Security Best Practices

Well, haha. Considering that in my environment HA has access to many, MANY devices, I think it's a larger risk if it were compromised. There are all kinds of credentials stored in HA as well.

That’s fair, I see your point.

Have you hardened your other servers?
Remember that once HA is compromised, all ports and protocols might be available on other machines for attacks.

Thank you for raising this, as I have the same question myself.

I have HA running on an RP4 using the standard build; it is behind a double NAT (Internet modem and my own router). How do I add a VPN? I am on a 30-day trial with HA Cloud; is that safe enough? What if I turn off external access altogether?

Adding a VPN is really out of the scope of this forum. It doesn't have anything to do with HA itself.

Do you mean nabucasa? If so, then that is a safe way of exposing it to the internet.

Did you open ports on your routers directly? If no, then it isn’t exposed.

What external access are you referring to?

HA Cloud (NabuCasa) is a VPN, but it is a purpose-specific VPN and they monitor HA's security state, so it is in fact probably the best-secured access you can get for HA.

Just saw that guide and the swiss cheese analogy.
I have to say it is quite a bit misleading.
All the things listed are on the HA installation, so they are in fact not layers but a single cheese. A single error in the code on the HA installation and the cheese crumbles.
It looks like you are trying to show security in depth, which is the best practice, but you are relying entirely on the HA team to ensure that inside HA, and the HA team is not really focused on that subject. Functionality is their main focus.

The problem with many of these guides is that they have an old view of today's world.
They focus on securing the traffic from point A to B, but not on who is actually sending the traffic.
That focus is put solely on the single layer of defense at HA's login screen, which is then given extra monitoring by software like fail2ban, notifications and other stuff, but the hacker world today is distributed hacking, and the machines that scan for security holes or brute force only do a few tests before the process is handed over to the next machine in the hacker's distributed botnet.


Right, exactly… sounding more and more like the VPN approach is the way to do it. Other servers are "hardened" but, as we all know, it only takes one vuln. It's a cat-and-mouse game regardless. Seems like the effort is just not worth it, and Nabu Casa or a VPN would offer the peace of mind.

Thanks!

Just saw that guide and the swiss cheese analogy.
I have to say it is quite a bit misleading.
All the things listed are on the HA installation, so they are in fact not layers but a single cheese. A single error in the code on the HA installation and the cheese crumbles.

Notice how HA is represented after all the cheese.

Why do those tools have to be a single-point item in the connection? A lot of the items in that pic aren't even on my HA instance and reside somewhere else in my network, or in every piece in the chain.

The problem with many of these guides is that they have an old view of today's world.

Please feel free to contribute with a modern view of security and I will link it.

Keep in mind with Nabu Casa that all the URLs to access every instance are published and anyone in the world can roll through that list and access any instance.

Nabu Casa is not like a VPN where the connection itself is secured. Nabu Casa only provides a means to connect remotely without opening ports.

I don't think that is correct.

I’m pretty sure it provides an encrypted connection to your HA instance just like a VPN.

From the front page of the Nabu Casa website:

HOME ASSISTANT CLOUD

The missing cloud piece for Home Assistant, by the founder of Home Assistant. Control your Home Assistant from anywhere. Fully encrypted.

It is encrypted, but that doesn't mean that if I have your URL I cannot access your instance.


Oh, I understand what you are saying…

So yes, I agree with that…

Yeah, and that is what is wrong with the picture.
All the things listed on the cheese slices are your HA installation.
You only have one layer, and you might have a lot of features built into that layer, but you also have some really deep holes that make the cheese paper-thin in those places, like only relying on HA to do the authentication and also opening the HA installation to the internet.

I am not good at making such guides, because I always end up writing too much in an attempt to cover all aspects and explain everything.
A modern approach is defense in depth with a VPN, a reverse proxy, SSL everywhere (also on the local network), 2FA/MFA, non-standard usernames (no root, administrator, admin and the like) and good, non-reused passwords.
And not to forget offline backups or offsite encrypted backups, combined with logging and monitoring that are actually checked regularly, so you can discover, stop and recover fast from an incident.


Maybe in your network or in how you interpret the diagram, but HA is the last item in the chain. There are lots of tools that can do each slice of cheese.

Yes.

Not that I am aware of; I do not even have port forwarding.

I mean access from the Internet, for which I am using HA Cloud, or Nabu Casa. I'll see whether it is worthwhile to keep my monthly subscription; if not, then I'll just cut off remote access from the Internet altogether.

Spent some time exploring yesterday. What VPN do you use? I tried Tailscale and WireGuard; both just open a different port in the router. Tailscale seems to do this automatically, but it's still opening something. When you use a VPN, are you just using HTTP for all URLs, or are you somehow issuing a cert on the LAN?

When using a VPN, I think I would also lose Google Home capabilities. Pretty sure this needed Internet-facing access. I have since put Nginx Proxy Manager in front of HA, which is giving me a bit more visibility into access logs. My thought process was to keep an eye out here for suspicious IPs that get successful web page loads past logins. I'm in search of a tool that may do this for me. It would seem any attack would need to originate here; am I misunderstanding? There would have to be some vulnerability on 443 that would allow an attacker the initial compromise: cross-site scripting, SQL injection, non-web-based exposure, etc.
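The post above asks for a tool that picks "successful web page loads past logins" out of the proxy's access log, and a later reply notes that exploits which bypass the login flow leave no failed-login trace. The script below is an added example (it is not from the thread, from Nginx Proxy Manager or from Home Assistant) that combines both ideas: instead of counting failed logins, it flags every source IP that received a 200 from an endpoint under /api/ without first receiving a 200 from /auth/token through the same proxy. Such a source is either an automation client with a long-lived token (add it to the allowlist), a leaked token being replayed, or something that got past authentication by another route. The log lines are constructed, in nginx "combined" format. Two assumptions to verify against your own logs before trusting the output: that /auth/token answers 200 only when a token is issued, and that everything under /api/ (except the websocket, which authenticates inside the socket) answers 401 without a valid token.

```python
"""Flag sources that reached the authenticated HA API through the reverse proxy
without obtaining a token through that proxy (added example, not project code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, FrozenSet, Optional, Set, Tuple

# nginx "combined" log format: ip - user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
TOKEN_PATH = "/auth/token"      # assumption: 200 here means a token was issued
API_PREFIX = "/api/"            # assumption: 401 here without a valid token
WEBSOCKET_PREFIX = "/api/websocket"  # auth happens inside the socket, so not judged by HTTP status

# Constructed sample log: one normal browser login, one client that never logged
# in through the proxy but reads the API anyway, and one curl probe that fails.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:08:01:02 +0000] "GET / HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:08:01:05 +0000] "POST /auth/login_flow HTTP/1.1" 200 210 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:08:01:09 +0000] "POST /auth/token HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:08:01:10 +0000] "GET /api/config HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:08:03:40 +0000] "GET /api/states HTTP/1.1" 200 51200 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:08:03:41 +0000] "GET /api/config?x=1 HTTP/1.1" 200 2200 "-" "python-requests/2.31"
192.0.2.55 - - [10/May/2024:08:05:00 +0000] "GET /api/states HTTP/1.1" 401 41 "-" "curl/8.0"
192.0.2.55 - - [10/May/2024:08:05:01 +0000] "POST /auth/token HTTP/1.1" 400 60 "-" "curl/8.0"
"""


@dataclass
class Finding:
    ip: str
    first_seen: Optional[datetime] = None
    hits: int = 0
    paths: Set[str] = field(default_factory=set)
    agents: Set[str] = field(default_factory=set)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(log_text: str, allowlist: FrozenSet[str] = frozenset()) -> Tuple[Dict[str, Finding], Dict[str, int]]:
    """Return (suspicious, token_failures).

    suspicious: IPs that got a 200 from /api/* before any 200 from /auth/token in
    this log. token_failures: per-IP count of non-200 answers from /auth/token,
    kept only as a secondary signal; the main detection does not depend on it.
    """
    granted: Set[str] = set()
    suspicious: Dict[str, Finding] = {}
    token_failures: Dict[str, int] = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["ip"] in allowlist:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if path == TOKEN_PATH:
            if status == 200:
                granted.add(ip)
            else:
                token_failures[ip] += 1
            continue
        if (path.startswith(API_PREFIX) and not path.startswith(WEBSOCKET_PREFIX)
                and status == 200 and ip not in granted):
            f = suspicious.setdefault(ip, Finding(ip=ip, first_seen=rec["ts"]))
            f.hits += 1
            f.paths.add(path.split("?", 1)[0])
            f.agents.add(rec["ua"])
    return suspicious, dict(token_failures)


if __name__ == "__main__":
    sus, fails = analyze(SAMPLE_LOG)
    for f in sus.values():
        print(f"{f.ip}: {f.hits} API hits without a token grant via this proxy, "
              f"first {f.first_seen.isoformat()}, paths={sorted(f.paths)}, agents={sorted(f.agents)}")
    for ip, n in fails.items():
        print(f"{ip}: {n} failed token requests")
```

Run it against a real file with `analyze(open("/path/to/proxy-host-1_access.log").read(), allowlist=frozenset({...}))`, seeding the allowlist with the addresses of your own scripts and companion-app clients after the first run. Because the check keys on successful API responses rather than on login failures, a single successful request from an unknown source surfaces even when the attacker never touched the login form, which is exactly the case fail2ban-style counting misses.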

I use the StrongSwan VPN.
It is a commercial VPN, but it is included in my router firmware and it is handled at the router.
I do not know about Google, since I avoid using cloud-based services, so it is Rhasspy for me as a voice assistant.

The advantage of a VPN is that it is a separate piece of code from HA which only does encryption and authentication, so it is so much easier to harden, both for the developers and for you as a user.
And if the VPN is penetrated, then you still have HA's authentication as a layer, provided you did not use the same credentials. :)

It is likely that what you will experience is a standard attack, probably also automated by one of the many penetration kits available.
The problem is that many of the security holes, like lacking input validation/buffer overflows, SQL injection and so on, circumvent the normal login process, so you might not get any warnings in logs.