Secure remote access to my hass.io

Dear all,

I’ve been playing around with a hass.io installation on RPI for a few months, and so far I’m really enjoying it. Due to security concerns, I’ve just briefly tested the duckdns solution and opening my router with a ssl-certificate as suggested in the guides. It works perfectly, but I’m not 100% convinced, so I close it down unless for testing.

I’ve read all/most of the official guides, and tried searching around a bit. Nevertheless, the following doubts still remain, and I would really appreciate your valuable input on it:

i) I’ve setup Duck DNS with Let’s Encrypt through the official add-on, tested and working fine when opening the router. Doubt: Is it safe?? What security level is really reccomended to assure your home/hassio is safe?

ii) I’ve setup two-factor authentification with both Google Auth app and Telegram, seems to be working great. Does it help on the security level with regards to question i)? Secondly, is it enough in addition to duckdns and let’s encrypt??

iii) My hass.io will, as for most people I suppose, include family members (WAF etc). Is there any way to setup forced two-factor auth for all users? I cannot seem to find it, and if it doesn’t exist it seems quite weird to me. I would expect that I could force it as an administrator of my system, otherwise I suppose it doesn’t help at all if one of many users have it disabled??

iv) Any further suggestions on the most secure way of opening for remote access is greatly appreciated. I’ve read the guides, but I can’t seem to get my head around to find the best solution.

Please bear with me for possible lack of detail knowledge on the security stuff - I believe I have a grasp of the basics, and I get everything working. However, I prefer not to leave my home wide open for more intelligent people than myself.

Thanks in advance. Cheers!

i) Safe depends on your authentication. If you’ve chosen the password password with the username admin and not enabled 2FA then you’re horribly insecure. If you’ve picked a reasonable password and enabled 2FA, don’t worry.
ii) No - how you secure other services has nothing to do with how secure HA is. Think about it, did enabling 2FA on Google make Telegram automatically more secure?
iii) No
iv) There’s been a few dozen threads on the topic already that have covered this in depth, however…

1. Use a strong password and 2FA
2. Don’t enable remote access if you don’t need it
3. Consider using a random, high numbered, external port - it’s not true security, but it cuts down on the noise. Think of it as the equivalent of moving your front door to the side of the house, if somebody is just walking down the street trying doors they’ll walk past because you “don’t have one”. Obviously clued up people will still find it.
4. Enable IP bans and set a reasonable value for the threshold

so use HA Cloud.

Hi guys,

Thanks for your replies. I prefer to not have HA in the cloud, and I would really like to open up for remote access to make the system really useful.

What I meant with ii) is exactly using 2FA where Telegram or Google Auth is the second factor, not that these services have 2FA themselves

For me it seems strange that I cannot force all users to use 2FA, because if only one user has it disabled, then it doesn’t help all that much that some use it. Also, there should be a way to enforce password strength from admin side. Anyway, I guess that might be features coming in future releases as HA matures maybe?

Remote access doesn’t make the system “really useful”. There are enough people with “really useful” setups and no remote access. What it does is allow you to interact with it remotely. Don’t confuse the two

Similarly the Nabu Casa service doesn’t make your HA system “in the cloud”, it simply provides you with an alternative way of remotely accessing your system.

There is built in MFA support - use what you want.

Sure, if developers provide those functions. This is an open source project, many of the changes come from people going I wish it could… and then providing that support. If you can’t, then feature requests are the main way of indicating your interest, but it still needs somebody to make it happen.

Huh? If you enable 2FA it is forced for all users.

Hum, how so? I have two users, where only one of them is (manually) set to two-factor auth on the profile page for that user. With the other user I can login without any two-factor (although I only tested on my internal network, not from outside). Do you know a way to force it for all users?

I guess useful depends on the user

Anyway thanks for your replies. I’ll check into Nabu Casa a bit more. The 2-factor is already setup in my system and working just fine, I just expected it to be a ‘global’ setting valid for all users. I’ll consider a feature request, but I think I’ve read somewhere that multiuser and more admin-things are items they seem to be working on towards 1.0.

In my opinion, security is very important for home automation, and I’m quite sure a lot of people are opening up a lot of things without really thinking about it. Not everybody can be network experts

I’m using 2FA on my vbox-based hass.io. Upon a reboot, the system was not accepting my generated 2FA token. Luckily, a reboot restored the 2FA token access.

For future reference, I read the only way to regain access would be to delete authentication-related files from the config folder. The problem here is that since its a VM, I don’t have easy access to this folder. Is there another way to get access back if 2FA tokens are not accepted?

This is false. It is on a per user basis.

This is what is expected. If you set it up on one account it only applies to that user account.

I am not aware of a way to force it for all users.

The samba addon would give you access to the auth file to delete it.
The ssh addon would give you access to the auth file to delete it.
One of the editor addons (configurator/vscode) would give you access to the auth file to delete it.

Ah, thank you; good to know.

A VM doesn’t mean you don’t have access to the folder. Why would it?