Seems that the best answer here lies in a combination of several answers. Segregating your networks, physically and logically, will go a long way towards providing some peace of mind on the local front. There are excellent comments above from security experts as well as excellent advice here and here.
As to your specific question raised above - how do you mask your public IP address? I use a combo of Cloudflare (the free version) with DNS-O-MATIC. It works as long as you have the HTTP proxy (CDN) active for the relevant A records.
In my case, if you ping, dig, tracert or search my URL on whatsmydns, you see the public IP for the Cloudflare account. There is no visibility of my "real" public IP. I would be curious as to others' experience with Cloudflare and if there are tools that allow you to snoop the real IP from that service.
Of course, these are only two services, there are others and possibly better options. YMMV.
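A defender-side check for the setup above (added example, not part of the original post or Cloudflare's tooling): confirm that every public DNS record you care about resolves only to Cloudflare's proxy ranges, so that no record hands out the origin address. The hostnames and addresses below are constructed for the example, and the range list is a snapshot that must be refreshed from Cloudflare's published list before use.

```python
import ipaddress
import socket

# Snapshot of Cloudflare's published IPv4 proxy ranges. Assumption: this list is
# a point-in-time copy; refresh it from https://www.cloudflare.com/ips/ before
# relying on it, because the ranges change over time.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]


def is_cloudflare(addr):
    """True if the address lies inside one of the proxy ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _CF_NETS)


def audit_records(records):
    """records: {hostname: [resolved IPv4 addresses]}.

    Returns {hostname: [addresses outside Cloudflare]} for every record that
    would expose the origin, or an empty dict when everything is proxied.
    """
    leaks = {}
    for name, addrs in records.items():
        exposed = [a for a in addrs if not is_cloudflare(a)]
        if exposed:
            leaks[name] = exposed
    return leaks


def resolve_ipv4(name):
    """Live lookup helper (not used by the offline sample below)."""
    return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})


# Constructed sample: two records behind the proxy, one that is not.
SAMPLE_RECORDS = {
    "ha.example.com": ["104.21.33.44", "172.67.1.2"],       # proxied (orange cloud)
    "cam.example.com": ["104.21.33.44"],                     # proxied
    "direct.example.com": ["203.0.113.7"],                   # DNS-only record, leaks origin
}

if __name__ == "__main__":
    for name, addrs in audit_records(SAMPLE_RECORDS).items():
        print(f"{name} exposes origin address(es): {', '.join(addrs)}")
```

The point of auditing every record rather than just the one you browse to is that a single DNS-only subdomain pointing at the same home connection undoes the masking for all of them; run the audit over the whole zone after any DNS change.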
My setup involves OpenResty (NGINX + Lua) along with an OAuth2 proxy. This allows me to set up roles in which different users have access to different services. I honestly don't think I could easily replicate my setup, as I have changed soooo many things to get it working the way it does right now.
The only drawback I've faced with this is that iOS webapps and apps do not work with the Google OAuth implementation.
New vulnerabilities are announced daily and some exploits hang around for years before they're made public and patched. The latest NSA leaks are proof of that. The safest (simple) setup right now is VPN.
Just remember that security is relative - I would not trust somebody telling me that "this solution" is 100% secure.
Risk assessment is key here.
Personally I would tend to use a VPN over running a web server. But if you have to run your own webserver like in the Christmas tree example, then I would spend an afternoon firing up something like Kali Linux, and see if the server was vulnerable to the most basic script kiddie attacks (just to ease my mind).
I like ssh, so I use ssh tunneling.
There are multiple iPhone/Android apps that support ssh tunneling, where you set up an ssh connection to your Home Assistant server and tunnel some local port to the port on which HA is running. Then you connect with your browser to http://localhost:local-port.
Of course, this means that you need to open ssh to the world. I would recommend changing the sshd port on your HA server as an additional security-through-obscurity measure.
Here is the actual ssh command
forward local port to HA's port on your home server
I wonder in which case one would need the "safest" configuration? I would think if you have door locks, cameras and maybe presence detection?
As there is no such thing as true security, for me it's about how difficult do you want to make it for the intruder?
First the intruder has to know you have Home Assistant in your home, secondly isn't there an easier, old-fashioned way to intrude/break in.
Isn't a strong password and ssl encryption enough? I just started with Home Assistant about a month ago, so if I'm totally naïve in this I'd love to hear.
I do like the idea of 2 factor authentication mentioned above.
I very much agree with you this is THE way it should be set up.
But what I've found out so far is that in real life you run into too many problems… for instance:
Only devices in the subnet of your HASS device will be discovered.
Wake on Lan will only work on devices in the same subnet as your HASS
I've got a Daikin airco with wifi adapter… the Daikin App works great but only if you use it in 1 subnet because the App does some weird broadcast to detect the airco and that udp broadcast doesn't work over vlans.
Only thing in my house that does seem to work well in this setup is Google Nest protect.
So far I've not been brave enough to connect my HASS to the internet. I use OpenVPN with password and OTP which gives me more security, but in return I can't use the HASS iOS App for presence detection.
So we have a long way to go to find the right balance between security and usability.
The safest is to buy a router that can accept DD-WRT as an operating system then set it up behind a VPN. Most phones can easily be set up to automatically connect to that VPN.
I use a Netgear Nighthawk 8000 and installed DD-WRT on it, then set up the VPN account. The other advantage here is that you are not subject to typical router backdoors and security holes that hackers use.
If you need publicly accessible services, then you pay for an external web server at a service and then you set up your HASS system to connect to that external server and pull information back and push information out. But that would only be if you want everyone in the world to have access like a Halloween display and let them turn lights on and off.
To me really it's security by obscurity. We are low payoff targets. So we generally won't be targeted directly. So that leaves automated scripts in the wild. These go for the simplest options (most bang for the buck). They target standard vnc/ssh/telnet ports with common passwords. I have multiple ports open web/vnc/ssh/ha/mediaportal etc… I employ "fail2ban" to prevent bruteforce attacks (most common in scripts). Then just use decent passwords. Frankly if someone is keen enough to start scripting against 8123 and happens to get a hit on my external ip and then cracks/bruteforces into my ha assistant instance, they can screw with my lights and tv (oh boy…). Then I'll notice the invalid attempts and change the password…
Another obscurity step would be to change the port forwarding to have say 58123 on the WAN side forward to 8123 on the LAN side. Ports above 32k are regularly opened and closed by apps, browsers etc. so there isn't much point in scripting a scan on those.
Yep, same goes for all common ports. I leave them as defaults because I have a few cases that expect the standard port and I can't change away from it.
If someone got into your HASS box more than likely they'll sit there for weeks and pull your usernames/passwords from your local network. They'll probably use your box on a botnet too. Don't give someone direct access to HASS from the internet. It's simple to apply basic security principles and prevents most intrusions. Don't join the IOT botnet.
Ok not sure how they will get local user names/passwords from hass. It's just a website. If hass has some backdoor that installs packet sniffers/attempts to do something other than what we as a community think it does and know it does based on open source code then we are all in a world of hurt as that makes it a virus/trojan… That's like saying if you crack someone's gmail you can get google exec domain accounts. To each their own I guess. Cheers!
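The fail2ban logic the post relies on, reduced to its core so you can see what "prevent bruteforce attacks" actually means (added example, not fail2ban's own code or anything from the original post): count authentication failures per source address inside a sliding time window and flag an address once it crosses a threshold. The sshd log lines are constructed for the example; the parameter names mirror fail2ban's `maxretry` and `findtime`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the sshd "Failed password" line in syslog format (with or without
# the "invalid user" prefix). Year is absent from syslog timestamps, so the
# caller supplies it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2017):
    """Return a list of (timestamp, source_ip) for every failed login line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    return events


def find_bruteforcers(lines, maxretry=5, findtime=timedelta(minutes=10), year=2017):
    """Sliding-window count of failures per IP, fail2ban style.

    Returns {ip: time_of_ban} for each address that produced at least
    `maxretry` failures within any `findtime` window.
    """
    windows = defaultdict(list)
    banned = {}
    for ts, ip in sorted(parse_failures(lines, year)):
        window = windows[ip]
        window.append(ts)
        # Drop failures that fell out of the window.
        while window and ts - window[0] > findtime:
            window.pop(0)
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


# Constructed sample log: one fast password-guessing burst, one legitimate
# user who mistyped once, and one slow source that stays under the threshold.
SAMPLE_AUTH_LOG = [
    "Mar 12 03:14:01 ha sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar 12 03:14:03 ha sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "Mar 12 03:14:05 ha sshd[2105]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Mar 12 03:14:08 ha sshd[2107]: Failed password for invalid user pi from 203.0.113.5 port 51242 ssh2",
    "Mar 12 03:14:11 ha sshd[2109]: Failed password for invalid user pi from 203.0.113.5 port 51244 ssh2",
    "Mar 12 03:16:00 ha sshd[2121]: Failed password for homeuser from 198.51.100.20 port 40010 ssh2",
    "Mar 12 03:16:09 ha sshd[2122]: Accepted password for homeuser from 198.51.100.20 port 40010 ssh2",
    "Mar 12 02:00:00 ha sshd[1900]: Failed password for root from 192.0.2.9 port 33000 ssh2",
    "Mar 12 02:20:00 ha sshd[1910]: Failed password for root from 192.0.2.9 port 33010 ssh2",
    "Mar 12 02:40:00 ha sshd[1920]: Failed password for root from 192.0.2.9 port 33020 ssh2",
    "Mar 12 03:00:00 ha sshd[1930]: Failed password for root from 192.0.2.9 port 33030 ssh2",
    "Mar 12 03:20:00 ha sshd[1940]: Failed password for root from 192.0.2.9 port 33040 ssh2",
]

if __name__ == "__main__":
    for ip, when in find_bruteforcers(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```

The slow source never trips the threshold because its failures are spaced wider than `findtime`; that is the trade-off a real deployment tunes with `findtime` and `bantime`. For the Home Assistant port itself, the same idea is built in: the `http` integration's `ip_ban_enabled` and `login_attempts_threshold` options ban a source after repeated failed logins without needing fail2ban in front.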
I'm currently using the pihole + openvpn setup - instructions for RPi here.
It gives me control over pretty much my VPN, ports, etc and I don't have to expose HA 8123, SSH, etc.
However, you are able to actually see my public IP.
I have other services running:
-Apache (to host HASS) and a "stationary diversion page"
-zoneminder for cameras
-mqtt for owntrack and other fun stuff
-OpenDNS for DNS control, protection on top of pihole (I know… excessive… definitely agreed!)
I would like to try to spoof or hide that lovely public IP of mine… any guide, step-by-step, walk through you may have? @freedog96150
Brother from another mother… if you haven't tried pihole + openVPN setup from here
My setup:
RPi 3
Linux debian jessie
LAMP
pihole + openvpn
mqtt
zoneminder
You probably have the most videos about security ever! (I have asked a couple of times here and there for help… thank you!) Let me know if this is something you would be interested in, I have several step by step guides (pretty much I write everything I do, so I can reproduce if everything goes south… has happened a couple of times with the RPi1… )