How to protect Home Assistant against hackers

If you’re connecting your HASS directly to the internet for remoting purposes, you can install CrowdSec on it to protect against hackers. CrowdSec is a FOSS IDS/IPS and is now available as a HASS add-on. HAOS 8 is a requirement. Here are a few screenshots.
It consists of two parts: the agent, which detects attacks, and the bouncer, which blocks them. Here are instructions on how to install both the agent and the bouncer:

Disclaimer: I am head of community at CrowdSec so if that’s a problem feel free to remove this.



6 Likes

Thanks for posting this information. I’ve been aware of CrowdSec for a while now, so it’s great to be able to put it to use. Is there a way to run the CrowdSec dashboard under Home Assistant (I couldn’t locate any information on this) at this point?

@klausagnoletti great information and plugin. My only question is: is there additional documentation indicating if the product is working as intended, e.g. blocking certain IPs, etc.?

Also thanks for shedding some light on this plugin as you can never have too much security these days.

1 Like

Sorry for the late reply. I missed your post. Yes, check out https://doc.crowdsec.net for additional information or join our Discord at CrowdSec for any additional questions.

Sorry for the late reply. Which dashboard are you talking about?

For us running HA core on docker, what are the configurations needed in the crowdsec config and the acquis file to read the home-assistant.log?

It’s not clear to me when I read this page. It doesn’t define the parameters for acquis.yaml:
https://hub.crowdsec.net/author/crowdsecurity/configurations/home-assistant-logs

I’m currently getting no parsing while trying to bruteforce login to my HA:

my acquis.yaml is defined as such:
image

and my docker variables:
docker run -d --name='crowdsec' --net='proxynet' --cpuset-cpus='1,2,5,13,14,17' -e TZ="America/New_York" -e HOST_OS="Unraid" -e HOST_HOSTNAME="UnraidNAS" -e HOST_CONTAINERNAME="crowdsec" -e 'COLLECTIONS'='crowdsecurity/nginx crowdsecurity/http-cve crowdsecurity/whitelist-good-actors LePresidente/authelia Dominic-Wagner/vaultwarden crowdsecurity/home-assistant-logs' -e 'PUID'='99' -e 'PGID'='100' -l net.unraid.docker.managed=dockerman -l net.unraid.docker.webui='http://[IP]:[PORT:8080]/' -l net.unraid.docker.icon='https://raw.githubusercontent.com/ibracorp/app-logos/main/crowdsec/crowdsec.png' -p '8081:8080/tcp' -v '/mnt/user/appdata/crowdsec/data/':'/var/lib/crowdsec/data':'rw' -v '/mnt/user/appdata/crowdsec/':'/etc/crowdsec':'rw' -v '/mnt/user/appdata/swag/log/nginx':'/var/log/nginx':'ro' -v '/var/log':'/syslog':'ro' -v '/mnt/user/appdata/Authelia/log':'/var/log/Authelia':'ro' -v '/mnt/user/appdata/bitwarden/log':'/var/log/vaultwarden':'ro' -v '/mnt/user/appdata/homeassistant':'/var/log/homeassistant':'ro' --restart unless-stopped

nevermind found it! collection should be: “crowdsecurity/home-assistant”!

works now

@klausagnoletti interesting that it won’t ban brute force login attempts from internal LAN hosts but it will ban those coming from outside? Is that expected behavior? I have not set any whitelist for the private IP range in /parsers/s02…

Second issue: I keep getting http probing banned from my own house when I’m accessing home-assistant through the iOS app outside of the home over LTE.

I believe this is mainly triggered when I go to my camera page which streams rtsp feeds through home-assistant.

If I understand correctly from here: CrowdSec Hub it’s guarding against 400/403/404 errors, namely bad request, forbidden or page not found…

Should I just adjust the capacity or leak speed of the scenario bucket (allow more 400/403/404s, or forget about them faster), or is there a way to fix the problem?

I believe this is the page causing issues on my dashboard:

  - title: Cameras
    path: cameras
    icon: mdi:camera-outline
    badges: []
    cards:
      - show_state: true
        show_name: true
        camera_view: auto
        type: picture-entity
        entity: camera.uvc_frootdoor
      - type: picture-entity
        entity: camera.uvc_backyard
        camera_view: live
      - type: picture-entity
        entity: camera.uvc_driveway
        camera_view: live
      - type: picture-entity
        entity: camera.uvc_patio
        camera_view: live
      - type: picture-entity
        entity: camera.uvc_sidefence
        camera_view: live
      - type: picture-entity
        entity: camera.uvc_sidegate
        camera_view: live

but it only seems to happen when I have limited LTE signal I believe.

Also if I refresh my home-assistant too much I get this ban: http-crawl-non_statics CrowdSec Hub
which I assume is just a guard on hitting my site too much.

I believe both of these are being detected from my nginx logs rather than my home-assistant.log, but I think it’s worth mentioning here. @klausagnoletti let me know if you have any suggestions.

1 Like

that’s some nice addition, thank you! just enrolled.

Could you give other users a hint how to enable it also for nginx-proxy addon? :slight_smile:

2 Likes

This is for Home Assistant OS.

What if I am running a supervised install over Debian? Can I still use it, or do I install it directly on Debian?

Hi All,

I am running Home Assistant as a Docker container side by side with CrowdSec, also with Frigate and a few RTSP cameras.

Whenever I access Home Assistant from a public IP, within seconds that IP is banned, similar to the original poster.

Reason: crowdsecurity/http-probing

Is there any way to prevent this?

Thanks in advance for any assistance offered.
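
The capacity and leak-speed question raised in the posts above about http-probing bans can be checked offline before touching a scenario. The following is an added example, not part of any post and not CrowdSec's own code: a simplified leaky-bucket model run over constructed nginx access-log lines. The request paths, the IP address, and the capacity and leak values are all assumptions chosen for illustration, not the hub scenario's real settings.

```python
import re
from datetime import datetime

# Constructed nginx access-log lines (not from the thread): one client on a
# flaky link requesting six different camera URLs that fail within seconds.
SAMPLE = [
    f'203.0.113.7 - - [10/Mar/2023:18:00:{s:02d} +0000] '
    f'"GET /example/camera{n} HTTP/1.1" {status} 0'
    for n, (s, status) in enumerate(
        [(0, 404), (1, 403), (2, 404), (3, 400), (4, 404), (5, 404)])
]
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
WATCHED = {"400", "403", "404"}  # statuses the thread says the scenario counts


def overflows(lines, capacity, leak_seconds):
    """Return {ip: time of first overflow} for a simplified leaky bucket.

    Each watched error on a path not yet seen for that IP pours one unit;
    one unit leaks every `leak_seconds`; exceeding `capacity` overflows.
    """
    buckets, hits = {}, {}
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(4) not in WATCHED:
            continue  # unparsed line or a status the bucket ignores
        ip, ts, path = m.group(1), m.group(2), m.group(3)
        now = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        b = buckets.setdefault(ip, {"level": 0.0, "last": now, "paths": set()})
        leaked = (now - b["last"]).total_seconds() / leak_seconds
        b["level"] = max(0.0, b["level"] - leaked)
        b["last"] = now
        if b["level"] == 0.0:
            b["paths"].clear()  # an empty bucket forgets old paths
        if path in b["paths"]:
            continue  # repeated failures on one path are counted once
        b["paths"].add(path)
        b["level"] += 1
        if b["level"] > capacity and ip not in hits:
            hits[ip] = now.isoformat()
    return hits
```

Replaying a copy of your own reverse-proxy log through a model like this with different capacity and leak values shows whether legitimate bursts (such as a camera page reloading on a weak mobile connection) would still overflow after tuning.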