Securing the SSH & Terminal Add-on from remote access

Hi folks!

Wondering if anyone has come across this. I use HA on a Pi using the homeassistant O/S. The HA instance is not directly SSH’able from my local network, but I can use the Add-On called SSH & Terminal to access the console.

My question is whether there is a configuration option or something else that can restrict access to this add-on to the local network only (i.e. the same subnet as HA) rather than allowing external access?

I use Nabu Casa to access my HA instance from my phone when I’m out, and that works great, but I’d prefer the SSH add-on not be available from outside my home, for security reasons.

Yes I know there’s a username/password, and the traffic is probably encrypted, etc., but I’d rather not have a portal into my local network from this add-on.

I am hoping there’s something I can do to limit access to it, or figure out how I can just putty/ssh directly to the HA setup from my laptop instead. Then I’ll just remove the add-on.

Thanks!

I do not know how Nabu Casa works, e.g. whether Nabu Casa also forwards the SSH port. I do not think so, but you can research it.

Depending on your setup of course… But normally SSH is not exposed to the outside world. Either way, whether via LAN or WLAN, the router "usually" would not expose the host on port 22 to the internet. To expose this host on port 22, you have to set up NAT (or, to be precise, PAT, Port Address Translation).
Given this information, if you did not change it and you have a typical router, it should not be reachable.

You could easily test this from an external server using nmap to check whether the port is open, or scan more widely to check what you expose to the public.

example: nmap -sSV -p 22 "your external IP without quotes"

EDIT: There are several ways to secure SSH itself: port-knocking, iptables/nftables, public-key authentication with password login disabled, etc…
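As an added illustration of the iptables/nftables option mentioned above (not part of the original reply), this nftables ruleset only accepts new SSH sessions from the local subnet, which is the "same subnet as HA" restriction the question asks for. It assumes a host where you control the firewall, a LAN of 192.168.1.0/24 and SSH on port 22; adjust those values to your network.

```nftables
# Added example (not from the thread): host firewall that limits SSH to the LAN.
# Assumed values: LAN subnet 192.168.1.0/24, SSH listening on TCP port 22.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # keep loopback and already established sessions working
        iif "lo" accept
        ct state established,related accept

        # weak setting, kept only for comparison (accepts SSH from any source):
        # tcp dport 22 accept

        # restricted setting: only LAN hosts may open a new SSH session
        ip saddr 192.168.1.0/24 tcp dport 22 ct state new accept

        # add the ports your other services need here, e.g. 8123 for the HA UI
        tcp dport 8123 accept

        # log SSH attempts from anywhere else so you can see who is knocking;
        # the chain policy drops them (and everything else not accepted above)
        tcp dport 22 ct state new log prefix "ssh-blocked: " drop
    }
}
```

Load it with `nft -f <file>` and check with `nft list ruleset`; a new SSH connection from outside the subnet should then show up only in the kernel log with the "ssh-blocked:" prefix.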

Thanks for the info. I do understand that the system's SSH is not open to any host, either external or internal; this I've confirmed. And I don't have any NAT/PAT set up to do that from the internet either, so I'm not concerned about that.

My main concern is that the app running on my smartphone has access to all the HA features and such, including add-ons like SSH & Terminal. This in turn has access to my local network, so I consider it a bit of a security risk.

Now I also understand that there are credentials in use, encryption over HTTPS, etc., I’m just wondering if there’s a way to lock it down a bit (i.e. some setting in the add-on or in HA itself) to prevent access to this add-on from anything outside my local network (i.e. a public IP from my phone).

FIXED! I was doing something unrelated and discovered the solution.

I was working on users for the system and noticed that on my phone I had been logged in as the owner account. I created a regular user account for my phone and re-logged in as that user, and now these features are hidden:

  • Terminal & SSH
  • Settings section

So it's now secure because the Terminal add-on and the ability to turn that on via Settings are both hidden, so problem solved!