I recently switched over to HA from Smartthings (so glad I did!) and have everything working extremely well. But I keep wondering if my system is really secure from someone trying to hack into it remotely.
I currently have HassOS 4.15 installed on a pi4 and am using the DuckDNS Add-on with Let's Encrypt. Port 8123 is forwarded in my router to 8123 internally. I also have 2-factor authentication enabled. Both my internal and external URLs are http, not https (http://xxxxxxxxx.duckdns.org:8123).
My limited understanding is that anyone in the world could point a browser at my network, either by using my ISP’s IP or the DuckDNS IP, along with the 8123 port, and be presented with the HA logon screen. But with the 2-factor authentication they would be unlikely to be able to log in. My understanding of the Let’s Encrypt feature is that it would just encrypt the traffic between my iPhone’s HA app and HA itself, which protects against the unlikely event that anyone tries to sniff the packets to get my password when I’m accessing the system remotely.
So my questions are: Is this secure enough or is there something else I should be doing? Is there some other way someone could hack the open/forwarded port to gain access? I did try enabling HTTPS, but ran into an issue where I could no longer access the system using the app on iPhone, so I reverted it back to http. My understanding of https is that just like Let's Encrypt, it's simply encrypting the traffic when I access it remotely, but does nothing to prevent an attack on the port?
Thanks in advance!
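For reference, here is an added example of a Home Assistant `configuration.yaml` `http:` block that actually uses the Let's Encrypt certificate the DuckDNS add-on obtains, and turns on the built-in login rate limiting and IP banning. This is illustration added to the thread, not the original poster's configuration: the `/ssl/fullchain.pem` and `/ssl/privkey.pem` paths are assumed to be where the add-on writes the certificate, and the threshold value is a chosen example. The point it shows is that obtaining a certificate does nothing on its own; until `ssl_certificate` and `ssl_key` are set, port 8123 still serves plain HTTP, and the external URL should then be changed to `https://`.

```yaml
# configuration.yaml (added example, not the poster's own file)
http:
  # Serve port 8123 over TLS using the certificate the DuckDNS/Let's Encrypt
  # add-on renews. Paths are an assumption based on the add-on's usual output.
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

  # Ban a source IP after repeated failed logins on the exposed port.
  # 5 is an example threshold, not a recommendation from the thread.
  ip_ban_enabled: true
  login_attempts_threshold: 5

homeassistant:
  # With TLS enabled, both URLs switch from http:// to https://.
  # The hostname below is a placeholder, not a real DuckDNS name.
  external_url: "https://your-name.duckdns.org:8123"
  internal_url: "https://your-name.duckdns.org:8123"
```

With this in place the forwarded port only accepts TLS connections, so the 2FA code and password never cross the internet in the clear, and brute-force attempts against the login page get the source address banned (banned addresses are written to `ip_bans.yaml` in the config directory, which is worth checking now and then to see whether anyone is actually knocking).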