Hi, very intersting thread. Not great at security myself, but Shodan showed my MQTT port 1883 to be open, as well as Hassio port 8123. I reinstaled Hassio after starting to use Nabu Casa a while back and have not been thinking of the port forwarding rules that I created with DuckDNS, these have just lingered as a leftover from previous adventures. With Nabu Casa (as I have understood it) you dont need SSL certs, so for all add-ons SSL is set to false, something that is not a great combination (I think, sorry if Im wrong, still learning…). If anyone else have gone down the same route, I would guess (someone more knowledgable than me should ellaborate here), this might be worth checkig.
I for one have setup my home quiet tight. I run a VPN for any external connections from outside to my home. My home network is divided into separate vlans all firewalled so I can control all devices of what they can send and receive. As well as to the internet as to other devices on my network. Only one device has to get mallware to infect or sniff other local vurnabilities, so that is why I choose this route. And for that reason I also use ssl on local devices.
But to keep it simple and not as insane as my setup I would start by closing those ports on your router. Never let others use your wifi accept your own family. Maybe shield off everything from phone connections. So only connect through nabu casa (even when your at home). I know not totally local anymore, but phones are very often prone to get mallware these days.
Correct @firstof9 but Owntracks not needed any longer with the “new” Android app and locatioon included there.
I would have liiked to separate it into different vlans @frits1980 , but my router does not accept that and I have TV over internett from my ISP, so I have to use my more advanced router as an AP., otherwise Ill just end up wit an DHCP conflict. Havent tried to run my router on a different subnet, might be a solution to look into, but not got the time to look into it yet.
Relax folks. not everyone are programmers, network specialists or cosmonauts… Only thing you achieve with this attitude is drive people away from HA.
Every single thing with HA, I have learned from “random” videos from The Hook Up, JuanML, Frenck, Bruh and Dr.ZZZ. Before starting with HA I have never used Linux, never written YAML, never fiddled with MQTT etc etc. I think I speak for alot of people when I say there have been a few mistakes along the way. So stick the attitude somewhere, only thing you achieve with an attitude like this, is driving novice users away from the community and away from HA.
My post was meant as a help to other novice user that might read this thread in hope of securing their system, but like me, have to learn from someone else. @sjee, I have read alot on securing Debian, but much of this is way over my head. Would be good with a more detailed description from Nabu Casa on how to secure the system when using their solution, a best practice when using Nabu Casa/DuckDNS etc. I have struggled to find useful novice instructions on the topic, and I understand that making a general approach is most likely impossible, with the variety of setups around.
Ok, so if you want to start by securing your network let’s start with the simple task of closing those ports. Walk towards your internet modem / router and lookup the brand and model number for it. Google that combination and append ‘open ports’ to the query. You’ll then probably find pages explaining how to open ports, I hope you’ll figure out yourself how to undo those changes that way. I think that is about the most important security step you have to take right now.
That looking up about port forwarding just shouldn’t be needed, because the person concerned has already opened their ports, and closing them is just undoing what they did e assistant does not open ports on your router, mosquitto does not open ports on your router. By definition the person with opened ports did it themselves, and I assume can undo it.
That is true. Though if you would look up how to do this, while having no interest in it and no technical background whatsoever, and then not touch it for about a year you might have forgotten how you did it in the first place. Also (speaking from personal experience) people might not have a brain like yours and forget stuff (in my case due to some stupid disease).
This is an ancient thread, dating from back when authentication was optional, and many people ignored all the documentation and guidance about not configuring remote access until you’d enabled authentication.
If you’re coming across this thread since 0.77 was released back in August 2018 then you can ignore it. If you’re a time traveller, or running something older than that… I can’t really help you.