I’ve not seen any sign of Shodan scanning every port. Let’s put it this way, I’ve had remote access going for well over 12 months, I’m not on Shodan.
It’s not security, but it does raise the bar one step. Security is why I run with NGINX doing authentication, and use fail2ban, and review the logs for failed attempts.
I’m thinking Shodan only scans the first 1024 ports (like the default GRC scan) but I could be wrong.
And here is another example why in my opinion the docs can be confusing.
I know there is logon_attempts_threshold but anyone reading this might now think they really need fail2ban. If they look in the docs it completely ignores the fact that (unless I am wrong - in which case, err, the docs 
) it can’t be used with hassio which is in itself confusing for less experienced users let alone worrying for them if they think they need it. And let’s not forget, I think we all agree that security should be implemented at the beginning i.e. when those new comers are inexperienced.
Suddenly they are afraid they are not as secure as they could/should be.
I’m just saying that I think the docs should always mention hassio even if it is to just to dismiss it. And if that is the case then I then think (especially) if the docs in question relate to security there should be some mention of alternatives or what the issue is with not using it or even advice that it is not necessarily essential to security.
I get the feeling many here really don’t agree with the thrust of what I am saying, just be aware that I don’t intend to cause anyone any offence or be critical of the efforts that go into this project
You’re right, in that the fail2ban docs don’t mention anything about Hass.io. Mind you, the security steps don’t mention fail2bain either.
If you want to suggest an edit to the fail2ban docs to highlight that it’s not (currently) possible on Hass.io then I’m sure we can get that merged in.
I think it’s more that there’s degrees to security, and some people are treating it as binary. Some people also seem to assume that it’s the developers responsible entirely - like it would be a house builders responsibility to ensure you locked your doors and windows every time you left the house.
There have been some good points raised here, and (IMO) some outright FUD by some posters.
Could the security documentation be improved? Sure - and I’d encourage people to do so. Could people actually take the time to read the documentation that’s there? That’d be nice 
I see a lot of assumptions in the thread. Just to be clear: We, the Home Assistant Developer, take security, privacy and integrity very serious.
Most points mentioned here are not new and we discussed some of them long and hard. Of course, a thread with the title “I got hacked” will get more attention than one with “I didn’t read the docs”. It’s pretty much the same as what happens with Efail. Sure, would it be nice if we would have the resources to review every module we depend on, improve the documentation or create a one-click-solution to protect people’s Home Assistant installation.
Because we know that people want to get access to their home automation solution from insecure networks we have multiple guides in different skill levels for securing the remote access. What’s not going to happen is that we start to duplicate existing guides/documentation/tutorial at a large scale because using a search engine is too much for some persons.
Other company solve this by making all service run through their cloud.
Reason I use HA is to avoid 3rd party cloud
More warnings may be needed but I do not think HA can prevent user with No Password or user Expose Samba.
EDIT
Just to be clear.
I feel better support may be provided to users through detailed instructions and I recommend some security rating system(5 stars or 5 skull/crossbones) to rate security danger of component uses if misconfigured.
I also know this is problem experienced by even large Enterprise and more wider issue than HA.
im afraid we are alone.
For the overwhelming majority of people here the “alert” is there on the front page of the docs and it’s enough. People deserve to suffer the consequence if they don’t read it or understand.
I’m still surprised with the lack of empathy and overall feel of superiority.
Thanks for the input, I appreciate all the work that you guys put on.
I think as a community we should avoid to judge people and look back on why it happened. For me the issue here is not on the programming side but the documentation. Looking on how many people posted their super secure setup I feel that would be great if they could share more in a dumb down version to help others incorporating on the already existing documentation.
You’re taking things way out of context and extrapolating your own skewed view of this subject.
A. If you follow the directions like you’re supposed to, you will actually see the warnings.
B. How many other things do people randomly open ports for without warning? (Gaming consoles come right to my mind at the top of the list).
You’re making it out to be that HA is somehow responsible for the security of the user’s Network, for which HA has no control. People would likely ignore a warning on their HA page anyway or put in a super easy password to get rid of the message. It doesn’t change the fact that people will refuse to learn what they are doing. They will just follow some random tutorials or videos without an inkling of an understanding of what they are doing. It’s been this way, literally, forever. HA warns the user in the documentation, and that should be as far as HA goes. Rewriting the documentation won’t fix the problem if they aren’t reading the documentation that’s already there…it’s just going to make it messier.
It is simply not the responsibility of HA to inform people the basics of internet/network security. You don’t HAVE to open up your install to the internet to use the software…
I’m not saying that. Saying that the documentation is bad is not the same as saying that it’s their fault. I was hoping to inspire people to help making it better.
And you are right we can avoid if people don’t read it. However, I believe we can make it better. You don’t.
But don’t worry I’m not going to suggest any changes in the documentation. Let’s all sit here and feel good that we did read the documentation.
Why aren’t they reading?
Why?
If you have ideas share them, but you’ve really said nothing but suggest the developers need to fix a problem, that you perceive exists. The problem is with the “end user”, not the software.
Make suggestions for the documentation! Do it! You don’t need the forums permissions to do so! You just fire up your text editor and start writing your changes. Submit your pull requests and wait for an answer.
Why have people literally never read the information in front of them?
Because of laziness, inability to understand why they would need to read it, or because they simply don’t care.
I have a more sympathetic view instead of assuming the worst of them. That user was me a few months ago.
Rewriting the documentation won’t fix the problem
I’m not writing because you convince me making abundantly clear that the documentation is good.
I would strongly advise to tune down a little. This is starting to become a flame war, which is not helping anybody.
I’ve been involved with open source projects for many many years and my view is very very different than yours.
You keep saying it’s not though.
What exactly are your ideas? How would you change things? Instead of pouting about not getting the support from everyone in the forums go submit your ideas. My opinion doesn’t matter in the slightest, and shouldn’t sway you away from trying to change things for what you perceive as better. My opinion is nothing more than my opinion. Your opinion is yours. Your opinion is that documentation should be made better, I want to know HOW it could be better. I don’t think you are grasping that concept. I’m not saying the documentation is great, I’m saying what more can you do or say that will make anyone actually read it, considering they obviously don’t read what’s already there?
No flame war here. Just a difference in opinions and ideas.
I have a question about ports.
Someone said here that any port can be used.
Is there special reason HA chose 8123?
Can I literally just:
And nothing will be different?
If I am right it begs the question as to why HA (or anyone) ever suggests a specific port number?
And I am more than happy to be told if this is a stupid question… 
Opening the port on your router doesn’t make the service listen on that port on your server.
You will need to forward port 60000 to 8123 on your HA server.
You have to define a port to listen on. The service internally on your network is different than anything your router does. You can use home assistant without exposing it to the internet and it still needs a port to listen on.
Ah, yes.
Thanks.
You can also make HA listen on a port other than 8123 by setting the server_port: option in the http component..
But just making it a different port does NOT make it more secure.