auth using your own self-signed certificates.
Home Assistant with a good password, and make sure you read the component docs to set up cors_allowed_origins, use_x_forwarded_for (critical for correct proxy functionality), ip_ban_enabled, and login_attempts_threshold.
Make sure you test and run scans on your domain using SSL Labs or HTBridge. Then check your headers using securityheaders.io. Lastly, sign up for a free Shodan account and search your own IP. Shodan should only show ports you expect (like TCP 443 for HTTPS/TLS).
Stay on top of your patching. OS, Packages, Libraries, patch it all and constantly.
A full writeup of that would be quite the saga, and there is probably something I missed. However, take a look at either a VPN or Cloudflare first and get started, buy a domain from a reputable reseller like Gandi and not GoDaddy, then configure HASS and NGINX… big win and free TLS/certificates. Second priority would be pfSense, what a wonderful piece of free open source software and packages. Dump your terrible consumer router and never look back. I could see some not bothering with segmented VLANs and wifi… leave this until later, as being exposed to the internet is your primary threat. Some terrible Wemo devices I am afraid of, Alexa, and the NVIDIA Shield all belong in the dirty IOT VLAN because they are far too chatty for my liking.
Wow, this is really good to read (although I’m getting paranoid about my security when I read it). I’m using VPN to access my hass, and wanted to fiddle with VLANs and iptables when I realized that my ASUS router was too limited.
Have been looking into pfSense; need to buy a new server for my Plex, then install pfSense on my old Plex server first.
By the way, what’s your opinion on OPNsense vs pfSense? Have read a lot about the similarities and differences and it gets a little bit dirty sometimes…
Follow-up question: are you accessing your hass remotely with all that security? Thinking about the Cloudflare etc.
An extra tip here…
Admittedly, these are so common nowadays, e.g. when your devices are checking for firmware / release updates.
Either create firewall rules that allow such traffic (port, IP, URL), or lock it down in full.
Follow the rule “if it’s not broken, don’t fix it”.
Lesson from my end: an IP CAM joined my network and was working perfectly until I noticed a certain spike of traffic streaming out of my network.
I found the IP CAM was doing autonomous updates to a server in China. The intention was good, helping its customers to connect back to their cameras when on the open internet, but not when their servers are playing up and giving different tokens back to end users.
Using their iOS and Android app, I ended up seeing someone else’s bedroom, sometimes a hallway, other times parking lots. (So you can imagine who that sick puppy was, showing interest in my garage and front porch, spending time online congesting my BW.)
Key culprit here: the IP CAM was doing a remote dydns update with a server in China, negotiating with my router to allocate a port and keeping an “open session” with the remote server. So I hunted down this service, disabled dydns in the IP CAM, blocked the dydns address in my router firewall, and restricted all IP CAMERA traffic in-house.
I recommend IPFire. What’s the difference? Basically, IPFire is more boring, but very stable. pfSense is very interesting, but not as stable.
Build one machine to host all your services as VMs. Plex can quite comfortably run as a virtual instance, and then you can do cooler things with your NAS and treat it all as one big cloud blob that gets allocated to specific VMs for specific purposes (such as reading and writing movies). If you’re running Hyper-V, you can very easily segregate your network with virtual switches, to make one group of VMs in your DMZ, for example, one on your LAN, and one on a separate subnet. So powerful!
Then build a simple hardware machine with at least two NICs to run your firewall from. This sort of infrastructure is much more scalable, and VMs make maintenance soooo easy.
I have 2 ASUS AC68s; can I use those for some sort of network instead of buying a UniFi AC? They are quite new, a bit sad to just throw them away.
Speaking in terms of adding a layer of security.
Thinking of installing Tomato (Shibby) on one of them and adding the benefit of VLANs:
That sounds ideal but super time-consuming to set up and maintain. That’s corporate-level kinda stuff.
Yep, that’s a pretty good walkthrough, and basically what I said above. Segregate your wifi and use multiple subnets. You’ll only need one router for that, unless you’re extending the range.
The key thing is that you understand iptables, since that’s what you are using to provide the security, and they can get very complex (and easy to get wrong and leave security holes). That’s why it’s better to use a firewall that’s upstream of your routers; it means the routers can be relatively agnostic of what’s going on, and all the networking information is defined in one place. And since IPFire is designed for this sort of thing, it is easier to manage. Either way, you’ll still need the wireless access points.
I’m an IT security engineer; I work with Check Point, Fortinet, F5, Imperva, Aruba, etc.
So, use a small cheap PC and download the Sophos Home UTM firewall.
You can use it for VPN, captive portal, IPS, antivirus… and WAF (Web Application Firewall) for your HA webpage.
This is a professional firewall with a nice GUI, easy to use with many possibilities.
https://www.sophos.com/en-us/products/unified-threat-management.aspx
Agreed! Sophos UTM is definitely a great product and has a much easier interface to set up the reverse proxy and IPS than HAProxy or Squid in pfSense or rolling your own NGINX.
This is interesting. I’ve been testing things on SSL Labs and get an A for everything.
Securityheaders.io gives me an F on my HA instance (though a B on Nextcloud). Guess I should take another look at my reverse proxy at some point. Thanks!
I recently have prepared a Dockerfile which sets up a reverse proxy that requires OpenID Connect authentication to gain access to whatever is proxied behind. Using Google as the authentication provider with activated 2-Factor-Authentication, HASS should be pretty safe. Here’s the post: Multi-Factor-Authentication via OAuth (nginx reverse proxy in Docker container)
You could try using Cloudflare. Their free tier provides some basic protections… if you upgrade to the $20 plan, that has a built-in WAF.
I have resisted exposing my HA to the WAN until I was reasonably sure that I knew what I was doing. I am a Linux novice but very security conscious. I also don’t want to have to use third-party services if possible. So I decided to go with TightVNC server/viewer (with androidVNC for my Android phone) combined with stunnel4 to provide the secure SSL layer. It works well, especially if you set up the TightVNC server with a geometry parameter to match your phone screen resolution. I just need one port forwarding rule on my router. stunnel and TightVNC server are both enabled to start automatically at boot.
I was wondering if anyone else has gone this route and if it is as secure as I hope.
Following on from my comment, I’ve just written an article about the challenges of securing home automation networks using non-enterprise hardware. https://echoit.co.nz/securing-home-automation-networks/
In short, the typical home owner either needs to start engaging with security issues at a really high level - or the security industry needs to find ways of making it accessible and scalable at the home level.
Nice article, I’ll have to do some more research and thinking about this topic, thanks.
I know this is an old thread (was revisiting security now that wildcard certificates have been released), but +1 for Sophos. Do you use it for presence detection, and if so, what have you found to work best? I’m currently just pinging each of my 3rd party access points, but it’d be nice to centralize and possibly integrate with Sophos’ authentication and identity management. Ping, Nmap, and SNMP all have shortcomings even before introducing multiple subnets and FW rules.
How do I set this up? I am a beginner.
I just put:
http:
  ip_ban_enabled: true
  login_attempts_threshold: 10  # optional
and then create the ip_bans.yaml file and HA will write banned IPs down automatically. Nothing more to type?
I use OpenVPN in the router, and set it to only protect incoming traffic so the rest of the family can have a simple way out. I used Cloudflare Access with two-stage authentication before and that worked flawlessly also. And it’s free.
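A small Python model of what ip_ban_enabled, login_attempts_threshold and use_x_forwarded_for do together behind the NGINX reverse proxy from the earlier post (added here as an illustration, not Home Assistant's own code). It shows the failure mode the earlier post calls "critical": with use_x_forwarded_for off, every failed login is attributed to the proxy's own address, so the ban meant for one client locks everyone out. The proxy address 192.168.1.10 and the client addresses are constructed for the example.

```python
"""Illustrative model of HA's ip_ban_enabled / login_attempts_threshold behind a reverse proxy."""
from datetime import datetime, timezone
import ipaddress

# Assumption (constructed): the NGINX reverse proxy reaches HA from 192.168.1.10 or localhost.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32"), ipaddress.ip_network("127.0.0.1/32")]


class LoginGuard:
    def __init__(self, threshold=10, use_x_forwarded_for=True):
        self.threshold = threshold                  # login_attempts_threshold
        self.use_x_forwarded_for = use_x_forwarded_for
        self.failed = {}                            # client ip -> failed attempts
        self.bans = {}                              # client ip -> banned_at (what ip_bans.yaml stores)

    def client_ip(self, peer_ip, headers):
        """Real client address: honour X-Forwarded-For only when the option is on AND the
        TCP peer is our own proxy, so a client connecting directly cannot spoof the header."""
        peer = ipaddress.ip_address(peer_ip)
        xff = headers.get("X-Forwarded-For")
        if self.use_x_forwarded_for and xff and any(peer in net for net in TRUSTED_PROXIES):
            return ipaddress.ip_address(xff.split(",")[0].strip())  # leftmost = original client
        return peer

    def handle_login(self, peer_ip, headers, password_ok):
        """Return 'ok', 'failed' or 'banned'; the client is banned once it hits the threshold."""
        ip = self.client_ip(peer_ip, headers)
        if ip in self.bans:
            return "banned"
        if password_ok:
            self.failed.pop(ip, None)
            return "ok"
        self.failed[ip] = self.failed.get(ip, 0) + 1
        if self.failed[ip] >= self.threshold:
            self.bans[ip] = datetime.now(timezone.utc)
            return "banned"
        return "failed"

    def ip_bans_yaml(self):
        """Render the ban list in the layout HA writes to ip_bans.yaml."""
        return "".join(f"{ip}:\n  banned_at: '{at.isoformat()}'\n" for ip, at in self.bans.items())


def simulate(use_x_forwarded_for):
    """Constructed scenario: an attacker fails 10 logins via the proxy, then a legitimate
    user (a different client behind the same proxy) logs in with the right password."""
    guard = LoginGuard(threshold=10, use_x_forwarded_for=use_x_forwarded_for)
    proxy = "192.168.1.10"
    for _ in range(10):
        guard.handle_login(proxy, {"X-Forwarded-For": "203.0.113.7"}, password_ok=False)
    result = guard.handle_login(proxy, {"X-Forwarded-For": "198.51.100.9"}, password_ok=True)
    return result, sorted(str(ip) for ip in guard.bans)
```

simulate(True) bans only 203.0.113.7 and the legitimate user still gets "ok", while simulate(False) bans 192.168.1.10, the proxy itself. Current Home Assistant releases require a matching trusted_proxies list under http: alongside use_x_forwarded_for for exactly the reason client_ip checks the peer address.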