I have now read every single post since I am very curious to know how people got hacked.
What surprised me though is that so many are suggesting using a VPN, but there is no mention of the fact that you can make a reverse HTTP proxy require a client certificate that you install on your devices (phone, desktop computer…) that will access Home Assistant. That’s how I have secured my Home Assistant, which is accessible from outside my LAN.
It’s probably because a VPN is a generalizable setup and more popular because it can protect everything on your network without specific configuration for each service. I have mine protected with ssl client certs too, but even I’ll admit that configuring a proxy for ssl auth and generating and managing certs and CAs is a bit of a pain in the butt that I don’t expect the average HA user to be able to wrap their head around.
Ritte88, can you please point me to documentation on how to setup 2fa please.
In general I think we should recognize that Home Assistant could use more out of the box security.
Like others I have had a lot of effort in securing Home Assistant. Why isn’t this out of the box available?
For instance the Let’s Encrypt with a closing port 80 is something I like a lot.
Reverse Proxy, how hard would that be to have integrated?
I can’t find the link right now, but there is a Github thread on getting the framework for user management, 2fa, and other things requested here. No idea on when it will be deployed, but it is a work in progress.
An user has to enable access to Home Assistant from the outside. This means that a Home Assistant instance is secure by default. Home Assistant doesn’t change router’s settings nor is it bypassing the security measurements which are in place
Because there are multiple ways to allow secure access to something inside a local network, people have different requirements/skill levels and Home Assistant’s focus is to automate your home not secure the local network.
Support for Auth providers was introduced with 0.69
I may have missed it mentioned in the thread but also ensure that if you are using a reverse proxy and also using trusted networks with an entire subnet included, or the IP of the reverse proxy then it becomes open to the world. I accidentally did this the other day but luckily noticed it the next day and after rereading the docs for trusted networks saw the line warning about reverse proxies.
Can we also get homeassistant to do my homework after they secure it against nuclear war and alien attack?
come on, you should also mention in the same breath:
This is an experimental and unfinished API introduced in Home Assistant 0.69 and later. This is not enabled by default, it's not persisted to disk and should not be used in production.
An user has to enable access to Home Assistant from the outside. This means that a Home Assistant instance is secure by default.
This is an invalid argument. I did not open any SMB ports. My system got hacked via an open SMB port and because guest access enabled by default. There are many HA instances out there with open SMB, are you seriously saying that users with enough experience to even know which ports to open are actually opening them and leaving guest access enabled?
Home Assistant’s focus is to automate your home not secure the local network.
Nobody is asking for HA to be a network security device, just for it to be as secure as possible out of the box.
Well how do you suggest the ports are being opened?
There is an open PR for this: Disable guest access for Samba by default by balloob · Pull Request #311 · home-assistant/addons · GitHub
HA 2FA still be under experimental. Hope it will be released soon
Hi,
I’m using Nginx and proxy the traffic to my Hassio.
I would like to know how to implement this:
Things to add to your checklist:
most important!! set up HA to know it’s receiving requests from a proxy. Without letting HA know that it’s getting requests from a proxy and to look for the x-forwarded header, HA will think ALL requests come from just your proxy’s IP on your network. This means both legit and abuse requests will come from that IP, and if you set up HA to block failed attempts it’ll end up blocking your legit logins as well. Or worse, outside logins will look like they’re coming from internal, since HA can no longer tell what the original IP was.
Now I’m using this configuration in Nginx:
location / { proxy_pass https://address.to.my.local.ha; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; }
Is there something else I need to add to the Home Assistant HTTP configuration beyond this?
Thanks!
hey guys have a ASUS ROUTER that supports openvpn server and i use the openvpn app for ios it was really easy to get it to work my question is this secure i searched on the web and i did not see any problem but im not sure is good enough thanks for your help in advance
I use the same and ensured I do not run any open ports. I have asked a certified ethical hacker to try to get into my network an he failed doing so (OK, not definitive, but for me it is good enough)
it’s a vpn so it should be fine. The biggest issue with that route is that if they push out a bigfix or update to openvpn then Asus needs to push an update as well which may or may not happen in a timely manner if it even happens at all.
To people who have quoted me or PMed me, this what I use for 2FA:
The biggest issue I see with a VPN solution is that things like Google Assistant etc (non-cloud) aren’t going to work.
I also have some Yeelights, Xiaomi, Wemo and LimitlessLED devices - they all have their own app as well as being able to be controlled via home assistant.
So today for instance when Home Assistant Beto 0.73.0b0 screwed over my entire HA Hassio, I can still control my devices and lights.
In addition, I think using a strong password and not having guest access is pretty much going to do it for security for most people. Using a reverse proxy so you don’t have 50 ports forwarded and using a random high 30xxx port number is going to prevent most issues for most people. We aren’t protecting Fort Knox and a lot of what’s on here is knee jerk reactions and totally over the top. Maybe that’s just me…
I do use a VPN on my LAN for other things where I want more secure connections but I want functionality as well… Google Assistant functionality (non-cloud) and I’m prepared to take that risk.
Nope, it’s not just you. I totally agree.