Hi, we all know (or think we know) how dangerous direct exposure to the internet can be. This of course also applies to home-assistant.
To protect HA from the internet itself is relatively easy, but what if family members, friends, friends of family members, etc. have access to the network where HA is located (turning off the lights on a stairway while it’s in use may seem funny but can actually be rather dangerous)? The same goes for other IoT devices on the internal network; they may have become compromised.
But that aside, does anyone know how much effort is actually made to make HA and Node-RED more robust in fending off this kind of thing?
It sounds like everybody is warning about protecting HA, but I very seldom see any information about hardening HA.
Can anyone shed a little light on this topic?
I know that you can try to protect HA with VLANs etc., but if anybody in the family besides you must also have access, the tech-savvy kids of the family will ALWAYS also find a way to get access to your HA.
First, you don’t need to expose NodeRed to the internet. It can connect locally to HASS so exposing it to the internet is completely unnecessary. So that should answer that.
Regarding HASS being exposed, no more dangerous I would say than any other piece of software out there. HASS is open source so you can vet the security yourself, it has 2FA, and you also really don’t need to expose it to the internet, it’s just convenient. You could use a VPN, you could use NabuCasa, etc.
Nothing you do can prevent a tech savvy kid (or an attacker) on your local network from getting access to something other than making sure you have good passwords.
You probably don’t find any guides because the security of your network is not directly related to Home Assistant; this is a question for a network security forum. Also, there are so many different network setups that you can’t write a guide that fits all. Also, there’s not a lot you can do from the HA side to secure your network except for MFA and strong passwords.
What kind of hardening? You can set up Fail2Ban, you can use 2FA, you can create users and use strong passwords. I’m not sure what other kind of hardening you’re looking for but those 3 things should keep out the vast majority of bad guys. You do that and the person is likely to look for other targets that are easier. Remember, you don’t have to outrun the bear, just the other guy.
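As an added illustration of the Fail2Ban suggestion above (example code written for this thread, not code from Home Assistant or from any of the posters): a small sliding-window detector that reads Home Assistant log lines, picks out the failed-login warning and reports source addresses that hit a threshold, which is the same decision Fail2Ban makes before it adds a firewall rule. The log wording is modelled on the warning HA’s http component writes and should be checked against your own log, and the sample lines are constructed, not a real capture.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern modelled on the warning Home Assistant's http component writes on a
# failed login; the exact wording is an assumption, check it against your log.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ WARNING .*"
    r"Login attempt or request with invalid authentication from (?P<ip>[\d.]+)"
)

def failed_logins(lines):
    """Yield (timestamp, source_ip) for every failed-login warning in lines."""
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]

def offending_ips(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time_threshold_was_hit} for IPs with >= threshold failures
    inside any sliding window of `window` length (what Fail2Ban would ban)."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for ts, ip in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample log (not a real capture): six failures from .50 within
# six minutes, two far-apart failures from .20, plus an unrelated INFO line.
def _line(ts, ip):
    return (f"{ts}.123 WARNING (MainThread) [homeassistant.components.http.ban] "
            f"Login attempt or request with invalid authentication from {ip} ({ip}). "
            f"Requested URL: '/auth/login_flow/abc'. (Mozilla/5.0)")

SAMPLE_LOG = [
    "2024-03-01 21:00:00.001 INFO (MainThread) [homeassistant.core] Starting Home Assistant",
    *(_line(f"2024-03-01 21:0{i}:30", "192.168.1.50") for i in range(6)),
    _line("2024-03-01 21:02:00", "192.168.1.20"),
    _line("2024-03-01 21:30:00", "192.168.1.20"),
]

if __name__ == "__main__":
    for ip, when in offending_ips(SAMPLE_LOG).items():
        print(f"{ip} hit the threshold at {when}")
```

Home Assistant ships a built-in version of this in its `http:` integration (`ip_ban_enabled: true` together with `login_attempts_threshold`), which records banned addresses in `ip_bans.yaml` in the config directory.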