HA Security. Consensus?

Another thing to consider is what you’re putting at risk. Skimming through the comments from today, most people are looking at what people could do in HA, or to your automations.

As I mentioned in the other thread, that’s one aspect to be concerned about. The other is what else that toehold lets them do. I have enough stuff on my network that I can’t afford to lose (the wife would kill me) that I am going to be slow and cautious in adopting anything security related.

The most important thing though, is research. You have to decide for yourself what your acceptable level of risk is, and you can’t really understand it until you have spent a lot of time researching risks, solutions, what alternatives you can come up with, what the flaws in that solution are, and repeat. There is no perfect security solution.

1 Like

I have seen some interesting projects with esp8266 used to create a weather station - Something I was thinking could be good fun… as well as, if plants need watering - That would be a project for under £10

Have you tried NodeRed? I use it with OwnTracks / CloudMQTT and have not had any issues. I then update HA from NodeRed - Well, I present an MQTT message to HA for it to update.

HA is a great system - but some things are just easier in other systems. NodeRed is very good at acting as a middle man when you need it to… Using an external broker (outside HA but still on your .local network) gives several options for how you present data to and from HA… as well as automations… You might not have time before you go to get your head around it, but I would highly recommend having a play, even if it just resolves your OwnTracks issue. Actually I know I could give you some NodeRed code and a YAML entry to get you up and running in a few minutes… (once you had NodeRed running on a Pi - but you would need to think about your other MQTT dependent devices).

I don’t think you need to write a whole front end. Just add on to what you have. One of the great things about HA is that it can talk so well to so many systems…

I am more than happy to offer my help with MQTT or NodeRed if this is something that might help.

I’ll definitely take a look at NodeRed. And thanks for the offer!

The easy solution for other devices being exposed on your LAN would be a simple VLAN setup. Segregate the IoT traffic away from personal. That way, in the case your HA instance and/or network become compromised, they have access to only what the user has connected to the IoT VLAN. From that point it’s up to the end user to determine the level of risk, a.k.a. what devices are exposed and connected to what network, etc.

1 Like

Don’t agree with you, sir… Forums are here for community collaboration. Try assisting instead of criticizing.

1 Like

Unfortunately, we have a diametrically opposed situation of security vs. convenience. A totally secure solution (e.g., a VPN) drastically reduces usability, especially for the average user; a totally convenient solution (e.g., simply forwarding WAN traffic directly to the HASS host) comes at the elimination of most security measures.

Like many, I use a middle-of-the-road solution: NGINX as a reverse proxy to HASS (many guides for this exist in this forum). I’ve also implemented several additional security controls that drastically reduce attack vectors on my HASS:

  • I compile NGINX myself (in a Docker container) so that I can keep it updated frequently (amazing how many attacks come on old versions with discovered vulnerabilities).
  • I use LetsEncrypt SSL certs; I also use 4069-bit DH params.
  • I only accept the strongest SSL ciphers.
  • TLS 1.0 has known vulnerabilities; my NGINX requires a minimum of 1.1.
  • I use GeoIP filtering so that any IPs outside the USA are immediately served a 444 response (technically not an HTTP response, this is an NGINX instruction that immediately closes the connection – from a client’s perspective, being served a 444 makes it look like the host doesn’t exist at all).
  • I block user agents that are known to come from automated sniffing/attack/etc. tools. Same deal: requests with those user agents get served a 444.
  • I only allow the HTTP verbs that I want (GET, HEAD, and POST); any others are served a 444.
  • I set up my default domain to return a 444 (so that scans against it don’t reveal anything).
  • For the two subdomains I have exposed (one for HASS, one for AppDaemon), I use randomized subdomain names. In conjunction with the previous, it’s highly unlikely that anyone will guess the right URL to get to either app.
  • I make sure to use X-Forwarded-For to track the request’s actual IP address.
  • I use NAXSI as a web application firewall; it watches for various attacks (SQL injection, XSS, etc.) and logs them.
  • In conjunction with NAXSI, I use Fail2Ban to jail any IP addresses that break NAXSI’s rules.

This isn’t perfect, but I regularly review my Fail2Ban jails and have yet to see any unauthorized traffic.

Everything is here: https://github.com/bachya/smart-home/tree/master/settings/nginx/conf – will answer any questions I can!

5 Likes
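As an added illustration of the layout described in the post above (this is not the configuration from the linked bachya/smart-home repository), here is a minimal NGINX configuration that implements the 444 default server, the randomized subdomain, the TLS settings, the GeoIP and user-agent filters, the verb allow-list and the X-Forwarded-For header. Hostnames, certificate paths, the GeoIP database path and the user-agent patterns are constructed placeholders; the example also chooses TLS 1.2 as the minimum rather than the 1.1 mentioned in the post. NAXSI and Fail2Ban are not shown.

```nginx
# Added example, not the linked repository's config. Hostnames, paths and
# user-agent patterns below are constructed placeholders.

# 1. Country allow-list. Needs ngx_http_geoip_module and a legacy MaxMind
#    country database; $geoip_country_code is set by that module.
geoip_country /usr/share/GeoIP/GeoIP.dat;   # placeholder path
map $geoip_country_code $country_allowed {
    default 0;
    US      1;
}

# 2. User agents of automated scanners. Placeholder patterns; keep your own
#    list. "~*" makes the match case-insensitive, "" catches an empty UA.
map $http_user_agent $ua_blocked {
    default                            0;
    ~*(scanner-tool-a|scanner-tool-b)  1;
    ""                                 1;
}

# 3. Catch-all default server: any name that is not one of the randomized
#    subdomains gets 444 (NGINX closes the connection without a response).
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;     # placeholder
    return 444;
}

# 4. The HASS front end on a randomized subdomain.
server {
    listen 443 ssl;
    server_name rnd7f3k2.example.com;   # constructed placeholder

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;     # placeholder
    ssl_dhparam         /etc/nginx/dhparam.pem;   # e.g. openssl dhparam -out dhparam.pem 4096
    ssl_protocols       TLSv1.2 TLSv1.3;          # example's choice: 1.2 minimum
    ssl_ciphers         ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # GeoIP, user-agent and verb filters all close the connection with 444.
    if ($country_allowed = 0)                 { return 444; }
    if ($ua_blocked = 1)                      { return 444; }
    if ($request_method !~ ^(GET|HEAD|POST)$) { return 444; }

    location / {
        proxy_pass http://127.0.0.1:8123;   # Home Assistant's default port
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The HA front end uses websockets; pass the upgrade headers through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Two caveats when adapting this: the `geoip_country` directive belongs to the legacy GeoIP module (the GeoIP2 module uses different directives), and current Home Assistant releases only honour X-Forwarded-For when `use_x_forwarded_for: true` and a `trusted_proxies` list are set under `http:` in configuration.yaml; without that, HA's own IP-ban logic sees the proxy's address rather than the client's.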

Security of web applications is a complicated multilayered thing.

If you’re running HA completely locally, no ports visible on the public network, and you know the only people on your wifi are people and devices you trust, then do you really even need a password?

If you have a complex HA setup with remote controls linked to your door locks/HVAC/water etc, well do you trust that single password is enough to stop some script kiddie with too much time on their hands and no fear of consequences if they find a way in?

Conversely, if you set up your HA instance behind proxies, set up port knocking + VPN + two factor authentication + SSL certs to trust users and individual devices + time based limits to only allow access from certain devices during known times + auto ban IP blocks for failed login attempts + whatever other security you want to layer on top…well is that amount of inconvenience worth it for a system that is supposed to help you make things more convenient? On top of that, is your other security sufficient for stuff like that to make a difference? You can set up all those layers sure, but if you have your WIFI using WEP or a badly set up guest network and your neighbours or kids wardriving around can get in to your HA install anyway, what exactly have you secured?

So it’s all a balance of effort/risk/convenience, and everyone has to make their own decision for what’s worth it for them.

On top of that, there are fundamental misunderstandings with people setting up a “cool” application like this for the first time. Like “SSL makes me secure”. Or a VPN is the be-all-end-all for all security. Those do different things to protect different aspects of communicating to your server and network, but by themselves they don’t make things suddenly “secure”. That I think is something the documentation could certainly improve distinction on, but at the same time I don’t think that’s the job of the HA developers.

Look at some of the biggest web applications out there, like Wordpress. Half of the tutorials will tell you to install things as root, chmod everything 777 and use a root database user or otherwise use full administrative rights because it’s not the application developer’s job to explain to you how to set up permissions correctly. It’s their job to make sure the application works, and the admin to decide how to make it run in a secure way.

So long as the HA devs ensure that the application doesn’t have any security HOLES, i.e. backdoors/oversights that allow control of HA without ever asking for a password or token or whatever the expected method normally is, that’s pretty much all that is expected of any developers really. Asking them to arbitrarily throw “secure plugins” or something on top and allowing users to just think they can add pieces to make themselves magically secure would just give people a false sense of security.

4 Likes

In what way does a properly set up VPN reduce the usability dramatically?

I use a VPN to connect home. My iPhone knows automatically that it has to open the VPN connection when I try to open the URL of my HA instance or equally the HA app. It is simple and convenient. I just set up my wife’s phone the same way and she doesn’t even notice it. It just works. You might have a slight delay because the VPN connection needs to be established first, but that is negligible.

Well, it precludes using Google Assistant and Alexa for a start.

Isn’t this where HA cloud comes into play? Sorry, I simply don’t know as I neither use Google Assistant nor Alexa.

You can use cloud if you choose that route. It will be a paid service. There is also a non-cloud integration.

I did…

I gave a number of options…

I could have gone into depth about how to secure their network, taken them step by step and then simply used this to take advantage.

Forums are a group of strangers, some of whom have common goal(s).

I will not take responsibility for exposing someone else’s network to the world. Will you?

All I wanted was to understand what the OP wanted to achieve and help find a better way. I even offered to help with getting them up and running. You have offered???

Your statement

“The easy solution for other devices being exposed on your LAN would be a simple VLAN setup. Segregate the IoT traffic away from personal. That way in the case your HA instance and/or network become compromised they have access to only what the user has connected to the IoT VLAN.”

Depending on the user’s understanding, ability and equipment, this could be very dangerous. It’s not “easy” to do this correctly, and a blanket statement regarding the level of security is wrong.

I understand the OP’s frustration. He/She is wanting the same level of access to this great bit of software wherever they are in the world. But thankfully decided to move away from this.

Within 2 mins (most likely under a min) you could have access to someone’s HA system, who has exposed it to the internet… Have a quick search… What else, now you’re on their network, can you now access? How many exposed IP cameras can you find, test web servers / services, email servers, routers, shares etc, etc…

The message here should be simple. Don’t expose your HA to the outside world.

1 Like

Well, if you use Let’s Encrypt it will probably show up here somewhere: https://crt.sh/?Identity=%25&iCAID=16418
I do exactly the same as you with random subdomains, but for that extra bit of anonymity I’ve purchased a wildcard certificate. Hence I can randomize the subdomain however I want without that being leaked. That way I can consider my HA-subdomain fairly secret.

1 Like

Which I am perfectly fine with since HA is a true blessing in my household. Kicking a little coin back to the main devs is a good thing.

1 Like

We use iOS. In our case, batteries drain quickly, iOS will sometimes deactivate the VPN, and the iOS HASS app doesn’t properly work when connected.

I should have noted that I, too, am using a wildcard cert. :+1:t2:

2 Likes

Do you turn on the VPN manually? iOS closes the VPN connection when the phone is locked, it does not persist. I never found any problems with the HA iOS app over the VPN connection. What issues did you have?

Well, your statement basically said if you don’t know, don’t bother. I did see your other suggestions, which is why I found that statement to be wrong. We are all here to help one another. Not exposing your instance is not what people want and really not a good answer. For example, I have plenty of smart devices that can be utilized via their native app or my HA instance. My goal is to not rely on the vendor for security… as most people’s goal should be. This includes things such as Nest, MyQ garage opener, etc. So you say, do I want to be responsible for someone else’s setup? Well, at what point would I be? Just because we suggest a solution does not make it your responsibility for the end user. If they paid you for the info, yes; otherwise absolutely not. I didn’t go beyond VLANs because other valid pieces of the solution were already discussed, should one read through the messages. You are correct, VLANs may not be easy for some and obviously most low-end networking doesn’t support them. However, again that’s up to the end user… they need to decide their knowledge level and acceptable risk. They may also choose to learn and buy the proper equipment. So the answers to the question are there, should one have enough determination and willingness to do so.

1 Like

Well, your statement basically said if you don’t know, don’t bother

I think I said if you have to ask on an Internet forum, don’t do it. - But I get your point.

Most people in IT spend years learning how to set up networks/servers/coding/designing/implementing. You can then spend another few years learning security/pen testing, passing relevant exams, being exposed to “industry practices” on a daily basis. Going to conferences, keeping up to date again in the industry… Even then you end up specialising in certain areas.

This is simply not something you can tell someone how to do on an internet forum in an afternoon or even over the span of a year or two.

I am sure someone could explain how to take a gear box apart and put it back together… This does not mean that I
a) could do it.
b) should do it
c) have it work correctly at the end…

When my starting point in a car is putting water in and pressing the start button. (Which it pretty much is :slight_smile: )

The same is true for any industry…

The trouble with IT is that “some” people feel that they are experts. They are “safe and secure” so pass on the steps they have taken… It’s a case of Chinese whispers that inevitably leads to disaster.

You see it all over this forum and others… This is how I set up mine, here are the settings. This is all you need to do install X and Y.

The message I have said is simple. Don’t do it. There are better ways.

Exploring the better ways and improving best practices for those who “need” to have access is something I am very much open to and happy to give my time to.

1 Like

Put in that context, I completely agree. I too am in the industry as an engineer… so I know all too well what you are referring to in the years it takes to acquire the knowledge and skills to be able to apply them in a proper/logical manner. If I misunderstood your initial statement I apologize… you seem very knowledgeable, so I hope to come across more of your responses as I traverse HA in facets that I too am a noobie on haha

1 Like