Home Assistant security concern

Securing webapps, presenting webapps to the internet, should only be done for apps that absolutely must have an internet presence. Home automation and IoT are things that need to be protected and should not have an internet presence. If you want access to that from remote locations set up a VPN. Even if HA has a major security flaw, and I’m not saying it does, it won’t matter if your infrastructure is implemented securely.


Your system is only ever as secure as you make it.

A lot of advice here tends to be stuff that “gets things working” (i.e. turn off your firewalls, open all ports, bind to all interfaces, install every damn docker image that someone mentions), but has no considerations for security other than a single phrase like “make sure you think about security!” without any actual advice as to how.

HASS is a great tool, but was clearly never designed to be secure in anyway. Do you really think protecting something that has full access to everything in your home with just one password is sufficient?

The internet is a dangerous place, unless you have absolute confidence in your ability to secure your installation, I suggest NOT making it public. Otherwise, yes you can get in, but most likely you’ve also just opened the door to let everyone else in.

1 Like

You have a port open for Node Red. Have you made sure to password protect node-red?

It goes against common sense to expose smb to the internet at large.

Certainly. I clearly stated only 8123 open. SAMBA not even installed…

@jwelter thing is with these kinda threads is that everyone has an opinion and then people want to share their experiences and then the thread becomes flooded with irreverent information.

what you should do is to pop on to the discord server and talk to tinkerer or arsaboo and share the logs with as much information as your comfortable giving away.

we have been discussing possible attack vectors in your case during today but logs would help.

1 Like

This probably has something to do with it.

Home Assistant uses the aiohttp python library as its webserver. This was published yesterday.


I’ll mess around with it this evening if I have time and see what I can do to reproduce.

Edit: In theory, a weak password would allow pretty easy work of a bruteforce as well.

We do not use aiohttp-session

1 Like

discussed in the discord channel today along with other libs, had the same question got the same answer :slight_smile:

here are the libs it uses

the only known lib to have a vunerability on that list is PyYaml that will be fixed in next version of HASS


was confirmed that no failed auth or like entries were logged, so it’s looking like it wasn’t brute forced.

For those wanting to conceal their origin server ip whilst still allowing external access to their HA instance checkout Cloudflare Access. This will enable 2fa and use Cloudflare’s IP as a proxy.


Has anyone who’s been hacked uploaded their config to a public git repository (e.g. Github)? You could have inadvertently leaked your credentials and public URL.

I’m using pfBlockerNg on my network as an alternative to PiHole, but one nice feature of it is blocking incoming traffic from known bad IPs via a real time block list (updated hourly in my case). This should prevent Shodan from being able to index your system and keep other bad guys out.

I have heard of people uploading their config to github, realising they have leaked their passwords, then fixing it by excluding secrets.yaml from the github. However github remembers everything (as it should, it is a version control system!)

So if you have EVER leaked your passwords to github, change them, all of them - api keys as well.

Yes, and there are also bots that troll Github looking for leaked credentials. Maybe someone has added HASS credentials to the list of things they look for.

Using the same thing, which block list are you using?

I’m using BinaryDefence, EmergingThreatsDShield and firehol3.

1 Like

Could you paste the url’s – also a PFB user and will add these. Right now just the easy lists as well as the GeoIP top spammers.

The URLs that @robconnolly mentioned are listed on this site -

Yep, that was one of the guides I followed when setting it up.

Also good to run a scan of your git repo and remove any files/credentials you accidentally uploaded.