Secure remote access

Hi,

During the last few days I was working on a secure and “Nabucasa-free” solution to be able to remotely access my HA instance, and I think it is now almost complete, so let me share my experience in this thread.

Remote access using a VPN was already working, but it is not always convenient/possible to establish a VPN connection when I want to access my HA instance, so I decided to open it up a bit, but in a clever and hopefully secure way.

The information below comes from the forums and from my previous experience as a security professional. I don’t think the solution is perfect, so any additional suggestions are more than welcome.

  1. I needed a domain name with a Let’s Encrypt cert, and the easiest way to do that is the DuckDNS add-on, so I used this. BUT, and here is the first layer of security, choose a domain name which is not obvious. I personally used my favourite passphrase generator to create one :blush:

  2. Thankfully HA authentication supports 2FA, so it is enabled, and I also configured a notification for failed login events.

  3. It is always better to expose a web interface through a reverse proxy, so I’m using nginx within HA for this. The big advantage of this is that the exposed port will not answer to anything other than the random domain name created in the 1st step. Of course, if someone is more paranoid, it is possible to run a reverse proxy as a separate machine/docker container and add some additional level of security in it (like ModSecurity).

  4. Expose the reverse proxy on a random port (this is not big protection, but at least it is something).

+1: if you have some kind of advanced firewall at home with IPS, DoS protection and so on, the policy exposing this port should be configured appropriately.

++1: obviously HA and its components should be regularly updated.

So, what do you think? Is there anything important missing from here?


Good news: the moment you get an SSL certificate for that domain, it’s public knowledge.

Say it with me. Obscurity is not security!

Also, it does nothing to stop people finding your service with a port scan.

That keeps you off the radar of (most) port scans, if you picked something high enough. It’s also not security, just obscurity.


What do you mean by “public knowledge”? Is there any database where you can find the certificates issued by Let’s Encrypt?

Do you have any other suggestion to make the site more secure? I’m thinking of putting Cloudflare WAF in front of this to add an additional layer.


I agree that it’s a PITA having to launch a VPN on my phone to then access HA when not home. I am not a security expert by any means, but I’m looking forward to this discussion!

Yes, there are databases where you can find any commercially issued cert. You can even get feeds of them. This was heavily discussed in another thread here on the forum.

  1. SSL
  2. Strong passwords
  3. MFA
  4. Reverse proxy and/or WAF (though 99.999999999999999999999999999999999999999% of what the WAF detects will be irrelevant)
  5. Monitor the logs and worry
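The databases mentioned in the reply above are the Certificate Transparency logs, and crt.sh is a searchable front end for them. The following is an added example (editor's code, not posted by anyone in this thread) that parses the JSON crt.sh returns for a `%.<domain>` query and lists every still-valid hostname it finds, keeping wildcard entries separate since those reveal the zone but not the host label. The sample response is constructed to mirror the crt.sh field layout; the hostnames in it are made up, and `crtsh_query_url` only builds the URL, so the script runs offline.

```python
"""Pull hostnames out of a crt.sh certificate-transparency response.

Added example for this thread (not code posted by anyone here). crt.sh
answers https://crt.sh/?q=<pattern>&output=json with a list of entries;
the fields used below (common_name, name_value, not_after) are the ones
that endpoint returns. SAMPLE_CRTSH_JSON is constructed to mirror that
shape; the hostnames in it are made up.
"""
import json
from datetime import datetime, timezone
from urllib.parse import quote


def crtsh_query_url(domain: str) -> str:
    """URL listing every logged certificate for any name under <domain>.
    '%' is the crt.sh wildcard, so '%.duckdns.org' matches all subdomains."""
    return "https://crt.sh/?q=" + quote("%." + domain) + "&output=json"


def hostnames_from_crtsh(json_text: str, now: datetime) -> dict:
    """Map each name found in a still-valid certificate to its latest expiry.

    name_value holds the SAN list, newline separated; common_name is added
    too because older certs carry the name only there. Wildcards such as
    '*.zone.tld' are kept verbatim: they reveal the zone but not the host.
    """
    found = {}
    for entry in json.loads(json_text):
        expiry = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        if expiry < now:
            continue  # expired: the host may be gone, skip it
        names = set(entry["name_value"].split("\n")) | {entry["common_name"]}
        for name in names:
            name = name.strip().lower()
            if name and (name not in found or found[name] < expiry):
                found[name] = expiry
    return found


def split_names(hosts) -> tuple:
    """Separate concrete hostnames from wildcard entries (both sorted)."""
    wildcards = sorted(h for h in hosts if h.startswith("*."))
    concrete = sorted(h for h in hosts if not h.startswith("*."))
    return concrete, wildcards


# Constructed sample: three CT entries, one of them already expired.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "correct-horse-battery.duckdns.org",
     "name_value": "correct-horse-battery.duckdns.org",
     "not_before": "2024-03-01T09:00:00", "not_after": "2024-05-30T09:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example-home.net",
     "name_value": "example-home.net\n*.example-home.net",
     "not_before": "2024-02-15T00:00:00", "not_after": "2024-05-15T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "old-host.duckdns.org",
     "name_value": "old-host.duckdns.org",
     "not_before": "2023-10-01T00:00:00", "not_after": "2023-12-30T00:00:00"},
])


def discovered_hosts(now_iso: str) -> dict:
    """Run the parser over the sample as of the given ISO-8601 UTC instant."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return hostnames_from_crtsh(SAMPLE_CRTSH_JSON, now)


if __name__ == "__main__":
    hosts = discovered_hosts("2024-04-01T00:00:00")
    concrete, wildcards = split_names(hosts)
    print("query:", crtsh_query_url("duckdns.org"))
    print("hosts:", concrete)
    print("wildcard zones:", wildcards)
```

Against live data you would fetch `crtsh_query_url("duckdns.org")` with `urllib.request` and feed the response body to `hostnames_from_crtsh`; the point is that a "random" DuckDNS label shows up in the result the moment its certificate is issued, exactly like any other. Only the wildcard entry withholds the host label, and that is the single case the parser cannot turn into a concrete name.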

Check, check, check, check. Maybe later, just for fun, I’ll add Cloudflare WAF.

I’ve tried to find a public database for the certificates as you mentioned, but I can’t find any reliable one. It seems all of the “transparency” services are either defunct or very outdated, so maybe some security by obscurity is also useful :slight_smile:


You’re off to a good start, but the obfuscation in the random domain name is no protection; it won’t take long for someone to find your open port.

The bit missing is nginx mTLS, where you don’t just authenticate the server (nginx); nginx authenticates the client too. Hence you don’t need the obscurity part and can use a much more human-friendly FQDN, as nginx will simply reject any client that doesn’t present a valid certificate.

There are guides on these forums if you search for ‘nginx mTLS’.

Try https://crt.sh.
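Two things from this thread can be combined in one nginx configuration: point 3 of the opening post (the exposed port answers only for the intended name) and the mTLS suggested above (nginx rejects any client without a certificate from your own CA). This is an added example written for this page, not a configuration posted by anyone in the thread; `ha.example.org`, the Let’s Encrypt paths, `/etc/nginx/mtls/client-ca.pem` and the upstream `127.0.0.1:8123` are assumptions to adapt.

```nginx
# Added example (not from the thread): nginx in front of Home Assistant that
# (a) refuses the TLS handshake for any SNI other than ha.example.org and
# (b) requires a client certificate issued by your own private CA.
# Host name, file paths and the upstream address are assumptions.

# Catch-all for scanners and anyone connecting by IP or a guessed name:
# no certificate is ever presented, so the server's real name leaks nothing.
# ssl_reject_handshake needs nginx 1.19.4 or newer; on older builds install
# a throwaway self-signed certificate here and use "return 444;" instead.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ha.example.org;

    ssl_certificate     /etc/letsencrypt/live/ha.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # mTLS: the connection is dropped during the handshake unless the client
    # presents a certificate chaining to this private CA (not a public CA,
    # otherwise anyone with a Let's Encrypt cert could pass).
    ssl_client_certificate /etc/nginx/mtls/client-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The Home Assistant UI runs over WebSocket, so pass the upgrade.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

For this to work end to end, Home Assistant must trust the proxy (in `configuration.yaml`, `http:` with `use_x_forwarded_for: true` and `trusted_proxies:` containing `127.0.0.1`), otherwise HA’s own IP-based ban counts the proxy instead of the real client. The client certificates are issued from your private CA and installed (typically as a PKCS#12 bundle) on each phone or laptop that should reach the instance; with `ssl_verify_client on` a browser without one never gets past the handshake, so the login page, and any HA vulnerability behind it, is never reachable by an unauthenticated party, which is the property the random hostname and port were trying to approximate.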

Yes, most of you are right. Obscurity is not security. However, in this case, where you get a totally random hostname under duckdns.org, where you can find hundreds of thousands of host names, when you search you’ll get this:

truncated
It is not currently possible to sort and paginate large result sets efficiently, so only a random subset is shown below.

Of course it is possible to get a list every minute, build a database from it, then brute-force ports (or just try the obvious 8123), so our beloved black hat guys will figure out my HA server is on xxx.duckdns.org on port 8123; then they can start brute-forcing the login and/or exploit some vulnerability, but the chance is already small. If ppl. follow the other recommendations mentioned above (2FA, strong password, random user, alert on failed login, IP ban etc.) the chances are really minimal.

However, it is much better to give a chance to Nabu Casa or the Cloudflared solution, because in this case we can mitigate more threats, and to be honest it is not more complicated than duck + nginx and seems quite stable.


The hostname isn’t the problem; as someone else said earlier, your endpoint is searchable on the internet via sites like Shodan, so any vulns associated with HA (or firewall/nginx misconfigs) mean you’re exposed irrespective of what random FQDN you’ve got.

HA 2FA is no bad thing, but there’s no way I’d expose HA to the internet without mTLS or a VPN; then again, my risk tolerance may be lower than yours.

And what about exposing by not exposing, like using Nabu Casa or Cloudflared? :slight_smile: Do you see any security risk in this?


Those still expose it, and you’re still discoverable by mining the SSL certificates. The only thing that removes is finding you through port scans.

I don’t think so. For example, Cloudflare issues a wildcard cert for your domain, so there is no explicit certificate for your HA host, so if you keep the hostname to yourself it is quite difficult to open the web interface.

I’m not sure how it works with Nabu Casa, but probably the same.


It kinda feels pointless replying now, but try this simple search on shodan.io: ssl.cert.issuer.cn:R3 home-assistant. That searches for the Let’s Encrypt intermediate CN (R3) and the generic text string home-assistant; you could do the same for Cloudflare certs or whatever Nabu Casa uses. You could even refine the search to focus it even more specifically. But what that shows is that your FQDN is irrelevant, the top result being a wildcard Home Assistant instance for the domain .saca16vti.[hu], along with the ports it has open, the location and a bunch of other stuff that can be used in general open source intelligence gathering. TL;DR obscurity is not security. But I get that you don’t want to hear that.

I don’t think it is pointless, especially for ppl. who care about security :slight_smile:, and thank you for your time and effort fighting with me.

Yes, if you expose something it will be seen by Shodan and other services like this. I’ve checked Shodan trying to find any HA site using reverse tunneling (cloudflared, Nabu Casa), but I can’t.

For the sake of curiosity I’ve filtered out everything using a Let’s Encrypt certificate, and it seems the majority is not even on this level and is exposing HA directly…

I’m really curious how to find, for example, my HA instance when nothing is exposed and the only way to connect is by knowing the hostname, because there is no dedicated certificate issued and it is not reflected in any DNS.

Obviously it can be sniffed from my traffic by specialised agencies, but I think in general the security level is similar to a VPN. Anyway, VPN is dead, long live Zero Trust :blush:
