Security tips for improving HA access from outside

Hi,

I would like to collect security tips for improving an HA configuration that is opened for outside access. In my case, I used to access HA through a VPN in the past, but now I’m using:

  • set a complex api_password
  • SSL (for https)
  • an automation to notify on failed access (persistent_notification event).
  • a non-default port instead of 8123

I would like to explore other configurations like:

  • authenticate using client certificates (from iOS devices).

What are your HA security setups? Thanks!

Thanks, regards

I didn’t expose HA to the web for a while too. But to make use of the Google Assistant integration I had to. The way I’m doing it:

  • Bought a domain, but only use subdomains, so nslookup mydomain.com returns no results (in the hope that nobody tries to brute-force subdomains because the base already shows no result; security by obscurity, sort of)
  • Put HA behind a Reverse Proxy where the correct subdomain (something really cryptic) is required to reach the proper destination (so my HA won’t appear in bulk scans of random IPs)
  • Bought a wildcard certificate so my cryptic subdomain won’t be listed on crt.sh (without this the cryptic subdomain would be worthless)
  • Have some other non-critical destination behind the Reverse Proxy as a fallback honeypot (when not using the correct subdomain), so attackers try cracking that instead of trying other subdomains
  • Added ModSecurity
  • Fail2ban to identify attacks and block access
  • And of course a complex API password

All that combined lets me sleep quite well. 🙂

2 Likes
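Both posts above depend on noticing repeated failed logins: the OP's notification automation and the reply's Fail2ban step. As an added example (not code from this thread or from the Home Assistant project), the script below applies the same "N failures within a time window" rule that Fail2ban uses, over constructed Home Assistant log lines. The log wording and the regex are assumptions; the "Login attempt or request with invalid authentication from" message is what the http integration has logged in the versions I have seen, but check it against your own home-assistant.log before relying on it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the invalid-authentication warning written by Home Assistant's
# http integration. ASSUMPTION: the exact wording varies between releases,
# so verify it against your own home-assistant.log.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARNING .*"
    r"Login attempt or request with invalid authentication from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log (not a real capture). Addresses are documentation
# ranges (RFC 5737). 203.0.113.5 fails 5 times in 3 minutes, 198.51.100.7
# fails twice, 203.0.113.9 fails 5 times but 15 minutes apart.
_WARN = ("{ts} WARNING (MainThread) [homeassistant.components.http.ban] "
         "Login attempt or request with invalid authentication from {ip}")
SAMPLE_LOG = [_WARN.format(ts=ts, ip=ip) for ts, ip in [
    ("2019-03-01 12:00:00", "203.0.113.5"),
    ("2019-03-01 12:00:30", "203.0.113.5"),
    ("2019-03-01 12:01:00", "203.0.113.5"),
    ("2019-03-01 12:02:00", "203.0.113.5"),
    ("2019-03-01 12:03:00", "203.0.113.5"),
    ("2019-03-01 12:05:00", "198.51.100.7"),
    ("2019-03-01 12:06:00", "198.51.100.7"),
    ("2019-03-01 12:00:00", "203.0.113.9"),
    ("2019-03-01 12:15:00", "203.0.113.9"),
    ("2019-03-01 12:30:00", "203.0.113.9"),
    ("2019-03-01 12:45:00", "203.0.113.9"),
    ("2019-03-01 13:00:00", "203.0.113.9"),
]] + [
    # An unrelated line, to show that non-matching entries are ignored.
    "2019-03-01 12:07:00 INFO (MainThread) [homeassistant.core] "
    "Bus:Handling <Event state_changed[L]>",
]


def parse_failures(lines):
    """Yield (timestamp, ip) for every failed-login line, skipping the rest."""
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("ip")


def ips_to_ban(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Fail2ban-style rule: an IP is banned once it has `maxretry`
    failures inside a sliding window of length `findtime`.
    Returns the set of IPs that crossed the threshold."""
    window = defaultdict(list)  # ip -> timestamps still inside the window
    banned = set()
    for ts, ip in parse_failures(lines):
        # Keep only failures that are within `findtime` of the current one.
        window[ip] = [t for t in window[ip] if ts - t <= findtime] + [ts]
        if len(window[ip]) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    for ip in sorted(ips_to_ban(SAMPLE_LOG)):
        print("ban", ip)
```

With the defaults (5 failures in 10 minutes) only 203.0.113.5 is flagged; the slow attempts from 203.0.113.9 never have more than one failure inside the window, which is exactly the blind spot of a short findtime. Home Assistant's http integration can apply the same rule itself with `ip_ban_enabled: true` and `login_attempts_threshold:` in configuration.yaml, and a Fail2ban filter for the same log message gives you the firewall-level block the reply describes.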