Why is secrets.yaml in plain txt? and not hidden/encrypted

There are a few threads here, but I’d summarise it as:

  • Run it on a dedicated system if possible
  • Keep your system up to date
  • Ensure that the home directory for the Home Assistant user (usually homeassistant), and everything under it don’t have world write, ideally no world access at all (sudo chmod -R o-wrx ~homeassistant)
  • Don’t set a password, or add a shell, for the Home Assistant user
  • Ensure your password is randomly generated, and long (12+ characters), and you don’t use it anywhere else (use a password manager)
  • Enable the IP ban option, and set the failed logins to something that works for you. I’d whitelist your LAN IP range, and set the failed logins to something low if you’re using a password manager (one if you’re paranoid, 2 or 3 otherwise)
  • Consider running a VPN for remote access, so that the only thing accessing your system remotely is for OwnTracks HTTP, Google Assistant, etc.

Now, I don’t set a password for the front end, or use an SSL certificate inside Home Assistant. I hand those over to an NGINX proxy, so that my “internal” access is open, and my remote access requires a username and a password. That’s a trade-off: I’ve added some complexity, but made it harder to brute-force/guess the authentication details.

2 Likes
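The first few items in that checklist (no world access under the Home Assistant user’s home, no shell, no password) can be checked with a small script. The one below is an added example, not code from the post or from the Home Assistant project; it assumes the user is called `homeassistant` with a home of `/home/homeassistant` (both overridable), a Linux-style `/etc/passwd` and `/etc/shadow`, and GNU or BusyBox `find` for the `-perm /mode` test.

```shell
#!/bin/sh
# Added example (not from the original post): audit the account-hygiene items
# from the checklist. User name and home directory are assumed defaults and
# can be passed as arguments: sh audit.sh [user] [home]

# Count entries under $1 that grant any world permission (r, w or x).
# -perm /007 matches when ANY of the "other" bits is set.
world_accessible_count() {
    find "$1" -perm /007 2>/dev/null | wc -l | tr -d ' '
}

# Apply the fix from the post: strip all world permissions, recursively.
harden_home() {
    chmod -R o-rwx "$1"
}

# $1 is a passwd(5) line; returns 0 if the login shell is non-interactive.
shell_is_disabled() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 is a shadow(5) line; returns 0 if the password field is locked
# ('!' or '*' prefix), i.e. no usable password hash is set.
password_is_locked() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$hash" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks, print findings, return 0 only if everything passes.
audit_ha_user() {
    user=${1:-homeassistant}
    home=${2:-/home/$user}
    status=0

    n=$(world_accessible_count "$home")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n entries under $home are world-accessible (fix: chmod -R o-rwx $home)"
        status=1
    else
        echo "OK: nothing under $home is world-accessible"
    fi

    pw=$(grep "^$user:" /etc/passwd 2>/dev/null)
    if [ -z "$pw" ]; then
        echo "WARN: $user not found in /etc/passwd"
        status=1
    elif shell_is_disabled "$pw"; then
        echo "OK: $user has no interactive shell"
    else
        echo "FAIL: $user has an interactive shell (fix: usermod -s /usr/sbin/nologin $user)"
        status=1
    fi

    # /etc/shadow is root-only; report rather than guess when unreadable.
    if [ -r /etc/shadow ]; then
        sh=$(grep "^$user:" /etc/shadow)
        if password_is_locked "$sh"; then
            echo "OK: $user password is locked"
        else
            echo "FAIL: $user has a usable password (fix: passwd -l $user)"
            status=1
        fi
    else
        echo "SKIP: /etc/shadow not readable, run as root to check the password"
    fi
    return $status
}

# Only run the audit when invoked with arguments, so the functions can also be
# sourced and reused without side effects.
if [ "$#" -gt 0 ]; then
    audit_ha_user "$@"
fi
```

Run it as root (`sudo sh audit.sh homeassistant /home/homeassistant`) to get all three checks; as an unprivileged user the password check is skipped rather than reported as a pass. The `find -perm /007` test flags anything with any world bit set, which is the stricter "ideally no world access at all" reading of the post rather than just world-write.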