Securing access to Zigbee2MQTT, ESPhome and SQlite web

Hi,

This is a general question about securing our IoT environment.

I am using Home Assistant in a docker container, consequently Zigbee2MQTT, ESPhome and SQlite web are also running in a container.

My question: if you know the port of Zigbee2MQTT, ESPhome or SQlite web you have instant access, because there seems to be no access control like in other applications (Influxdb and Home Assistant itself).

What kind of options do I have to do this?
Or are firewall rules in my router the only solution?
Appreciate your feedback on this completely side question of HA.

Are you interested in securing the frontend of zigbee2mqtt or backend?

You can anytime disable the frontend and fully rely on mqtt commands for all functionality.

For device updates, Zigbee2mqtt is responsible for sending messages to the mqtt server and it is also listening for commands from the mqtt server, right?

The question is, can you send any mqtt commands to zigbee2mqtt from any mqtt server, or can only an allow-listed mqtt server do it? If the second is valid, it should be ok to some extent.

Zigbee2mqtt can be secured. As usual, read tfm Frontend | Zigbee2MQTT

2 Likes
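A concrete form of what the Frontend page of the Zigbee2MQTT docs describes, added here as an example (it is not from the thread or from the Zigbee2MQTT project): the `frontend` and `mqtt` sections of Zigbee2MQTT's `configuration.yaml` with a token on the web UI and credentials on the broker connection. The hostnames, token and password are placeholders you replace with your own values.

```yaml
# Zigbee2MQTT data/configuration.yaml (added example; all values are placeholders)
mqtt:
  base_topic: zigbee2mqtt
  server: mqtt://mosquitto:1883
  # Zigbee2MQTT connects to exactly one broker, the one configured here.
  # Who may publish commands to it is decided by that broker's own
  # authentication, so give Zigbee2MQTT its own broker account and turn off
  # anonymous access on the broker.
  user: zigbee2mqtt
  password: CHANGE-ME-broker-password
frontend:
  port: 8080
  # Bind to one address instead of 0.0.0.0 if the UI only needs to be
  # reachable from the Home Assistant host.
  host: 0.0.0.0
  # A browser session must present this token before the UI is served;
  # without it, anyone who can reach the port can pair, remove and control
  # every Zigbee device.
  auth_token: CHANGE-ME-long-random-token
```

On the broker side this corresponds to `allow_anonymous false` and a `password_file` in `mosquitto.conf`, with the file created by `mosquitto_passwd`; the token in the UI does nothing against a client that talks to the broker directly, so both halves are needed.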

Thanks, missed that part in the RTFM, glad you pointed me in the right direction. Would like to remark that it works better when you delete your cookies on browser exit (I do this already but excluded HA, which has the same IP address). Inside HA I already found “require_admin: true” when included in the panels.

1 Like

Frontend, which I use for initial setup of devices and fallback.
@nickrout already provided me with the desired solution for Zigbee2MQTT; perhaps I missed similar solutions for ESPhome or SQlite web. Proper reading is an art on its own :smiley:

1 Like

When you start the esphome dashboard you can set a username & password.

However how you fit that into docker, I dunno.

What are you protecting against? Don’t trust the family?

1 Like

Thanks (again) for the answer that it could be possible.

To answer your question: Don’t trust the family? I do, but the situation where a family guest turns out to be a whizz kid and it was easier for someone to give him/her the QR code of the main WiFi instead of the guest WiFi is a rather likely scenario. In other words, “extra layers of security” is always good.

What is the best layer in this case? Likely activate ESPhome dashboard ONLY when you need it.

Is there a Docker username/password solution? I could not find a copy-and-paste solution on the internet (no doubt one is out there), but there was enough inspiration and some trial and error to find it, so here is my fresh “docker compose -d” example for ESPhome:

# https://peyanski.com/complete-esphome-installation-guide/
# https://albert.nz/esphome-arm
# https://esphome.io/guides/cli

version: '3'
services:
  esphome:
    container_name: esphome
    image: esphome/esphome
    volumes:
      - /opt/esphome/config:/config
      - /etc/localtime:/etc/localtime:ro
    restart: always
    # Needed for USB/serial flashing; it does not change what the dashboard
    # login protects, it only widens what the container itself may touch.
    privileged: true
    network_mode: host
    # The image's entrypoint is the esphome CLI, so this is the argument list of
    # "esphome". Current CLI order is "dashboard <config dir> [options]"; the
    # older "<config dir> dashboard" order still runs through the CLI's
    # compatibility handling. Replace userid/usersecret with your own values.
    command: dashboard /config --username userid --password usersecret

The last line does the desired trick! Hope it will also be of use for someone else (please like if you do/use it).

2 Likes