I realize I added a security exception in my browser for https://homeassistant.local:8123/lovelace/default_view
Is that dangerous? It was the only way to get this working.
The same goes for my xxx.duckdns.org instance… I use the duckdns add-on.
I keep getting notifications of unsuccessful login attempts from strange IP addresses… Does this have anything to do with this?
Is my homeassistant at risk?
Your certificate seems to be malfunctioning.
The certificate is still capable of doing encryption, but it can not be authenticated.
Authentication is used to confirm that the site is who it says it is, but since it is your own site then you already know that so no problem with the security exception.
You should get your certificate looked after though.
The failed login attempts are just the reality of any port opened towards the internet.
The experts will recommend a VPN instead of port forwarding directly to HA, since HA sometimes weighs convenience over security.
One thing I would also consider is to enable 2FA. This way you greatly improve safety against these login attempts.
What are these ‘strange IP addresses’, do you have any examples?
Are you actually forwarding port 8123 in your router to your HA instance?
How can I “get my certificate looked after”? I’m doing everything myself here.
Sometimes it turned out to be my own IP address. But others were from different countries, known for grooming around. I dismissed the notifications, so I don’t have an example for now.
And, yes I guess I’m forwarding port 8123 in my router, at least I have a rule in my router settings, and duckdns works, when I give that security exception in the browser. Also the iOS app works with the duckdns address.
Check the guide you used to set it up.
It might just be that it needs a renewal.
You mean like Onboarding Home Assistant - Home Assistant?
I used it years ago and again this year when I moved to a Pi4.
Although I’m definitely not a security expert, I’d still recommend a VPN or the Wireguard add-on for remote access.
Even I managed to set up Wireguard and I’m also running the WG Tunnel app on my Android (WG Tunnel - Apps on Google Play) which automatically connects me as soon as I leave my Home WiFi.
Okay, maybe I found something.
I deleted the refresh tokens under user profile, security. Got my own IP banned, deleted that in the yaml file. Restarted. Logged in again. Anyway, now the duckdns connection is secure, no exception in the browser needed anymore.
About the local connection, it’s still not secure, and when I look at the certificate (in the browser, address bar, security info) it shows something with duckdns. So I guess HA has only one certificate which in my case is valid only for duckdns, not local connection.
As @WallyR said above, since it’s local I can trust it anyway. But is it really like that for everyone that uses duckdns and local connections, that there is just one certificate, which is only valid for one of them?
Thanks for all the input.
At the profile security page, I came across Multi-factor authentication modules, guess that is at least 2FA. Maybe I give it a try some day.
Here’s the latest example of a strange IP: Login attempt or request with invalid authentication from 93.123.109.231 (93.123.109.231). See the log for details.
Logger: homeassistant.components.http.security_filter
Source: components/http/security_filter.py:87
integration: HTTP (documentation, issues)
First occurred: 9:17:29 PM (2 occurrences)
Last logged: 9:17:52 PM
Filtered a potential harmful request to: /assets…/.git/config
Filtered a potential harmful request to: /static…/.git/config
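Added example, not Home Assistant code and not from the thread: a small triage script run over log lines constructed to mirror the notification and security_filter messages quoted above (the first IP is the one quoted; 203.0.113.7 is a constructed documentation address). It counts unauthenticated requests per source IP and classifies the filtered paths, showing that `/.git/config` requests are a generic web-scanner signature rather than anything Home Assistant specific; the ban threshold is an assumed value.

```python
"""Triage Home Assistant auth-failure notifications and security_filter log
lines. Added example, not Home Assistant code; the log text is constructed."""
import re
from collections import Counter

# Constructed sample log, modelled on the messages quoted in the thread.
SAMPLE_LOG = """\
2024-05-01 21:17:29 WARNING [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 93.123.109.231 (93.123.109.231). See the log for details.
2024-05-01 21:17:29 WARNING [homeassistant.components.http.security_filter] Filtered a potential harmful request to: /assets/.git/config
2024-05-01 21:17:52 WARNING [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 93.123.109.231 (93.123.109.231). See the log for details.
2024-05-01 21:17:52 WARNING [homeassistant.components.http.security_filter] Filtered a potential harmful request to: /static/.git/config
2024-05-01 22:03:10 WARNING [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7 (203.0.113.7). See the log for details.
"""

AUTH_FAIL = re.compile(r"invalid authentication from (\d{1,3}(?:\.\d{1,3}){3})")
FILTERED = re.compile(r"Filtered a potential harmful request to: (\S+)")

# Paths that internet-wide web scanners request on every host they find; none
# of them exist on Home Assistant, so a hit marks an opportunistic crawler.
GENERIC_PROBES = ("/.git/", "/.env", "/wp-login.php", "/phpmyadmin", "/.aws/")


def triage(log_text: str) -> dict:
    """Count auth failures per source IP and classify filtered request paths."""
    failures = Counter()
    probes = {"generic": [], "other": []}
    for line in log_text.splitlines():
        if m := AUTH_FAIL.search(line):
            failures[m.group(1)] += 1
        elif m := FILTERED.search(line):
            path = m.group(1)
            kind = "generic" if any(p in path for p in GENERIC_PROBES) else "other"
            probes[kind].append(path)
    return {"auth_failures": dict(failures), "probes": probes}


def verdict(summary: dict, ban_threshold: int = 5) -> list[str]:
    """Plain-language reading of the summary, one finding per entry.
    ban_threshold is an assumed value standing in for the HA login-attempt limit."""
    out = []
    for ip, n in summary["auth_failures"].items():
        level = "would trigger an IP ban" if n >= ban_threshold else "below ban threshold"
        out.append(f"{ip}: {n} unauthenticated request(s), {level}")
    if summary["probes"]["generic"]:
        out.append("filtered paths match mass web-scanner probes, not a targeted HA attack")
    if summary["probes"]["other"]:
        out.append("unclassified filtered paths need a closer look: " + ", ".join(summary["probes"]["other"]))
    return out
```

Note that the security_filter lines carry no source address, so the script cannot tie a filtered path to an IP; it only shows whether the paths look like mass scanning.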
Looks like you got yourself somebody from Bulgaria who’s interested - and given that they’re scanning for port 8123 they are probably targeting it correctly as a Home Assistant Instance on the other side of the router.
If you want to keep the port forwarding despite the risk, AT LEAST use another, higher port to forward to your install.
Sounds like you got it corrected now.
Free public certificates only work for domain names.
DuckDNS is your domain name provider and they only provide domain names for public IPs, so your internal IP can not be handled that way.
If you get your own domain name, then you can use that internally, but it might cost some money. Some domain name endings are cheap and others are really expensive.
Not sure I understand. You mean anything with xyz.duckdns.org is public? The security certificate is working for my duckdns now, and it is stored somewhere inside my homeassistant, since it is showing up when I connect locally.
It seems someone guessed my xyz or I exposed it somehow. @chairstacker suggests that I move to another port, so change 8123 to something higher (any number?).
Would it also help to get another duckdns address that is more difficult to guess? Now I have 2 words and 2 digits as xyz…
It is working as intended, but you need to read up on it to get your answer, because I do not have time to explain how certificates, port forwarding, public vs local IPs and so on works.
You are on the internet and in order to make things work they have to be public accessible, so you changing port or getting another duckdns address will only postpone it a bit.
It is like changing the name on your mailbox and painting your front door in another color.
And to stay with @WallyR 's image:
They don’t care about the name on your door (your xyz), they go straight to your (public IP) address.
Changing the port away from 8123 is generally referred to as ‘security through obscurity’ and it’s more about giving the user a (fake!) sense of security than actually providing real security. It will not fool a determined individual, it will just delay the obvious.
I wish people would stop using that expression.
Security is almost always obscurity. Pin codes, passwords, encryption and so on are only based on obscurity.
Some obscurity is strong, like the newest encryption methods. Some is weak, like using another port than the norm, but where the line goes between weak and strong is fluid. Earlier 3DES was a strong one, but today it is weak, simply because computers have increased in power and now can test all the possibilities in a relatively short time.
Changing the port can up the security, if the attacker is going straight for that port, but in this case it might actually just be checking all the 65536 available ports and therefore moving it will not do anything.
Respectfully disagree with this statement!
There’s a difference between “publicly accessible” and “publicly known”. The door to your house is publicly accessible and publicly known—a third-party can certify that that door is indeed at that address and owned by you.
That third-party could also certify that “your address, bedroom, left nightstand, top drawer, small red box” also is at your address and belongs to you, even though it is not publicly accessible. <— This is what the duckdns integration allows you to do. It certifies that xyz.duckdns.org is controlled by you using Let’s Encrypt as the third-party, while xyz.duckdns.org points to a local address inside your LAN that is not publicly accessible.
Also, use a VPN instead of opening the port. The Tailscale Add-On makes this trivially easy.
Hm, so I installed Tailscale everywhere, and try to access https://homeassistant.tailxyz.ts.net:8123/lovelace/default_view and get the well known message again: Firefox does not trust this site because it uses a certificate that is not valid for homeassistant.tailxyz.ts.net:8123. The certificate is only valid for xyz.duckdns.org.
Guess I’ll spend another hour copy/pasting what some YouTube video tells me about getting a TLS certificate and proxy and what not. If they were some random hacker telling me to install ransomware, not sure I would notice.
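Added example, not from the thread and not browser or Home Assistant code: the hostname check a browser performs against the certificate's Subject Alternative Names, which is why a certificate issued for xyz.duckdns.org is rejected for homeassistant.local and homeassistant.tailxyz.ts.net alike, with or without :8123. The SAN list is a constructed placeholder; the function also shows the wildcard rules, which go beyond the single-name case in the thread.

```python
"""Why one DuckDNS certificate does not cover other hostnames. Added example,
not Home Assistant or browser code; the SAN list is a constructed placeholder."""
import ipaddress

# Constructed: the single dNSName a DuckDNS/Let's Encrypt certificate carries.
DUCKDNS_CERT_SANS = ["xyz.duckdns.org"]


def hostname_matches(san_names, host: str) -> bool:
    """Return True if a dNSName SAN covers *host*, following the RFC 6125 rules
    browsers apply: case-insensitive, label by label, and '*' honoured only as
    the entire leftmost label, where it stands for exactly one label."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal needs an iPAddress SAN entry, not a dNSName
    except ValueError:
        pass
    labels = host.split(".")
    for san in san_names:
        pat = san.lower().rstrip(".").split(".")
        if len(pat) != len(labels):
            continue  # a wildcard never spans more than one label
        if any("*" in p for p in pat[1:]) or ("*" in pat[0] and pat[0] != "*"):
            continue  # partial ('xyz*') or non-leftmost wildcards are not honoured
        if all(p == "*" or p == l for p, l in zip(pat, labels)):
            return True
    return False


def check_url_host(san_names, url_host: str) -> str:
    """Report the name check for the host part of a URL; the ':port' suffix is
    not part of the name and plays no role in the comparison."""
    host, _, _port = url_host.partition(":")
    if hostname_matches(san_names, host):
        return f"{host}: covered by the certificate"
    return f"{host}: NOT covered, certificate is only valid for {', '.join(san_names)}"
```

The browser additionally validates the chain and expiry; this block covers only the name comparison, which is the check that fails in the messages quoted above.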