Safest Home Assistant Configuration Setup Possible?

Seems that the best answer here lies in a combination of several answers. Segregating your networks, physically and logically, will go a long ways towards providing some peace of mind on the local front. There are excellent comments above from security experts as well as excellent advice here and here.

As to your specific question raised above - how do you mask your public IP address?? I use a combo of Cloudflare (the free version) with DNS-O-MATIC. It works as long as you have the HTTP proxy (CDN) active for the relevant A records.

In my case, if you ping, dig, tracert or search my URL on whatsmydns, you see the public IP for the cloudflare account. There is no visibility of my "real" public IP. I would be curious as to others' experience with Cloudflare and if there are tools that allow you to snoop the real IP from that service.

Of course, these are only two services, there are others and possibly better options. YMMV.

2 Likes

My setup involves OpenResty (NGINX + Lua) along with an OAuth2 proxy. This allows me to set up roles in which different users have access to different services. I honestly don't think I could easily replicate my setup, as I have changed soooo many things to get it working the way it does right now.

The only drawback I've faced with this is that iOS webapps and apps do not work with the Google OAuth implementation.

New vulnerabilities are announced daily and some exploits hang around for years before they're made public and patched. The latest NSA leaks are proof of that. The safest (simple) setup right now is VPN.

You're presuming there's not a decade-old exploit in your VPN :stuck_out_tongue:

True. Inherently VPN has a smaller attack footprint than an entire os though so I would gauge the risk lower.

Just remember that security is relative - I would not trust somebody telling me that "this solution" is 100% secure.

Risk assessment is key here.

Personally I would tend to use a VPN over running a web server. But if you have to run your own webserver like in the Christmas tree example, then I would spend an afternoon firing up something like Kali Linux, and see if the server was vulnerable to the most basic script kiddy attacks (just to ease my mind).

2 Likes

I like ssh, so I use ssh tunneling.
There are multiple iPhone/Android apps that support ssh tunneling, where you setup a ssh connection to your Home Assistant server and tunnel some local-port to the port on which HA is running. Then you connect with your browser to http://localhost:local-port.
Of course, this means that you need to open ssh to the world. I would recommend changing the sshd port on your HA server as an additional security through obscurity measure.

Here is the actual ssh command:

```shell
# forward local port to HA's port on your home server
ssh -f -N -L <local-port>:127.0.0.1:<remote-port> <user>@<server>
```

2 Likes

I wonder in which case one would need the "safest" configuration? I would think if you have door locks, cameras and maybe presence detection?

As there is no such thing as true security, for me it's about how difficult do you want to make it for the intruder?
First the intruder has to know you have Home Assistant in your home, secondly isn't there an easier, old-fashioned way to intrude/break in.

Isn't a strong password and ssl encryption enough? I just started with Home Assistant about a month ago, so if I'm totally naïve in this I'd love to hear.

I do like the idea of 2 factor authentication mentioned above.

1 Like

I very much agree with you this is THE way it should be setup.

But what I've found out so far is that in real life you run into too many problems ...for instance:

  • Only devices in the subnet of your HASS device will be discovered.
  • Wake on Lan will only work on devices in the same subnet as your HASS
  • I've got a Daikin airco with wifi adapter...the Daikin App works great but only if you use it in 1 subnet because the App does some weird broadcast to detect the airco and that udp broadcast doesn't work over vlans.

Only thing in my house that does seem to work well in this setup is Google Nest protect.
So far I've not been brave enough to connect my HASS to the internet, I use OpenVPN with password and OTP which gives me more security but in return I can't use the HASS IOS App for presence detection :frowning:

So we have have a long way to go to find the right balance between security and usability.

The safest is to buy a router that can accept DD-WRT as an operating system then set it up behind a VPN. Most phones can easily be set up to automatically connect to that VPN.

I use a netgear nighthawk 8000 and installed DDWRT to it. Then set up the VPN account. The other advantage here is that you are not subject to typical router backdoors and security holes that hackers use.

If you need publicly accessible services, then you pay for an external web server at a service and then you set up your HASS system to connect to that external server and pull information back and push information out. But that would only be if you want everyone in the world to have access like a halloween display and let them turn lights on and off.

To me really it's security by obscurity. We are low payoff targets. So we generally won't be targeted directly. So that leaves automated scripts in the wild. These go for the simplest options (most bang for the buck). They target standard vnc/ssh/telnet ports with common passwords. I have multiple ports open web/vnc/ssh/ha/mediaportal etc... I employ 'fail2ban' to prevent bruteforce attacks (most common in scripts). Then just use decent passwords. Frankly if someone is keen enough to start scripting against 8123 and happens to get a hit on my external ip and then cracks/bruteforces into my ha assistant instance, they can screw with my lights and tv (oh boy...). Then I'll notice the invalid attempts and change the password...

1 Like
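The fail2ban approach from the post above, as an added example that is not code from the thread: a small Python reimplementation of fail2ban's counting rule (ban a source after `maxretry` failures inside a `findtime` window) run over constructed Home Assistant log lines. The log line layout around Home Assistant's "Login attempt or request with invalid authentication from" warning, the timestamps and the IP addresses are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the warning Home Assistant's http component writes on a failed login.
# The surrounding layout (timestamp, level, logger name) is an assumption.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARNING .*"
    r"invalid authentication from (?P<ip>[0-9A-Fa-f:.]+)$"
)


def find_bannable_ips(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: ISO timestamp of the failure that crossed the threshold} for
    every source with maxretry failures inside one findtime window. This is the
    decision fail2ban makes before it adds a firewall rule. Lines must be in
    chronological order, as they are in a log file."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    banned = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue              # unrelated log line
        ip, ts = m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if ip in banned:
            continue              # already banned, nothing more to count
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts.isoformat()
    return banned


def _hass_line(time, ip):
    # Constructed sample line shaped like Home Assistant's failed-login warning.
    return (f"2024-01-10 {time} WARNING (MainThread) [homeassistant.components.http.ban] "
            f"Login attempt or request with invalid authentication from {ip}")


# Constructed sample log: a fast burst from 203.0.113.7, an unrelated INFO line,
# and slow failures from 198.51.100.9 that never reach five in ten minutes.
SAMPLE_LOG = [
    _hass_line("21:00:01", "203.0.113.7"), _hass_line("21:00:03", "203.0.113.7"),
    _hass_line("21:00:05", "198.51.100.9"), _hass_line("21:00:07", "203.0.113.7"),
    _hass_line("21:00:09", "203.0.113.7"),
    "2024-01-10 21:00:10 INFO (MainThread) [homeassistant.core] Bus:Handling <Event state_changed>",
    _hass_line("21:00:12", "203.0.113.7"), _hass_line("21:00:14", "203.0.113.7"),
    _hass_line("21:20:00", "198.51.100.9"), _hass_line("21:25:00", "198.51.100.9"),
    _hass_line("21:26:00", "198.51.100.9"),
]
```

With the defaults only the burst source is reported; lowering `maxretry` to 3 also catches the slow source, which shows why the two settings have to be tuned together rather than just cranking one down.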

Another obscurity step would be to change the port forwarding to have say 58123 on the WAN side forward to 8123 on the LAN side. Ports above 32k are regularly opened and closed by apps, browsers etc. so there isn't much point in scripting a scan on those.

3 Likes

Yep, same goes for all common ports. I leave them as defaults because I have a few cases that expect the standard port and I can't change away from it.

If someone got into your HASS box more than likely they'll sit there for weeks and pull your usernames/passwords from your local network. They'll probably use your box on a botnet too. Don't give someone direct access to HASS from the internet. It's simple to apply basic security principles and prevents most intrusions. Don't join the IOT botnet. :slight_smile:

Sorry, no idea what you are talking about with regards to my post...

^ commenting on this.

Ok not sure how they will get local user names/passwords from hass. It's just a website. If hass has some backdoor that installs packet sniffers/attempts to do something other than what we as a community think it does and know it does based on open source code then we are all in a world of hurt as that makes it a virus/trojan... That's like saying if you crack someone's gmail you can get google exec domain accounts. To each their own I guess. Cheers!

1 Like

I'm currently using the pihole + openvpn setup - instructions for RPi here.
It gives me control over pretty much my VPN, ports, etc and I don't have to expose HA 8123, SSH, etc.

However, you are able to actually see my public IP.
I have other services running:
-Apache (to host HASS) and a "stationary diversion page"
-zoneminder for cameras
-mqtt for owntrack and other fun stuff
-OpenDNS for DNS control, protection on top of pihole (I know...excessive...definitely agreed!)

I would like to try spoof or hide that lovely public IP of mine... any guide, step-by-step, walk through you may have? @freedog96150

2 Likes

Brother from another mother... if you haven't tried pihole + openVPN setup from here

My setup:
RPi 3
Linux debian jessie
LAMP
pihole + openvpn
mqtt
zoneminder

You probably have the most videos about security ever! (i have asked a couple of times here and there for help...thank you!) Let me know if this is something you would be interested in, I have several step by step guides (pretty much I write everything I do, so I can reproduce if everything goes south...has happened a couple of times with the RPi1... :wink: )

1 Like

Very nice. Would your setup work on one RPi2 with HA running on a different one?