Securing Your Home Assistant Instance

Securing Your Home Assistant Instance (Basics)

Passwords

Home Assistant requires that a password be set up upon installation. Practice good password hygiene.

Using strong and unique passwords applies to each user that has access to your HA instance. You are only as secure as your weakest password.

Multi-Factor Authentication (MFA)

Should your password, or that of another user on your HA instance, be weak or compromised, MFA provides another layer of security to stop a bad actor from accessing your HA instance. See the link to the HA docs below on setting up MFA.

The same controls should be employed for MFA as for passwords. You and every user on your instance should have MFA set up. Again, your security is only as strong as your weakest link.
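As an added example (not from the original post), this is the configuration.yaml entry that enables the built-in TOTP (authenticator app) MFA module; each user then enrolls from their own profile page. Module names are the ones documented by Home Assistant.

```yaml
# Added example, not from the original post: enable the TOTP MFA module.
# Once this is in place, every user should enroll a device under their profile page.
homeassistant:
  auth_mfa_modules:
    - type: totp
```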

Visibility / User Access

As of writing this, restricting views and changing admin rights doesn’t provide much added security. Limiting views is more security through obscurity, but it can’t hurt.

User Levels

HA currently offers three user account levels: Owner, Admin and general user. As noted above and in the docs, this currently doesn’t provide any real added security, but it is a good thing to have set up. For any user that isn’t required to be an admin, remove that privilege by visiting their user account page and switching the admin toggle off.

View Access

Anyone who knows what they are doing with HA can bypass this easily; however, changing the visibility will stop a layman. It just limits what a specific user can see, allowing you to restrict certain views on your HA instance to only those who need them.

Limit Access Attempts

Home Assistant, by default, will let someone pound on the proverbial front door until they give up or gain access. Failed login attempts are reported on the HA frontend via a persistent notification; however, unless you are looking at your instance regularly, someone could be making attempts for a long time before it gets noticed.

IP filtering and banning

Set up the IP filtering and banning tool in HA; this will block someone from making further attempts after a set number of failed logins.

Note1: Make sure you have another way in should you accidentally ban yourself through this method. Speaking as someone who may have done this before: ensure you have another way in. You will need to access HA from another IP address, or modify the ip_bans.yaml file and restart to remove the restriction.

Note2: The Nabu Casa Remote UI and possibly other configurations (reverse proxies) may not pass the unique IP of the computer trying to gain access through to your HA instance. This means that if you are away and get banned, you will be banned from using that connection regardless of the IP you are accessing from, as the same IP address is always presented to HA.
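The following is an added example (not from the original post) showing the http: settings that turn on IP banning, together with a constructed ip_bans.yaml entry of the kind HA writes when it bans an address, which is the block you delete to lift a ban on yourself. The trusted_proxies part addresses Note2 for a reverse proxy you control: it tells HA to trust that proxy’s X-Forwarded-For header so the real client address, not the proxy’s, is what gets counted and banned. The proxy address and the banned address are placeholders.

```yaml
# --- configuration.yaml (added example, not from the original post) ---
http:
  ip_ban_enabled: true
  # Ban the source IP after this many consecutive failed logins
  login_attempts_threshold: 5
  # Only needed behind a reverse proxy (see Note2): trust the proxy's
  # X-Forwarded-For header so the real client IP is banned, not the proxy's.
  # 192.168.1.10 is a placeholder for your proxy's address.
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.10

# --- ip_bans.yaml (constructed sample; HA writes this file itself when it bans an IP) ---
# If this is your own address, remove the entry and restart HA to lift the ban.
203.0.113.7:
  banned_at: "2021-03-04T19:20:03"
```

Only list proxies you control under trusted_proxies; once use_x_forwarded_for is on, HA treats forwarded headers from those addresses as authoritative, so a misconfigured entry would let the wrong address be credited for a login attempt. This does not help with the Nabu Casa Remote UI case described in Note2, which is outside your control.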

Get Notified of Failed Login Attempts

As noted above, by default HA presents failed login attempts as a persistent notification on the frontend. My preference is to have these sent to me automatically so I am aware immediately that they are happening. Adding the following automation to your instance will notify you of any failed attempts and remove the persistent notification.

- alias: "Send notification upon failed login attempt"
  id: 04e7a1c2-5c61-47d7-9731-afa883742c09
  # Fires whenever the built-in http_login persistent notification changes state
  trigger:
    - platform: state
      entity_id: persistent_notification.http_login
  # Skip the run caused by the notification being dismissed (state becomes None)
  condition:
    - condition: template
      value_template: "{{ trigger.to_state.state != 'None' }}"
  action:
    # notify.home_assistant is the notify service configured on this instance; change to match yours
    - service: notify.home_assistant
      data_template:
        title: "{{ states.persistent_notification.http_login.attributes.message }}"
        # The notification message contains "from <ip address>"; split the address out to build a lookup link
        message: 'url: https://whatismyipaddress.com/ip/{{ states.persistent_notification.http_login.attributes.message.split("from ")[1] }}'
    # Clear the persistent notification from the frontend now that it has been forwarded
    - service: persistent_notification.dismiss
      data:
        notification_id: "http_login"

Hosting Files

This is covered in the Home Assistant HTTP docs but is often overlooked and I have seen a number of people post about it on the forum as a concern when they discover it.

Files included in the www folder in your main configuration directory are available for anyone to view. Anyone with a web connection can view these files, even without being logged in or otherwise authenticated. Don’t put anything in this folder that you don’t want anyone in the world to see.

Keep Everything Up To Date

Keep your operating system, Home Assistant, add-ons and anything else associated with your instance or network up to date. Security vulnerabilities are discovered in all kinds of devices every day, and just as many fixes are rolled out on a frequent basis.

To my knowledge, there have only been two direct security vulnerabilities in Home Assistant (these were patched a long time ago). However, Home Assistant uses a lot of other code/packages/etc., which are also updated and may be patching a security hole. Keep it all up to date and you will have the latest fixes for any security issues.

Check your router/firewall/modem (the box which connects you to the internet) for updates also.

Avoid Exposing Personal Information

Don’t set the name/location of your Home Assistant instance to include any personally identifiable information. See this thread for more information.

Additionally, don’t use any personally identifiable information for your domain name.
