How secure is HA password auth?

I’d like to access my Home Assistant from outside the house. I know there are at least 3 ways of doing this:

  1. Pay $5/month for Home Assistant Cloud.
  2. Use Nginx and forward port 443 on my router.
  3. Use a VPN or SSH tunnel. No need for HTTPS.

Option 1 means the port is open to the world, so security relies completely on the strength of Home Assistant’s password authentication. I’m looking for details on what type of password is used here, i.e. how hard would it be for someone to hack in? I do have 2FA enabled which of course helps.

The official docs recommend using VPN or SSH tunnel, which seems to imply that the authors don’t trust the built-in password auth.

I mean, assuming the authors do trust it, they’re still not going to recommend option #2. Forwarding ports on your router is universally considered bad security practice. You can be certain that someone will find that port and poke at it. Whether they get in or not depends on the security of the software behind it. But the risk is certainly lower if there’s no port forwarded at all and therefore no ability to poke.

Also, I would guess you’re running this on some low-powered device like a Raspberry Pi, which probably isn’t going to stand up to a DoS attack if someone wanted to mess with you, even if they couldn’t get in.

Option #1 is better than option #2, but it is obviously possible for someone to find that URL if they happen to be on the same wifi as you. This is significantly reduced to the point that most are likely comfortable with it (odds of getting in x odds of being on the same wifi as a nefarious person).

But has HA been battle-tested in the same way popular VPN and SSH software has? Absolutely not. So if your goal is to absolutely maximize your security then #3 is going to be your winner hands-down. Since your only entry point is that VPN or SSH software.

Well, you are the one who controls the “type of password” (the encryption behind the scenes is irrelevant to this part).

Of course, even if you have hunter2 for your password, with 2FA enabled it’s going to be pretty hard for people to use that password to log in. As long as you keep the token secure you’ve not got a lot to worry about.

I’ve had HA exposed to the Internet for over 5 years now, and never had a problem. There are two things I’ve done that have helped with that (beyond good passwords):

  1. I don’t use port 443 or 8123, or any other common port. No, it’s not security, but a little bit of obscurity has kept my HA host off the radar of the scanners and brute forcers. I’ve averaged less than one probe a year.
  2. I use a proxy server, NGINX in this case, and only expose the bits of the API that I need for apps to interact with HA remotely - which is mostly bits of /api/webhook/...

For full remote access I use WireGuard. Trivial to set up, a much smaller attack surface than HA, and well tested. It’s always possible that a security issue will be found with a Python package HA uses, or with a custom component, that could cause a problem in the future. That’s why I limit what’s accessible, and why when last year’s security issue was found I didn’t have to worry about it.

2 Likes
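One way to build the allow-list described in point 2, as an added example and not the poster's own configuration: an Nginx server block that proxies only /api/webhook/ to Home Assistant and answers 404 for every other path, so the login flow and the rest of the API are never reachable from outside. The listen port, server name, certificate paths and the HA backend address are placeholders.

```nginx
# Added example: expose only Home Assistant webhooks through Nginx.
# Placeholders (assumptions, adjust to your setup): the listen port,
# server_name, certificate paths and the LAN address of the HA host.

upstream homeassistant {
    server 192.0.2.10:8123;   # placeholder: HA host on the LAN, default port
}

server {
    listen 48123 ssl;          # placeholder non-standard port, TLS only
    server_name ha.example.invalid;

    ssl_certificate     /etc/letsencrypt/live/ha.example.invalid/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.invalid/privkey.pem;

    # Longest-prefix match wins: only paths under /api/webhook/ reach HA.
    # /auth/, /api/ and the frontend fall through to the catch-all below.
    location /api/webhook/ {
        proxy_pass http://homeassistant;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else, including the login page, is not proxied at all.
    location / {
        return 404;
    }
}
```

Home Assistant only accepts proxied requests when its `http:` integration has `use_x_forwarded_for: true` and the proxy's address in `trusted_proxies`; the webhook IDs themselves stay secret, since a 404 for any other path gives a scanner nothing to enumerate.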

Good points. Currently the only thing open on my router is a non-standard port for SSH. My previous home server I used fail2ban, and I see HA has this as an add-on too.
To connect from iOS, I guess I would have to make the SSH connection and port forward using an app like Termius, and then use http://localhost:8123 in the HA iOS app configuration. This is a bit clunky for regular use so maybe I’ll look into the Tailscale add-on instead.

Turn on multi factor authentication too.

Wow I don’t even see it as hunter2. :rofl:

3 Likes

I also block internet access from and to HA; I only open it when I am doing updates. Only my LAN and VPN connection is allowed to HA.

Fail2ban is really close to obsolete today.
Earlier it made sense, but today scanners and brute forcers use distributed attacks, so 2-3 attempts will come from one IP, and then the next IP in their botnet will take over, and so on.
Fail2ban will have no effect here.

2 Likes