HA security and hacking

So what!
Specifically you are not using those specific addons I mentioned. I really wish there was a way to do what I am doing without forwarding the ports but there isn’t. I’ve tried many other configurations and they don’t work. I even corresponded with the plugin author. I’d love to not open those ports and have the same functionality but it’s not possible. Again, they are protected with strong passwords anyway so I don’t see this as a huge risk.

The solution to your problem is called split DNS. You just need to deploy a DNS server on your network that resolves your public DNS names to your internal IPs. Once you do that, you can stop port forwarding to those addons.

I’m not seeing this as a problem that needs to be solved to be honest.

Please don’t assume that you know my configuration.

Please don’t assume you know mine!

Please guys, your specific use cases are probably better taken to another thread.

Not sure what you are talking about. Please explain.

I’ll be plainer, take your only slightly relevant bickering elsewhere.

This post is hilarious. It’s a circle jerk indirectly blaming the naive user (that totally should know better) with who has the safest setup… I wouldn’t run HA without an IDS and IPS.

Wouldn’t it still get listed on the likes of Shodan using any port? I don’t see how the port number would change something like that, which surely scans all ports…

These connect for me on my LAN without the port forwarding, IF I use the IP address of the RPi rather than my duckdns address. The port forwarding is only required for external access, since that is what port forwarding is all about.

Yes for me as well but if you use the iFrame so it shows in the front end, you can’t do that.

Yes, there is no point in security through obscurity.

Neither my IP address (public and semi-static, very sticky) nor my duckdns address shows up on Shodan. I have no idea why.

This is the security thread, isn’t it? I am not bickering, nor am I taking action on the other party’s aggressive comments attempting to bait a flame war.

There just happens to be 2 or 3 conversations about the same subject. Very common in many threads here.

Yes this is quite the thread and shows just a small sample of why so many setups are insecure but this is more than just a Homeassistant issue.

Jumping out of this dumpster fire myself…

Shodan only reports the information they gathered during their scans (unless you buy credits), which might not be up to date, while ShieldsUP!, for example, scans your ports on the fly.

As interesting as many of the comments on here have been (and they have been, I am not being facetious), my OP was actually driving at something subtly different than who’s fault or responsibility system security was.

My underlying point was meant to be that wherever the responsibility lies, surely the goals of HA are not dissimilar to those of an equivalent commercial organisation - minus the profit motive, i.e. success and growth in the home automation arena.

It seems to me that it is in the best interest of the entire HA ecosystem to do whatever it can to (help) protect its users.

And even if resources only allow that to mean clear, concise documentation that is accessible to everyone that would be a start. I for one do not believe it is currently provided.

As I said in my OP:

To my mind that is not good enough, and as security of HA is clearly an issue at some level, I think it deserves a whole section of its own on the website.

I don’t want to be critical, I want HA to succeed and survive, but one of the surest ways for something like this to flounder is for it to get a reputation (fairly or not) for insecurity.

There obviously is a whole section on the website. The issue is people don’t read or simply ignore it because they don’t understand instead of searching or asking for help.

Well… that’s the problem. Maybe they are not clear for everyone but that doesn’t mean they aren’t relevant because they definitely are!

If I scan the specific ports in ShieldsUP! it shows them as open, as you’d expect.