Help - Newbie setup, security questions and checks

Hey all,
So I've set up Hassio with the following from the add-on store:
Duck DNS
SSH Server (using an RSA token and private/public key)

I'm now only able to access Hassio via HTTPS (HTTP doesn't work).
Also, I can access my Hassio externally via my DuckDNS domain name.
This is both on and off my network, using https://duckdnsname.duckdns.org.

However, 4 questions please…

Question 1
I'm a little nervous about security, so is there a way to confirm that all the steps I have done, with opening ports and stuff, are all good?

On my router, I have:
External Port 80 → Internal Port 80 → IP of Hassio internally
External Port 443 → Internal Port 8123 → IP of Hassio internally

I have a static IP address set internally for Hassio

I have the following in my configuration.yaml file:

```yaml
http:
  base_url: https://xxxx.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 4
```

Question 2
I have configured a “secrets.yaml” file, as noted, and I have all main “secrets” in my “configuration.yaml” file pointed to it (which works great and performs as expected).
I'm still unsure as to the point of doing this overall, as if you can access “configuration.yaml”, then you can also easily access “secrets.yaml”, as they live in the same location?
So is this more about being able to share your config file with others easily and not have to worry about people seeing stuff you don't want them to see, rather than actually hiding your secret stuff from someone who gains access?

Question 3
Whenever I access my internal Hassio deployment (within my network) via either:
https://hassio.local:8123 or
https://myinternalIP:8123

I get the following error on Chrome before I can access it.

Your connection is not private

Attackers might be trying to steal your information from 192.168.0.122 (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_COMMON_NAME_INVALID

Is this expected? Or do I need to change something to resolve this?
As mentioned, I don't get this if I go via DuckDNS, internally or externally to my network.

Question 4
When I access Hassio externally, off my network via DuckDNS, it has saved the password and so passes me directly to the UI.
Is this sensible? I assume for external access I should really force a password check each time? If so, how do I configure that, sorry? Or is there a better, more secure way I should be setting up my external access, sorry?

Q1 - with duckdns addon you don’t need to PF port 80. It doesn’t use that for letsencrypt.
Q2 - secrets is useful if you share your config on github… you just put secrets.yaml in .gitignore and share away…
Q3 - it’s expected as the ssl cert is for your domain, not your IP address.
Q4 - the stored token for logon is unique to that instance and is not a concern.

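The reply to Q3 is right that the certificate is bound to the DuckDNS name. The following added illustration (not Home Assistant, Chrome or DuckDNS code) shows the name-matching step a browser performs, using a constructed certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the matching rules are a simplified reading of RFC 6125, and the hostnames and the 192.168.0.122 address come from the question above.

```python
"""Why a certificate issued for xxxx.duckdns.org is rejected when the same
Home Assistant instance is opened as hassio.local or by IP address.

Added illustration, not Home Assistant's or the browser's code. The
certificate below is a constructed stand-in in the dict shape returned by
ssl.SSLSocket.getpeercert(); the matching rules are a simplified reading
of RFC 6125 (exact DNS match, one leading wildcard label, IP literals only
match an 'IP Address' SAN entry).
"""
import ipaddress

# Constructed: what getpeercert() would return for a DuckDNS certificate.
# Only the DuckDNS name is present: no IP address and no hassio.local entry.
DUCKDNS_CERT = {
    "subject": ((("commonName", "xxxx.duckdns.org"),),),
    "subjectAltName": (("DNS", "xxxx.duckdns.org"),),
}


def _dns_label_match(pattern, hostname):
    """Exact match, or a single leading '*' label (e.g. *.duckdns.org)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # The wildcard covers exactly one label, never a.b.duckdns.org.
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def hostname_matches(cert, host):
    """Return True if `host` (DNS name or IP literal) is covered by `cert`.

    When a subjectAltName extension is present only its entries count; the
    commonName is consulted only for legacy certificates without a SAN.
    An IP literal matches only an 'IP Address' SAN entry, never a DNS one,
    so 192.168.0.122 fails even though the certificate itself is valid.
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in san)
    names = [val for kind, val in san if kind == "DNS"]
    if not names:
        names = [val for rdn in cert.get("subject", ())
                 for key, val in rdn if key == "commonName"]
    return any(_dns_label_match(p, host) for p in names)


def explain(cert, host):
    """One-line verdict for a URL host, mirroring the three cases in the question."""
    if hostname_matches(cert, host):
        return f"{host}: name matches certificate, no warning"
    covered = [val for _, val in cert.get("subjectAltName", ())]
    return f"{host}: NET::ERR_CERT_COMMON_NAME_INVALID (certificate covers {covered})"


if __name__ == "__main__":
    for host in ("xxxx.duckdns.org", "hassio.local", "192.168.0.122"):
        print(explain(DUCKDNS_CERT, host))
```

Running it prints one line per hostname; only the DuckDNS name passes, which is exactly the behaviour described in the question and in the reply: the fix is to use the name the certificate was issued for, not to weaken the check.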

For Q3 you may be able to access HA using your duckdns.org name when at home. That is what I do to avoid the certificate error.

The biggest thing to be aware of in all of this is that you have a commonly known port open on your router forwarded directly to your HA install.

All anyone needs to do is scan your computer for open ports, find 443 open on your router, connect to it and then try a brute force on your HA.

It’s a lot better now than things were before since HA now uses a username/password combination instead of just a password so getting in is way harder now.

Many people think that using an SSL certificate protects them from stuff like this, but in reality it only protects you from snoopers listening in on the communications between your browser and your home router, so they can't pick up any passwords, etc. And DuckDNS doesn't provide any security whatsoever. It just makes sure that your domain always points to your public IP address. It's simply a convenience for you but doesn't secure anything.

So, the bottom line is that DuckDNS/Letsencrypt is not really any help at all in preventing someone from trying to get into your HA by figuring out your username and password. So make sure your username/password is strong.

Or, better yet, add another layer of security by using something like a VPN or the HA cloud; even a reverse proxy will provide a bit more security if you force that to also use a different username/password.
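The brute-force scenario in this reply is what the `ip_ban_enabled: true` / `login_attempts_threshold: 4` lines in the original configuration.yaml are there for. The added example below (not Home Assistant's own ban code) replays a handful of constructed log lines, loosely modelled on HA's "Login attempt or request with invalid authentication from ..." warning, and bans a source address once it reaches the threshold. The addresses, timestamps and the 15-minute sliding window are this example's own choices; HA itself records bans in ip_bans.yaml.

```python
"""Sketch of what ip_ban_enabled / login_attempts_threshold do against the
brute-force attempt described above.

Added example, not Home Assistant's implementation. The log lines are
constructed (format loosely modelled on HA's failed-authentication warning,
not copied from any real log), and the sliding time window is this
example's own design choice. HA itself writes bans to ip_bans.yaml.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOGIN_ATTEMPTS_THRESHOLD = 4  # same value as in the question's http: section

# Constructed sample log; addresses are documentation ranges, times made up.
SAMPLE_LOG = """\
2019-03-10 21:14:02 WARNING Login attempt or request with invalid authentication from 203.0.113.7
2019-03-10 21:14:05 WARNING Login attempt or request with invalid authentication from 203.0.113.7
2019-03-10 21:14:09 WARNING Login attempt or request with invalid authentication from 203.0.113.7
2019-03-10 21:14:11 WARNING Login attempt or request with invalid authentication from 198.51.100.2
2019-03-10 21:14:12 WARNING Login attempt or request with invalid authentication from 203.0.113.7
2019-03-10 21:14:15 WARNING Login attempt or request with invalid authentication from 203.0.113.7
2019-03-10 21:30:00 INFO Serving /api/states to 198.51.100.2
2019-03-10 21:40:00 WARNING Login attempt or request with invalid authentication from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARNING "
    r"Login attempt or request with invalid authentication from (?P<ip>[\d.]+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip) for every failed-auth line; ignore the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]


def failure_counts(log_text):
    """Total failed logins per source address, over the whole log."""
    return dict(Counter(ip for _, ip in parse_failures(log_text)))


def compute_bans(log_text, threshold=LOGIN_ATTEMPTS_THRESHOLD,
                 window=timedelta(minutes=15)):
    """Return {ip: banned_at} for addresses with >= threshold failures inside `window`.

    Once an address is banned its later lines are skipped, mirroring the
    fact that a banned client is rejected before it reaches the login flow.
    """
    recent = defaultdict(list)
    bans = {}
    for ts, ip in parse_failures(log_text):
        if ip in bans:
            continue
        # Keep only failures that fall within the window ending at this line.
        hits = [t for t in recent[ip] if ts - t <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= threshold:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in compute_bans(SAMPLE_LOG).items():
        print(f"{ip} banned at {when:%Y-%m-%d %H:%M:%S}")
    print("failures per source:", failure_counts(SAMPLE_LOG))
```

With the sample log, 203.0.113.7 is banned on its fourth failure at 21:14:12 and its fifth attempt is never counted; 198.51.100.2 fails twice but 26 minutes apart, so it stays under the threshold. The ban only limits guessing speed, which is why the reply's advice about a strong username/password and an extra layer such as a VPN still stands.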