But I can also think of other examples, like opening up web ports for letsencrypt validation or other services that require a port open (such as VPN).
Having a port always open for some services is convenient; however, it does pose a security risk of some vulnerability being exploited to gain access to my home server. Reducing the time ports are open reduces that risk.
To use that same logic, if somebody “gets access to your HA instance” they’ll have control over a whole lot more than port forwarding (secrets.yaml contains tokens/keys to a lot of things). If anybody is upvoting this, and wants an immediate workaround, drop on by this thread and you’ll see what I’m doing for this.
Not in my case. I don’t run a Supervised version, so no file editor in my HA instance, so no access to my secrets.yaml. The only thing an attacker could do in my case would be turning on some lights or playing music or whatever other nonsense, which would certainly be annoying, but not harm me in any way and also not be useful for the attacker.
Interesting. So in your scenario, if somebody were to have gotten access to your HA instance, were you assuming it was web UI access, or access to the machine that’s running HA?
Purely out of curiosity, when you’re modifying your HA config, what’s your workflow? I assume you’re using something like the remote-ssh vscode plugin? Are you saying that your host OS doesn’t have VIM/less/cat/etc?
Web UI access, only this is exposed remotely and goes through a reverse proxy first.
I set up a samba share on the host OS and edit my files from a desktop in Visual Studio Code. I don’t edit files remotely, because the missus wouldn’t be happy when I mess something up that can only be fixed locally xD
It does, it’s a normal Ubuntu Server install.
Totally agree with you, if someone gets access to the host running HA, I’m f***
Right on, makes sense. This is exactly what I do as well. With the recent security incidents of HA, one of the issues (iirc) was directory traversal and exposing secrets.yaml (for example, if you were using Dwains Dashboard). This scared me enough to basically just dump all custom stuff (unless I relied heavily on it), but I also assume now (get ready, put on your tinfoil hat, lol) that if somebody could get access to my web UI, they probably can get access to my HA instance itself.
It’s fair to make that assumption in my opinion in regards to the latest security issues.
I also have some other measures for protection.
I use GeoIP filtering (Unifi has had this built in as a beta for quite some time), so the attacker also needs to be able to use an IP of my country. Firewall rules to block Shodan scanners and the like, fail2ban, ban on too many failed logins. Hardened my reverse proxy (if you are using NGINX as I do, this is a good starting point → Nginx server security - hardening Nginx configuration).
I don’t think an attacker would invest such a high amount of time and effort to get access to my machine, just to find some photos, movies and my tax papers, which are anyway backed with a good backup strategy.