A week ago I followed the guide here to set up Let’s Encrypt.
I have opened ports 80 and 443 -> 8123.
I am getting connections from different IPs on ports 8123 and 80 to my machine when I check the log in my router.
I am running HA on a Lubuntu machine which I also use as a NAS and media player. So I have everything on this machine.
HA is installed in a virtual environment but I really don’t remember how I did it with Let’s Encrypt.
Is it safe to leave those ports open or should i close them?
When you go to your ip outside your network, are you prompted for any kind of credentials? Unless you are doing some sort of reverse proxy and authenticating, I’m guessing no.
That means anyone with a network/port scan is going to find that open port and control your HA instance. There is no such thing as security through obscurity when it comes to IPs and ports.
→ devil’s advocate ←
Yes to an extent. HA is not a hot endpoint for automated scripts right now as the user base is very small. So a decent password for the frontend should keep you pretty well secure. Also make sure you’re not running the HA instance as sudo… Not to say someone isn’t doing it, just playing the odds against the normal ssh/telnet/vnc scripted brute-force attacks that make up most of the hacker traffic. Most people aren’t going to be actively targeted unless they are a publicly known target.
I know tools like masscan can theoretically scan the whole internet in minutes, but realistically at 1,000,000 packets a second (more than most consumer networks can handle) it would still take 7.5 years to get all the IPs and ports back on the public IPv4 address range… Not to mention you’d then probably be blocked from large parts of the internet…
Also make sure you’re not running the HA instance as sudo…
Is that an option? My reading of stage 4 of the Let’s Encrypt installation instructions requires us to make the home assistant user a sudo account. Am I mistaken?
I am running HASS under Ubuntu 16.04 using a virtualenv with a “homeassistant” user set up by following these instructions.
I would love to open up Hass so I can keep an eye on things while I’m out, but have been too scared what a hacker might do to the rest of my network if I give my Homeassistant user sudo powers.
OP, who is your internet provider? Cable? Unless things have changed (which they may have, I’m a bit dated) it is fairly easy to port scan others on your cable modem’s subnet.
Do you torrent? Your IP is handed over to all your peers. Do you trust all those peers to not, for shits and giggles, port scan you and see what you got?
No, you are not going to get any state sponsored hackers turning your bedroom light on in the middle of the night to annoy you. But, those aren’t who you protect yourself from really anyway.
Do you lock your doors at night or when you leave the house? Door locks keep the “honest people honest”. Leaving HA open without any sort of authentication is like leaving your house unlocked (and if you have integrated door locks, it is the same thing).
If you don’t have any control mechanisms, or sensitive information in HA, sure, go for it, otherwise, I’d ensure there is some sort of authentication mechanism before it.
If your router supports a reverse proxy, try implementing it there. I’d love to see the HA web have a login/password and really love it to include OAuth support.
Of course you should have a password. I figured that was a given for an external facing HA instance. I meant more protection than that might be a bit overkill. Are you under the impression that HA doesn’t have this feature?
Not sure about the Linux setups as mine is running on OS X. I need to run in sudo after an upgrade so that dependencies can install correctly but after that I restart without sudo and that’s how I run my instance 24/7.
First time I ran without sudo I did have a few errors pop up. I just fixed permissions on the files that threw those errors specifically and have been fine ever since.
I was under that impression. When I skimmed the documentation, I saw api_password and my brain turned off and never associated it with the actual gui. Thanks for making me reread that.
So, @xydix I’m guessing you are smarter than I am, and are actually utilizing the password?
I am using password for the front end.
Checked my router logs again today and there are a lot of connections, port scans I guess.
Of course, I don’t think any hacker will visit my home and enter my house after turning my alarm off through Home Assistant.
But I don’t want someone in my network or in my “server” (the same machine running hass).
I don’t use DuckDNS, I use No-IP (DNS service) in my router.
The thing is, I am about to set up IP cameras and add them in hass.
Reading online about remote view on the cameras everybody says, do NOT expose your camera to the internet. Use VPN ONLY.
I have been using VPN to access hass but it is annoying to first open my VPN app (which drains my battery) and then open hass.
And now I can use Locative for presence detection.
Really annoying to not be able to access my stuff in a safe way without being a computer scientist. =)
EDIT:
Anyone know what harm someone can do through port 80 on my Lubuntu machine where, I guess, Let’s Encrypt is the service?
Setting up Let’s Encrypt forced me to add my hass user to sudoers. Is this a problem on any of the ports? Can I remove the hass user from sudoers now?
The guide told me to forward 443 public -> 8123 local. Would it be safer to use another public port?
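An added example (not from the thread, and not Home Assistant code): a small Python script that summarises inbound connection lines from a router log and flags sources that walk across several ports, the pattern behind “port scans I guess”. The log line format and the addresses are constructed for the example; adapt the regex to your router’s actual syntax.

```python
# Summarise inbound TCP log lines from a home router (constructed format).
import re
from collections import defaultdict

# Ports forwarded in the thread: 80 (Let's Encrypt), 443 -> 8123 (Home Assistant).
FORWARDED_PORTS = {80, 443, 8123}

# Constructed sample lines; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 01 02:14:07 ACCEPT TCP SRC=203.0.113.5 DST=192.0.2.10 SPT=51234 DPT=8123
Mar 01 02:14:09 ACCEPT TCP SRC=203.0.113.5 DST=192.0.2.10 SPT=51235 DPT=80
Mar 01 02:14:11 ACCEPT TCP SRC=203.0.113.5 DST=192.0.2.10 SPT=51236 DPT=443
Mar 01 03:40:22 ACCEPT TCP SRC=198.51.100.77 DST=192.0.2.10 SPT=40001 DPT=80
Mar 01 03:40:23 DROP TCP SRC=198.51.100.77 DST=192.0.2.10 SPT=40002 DPT=23
Mar 01 05:02:01 ACCEPT TCP SRC=198.51.100.9 DST=192.0.2.10 SPT=60010 DPT=8123
"""

# Assumed iptables-style fields; the regex is the part to adapt to your router.
LINE_RE = re.compile(r"(?P<action>ACCEPT|DROP) TCP SRC=(?P<src>[\d.]+) .*?DPT=(?P<dport>\d+)")

def parse_log(text):
    """Yield (action, source_ip, destination_port) for each line that matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["action"], m["src"], int(m["dport"])

def summarise(text):
    """Group hits by source IP; a source touching more than one port is scan-like."""
    per_src = defaultdict(lambda: {"ports": set(), "accepted": 0})
    for action, src, dport in parse_log(text):
        per_src[src]["ports"].add(dport)
        if action == "ACCEPT":  # the router actually let this connection through
            per_src[src]["accepted"] += 1
    out = {}
    for src, d in per_src.items():
        ports = sorted(d["ports"])
        out[src] = {
            "ports": ports,
            "accepted": d["accepted"],
            "scan_like": len(ports) > 1,
            "hit_forwarded": [p for p in ports if p in FORWARDED_PORTS],
        }
    return out

if __name__ == "__main__":
    for src, info in summarise(SAMPLE_LOG).items():
        flag = "SCAN?" if info["scan_like"] else "     "
        print(f"{flag} {src:15} ports={info['ports']} accepted={info['accepted']}")
```

Feed it your own exported log (one connection per line) and look at the sources flagged SCAN? and at how many of their hits landed on the forwarded ports.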
I’ve got the same questions, although I’m only accessing hass via SSL at the moment. Where did you find instructions for setting up the VPN? (I’ve got a TP-link D9)
My router has an OpenVPN server. But then I first need to connect to the VPN with an app on my phone, then I can access hass as if I was home on my wifi/LAN.
But it’s not as convenient as open ports.
Some kind of reverse proxy with a cert. on my phone to only let units with that cert. connect sounds like a good solution but seems too complicated for me to set up. Really don’t know what it takes.
You do, but only when Let’s Encrypt is actually renewing your cert. So you could probably open the port once every 10 weeks or so, restart Let’s Encrypt and then close the port again after renewal.
You don’t really need to though - if you leave the port open on your router and no service is listening on port 80 on the destination machine, there is no real security risk - the OS will simply refuse any connections on that port. Let’s Encrypt only has the port open during renewal. Try it and see. If you try loading http://your-ip:80/ it will connect on port 80 and should be refused.