I have been Hacked

The getting started guide and the top level of the install page now have a warning banner to nudge people towards securing their install.

The securing page now also points out that there’s no security through obscurity.

Hopefully those will make it less likely that people overlook securing their systems, and instead make it a deliberate choice (at which point, that’s your problem). Oh, and don’t forget that you can add trusted networks that are exempt from authentication, so you can require authentication from everything other than your home network.

3 Likes

I think this topic might be handled anyway by the creator of HA as we speak.
He is creating a structure that will allow user creation in the future, to better handle different user roles (admin, simple user, …).
This will certainly also require the creation of a root user on first start, or at least the modification of the default user password on first start.

And it seems 2-step auth or support for other auth services will be supported too :slight_smile:

You can have a glimpse at the current work here:


6 Likes

Thanks @Tinkerer - the ‘trusted network’ option addresses my concerns about being forced into setting up a password.

To make it clear to people that it's really important:

I have nginx installed as a proxy server in front of HA, AD, my FTP etc.
A few weeks ago I went through the logs from nginx, when I was looking at other logs that I normally don't look at.
And there I saw some strange entries. I really never thought about looking there before and was always thinking that no one would be interested in looking at my server.

I looked up the strange entries, and they were attempts to hack a PHP server (which I don't have).
I wrote an AppDaemon app to create a new log with unique visitors from my nginx server.

I never suspected that it would be like that, but since that moment (about 3 weeks ago) it registered almost 1000!!! unique visitors!!

It makes me look at my log regularly and I see that it's mostly the same: attempts to hack PHP, or other default hacking attempts.

So don't think you are invisible on the web when you are exposed. Every day there are people trying to open your door!

3 Likes
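As an added example (not the poster's AppDaemon app), here is a small Python parser over nginx combined-format access log lines that counts unique external visitors and flags requests for PHP/WordPress paths the host does not serve. The sample log lines and the trusted-network prefixes are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# nginx's default "combined" log_format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Paths that only make sense against software this host does not run
# (the poster has no PHP server), so any hit is a probe, not a real user.
PROBE_RE = re.compile(r'\.php(\?|$)|/phpmyadmin|/wp-login|/wp-admin|/cgi-bin/', re.IGNORECASE)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines, trusted_prefixes=("192.168.", "10.")):
    """Count unique external visitors and collect probe paths per source IP.

    trusted_prefixes is a constructed stand-in for the home LAN; a prefix
    check is enough here because this is a log summary, not access control.
    """
    visitors = Counter()
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"].startswith(trusted_prefixes):
            continue
        visitors[rec["ip"]] += 1
        if PROBE_RE.search(rec["path"]):
            probes[rec["ip"]].append(rec["path"])
    return {"unique": len(visitors), "per_ip": dict(visitors), "probes": dict(probes)}

# Constructed sample log lines (documentation IP ranges, not real visitors).
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Feb/2018:03:14:07 +0100] "GET /phpmyadmin/index.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2018:03:14:09 +0100] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2018:08:22:41 +0100] "GET / HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '192.168.1.20 - - [10/Feb/2018:09:01:02 +0100] "GET /api/states HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print(f"unique external visitors: {report['unique']}")
    for ip, paths in report["probes"].items():
        print(f"probe traffic from {ip}: {paths}")
```

Point it at the real access.log (for example `summarize(open('/var/log/nginx/access.log'))`) and the LAN entry in the 192.168.x range drops out while the PHP probes from outside are listed per source address.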

Am I the only one that doesn’t use “homeassistant” in my DNS record?

2 Likes

Hopefully not. I use a random 16 digit alphanumeric string together with a wildcard certificate. So in my case even that string doesn’t show up on crt.sh when I search for my domain. And HASS sits behind a reverse proxy, so only the correct hostname gets me forwarded to HASS. I’d almost say I wouldn’t even need an API password with this setup. :smiley: But of course the Hostname is set in the DNS, and I won’t rely on that data not leaking.

I never understood why everyone thinks they have to use port 80 or 443. You don’t. You can have SSL on ANY port you choose as long as it’s not being used by another service. There are 65535 ports available. 99.9999% of port scanners only check the top 1024. 80 and 443 are in there. Add your PW for HA, change the port to something obscure that is not in use, add SSL, close down everything else and you have reduced the odds of your server being touched by magnitudes. It’s that simple. If you must have any other ports open, change those default ports to something else and forward those. Same logic. For any port scanner/knocker they would have to scan 65k+ ports on every single IP/fqdn and even on my i7 it takes significant time just scanning 1 IP. It’s just not going to happen that way. Yes 1024 ports is low and pretty fast to scan an entire /8. But honestly, increase your chances by doing basic port changes and you will see a reduction in scans/knocks and ultimately hacks!

3 Likes

I think most things are discovered by “scanning” the entire internet… It’s relatively easy to try every ip on the internet for port 8123 for example to see who has open ports there and then go back and try to hack them.

The website shodan.io has results of these scans. Go look up your home IP there. If you have ports forwarded, they probably have it listed.

Honestly, most problems occur from unpatched servers, unpatched routers and unsecured/default passwords. Most scanners are looking for known (usually already fixed) vulnerabilities that someone didn’t update for.

No need to hide or do supersecret stuff.

Just update your stuff occasionally and add a password. I like the moving-off-the-standard-port idea, so don’t let me knock that.

Thanks for the website. I looked up my current public IP address and found a port that isn’t used in any of my HA setup nor is it a forwarded port in my router. Why would that be?

Now I’m wondering what it is and why it’s there…?

Could be that your IP used to be someone else’s IP and that port was open.

You could also go to https://www.grc.com and use the “ShieldsUp!” service to scan your own IP just to check what’s open on your own system.

Am I correct in assuming when you install the extension in chrome that when you are in your HA page in your browser it shows the open ports? Because mine is blank… Other web pages show details.

Shodan is showing that 8880 has a service running on it though, not just open. It also shows my HA instance with the LetsEncrypt cert etc.

Do you have something running on port 8880?

Not that I know of. I looked through all my HassIO add-ons and checked what ports they use (because those are what I have forwarded in my router) but I can’t check my router until Tuesday as I’m not at home. It just seems rather strange.

If your router has UPnP, disable it. A service has the ability to open its own ports when UPnP is enabled.

Do you have a Ubiquiti UniFi Controller?

I agree that most problems are from security vulnerabilities, but in order to find hosts with these conditions the end-user hacker has to find them. Scanning subnets is the only way. Unless of course they find a database of URLs. So scanning well-known ports is an age-old practice.

Thanks, will do!

Nope. It’s a TP-Link sitting behind my ISP’s modem.