Is my HA Secure?

Hey lovely people,

I keep getting attempted logins from random IPs outside my network (see photo)

For a long time I have only ever used LAN access and a VPN for remote. However, I wanted to link devices on my HA raspberry pi 4 to Google home.
So I followed this guide: Easy & Free Remote Access For Home Assistant!

So I now access via a domain name over HTTPS. It works great.

However, I keep getting login attempts. Is this normal? How can I stop this from happening? Is there a filter I can add to block them, while I'll still be able to send lights from HA to Google Home so I can control them via its speakers etc.?

I know there are a few topics on this already. But I couldn’t see anyone with my exact issue.

Thanks, any help or advice is appreciated.

If you exposed your setup to the outside world then yes the world can see it. And yes bots try to hit all known ip addresses all the time. So yes it’s normal and no there’s nothing to do about the attempts. You can’t stop someone from knocking on your door.

If you’re going to do that then you need to make sure it’s safe. What is safe. Well some would say not exposing it at all. Some would say you need state inspection on all inbound traffic firewalling all inbound traffic using a reverse proxy. You’re about to get a ton of suggestions I’m sure. But you can’t keep someone from knocking the door.

As long as your router is forwarding to HA you will have this.
Maybe your router can whitelist Google, but Google tends to use a wide range of IPs.

But as long as you use a strong password, you should be ok :wink:

But you can keep them on the outside of the yard fence before they can reach the door to knock :wink:

I’ve been using a reverse tunnel for various things for a while now and added aggressive IP blocking at the firewall on the entry of the tunnel. That works surprisingly well, the amount of drive bys is zero now. I blacklisted the entire IP pool by default and only whitelist our provider IP ranges (home and cell) as well as the static IP at work.

Of course this won't help against someone specifically targeting you (but nothing really will) or against the script kiddie that happens to use the same ISP as you. But still, it only opens the port to like 0.02% of the possible IPv4 attack address space. It's an easy-to-do, low-hanging fruit, always worth a try. Whitelisting Google should be doable too if you find the IP range they're using for Google Home. Maybe start here?

It is pretty much impossible.
Their CDN changes all the time. They add new servers around the world with new IP addresses and remove old ones without refusing the IP.
Each time you hit a blocked IP you will have to go on a hunt, and it will quickly become very tiresome.

Reverse proxies can help, but only if you know how to set them up correctly. A faultily configured reverse proxy can make it much worse, because it can make it look like traffic is local and thereby bypass much of your filtering.

1 Like

Hmm, okay. I figured with a random gibberish domain name I might not get hit often but this was the second I put it live. :joy:

Maybe I'll go back to a VPN and set up Home Assistant voice for local chat.

Router forwarding TOY?

What is that?

How annoying. Oh well.

But for those not using voice (like me), IP filtering is still a good and very easy way to massively reduce drivebys.

Okay.

I’ll try whitelisting IPs. Not sure how that’s going to work for my phone though. Surely that changes a lot?

I don’t want to end up in a situation when I can’t access my own HA.

So far moving back to a VPN and the new self hosted voice option sounds the best.

Depends on your ISP. Mine (Orange) seems very consistent, I just added several /22 subnets that are used by the specific offer I have with them. I never had an issue being self blocked, but YMMV. It’s less of a hassle if you use a wider allowed range to get all their IPs, possibly even an entire country. It will still lower the amount of random intrusion attempts if you block like 95% of the global internet.

And always keep a VPN access available just in case you get self-blocked.

Your ISP probably has a way smaller range of IPs than Google (unless you have Google as your ISP ;)).
IANA or RIPE or one of the other IP authorities might have a list of the ranges given to your ISP.

1 Like

sorry, big fingers on a small phone… corrected now😉

Unless you are using some kind of tunneling the only way to completely avoid bots is by whitelisting the IP of your external clients using your firewall/router. But this is almost always impractical because your phone changes IP all the time when outside.

A workable option, without going broke on an advanced Web Application Firewall or Intrusion Prevention System, is to put HA behind a decent firewall that can do IP geo-blocking, recognize port scanning, leverage reputational awareness and, ideally, have web application protection capabilities.

Many people implement this with OPNSense on dedicated hardware.

Make sure you are using 2 Factor Authentication. That’s pretty much the best security option you have. Also - don’t expose Home Assistant directly to the internet, use a reverse proxy.

I recommend using mTLS (mutual TLS). This way, only clients (HA Companion app, Chrome browser, ...) with a valid certificate can connect to Home Assistant. Have a look at
Protecting Home Assistant with Cloudflare Access and mTLS on Android, or search on this forum for more info.

1 Like

Short answer NO

HA afaik has never been penetration tested. My default for SW is if it ain’t tested it doesn’t work. So I’d expect security vulnerabilities and the ability of sophisticated hackers to penetrate the system. And since it identifies itself as HA they also know the stack and have all the source code. VPN, reverse proxies, pfsense firewalls - all that stuff has been pen tested and should be the first layer of defense.

The question might not be so much HA itself, but all the extras, like third-party add-ons and integrations.
These add-ons and integrations might have interfaces that also become available through a reverse proxy with a default setup.

In fact this is one of the best security measures. I had always just assumed that the Companion didn't support client certificates. Setting this up this week...

I automate my firewall rules based on location. Since the vast majority of time we are home, then the vast majority of time the firewall rules are disabled. Decreases my attack surface.

Just set up mTLS following the cue from EnjoyLife above. I had no clue the HA Companion supported this (assumed it just didn't), and kudos to the devs for having implemented it.

Mutual TLS is one of the strongest auth mechanisms you could use.
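A concrete shape for what the thread converges on (a reverse proxy in front of HA that requires a client certificate, and a proxy that forwards the real client address so traffic does not "look local" to HA), as an added example that is not from any poster in this thread. The hostname, certificate paths and the HA backend address (127.0.0.1:8123, HA's default port) are assumptions.

```nginx
# Added example: nginx in front of Home Assistant with mandatory client certificates (mTLS).
# Hostname and file paths are assumed; HA is assumed to listen on its default port 8123 on this host.
server {
    listen 80;
    server_name ha.example.com;            # assumed hostname
    return 301 https://$host$request_uri;  # never serve HA over plain HTTP
}

server {
    listen 443 ssl http2;
    server_name ha.example.com;

    ssl_certificate     /etc/nginx/tls/ha.example.com.fullchain.pem;  # server cert (assumed path)
    ssl_certificate_key /etc/nginx/tls/ha.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # mTLS: only clients presenting a certificate signed by this private CA get past the TLS
    # handshake. Drive-by bots never reach HA's login page, so they stop showing up as login attempts.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;  # CA that issued the client certs (assumed path)
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        proxy_pass http://127.0.0.1:8123;

        # Forward the real client address. HA must list this proxy under http: trusted_proxies
        # and set use_x_forwarded_for: true; otherwise every request appears to come from
        # 127.0.0.1 (the "looks local" problem) and ip_ban_enabled would count the proxy, not the attacker.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # HA's frontend uses WebSockets; without these headers the UI loads but never updates.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 90s;
    }
}
```

On the HA side, set `use_x_forwarded_for: true` and list the proxy's address under `trusted_proxies` in the `http:` section of configuration.yaml. Google's servers will not present your client certificate, so a Google Home link still needs a path without `ssl_verify_client`, and the allowlisting trade-offs discussed above apply to that path.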