Remote Access: Best practice

Hello

I have just recently successfully configured my HA to be accessible remotely…

I have followed the following Step By Step guide (thank you to the author - DuckDNS - It's not just me - it's you!):

  1. Install DuckDNS
  2. Install NGINX (from the core add-ons)
  3. Portforward 443 external to YourHAInstanceIPAddr:443 internal (careful of your routers intracacies bearing in mind the above post, this was my stumbling block)
  4. (Not sure this is necessary but … ) Portforward 80 external to YourHAInstanceIPAddr:80 internal
  5. Find out what your router’s WAN IP address is (make sure this is not via CGNAT (basically NAT layering) as it won’t mean anything on the www.
  6. Goto duckdns.org and enter your WAN IP Address and generate your token … [all solution i link]

Now I was wondering: how safe is it? Can it be easily hacked?

The only configuration I did on my router was to create a port forwarding rule… that was it… How can I be sure that this is not opening my LAN to possible attacks?

Thank you all!

Use a strong password for all your home assistant users.

Enable ipban to prevent dictionary attacks.

I’m not quite sure why you copied (almost entire) the solution post

  1. That’s plagiarism
  2. Unless you maintain it, that too will become out of date.
  3. Please edit your post merely to include a link to the said post

Sorry, I didn’t realize that… already fixed :slight_smile:

1 Like

Thank you for your suggestions… my fears are:

  • Someone Accessing Home Assistant and from there “snooping my LAN” (I am not a security expert, therefore please pardon my ignorance in terms of language)

  • Someone accessing Home Assistant and from there playing around with my devices (e.g. smart lock on the front door)

There must be a best practice for this… no? How do you guys prevent these scenarios? (I feel unsafe that installing two add-ons and setting a port forwarding is “enough” :stuck_out_tongue:)

Turn on multi factor authentication

1 Like

Thank you for this! I immediately did it :slight_smile:

How can I force the other users to activate it? At the moment in HA I have the following users:

  • Hass.io (system generated / Admin)
  • Home Assistant Cast (system generated / Admin)
  • my User (Admin)
  • my wife user (User - not admin)
  • mtqquser (User - not admin)

I guess I can only activate MFA for my wife… but do I need to do it from her phone/user account, or can I force it from the settings/configuration?

What about the other users (system generated)? Are they needed? And how can I be sure that they are not hacked?

Any suggestion on this? Is just a port forwarding safe enough?

Thank you

Opening a port on your router is always a possible angle for an attack :wink:

There is an endless number of things regarding the security of your home network.
Does the Home Assistant instance have access to the whole network or is it in a separate VLAN? Do you have a firewall in your network? Is the firmware for all the devices in your network up-to-date, with all security patches applied? Do your IoT devices have access to the internet?

Seems like you have configured NGINX as a reverse proxy and opened up only port 443 on your router, which limits your exposure to the outside world.
In your NGINX configuration, it seems like you are only forwarding to the HA web interface, i.e. port 8123. So the outside world can only get to your HA web interface on port 443, i.e. HTTPS.
When you enable multi-factor authentication (MFA), you require anyone accessing the HA web interface via HTTPS to provide the second auth in addition to their password. The internal system users (I’m quite sure… but someone else can correct me if I’m wrong) don’t use the HTTPS interface. The only users you need multi-factor auth for are the ones that use HTTPS access. You can force them to use MFA by changing their password and/or letting them know how to use the authenticator app on their phone when prompted on login.
If all the above is true, your HA and LAN exposure to the outside world is very small. My recommendation is to add a good firewall like pfSense on the Internet/LAN border.

1 Like
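As an added example (not from any poster in this thread): the `http:` section of Home Assistant’s `configuration.yaml` that turns on the ipban suggested earlier and makes it work correctly behind the NGINX reverse proxy described above, since with a proxy in front every login attempt otherwise appears to come from the proxy’s own address. The proxy network `172.30.33.0/24` is an assumption; use the address range your NGINX add-on actually connects from.

```yaml
# Added example, not from the thread: Home Assistant configuration.yaml, http: section.
http:
  # Ban a client IP after repeated failed logins (bans are written to ip_bans.yaml).
  ip_ban_enabled: true
  login_attempts_threshold: 5

  # Behind the NGINX reverse proxy, every request reaches HA from the proxy's
  # address. With ip_ban_enabled but WITHOUT the two settings below, ipban would
  # record the proxy itself as the offender and lock out every remote user after
  # five bad attempts from anyone. Trust the X-Forwarded-For header, but only
  # from the proxy, so a client cannot forge its own source address.
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24   # assumption: the add-on network NGINX lives on; adjust to yours
```

This relies on the proxy passing the client address in `X-Forwarded-For`; the bans then apply to the real remote client rather than to NGINX.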

Just to add, port forwarding does not add any security. It does the opposite. The point of these other technologies (SSL, reverse proxy, MFA, etc.) is that they are measures to manage the resulting risk.

1 Like