Yes, I’m just trying to get a better understanding 
No, but if you pick something high then you’ll move outside all the usual noise and when something does turn up in the logs, you’ll know it’s something to pay attention to.
2 Likes
Ports above 32k are routinely opened by your router. That is how a remote site returns information to a request. It isn’t a very useful range for port scanners since the ports don’t generally stay open very long and the attacker would need to know what vulnerability to exploit in the brief time they were open. Using upper ports shouldn’t be your only defence, but added to other protections sure cuts down on attempts. Every IP address has thousands of scans every day. If you have router logs, take a look. Pretty scary.
Completely agree.
I’m using MAC filtering for my wireless network.
Most of the IP Addresses STATIC.
DHCP limited for number of IP addresses distributed for network.
MAC filtering doesn’t actually help with security any more than hiding the SSID. It’s an extra layer against novice hackers I guess…
MAC addresses are about the easiest thing to spoof. Every operating system has a very simple setting to enable replacing the physical MAC address with another. Not that you shouldn’t do it, just not rely on any one thing for defence. As much as you can keep track of and manage.
That is not quite how NAT works.
NAT only opens a port as part of an OUTGOING transaction from within your LAN. Packets can only come into the LAN in response to an outgoing message.
1 Like
And how is this not a simpler version of what you wrote. I could have dragged in all sorts of NAT jargon which wouldn’t have made sense to most.
This is a good thread and this comment is where I will add my own comment. It appears that the focus is securing remote access, which is certainly important, and there has been mention of a code review that is also important, but I’m concerned with the talk that internal networks are secure and safe. All it takes is one host on that internal network to be compromised and used as a jump point to other hosts and eventually Home Assistant, and that “safe” internal network isn’t so safe anymore. This is common practice when seeking access to an internal system by hackers. Home Assistant should be secured as if it was on a unsecure network, regardless of it’s location.
The methods to secure all of a networks devices can be complex, and in some cases impossible, but to say that a home’s or business’s internal network is entirely safe is not correct. I feel that Home Assistant should enable security measures out of the box, but that would make things much more challenging for the project and less convenient for end users. I run Home Assistant on it’s own internal network, which is on a separate physical segment on my firewall, and also segment other internal device types by VLANs. Remote access to my networks are through a VPN. This is common practice, but not feasible for most home networks. Hence, my thought that HA should be secured even on a home network.
You mention “isolated network”, but does that include connectivity to the internet or any other network? Because that’s not an “air gaped” network. By placing Home Assistant on an air-gaped network, that would make it pretty much unusable from the rest of the internal network(s).
If I understand your line of thought that an internal network, one typically segmented from the public internet via a router or firewall, is considered to be air gaped, then I disagree with that position and consider it to be outdated and incorrect, yet popular.
For reference:
Hacker Lexicon: What Is an Air Gap?
"
“Air-gap refers to computers or networks that are not connected directly to the internet or to any other computers that are connected to the internet”
."
“… it is necessary to write data to a physical medium, and move it to a device on the latter network.” “It is not possible for network packets to “leap” across the air gap from one network to another”
Not entirely, someone may want it setup for pure automation processes. ZWave devices and homebrew sensors/relays do not require internet access to fulfil this case.
FYI these are hypothetical not how I run my setup.
Good point, but air gaping the HA server is pretty extreme. This is a good discussion to increase awareness of the security issues that we all face.
While we are on this, can we discuss docker and the potential for adding malware to container that get picked up at rebuild …use trusted Dev containers or build your own.
This is were I begin to see myself as IT equivalent of dooms day preper.
I’m sorry to go back to a section of this thread which was a little bit OT but I as I am the OP I decided it was ok.
So, I changed my port forwarding to a higher port as it seemed like good advice for even just a tiny bit of added security. I didn’t change the port HA listens on though as I didn’t see any point. So I have a this:
And everything is good. Except… my Sonos TTS cannot now play the mp3 file that HA creates because it is looking for it at mydomian.duckdns.org:myhighportnumber.
Is the only solution to use server_port in my config?
Does your router support NAT reflection/loopback? If so that should just work. You’ll probably need to update base_url: - but I wouldn’t change the server port, since that’ll change the port it’s actually listening on.
I don’t know about support for NAT reflection/loopback, I am using a consumer ISP (BT) router/modem and there is no mention of it anywhere. I did a quiick search and it wasn’t supported on the BT Home Hub 3 but apparently is on the Home Hub 5. I have the next generation (the SmartHub 6) so I am guessing it might be?!?!)
Should I change base_url: and see what happens? Sorry for the dumb question but I don’t want to change something that inadvertantly locks me out of my HA!
Changing base_url won’t lock you out.
Having SSH set up is good practice anyway, in case the GUI isn’t running. But before restarting you are I assume running a config check to be sure that you didn’t introduce errors.
This adds no security.
Unless we are to believe painting a house black makes it more secure from being broken into at night?
1 Like
Yes, Ok, not security. A little obscurity maybe.
I’m only following advice from here on this thread and I did purposely say a tiny bit.
Every little bit helps surely?
Thanks, I’ll give it at try and yes I always run check config!