I always suggest to use a VPN connection in front of HA instead.
HA is built with functionality as a goal and not internet security, where as a VPN only have security as a goal.
Remember that HA is not the only thing running on that port 8123.
Node-Red, Studio Code Server, HACS, Glances, Grafana and many other addons use it too and they can also make errors and allow an intruder in by accident.
And your server are probably hit with several hundred, if not thousands, failed logins everyday from scripts that check your site, both friendly statistic sites and the like and evil hacker servers.
VPN is the best way. Nabucasa provides remote access without opening ports directly. You can also look at using cloudflare as a proxy. That will thwart bot attacks and direct attacks against your public IP if you set it up properly.
If you notice, all the ways above try to not have HA directly facing the internet without layers…
Personally, I use cloudflare (not the cloudflared addon but that may be an option. I preferred setting it up myself)
@WallyR and @calisro - Thank you, these are really valid points. I will explore the VPN route.
I have had HA exposed for some time now…I’m sure I’m being constantly scanned but have never seen any instances of actual intrusion/compromise. I’m trying to understand the attack vector…if someone gets in via the HA port…and the HA box becomes compromised, I’m not sure the data on it is that personal to me that I’d care. I’m more so concerned with lateral movement off of the HA box to another server in my network…it feels like this would be difficult and low risk - am I underestimating this?
Well haha. Considering in my environment, HA has access to many MANY devices I think it’s a larger risk if it were compromised. There’s all kinds of credentials stored in HA as well.
Have you hardened your other servers?
Remember that once HA is compromised, then all ports and protocols might be available on other machines for attacks.
thank you for raising this , as I have the same question myself.
I have HA running on a RP4 using the standard build, it is behind a double NAT (Internet modem and my own router). How do I add VPN? I am on a 30-day trial with HA Cloud, is that safe enough, What if I turn off external access all together?
HA Cloud (NabuCasa) is a VPN, but it is a purpose-specific VPN and they monitor HA’s security state, so in fact is probably the best secured access you can get for HA.
Just saw that guide and the swiss cheese analogy.
I have to say it is quite a bit misleading.
All the things listed is on the HA installation, so it is in fact not layers, but a single cheese. A single error in the code on the HA installation and the cheese crumbles.
It looks like you are trying to show security in depth, which is the best practice, but you are relying entirely on the HA team to ensure that inside HA and the HA team is not really focused on that subject. Functionality is their main focus.
The problem with many of these guides is that they are having an old view on today’s world.
They focus on securing the traffic from point A to B, but not on who is actually sending the traffic.
That focus is put solely on the single layer of defense at HA’s login screen, which is then tried to be extra monitored by software like fail2ban and notifications and other stuff, but the hacker world today is distributed hacking and the machines that try to scan for security holes or brute force only do a few tests before the process is handed over to the next machine in the hacker’s distributed botnet.
Right exactly…sounding more and more like the VPN approach is the way to do it. Other servers are “hardened” but as we all know it only takes 1 vuln. It’s a cat and mouse game regardless. Seems like the effort is just not worth it and NabuCasa or VPN would offer the peace of mind.
Just saw that guide and the swiss cheese analogy. I have to say it is quite a bit misleading. All the things listed is on the HA installation, so it is in fact not layers, but a single cheese. A single error in the code on the HA installation and the cheese crumbles.
Notice how HA is represented after all the cheese
Why do those tools have to be in a single point item in the connection? A lot of the items in that pic aren’t even on my HA instance and reside somewhere else in my network or in every peice in the chain.
The problem with many of these guides is that they are having an old view on today’s world.
Please feel free to contribute with a modern view of security and I will link it.
Keep in mind with Nabu Casa that all the URLs to access every instance are published and anyone in the world can roll through that list and access any instance.
Nabu Casa is not like a VPN where the connection itself is secured. Nabu Casa only provides a means to connect remotely without opening ports.
Yeah and that is what is wrong with the picture.
All the things listed on the cheese slices is your HA installation.
You only got one layer and you might have a lot of features built into that layer, but you also have some really deep holes, that makes the cheese paper-thin in those places, like the only relying on HA to the the authentication and also opening the HA installation to the internet.
I am not good at making such guides, because I always end up writing too much in an attempt to cover all aspects and explain everything.
A modern approach is defense in depth with VPN, reverse proxy, SSL everywhere, also on the local network, 2MFA and non-standard usernames (no root, administrator, admin and the like) and good non-reused password.
And not to forget offline backup or offsite encrypted backup combined with logging and monitoring that are actually checked regularly, so you can discover, stop and recover fast from an incident.