New user question about hass.io out of the box security

I am a new user who just set up hass.io on a raspberry pi, and I was just wondering about how secure it is out of the box. I am not running any add-ons or ssh, just the web interface to control some things locally. I have just flashed the card, connected it to my network with an ethernet cable, and installed. No modifications or creating configuration files for wifi or anything like that.

Should I turn on two factor authentication? I am the only person at my home.


I actually would turn it on, but also use trusted_networks and trusted_users so you will never need to auth again; if someone did manage to hack in, it’s an extra roadblock. In all honesty, probably no issues as long as you don’t expose it to the net anyway.

Thank you. I turned on 2FA just in case; I will also look at configuring the trusted networks and users.

Can I have your advice on my configuration.yaml file? I just downloaded the configurator to add the trusted variables.

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
# http:
#   base_url: example.duckdns.org:8123

# Text to speech
tts:
  - platform: google_translate

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
homeassistant:
  auth_providers:
    # Listing auth_providers replaces the default list, so the
    # username/password provider (where 2FA lives) must stay listed
    # or it disappears.
    - type: homeassistant
    - type: trusted_networks
      trusted_networks:
        - 10.123.10.0/24
      # trusted_users maps a network to user IDs (shown on the user's
      # detail page under Users), not to usernames.
      trusted_users:
        10.123.10.0/24:
          - voltronman

      trusted_users:
        10.123.10.0/24: voltronman
      allow_bypass_login: true

You could use this - no need for a list.
Then you won’t even get a login prompt when on the 10.123.10.0/24 network.


Disclaimer - I’ve not looked at this specifically on Hass.IO, but…

If someone gains access to your network, then they will probably have a DHCP address in your range (10.123.10.x)… so only trusted_users is protecting you here.

However, if you have your DHCP set up to give your device(s) fixed IP address(es) - usually tied to the device’s MAC address - then that would be more secure, because only “you” would get the correct IP address AND username.

Of course, if you limit this to 1 device and that device breaks or is lost then you would be locked out… so maybe have 2 devices setup :wink:
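As an added illustration (not code from this thread or from Home Assistant itself), here is a simplified Python model of how the trusted_networks provider decides what a client sees at login. It makes the point above visible: any client whose address falls inside the trusted range clears the network check, and only the trusted_users mapping decides which account it is handed. The network, the user ID and the config layout are constructed placeholders.

```python
"""Simplified model of Home Assistant's trusted_networks auth provider.

Constructed illustration, not Home Assistant's own implementation: it
mirrors the documented order of checks (network match, then trusted_users,
then allow_bypass_login) so the effect of each setting can be inspected.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed config modelled on the thread's snippet. trusted_users takes
# user IDs, not usernames, so the value is an obvious placeholder.
TRUSTED_NETWORKS_CONFIG: Dict = {
    "trusted_networks": ["10.123.10.0/24"],
    "trusted_users": {"10.123.10.0/24": ["USER_ID_OF_VOLTRONMAN_PLACEHOLDER"]},
    "allow_bypass_login": True,
}


def trusted_users_for(client_ip: str, config: Dict) -> Optional[List[str]]:
    """User IDs the provider would offer this client, or None when the
    client is outside every trusted network (password + 2FA applies)."""
    addr = ip_address(client_ip)
    matched = [n for n in config["trusted_networks"] if addr in ip_network(n)]
    if not matched:
        return None
    users: List[str] = []
    for net in matched:
        allowed = config.get("trusted_users", {}).get(net)
        if allowed is None:          # no mapping: every account is offered
            return ["*"]
        users.extend(allowed if isinstance(allowed, list) else [allowed])
    return users


def decide(client_ip: str, config: Dict) -> str:
    """Summarise the login screen outcome for one client address."""
    users = trusted_users_for(client_ip, config)
    if users is None:
        return "password+2fa"
    # allow_bypass_login only skips the prompt when exactly one user is offered
    if config.get("allow_bypass_login") and len(users) == 1 and users != ["*"]:
        return "auto-login:" + users[0]
    return "pick-user"


if __name__ == "__main__":
    # Any 10.123.10.x address (a DHCP lease is enough) is auto-logged in.
    for ip in ("10.123.10.42", "192.168.1.5"):
        print(ip, decide(ip, TRUSTED_NETWORKS_CONFIG))
```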

If someone malicious is on your local network you have bigger issues to worry about.

I totally agree :smile:

Hence my advice: if anyone is going to start securing a system, it’s best to understand what adjustments will increase both external hardness as well as internal hardness… if someone does get in, you don’t want them wandering around and/or leaving things behind.

But, in this particular case, the 2FA will definitely help protect their HA :slight_smile:

If they crack your wifi key or have physical access, nothing will help.