HA security and hacking

The cloud services only allow you to interact over Google Assistant/Alexa. That doesn’t do anything to give you secure access to the HA frontend.

bummer, I didn’t know that :frowning: Thanks for pointing it out though

My router has a VPN server inbuilt but I use a strong API password on the frontend and terminal and configurator as well so they are exposed to the Internet and on SSL and DuckDNS. I really don’t want to have to use the VPN for this though and with strong passwords don’t see that this is a problem. My router forwards those 3 ports.

Searching my IP and my duckdns name on Shodan gives no matches. Am I missing something here?
I only set a SMB username and password this week but I don’t think that was necessary anyway as I don’t have SMB exposed anyway.

@DavidFW1960 which 3 ports?

8123, 3218, 7681

Why 3218 and 7681? These are not needed for HA.

Hassio Addons Terminal & Configurator. I did mention that above I believe. If you don’t forward those ports you can’t connect.

Ok, well these ports only need to be forwarded if you want to access terminal and configurator from outside your local network as far as I understand. Personally I would be very cautious doing so as one small mistake (eg forgetting to change the default password in the terminal addon) gives full access to your system.

I would suggest keeping stuff which gives access to the core of your system limited to local access. Since your router supports VPN that should not limit you doing stuff remotely.

Thanks but I have it configured correctly and it works just the way I want it to.

As the OP, despite some of the replies here which I broadly accept are all offering a reasonable point of view I still have what I believe are some legitimate concerns. Be that as it may, I would like to try and clarify a couple of things for my own understanding (and hopefully to help others).

I use hass.io
I use DuckDNS and LetsEncrypt.
I use the MQTT addon
I have the Samba addon so that I can use Visual Studio Code

I have a strong HTTP password for HA
I have a strong password for the MQTT addon
I have a strong password for the Samba addon

I have two ports open, one for HA and one for MQTT.

This feels like it will quite likely be a very common setup for lots of people.

Is there anything more I could do right now to secure my system, bearing in mind that I am not proficient (yet?) with reverse proxies, VPN etc.?

And finally, am I right in thinking that my Samba shares are only accessible locally with this configuration even if (and I wouldn’t) I removed the Samba password because no port is open for Samba and HA does not expose it?

Thanks.

You don’t mention it, but I hope you encrypt your MQTT traffic if you are using it from the internet.


The documentation is largely written by the community - if you think it can be improved then you are encouraged to submit updates. Posting in a forum thread complaining about the state of things is easy, helping to make things better is harder :wink:


There is however a huge range between “secure enough” and “fully secure”. Even in the security world “fully secure” is a thing that’s rarely aimed for and kept for the absolute highest threat situations (and let’s be honest, never achieved). If you’re using SSL and a “good” password then the risks are minimal. If you move it off to a random high numbered port then odds of some idiot finding you at random drop off massively.

Let’s put it this way - none of the services you’re using on the Internet are “fully secure” :wink: If they wanted fully secure, as @flamingm0e said, it wouldn’t be on the Internet.

Good password? Experts constantly change their mind on what that means, but my view is as long as it’s not dictionary words, not something you’ve used somewhere else, and at least 10 characters you’re on the right path. Use a password manager and generate some random gibberish.

PiVPN is easy to install if you need general remote access, and it’s secure.

Other than ensuring that you’ve got SSL for MQTT, you’re good.

Correct - the only things accessible from the Internet are the things you forwarded ports for.

Thank you that largely puts my mind at rest!

Except for one thing…

One of the first things I did with HA was to set up Mosquitto on hass.io when I knew even less than I do now.

I hadn’t been using SSL (oops) but now I am. However whilst OwnTracks connects successfully to the Mosquitto addon (so something is right!) HA itself will not recognise any of my sonoff switches anymore.

Do I need to do something else in my config? The docs for MQTT Brokers (https://www.home-assistant.io/docs/mqtt/broker/#certificate) mention a certificate but give no clue how to get one and the Mosquitto docs (https://www.home-assistant.io/addons/mosquitto/#listening-simultaneously-on-ssltls-8883-and-insecure-1883-ports) talk about using both ports. I am a little confused.

Thanks for any help.

Currently I have:

# MQTT configuration
mqtt: 
  broker: core-mosquitto
  port: 8883
  username: !secret mqtt_username
  password: !secret mqtt_password

Your local devices connect to the insecure port (1883) which means you need to configure your broker to listen to both ports.

Just to return to your original point, what needs to be done to stop someone like you doing this? Opening insecure ports to the internet seems the most basic security problem.

@gpbenton I would like to respond to that more fully later because hopefully I will be able to add something useful from my experience that might help to improve the experience of others. But first…

(and also @sjee)

I just cannot get Mosquitto to work with HA now that I have successfully set it up for TLS.

The docs are, I’m afraid, a bit sketchy on this subject. I have Owntracks talking to my hass.io Mosquitto addon server through TLS perfectly. What I cannot get working though is my sonoffs on HA talking to Mosquitto.

I would be incredibly grateful for any advice as my entire HA setup is currently useless as it relies on MQTT! Sadly it was all working perfectly before I secured MQTT traffic :anguished:

My configs are as follows:

configuration.yaml (NOTE: there is no certificate variable as I don’t know what to put there, if anything)

# MQTT configuration
mqtt: 
  broker: core-mosquitto
  port: 8883
  username: !secret mqtt_username
  password: !secret mqtt_password

My Mosquitto config looks like this:

{
  "plain": false,
  "ssl": true,
  "anonymous": false,
  "logins": [
    {
      "username": "xxxxxxx",
      "password": "xxxxxxx"
    }
  ],
  "customize": {
    "active": true,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

My Mosquitto log is:


starting version 3.2.2
Error: Unable to open include_dir '/share/mosquitto'.
Error found at /etc/mosquitto.conf:19.
Error: Unable to open configuration file.

I have the file insecure.conf in a folder as follows but clearly it is not finding it:

[screenshot of the folder layout not reproduced]

I have some sonoffs configured to use port 1883 and some to use 8883 but none show up in HA. Owntracks as I said is connected in the app via 8883 but HA does not see it.

Thanks in advance, this has been one step forward (in security) and two steps back (in HA functionality)!

You need to use the unencrypted port - 1883 - from HA. There is no need to encrypt data on your local network.
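A worked check for the two-listener setup the replies above describe (plaintext 1883 for HA and the sonoffs on the LAN, TLS 8883 for clients coming in from the internet, and an include_dir that actually exists). This is an added example, not the Mosquitto add-on's own code or anything from the Home Assistant docs: the directive names are standard mosquitto.conf syntax, but the sample configs, the LAN address 192.168.1.10 and the /ssl and /share paths are constructed placeholders.

```python
"""Lint a mosquitto.conf for the LAN-plaintext / internet-TLS listener split.

Added example, not the Home Assistant add-on's own code. The sample configs
below are constructed; paths and addresses are placeholders.
"""
import os
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Listener:
    port: int
    bind: Optional[str] = None          # None: mosquitto binds all interfaces
    certfile: Optional[str] = None
    keyfile: Optional[str] = None

    @property
    def tls(self) -> bool:
        # mosquitto turns TLS on for a listener once certfile and keyfile are set
        return bool(self.certfile and self.keyfile)


@dataclass
class BrokerConfig:
    listeners: List[Listener] = field(default_factory=list)
    allow_anonymous: bool = False
    include_dirs: List[str] = field(default_factory=list)


def parse_mosquitto_conf(text: str) -> BrokerConfig:
    """Parse the subset of directives that matter for this check.

    certfile/keyfile attach to the most recently declared listener, as in
    mosquitto itself; comments are whole lines starting with '#'.
    """
    cfg = BrokerConfig()
    current: Optional[Listener] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            parts = value.split()
            current = Listener(port=int(parts[0]),
                               bind=parts[1] if len(parts) > 1 else None)
            cfg.listeners.append(current)
        elif key in ("certfile", "keyfile") and current is not None:
            setattr(current, key, value)
        elif key == "allow_anonymous":
            cfg.allow_anonymous = value.lower() == "true"
        elif key == "include_dir":
            cfg.include_dirs.append(value)
    return cfg


ALL_INTERFACES = (None, "0.0.0.0", "::")


def lint(cfg: BrokerConfig,
         dir_exists: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for lst in cfg.listeners:
        if not lst.tls and lst.bind in ALL_INTERFACES:
            findings.append(f"listener {lst.port}: plaintext listener bound to all "
                            "interfaces; bind it to the LAN address and never "
                            "forward it on the router")
    if cfg.allow_anonymous:
        findings.append("allow_anonymous true: no credentials needed on any listener")
    if not any(lst.tls for lst in cfg.listeners):
        findings.append("no TLS listener: remote clients would send credentials in clear")
    for d in cfg.include_dirs:
        if not dir_exists(d):
            # mosquitto refuses to start on a missing include_dir; this is the
            # 'Unable to open include_dir' error shown in the add-on log above
            findings.append(f"include_dir {d}: directory missing, broker will not start")
    return findings


def lint_text(text: str, dir_exists: Callable[[str], bool] = os.path.isdir) -> List[str]:
    return lint(parse_mosquitto_conf(text), dir_exists)


# Constructed sample of the intended shape: plaintext on the LAN only, TLS outside.
GOOD_CONF = """
# LAN-only plaintext listener for HA and the sonoffs (placeholder address)
listener 1883 192.168.1.10
# TLS listener for OwnTracks arriving over the internet (placeholder cert paths)
listener 8883
certfile /ssl/fullchain.pem
keyfile /ssl/privkey.pem
allow_anonymous false
password_file /etc/mosquitto/passwd
include_dir /share/mosquitto
"""

# Constructed sample of the shape to avoid: open plaintext, no auth, no TLS.
WEAK_CONF = """
listener 1883
allow_anonymous true
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, lint_text(conf, dir_exists=lambda d: True) or ["ok"])
```

Run it against the broker's real mosquitto.conf (with the default `os.path.isdir`) and the include_dir finding reproduces the startup failure from the log without restarting the broker; the listener finding is the one that matters for the "opening insecure ports" point raised earlier in the thread, since a plaintext listener is only harmless when it is both bound to the LAN and left out of the router's port forwards.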