Securing HA

Hi all,
The main question is: what steps do you have to take or set to secure remote connections? I want my app on my phone to be able to contact HA, but no one else.

I want my new installation to be secure. So I have installed Duck DNS (with Let’s Encrypt) to create an SSL (HTTPS) connection. But still a password to log in. I have a port forwarding rule in my router. It works #happy.

Now I installed the Terminal & SSH add-on to have a terminal within the browser. But I can’t figure out if this is secure. I want to disable remote SSH, only a local terminal from within the browser. That works. But no password is needed and I am “root”. That doesn’t sound secure.
PuTTY from a local device is not necessary. My phone can also browse from the app to a terminal, and that works. That is not necessary and not desirable.
All different advice. Some say I have to generate a key pair from a local device and put the private key in the configuration setting. Others say to leave it empty to disable the feature.
Any advice for a newbie?

  1. Enable multi factor for your account
  2. That add-on uses the fact that you’ve authenticated to the UI to log you in via the browser. Of course, if you break your install so the UI can’t start, you’ve now got no way of fixing it. Better to leave local SSH connections (with a key and passphrase) enabled. The public key goes to HA, you keep the private key :wink:
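To show the difference between the two setups discussed in this thread, here is an added illustration (not posted by anyone in the thread) of the Terminal & SSH add-on configuration with a password-only setup next to the key-only setup suggested above; it assumes the add-on's `authorized_keys` and `password` options, and the public key value is a placeholder.

```yaml
# Weaker variant: login with a password only. If the SSH port is also forwarded
# in the router, anyone on the internet can try to guess this password.
authorized_keys: []
password: "hunter2"           # constructed example of a guessable password
apks: []
server:
  tcp_forwarding: false
---
# Key-only variant (what the reply above recommends):
#   1. on your laptop run:  ssh-keygen -t ed25519 -C "laptop"
#      and choose a passphrase when asked; the private key stays on the laptop
#   2. paste the contents of the resulting .pub file into authorized_keys below
#   3. leave password empty so password login is not possible
authorized_keys:
  - "ssh-ed25519 AAAA...PLACEHOLDER... laptop"   # placeholder, replace with your real .pub line
password: ""
apks: []
server:
  tcp_forwarding: false
```

With both `authorized_keys` and `password` left empty the add-on has nothing to authenticate against, which is the "leave it empty to disable" option the original post mentions; the web terminal in the browser keeps working either way because it reuses your HA login (plus MFA).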

Thank you. I’ve enabled MFA. But my fear is that a hacker is able to use root access via the opened port via shell. Not via the browser. Or other paths I don’t know of. It looks like root has no password and that is not strong. However, if I set a password, I don’t know what other processes will not work anymore.
So a guide or help on how to secure an image is appreciated.

Only if you forwarded the SSH port and somehow managed to configure the add-on to accept no password for root (which is likely impossible).
