HA Security. Consensus?

Indeed, DNS is a convenience element helping you (and others) find and connect to your IP, offering very little in the way of security.

Encryption prevents packets and passwords from being sniffed and picked up while travelling from your remote device to your server.

That does nothing to protect your server when accessed directly by someone else. You need a decent password and IPban as a minimum to prevent a simple brute force attack.

But that does nothing to stop people using any backdoor or exploit (known or not).

Simple.

Don't expose your home network to the outside world.

Poll the data you need to your systems from the outside.

Sure, it is safer to just not expose anything to the outside. Maybe I misunderstand your idea, but how do you poll anything from the outside if there is no way to do so?

You can use a number of systems to grab the data from an outside server. You do this every time you open a browser or have HA get the weather.

A better question would be to ask why do you need to open up HA to the outside? What is it you are wanting to do?

Use the Tor service on HA. There is also a Hass.io add-on. No ports to open, and with the stealth mode your HA is invisible.

A far better solution would be a VPN. Client to server, end to end fully encrypted and encapsulated on all ports and services, not just HTTP.

That way (unless it's your VPN software) even if there are exploits in the service you run it doesn't matter, because you're only exposing a VPN service to the outside world, which needs a certificate, not just a password.

I'm sorry, but I still can't make sense of your answer. What has using a web browser to browse the internet got to do with exposing a local port on your LAN to the WAN? To grab data from the so-called cloud, aka web servers, you don't need to expose anything to the WAN. Outbound traffic is no problem. It is the inbound traffic that has to be secured properly.

There are plenty of reasons to be using HA from outside your LAN: being able to control certain devices, check webcams, read values. So the question is not why to use it, but rather how to make it "bullet proof". And there are plenty of options that have already been mentioned in this thread.

I'm trying to work out if you're being deliberately facetious or not with this :roll_eyes:

People want to control their HA install when they aren't at home. You seem to know of a way of doing this by a polling method. If you do, please explain it to the group.

Correct. By using VPN, Tor (I think) or an SSH tunnel you don't have to expose HA's port to the outside, which makes it a lot more secure. You just have to make sure that your authentication mechanisms are set up correctly to ensure nobody but you (and whoever you consider) can access your local network.

I'm not sure how Tor works. With SSH you would need the port open for this and would need a user and password, unless you set up key exchange between the client and the device, making it password-less. The only setback with that is an SSH tunnel needs one per port/service.

I want to access lots of my home services: HA, OpenEnergyMonitor, Grafana, phpMyAdmin, my NAS, my router etc. VPN gives me all of the connections I need in one connection open on my router. Plus I can browse the internet via my home LAN without the local network knowing what I'm doing.

Haven't tried Tor, but to be honest it would take something pretty amazing to top VPN, for me.

You can use an SSH tunnel as a proxy; that way you'd be browsing pretty much like when you're at home. Pre-shared keys are a must in my opinion. But I use it only if I can't use VPN, which I prefer as well. I have yet to find a reason to expose the HA port to the outside world.
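The SSH-tunnel approach the posts above describe (key-only login on the one exposed SSH port, one local forward per service, a SOCKS proxy for browsing "like at home"), as an added example that is not from this thread or from Home Assistant; the endpoint home.example.net:2222, user pi and the LAN addresses are hypothetical, and the two sshd_config samples are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Endpoint home.example.net:2222, user
# "pi", HA at 192.168.1.10:8123 and Grafana at 192.168.1.11:3000 are assumed.
set -eu

# sshd uses the FIRST value given for a keyword, so report the first match
# (case-insensitive). Prints nothing when the keyword is absent.
first_value() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
      'tolower($1) == k { print $2; exit }' "$1"
}

# Returns 0 when the config is "password-less": password logins off, root
# login off, and public-key auth not disabled (it defaults to yes).
check_sshd_config() {
  cfg="$1"
  [ "$(first_value "$cfg" PasswordAuthentication)" = "no" ] || return 1
  [ "$(first_value "$cfg" PermitRootLogin)" = "no" ] || return 1
  [ "$(first_value "$cfg" PubkeyAuthentication)" != "no" ] || return 1
}

# One -L per service, as noted in the thread. BatchMode never falls back to a
# password prompt; ExitOnForwardFailure exits instead of leaving no tunnel.
tunnel_cmd() {
  printf 'ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes -p 2222 %s %s' \
    '-L 8123:192.168.1.10:8123 -L 3000:192.168.1.11:3000' pi@home.example.net
}

# SOCKS variant: point the browser at 127.0.0.1:1080 and all browsing goes
# out via the home LAN, with nothing else exposed.
socks_cmd() {
  printf 'ssh -N -o BatchMode=yes -p 2222 -D 127.0.0.1:1080 pi@home.example.net'
}

# Constructed sample configs to exercise the check (not from a real host).
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$HARDENED_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

if check_sshd_config "$HARDENED_CFG"; then echo "hardened config: key-only"; fi
if ! check_sshd_config "$WEAK_CFG"; then echo "weak config: accepts passwords"; fi
echo "HA/Grafana tunnel: $(tunnel_cmd)"
```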

Agreed. Have a precedent to only expose services which are designed with security as their primary objective.

Now there's an idea. Have an intermediary service which can be polled from HA.

I think HA Cloud works like that; the dev team have some big plans for it. I'm very much looking forward to Alexa shopping list integration.

Facetious?? I'm just trying to understand what is trying to be achieved by presenting HA to the world, since there will be better options.

Unless you know and understand what you're doing, and know how to test, do not present anything from your internal network to the world. If you're on a forum asking how to do this, the answer is simple: don't.

cgtobi:
"You can use an SSH tunnel as a proxy; that way you'd be browsing pretty much like when you're at home. Pre-shared keys are a must in my opinion. But I use it only if I can't use VPN, which I prefer as well. I have yet to find a reason to expose the HA port to the outside world."

I agree with this…

However, people must understand what it is they are doing before putting their entire network at risk… even when implementing VPN or SSH.

Yeah, facetious, because you act like you have no idea why people want external access to their system when it is patently obvious, and claim to have a way to access Home Assistant via a polling method, but clearly you do not, otherwise you would have told us what it was.

yawn

???

I was asking what the OP was specifically after from his HA in the outside world. Then it would have been easier to give an answer. I think you misunderstood or misread my responses.

I have not claimed anything - please slow down, calm down and re-read.

@anon59013933

OP here.
I want to be able to (amongst other things) control my garden irrigation when I'm on holiday and see where people are on the map. Yes, the location bit can be achieved without HA.

At the moment I accept that I can't. I am just trying to clarify in my mind whether I should expect to be able to. Most here seem to think I shouldn't, because I am (still) a long way from understanding network security to the level that I am told I need to.

Evening klogg,

There are a few ways to do what you want off the top of my head, and I am sure many, many others off the top of others'… :slight_smile:

I quite like using the Apple Home app to use services outside my home. But this will depend on whether you have an iPhone and an old iPad (iOS 10.x) or Apple TV (one below 4K) / Apple TV 4K (you will need an iPad/Apple TV to use the Home app outside your home).

I use a Raspberry Pi to run "Homebridge" and there are some nice simple guides to setting it up… Link

This will also give you feedback on what is turned on/off, state etc., depending on whether you have exposed it to Homebridge… The advantage of this is that it's behind Apple, authenticated through your secure iCloud, and quite a nice app to use.

As also mentioned above, VPN could also be a good option for you… This will give you your HA as it exists now…
However, only enable it when you need to (when you're away); your router will most likely have an option for this… Please understand the risks behind doing this and the protocols being used. It's very easy to fall into a trap of false security because you're using VPN. If you go down this route… think about DNS. There are several free options, but you don't want to go away and find your IP changes; you can always get HA to ping you your new IP, though…

Using an MQTT broker (e.g. CloudMQTT), your HA can then pull your message and act (i.e. turn on/off, run automation). I do this a lot but use Node-RED to do the automation routine… You can then get an MQTT message back to say x, y has been run/stopped/state, or a notification. There are several MQTT publishing apps you could use from your phone… It's a very fast, lightweight way of reliably getting info back and forth… Since I know zero about irrigation… :slight_smile: you could send a message for the status of your irrigation… then get a notification back to your phone "Needs water" and send a message to water. Sorry, that's the extent of my knowledge on irrigation.

Using calendar services is a way to automate a schedule, but there are several others. One advantage of a calendar is that you can use your phone to set the event to start and stop at a moment's notice, depending on how you set up HA/Node-RED etc.… However, it has the downsides of schedules.

You don't say how you get the position data for mapping people… iCloud, OwnTracks etc.?

I mostly use Node-RED to run most things and use HA as a source for devices. Do you use any other services or just HA?

Why is it not an automated function though? Needs water -> water -> enough water -> stop water -> send notification "Watered whatever - used 3.4 litres of water - time started 2:30pm, time stopped 3:30pm"

One more thing… what happens if there is a power cut? Do all your services power on correctly? Will you know? Use something to monitor your systems (Raspberry Pis are good for this) and restart services etc.; UPS / NUT… Super important if you use Docker, especially on some NAS systems.

Don't want to see you go on holiday to find all your systems are down 2 days later :slight_smile:

Evening :slight_smile:
Wow… there's a lot there. Thank you.

Immediate thoughts are that I don't have anything Apple!

I use MQTT - Mosquitto on Hass.io - to control most of the things I have automated (especially Sonoffs) and it works well. I use OwnTracks for location, which also seems to work well for me, but since closing the router port I am trying to bridge CloudMQTT and I can't get Mosquitto to read my conf file (a separate post exists for this, so please, if anyone knows how to make this work, tell me!! Did I say please?)

Specifically, the irrigation is weather dependent, so unattended fixed watering durations don't really work, and despite many hours of research there is no reliable way to get rainfall info into HA (trust me on this, I know it sounds unlikely but I am not alone in having tried!). My own rain sensor would do it of course, but currently I don't have one.

Finally for now, much of what you suggest I do I am already doing using Telegram, and I do plan to implement much more. It just seems a shame to have to effectively write a whole front end to HA when it already has a perfectly good one.

Oh yes, finally, finally, I have indeed set up a VPN server on a Pi (thanks to help from @Robbrad) but I got cold feet about implementing it for the very reasons you give. I would be putting blind faith in it, as I do not (yet) fully understand what I have created!

EDIT: yes, power cuts… thankfully very rare here.
And I forgot to mention that I'd love to use some calendar integration, but I use MS Outlook and that doesn't seem to be an option with HA, and no, I don't really want to run a parallel Google calendar.