Port forwarding - consequences?

I make no apologies for another post on security. I am still hoping for some more responses to this HA Security. Consensus? and I really want to keep that discussion focussed in order to make it useful.

So, is it possible to definitively state what opening port 8123 and directing it to hassio actually exposes you to?

By which I mean, does this ‘only’ allow a successful hacker to play with your lights or whatever else is exposed in your front end or would they also possibly have access to the actual config files too?

I suspect the answer will be that there is no definitive answer but some knowledgeable input would be appreciated.


I recently closed my port and to be honest for me HA is a bit rubbish without external access. Presence and location detection is a big part of it for me and I see no way of doing that successfully without opening port(s).

I am sadly very close to calling it a day and just using my current Pi based hassio as a standalone controller for my garden irrigation system (which works really well). I really see no future for HA if the security issue cannot be sorted out except for those who understand the very technical solutions - and don’t get me wrong, for those people HA is brilliant, I just don’t think it will reach a wider ‘market’. Which is perfectly fine if that is its ambition but in my opinion would be a shame because it has so much else going for it.

I guess uncertainty about security will be a point for all services you are going to expose to the internet, regardless of whether it is HA, your cheap Chinese cloud-connected webcam or just a simple SSH service.

You could try it the other way - don’t open ports to the internet waiting for access but use HA instead to initiate connections. For example use Telegram to remote control your HA instance. Define commands and send notifications to control only the stuff you really need to when not at home.

Even if some bad hackers gain control of the whole Telegram infrastructure, they still won’t be able to completely capture your HA server (unless they find a way to run remote code execution via malformed Telegram packets … ).

“Yes, I’m paranoid - but am I paranoid enough?” :smiley:

2 Likes

@DrGrandios, this is a really good answer and I had indeed already half considered using Telegram as my ‘remote frontend’ long before all these hacking scares. I only half considered it because it seemed like a daft solution to a problem that at that time I didn’t know existed. It does have the extra benefit of being able to give access to some features to other people without them having unrestricted access to the whole config (something I know will soon be addressed with HA user level login).

Maybe I’ll go for it, or at least consider it as an option. It would be a lot of code but hey, that’s part of the fun with HA, right?

But, (there’s always a but), what about presence and location? I don’t know of a way to enable that piece of the pie without at least one open port - I currently use Owntracks HTTP for remote location and combine it with NMAP when at home.

And are you paranoid enough? Probably not if you want to be as paranoid as me :stuck_out_tongue:

And thanks for a thoughtful and constructive response.

I don’t know how sensitive your location data is, but you could put a cloud MQTT service in-between - for example https://www.cloudmqtt.com/plans.html

It is free for max. 5 users and limited to 10 kbit/s - should be enough for some location JSONs.

Owntracks publishes to cloudmqtt, HA gets notified from it.

I think you need to look at the way you have set things up. The purpose of Home Assistant is home automation; if you are having to access it frequently you may want to review what you have set up. It sounds like remote control, not automation. I can go weeks without touching the front end.

Ok, sorry for the rant, onto your question.

Home Assistant is like any other device on your network that is connected to the internet, it’s exposed in some way. How long it would take someone to get in and get anything damaging is the question.

As @DrGrandios said, I would worry more about what devices you have and what they expose. The internet of things (iot) has a bad reputation for a good reason.

From everything I have read about the breaches users have had, it seems to be poor setup/understanding of their network that exposed them. That in addition to not reading the docs and associated warnings.

There have been a few things HA could do to tighten security a bit, however, (again from what I have read) it seems the users are leaving the front door to their home open, which in turn exposes a lot.

3 Likes

I don’t disagree and I didn’t see it as rant :wink:

I don’t often want to access it but when I do it is brilliant (e.g. when on holiday to check my garden is being watered enough/not too much!). But I have already been thinking that maybe I should look at things differently.

Anyway, thanks for your constructive reply. The only thing I would respond directly to is:

That is all true and good advice in as far as it goes. I’d like to see the docs and associated warnings all in one place though with a big banner pointing to them!

As an aside I started my journey with home automation using OpenHAB but I didn’t like it half as much as I do Home Assistant. However I went to look at their website again a few days ago and I’m not saying anything about the quality but their guide to security seemed a lot more complete and well signposted than anything on the HA website.

I think a list of all the possible pitfalls related to security isn’t a good idea. How does one filter out what they need? The warnings should be highlighted where the configuration option is given. That said, I didn’t notice that the one I was expecting isn’t highlighted very well. I plan to make it a stand alone warning when I get some time.

The below provides generic info on security

Got a link? A quick scan of the site didn’t pop it up.

The risk comes down to what the person attacking your system can do.

If they can hack HA, that’s probably not such a big deal, but what if they can find a flaw in the webserver being used, and can use that to get access to the computer HA is running on?

If they do that, can they get access to other computers/devices? How about the NAS that has your honeymoon pictures?

If you want to be serious about security, you cannot just look at one system in isolation. The question you have to ask is "what could someone do if they hack this? Where could they get to? What is now exposed?"

If your HA system is running on Linux (native, or in Docker) and it’s being run as a low privilege user, you’re in better shape than the guy who is running it on Windows as an admin because they couldn’t figure something out, and sharing credentials with other systems on their home network.

1 Like

It’s found by clicking ‘Documentation’ from the top menu of the home screen and is the last section of the installation guide, visible on the right hand pane. So, to be fair, it is two clicks from the home page and should be unmissable for those installing OpenHAB. As I said it looks quite well featured but I am neither qualified to say nor experienced in following its suggestions / recommendations.

I’ve been looking into Cloudmqtt. I’ve got Owntracks publishing to it but I can’t see how…

I have hassio and am using the Mosquitto add-on to control my sonoffs. From what I’ve read I have to bridge Cloudmqtt to my Mosquitto but I can’t find out how to do that.
I’d be grateful for a pointer.

EDIT: I found this [solved] Mqtt over internet? aka: "How to set up cloudMQTT bridge with Hassio mosquitto broker" but following it gives the following Mosquitto error log - I must be putting the config file in the wrong place?

starting version 3.2.2
Error: Unable to open include_dir '/share/mosquitto'.
Error found at /etc/mosquitto.conf:19.
Error: Unable to open configuration file.

Tor is a secure remote access method that requires no port forwarding. I do believe there is a Hassio add-on. It is a very quick setup and with stealth mode enabled, your site is invisible. There are Tor clients for every platform imaginable.

If MQTT bridging fails for you, it should be possible to use AppDaemon in combination with (for example) paho-mqtt as a standalone MQTT client.
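The "Owntracks publishes to CloudMQTT, HA gets notified" idea and the stand-alone paho-mqtt client suggested in the last post, put into code as an added example. This is not code from this thread, nor from Home Assistant, AppDaemon, Owntracks or CloudMQTT. The broker hostname, credentials, the `(user, device)` allow-list and the `sink` callback name are assumptions; the `owntracks/<user>/<device>` topic layout and the `_type: location` JSON fields follow the public Owntracks conventions. The point relevant to the thread is what this pattern does and does not expose: the home network only makes an outbound TLS connection (no forwarded port), the subscription is scoped to the Owntracks tree, only allow-listed devices are trusted, and every payload coming off the shared cloud broker is validated before anything reaches the automation layer.

```python
"""Stand-alone MQTT consumer for Owntracks location messages (added example).

Not code from Home Assistant, AppDaemon, Owntracks or CloudMQTT. Broker
hostname, credentials and the device allow-list below are placeholders.
"""
import json
from typing import Callable, Dict, Optional, Set, Tuple

# Assumed connection settings; replace with the values from your broker's dashboard.
BROKER_HOST = "broker.example.invalid"
BROKER_PORT = 8883                 # TLS port; plain 1883 would send credentials and locations in clear
BROKER_USER = "ha-consumer"
BROKER_PASS = "change-me"
TOPIC_FILTER = "owntracks/+/+"     # subscribe to the Owntracks tree only, nothing else on the broker

# Constructed allow-list: (user, device) pairs this consumer is willing to trust.
ALLOWED_DEVICES: Set[Tuple[str, str]] = {("alice", "phone")}

# Callback that receives (user, device, location) for every accepted message.
Sink = Callable[[str, str, Dict[str, float]], None]


def parse_topic(topic: str) -> Optional[Tuple[str, str]]:
    """Return (user, device) for 'owntracks/<user>/<device>', else None."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "owntracks" or not parts[1] or not parts[2]:
        return None
    return parts[1], parts[2]


def parse_location(payload: bytes) -> Optional[Dict[str, float]]:
    """Validate an Owntracks location payload and return only the fields we use.

    A shared cloud broker is an input from the internet: anything that is not a
    well-formed 'location' object with numeric, in-range coordinates is dropped.
    """
    try:
        data = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(data, dict) or data.get("_type") != "location":
        return None
    lat, lon = data.get("lat"), data.get("lon")
    for value in (lat, lon):
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return None
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    result = {"lat": float(lat), "lon": float(lon)}
    acc = data.get("acc")
    if isinstance(acc, (int, float)) and not isinstance(acc, bool) and acc >= 0:
        result["acc"] = float(acc)  # reported accuracy in metres, optional
    return result


def handle_message(topic: str, payload: bytes, sink: Sink,
                   allowed: Set[Tuple[str, str]] = ALLOWED_DEVICES) -> bool:
    """Accept a message only from an allow-listed device with a valid payload.

    Returns True when the location was handed to `sink`, False when dropped.
    """
    who = parse_topic(topic)
    if who is None or who not in allowed:
        return False
    location = parse_location(payload)
    if location is None:
        return False
    sink(who[0], who[1], location)
    return True


def run(sink: Sink) -> None:
    """Connect outbound to the broker over TLS and feed accepted locations to `sink`.

    Only an outbound connection is made, so no inbound port on the home network
    is opened. Requires paho-mqtt (assumed to be installed).
    """
    import paho.mqtt.client as mqtt  # imported here so the parsers run without it

    def on_connect(client, userdata, flags, rc):
        client.subscribe(TOPIC_FILTER, qos=0)

    def on_message(client, userdata, msg):
        handle_message(msg.topic, msg.payload, sink)

    client = mqtt.Client()
    client.username_pw_set(BROKER_USER, BROKER_PASS)
    client.tls_set()  # system CA store, server certificate verification required
    client.on_connect = on_connect
    client.on_message = on_message
    client.connect(BROKER_HOST, BROKER_PORT, keepalive=60)
    client.loop_forever()


if __name__ == "__main__":
    # Constructed sink: print accepted locations; in practice hand them to
    # AppDaemon or whatever updates the device_tracker state in HA.
    run(lambda user, device, loc: print(user, device, loc))
```

The hand-off into Home Assistant is deliberately left as the `sink` callback, since that part depends on whether you run this inside AppDaemon or as a separate process. Everything before the sink is the part that matters for the question in this thread: the consumer trusts the broker for transport only, not for content.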