Risks by opening my HA installation to the web via Letsencrypt and Duckdns?

Hi Everyone

I started my home automation journey last night and got my Raspberry Pi 3 set up with Hassbian and got remote access set up via Letsencrypt and duckdns.

Paranoid mode=on :slight_smile:
My question is: How hard would it be for someone to get access to my local network?

If someone had the duckdns address and knew I ran HA, he / she could therefore rather easily find out that I would have opened port 80 on my router. Is that knowledge enough for them to gain access to my local network?

Thanks in advance :slight_smile:

Hi,
Since you forwarded port 80 to your hass port, the only thing that will answer is your hass.
Be sure to change port 80 to 443 since you only want to accept SSL connections. The same goes for hass; this needs to be set to SSL only as well.
Make sure to set a strong api_password if you expose to the internet.

-Dennis

There are a couple of long threads on the subject, it’s worth a search.

That said:

  • Follow the securing checklist - don’t expose any service to the Internet without SSL and authentication
  • Nobody needs to know you run HA, or use DuckDNS, to find you’ve opened port 80 by doing a port scan. Those go on all the time, and by using a random high numbered port (from say 10,000 to 65,000) you’ll avoid being trivially found (you can still be found though)
  • Keep your system updated. Security vulnerabilities are found in software all the time (just watch this twitter feed for details of the public vulnerabilities). Running outdated software increases the chances that you’ll have something exploitable.
  • Don’t be tempted to give your Home Assistant account access to sudo - that makes it trivial for anybody who does compromise your HA system to get root access on your Pi (aka full control).

Letsencrypt / SSL does not do anything in security terms here.

A possible attacker does not need to know your duckdns name, these can be automatically scanned. If you use standard ports the scanning is even easier (not implying that using a non-standard port will increase security).

If there is a security flaw in home assistant, the attacker has access to the host running home assistant with the user rights of the home assistant service.
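The replies above boil down to three things you can verify from the outside: port 80 should not answer at all, the forwarded port should present a valid Let's Encrypt certificate for your DuckDNS name, and `/api/` should refuse requests that carry no password. The script below is an added example written for this thread, not code from Home Assistant or from any of the posters. It assumes a hostname of the form `yourname.duckdns.org` and a forwarded port of 443 (both placeholders), uses only the Python standard library, and checks `api_password`-style authentication as described in the thread (newer Home Assistant versions use user accounts and tokens, but `/api/` still answers 401 without credentials). Run it from outside your LAN, e.g. over a phone hotspot, so you see what a scanner sees and not your router's hairpin behaviour.

```python
"""Added example (not from the thread): external checks for a Home Assistant
instance exposed via DuckDNS + Let's Encrypt, as the replies recommend.

Usage (hostname and port are assumptions, replace with your own):
    python3 check_ha_exposure.py yourname.duckdns.org 443
With no arguments it evaluates a constructed set of findings instead.
"""
import socket
import ssl
import sys
import time
import urllib.error
import urllib.request


def port_open(host, port, timeout=5.0):
    """True if a TCP connection to host:port succeeds, i.e. something answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_cert(host, port, timeout=5.0):
    """TLS handshake with chain and hostname verification against the system
    CA store. Returns the peer certificate dict; raises ssl.SSLError when the
    certificate is self-signed, expired, or issued for a different name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(not_after, now_ts=None):
    """Whole days left on a certificate, given the 'notAfter' string from
    ssl.getpeercert(), e.g. 'Jun  1 12:00:00 2024 GMT'."""
    expires_ts = ssl.cert_time_to_seconds(not_after)
    if now_ts is None:
        now_ts = time.time()
    return int((expires_ts - now_ts) // 86400)


def api_status(host, port, timeout=5.0):
    """HTTP status of GET /api/ sent with no credentials. urlopen verifies the
    certificate by default; 401 means a password is required, 200 means the
    API answers anyone who finds the port."""
    url = f"https://{host}:{port}/api/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def evaluate(plain_port_open, tls_error, days_left, api_code):
    """Turn raw findings into a list of problems; empty means the host looks OK."""
    problems = []
    if plain_port_open:
        problems.append("port 80 answers: forward only the TLS port")
    if tls_error:
        problems.append(f"TLS verification failed: {tls_error}")
    elif days_left is not None and days_left < 14:
        problems.append(f"certificate expires in {days_left} days: check the renewal job")
    if api_code == 200:
        problems.append("GET /api/ succeeded without a password: set api_password")
    elif api_code is not None and api_code not in (401, 403):
        problems.append(f"unexpected status {api_code} from /api/")
    return problems


# Constructed findings for offline use: port 80 still open, cert fine, API open.
EXAMPLE_FINDINGS = (True, None, 60, 200)


def main(argv):
    if len(argv) < 2:
        findings = EXAMPLE_FINDINGS
    else:
        host = argv[1]
        port = int(argv[2]) if len(argv) > 2 else 443
        tls_error, days_left = None, None
        try:
            days_left = days_until_expiry(fetch_cert(host, port)["notAfter"])
        except (ssl.SSLError, OSError) as e:
            tls_error = str(e)
        api_code = None if tls_error else api_status(host, port)
        findings = (port_open(host, 80), tls_error, days_left, api_code)
    problems = evaluate(*findings)
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        print("OK: only TLS answers, certificate valid, API requires a password")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A clean run prints only the OK line. If it reports that port 80 answers, the router still has the old forward; if TLS verification fails with a hostname mismatch, the certificate was issued for a different DuckDNS name than the one you are connecting to; a 200 from `/api/` means anyone who port-scans their way to you can read and control your devices, which is exactly the case the third reply warns about.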

Thank you for all the responses, I am really loving this great community so far - It is greatly appreciated.

I will look into all the info this weekend, to make sure I'm as secure as can be. :slight_smile: