SafeIP 2.0.0.422 Serial Keys

Abdul Soumphonphakdy
Jun 8, 2024, 7:36:30 AM6/8/24
to dalbilltala

I was reading a post about a security issue on another home automation platform and was going to provide a few links in the thread as people often read these threads and look for advice on how to ensure they are secure. I found my own past post on the issue lacking and the HA docs somewhat lacking or the information was really dispersed. This is my attempt to put a guide together and collect the information in one location.


Note: I am far from a security expert and I have no formal training in this area. The information in this guide is what I have gathered from my own use of Home Assistant and my research to secure it and other web services on my network. I am expecting the community to correct me where I am wrong or where the guide could be improved and will do my best to keep it up to date.

This guide will focus on securing a Home Assistant (HA) installation exposed to the greater internet. There are a number of ways to accomplish this but they all expose your HA front end/User Interface (UI) to anyone with an internet connection.

This guide will cover the core of HA and access to the HA Frontend/User Interface. There are other areas to be considered but I have a feeling this guide is going to be big enough as is without going into securing other services that can be exposed via HA.

This should be obvious, however, anyone with a connection to your instance can control your lights (low risk/annoyance) or change your Heating/Cooling settings (higher risk) or depending on your setup, unlock doors or open a garage door (high risk). Furthermore, with some of the addons and the option to use Ingress someone could have access to your HA configuration files or shell access and therefore access to your entire network. Given that HA requires storing of a number of passwords or other security keys to interface with other services, you could easily expose a number of your passwords very quickly.

Should you or another user on your HA instance have a weak or compromised password, MFA will provide another layer of security to stop a bad actor from accessing your HA instance. See the link to the HA docs below on setting up MFA.

Anyone who knows what they are doing with HA can bypass this easily, however changing the Visibility will stop a layman. This just limits what a specific user can see and can allow you to restrict visibility of certain views on your HA instance to only those who need them.

Home Assistant, by default, will let someone pound on the proverbial front door until they give up or gain access. Failed login attempts are documented on the HA frontend via persistent notification, however, unless you are looking at your instance regularly someone could be making attempts for a long time before it gets noticed.

Note 2: The Nabu Casa Remote UI and possibly other configurations (reverse proxies) may not pass the unique IP of the computer trying to gain access through to your HA instance. This means if you are away and get banned you will be banned from using that connection regardless of the IP you are accessing from, as the same IP address is always presented to HA.

As noted above, by default, HA presents failed login attempts as a persistent notification on the frontend. My preference is to have these automatically sent to me so I am aware immediately that they are happening. Adding the following automation to your instance will notify you of any failed attempts and remove the persistent notification.

Keep your Operating System, Home Assistant, Add-Ons and anything else associated with your instance or network up to date. A lot of security vulnerabilities are discovered on all kinds of devices every day, an equal amount of fixes are rolled out on a frequent basis.

To my knowledge, there have only been two direct security vulnerabilities for Home Assistant (these were patched a long time ago). However, Home Assistant uses a lot of other sources of code/packages/etc. which are also updated and may be patching a security hole. Keep it all up to date and you will have the latest fixes for any security issues.

A Note On DuckDNS
DuckDNS is a service that turns an IP address that is hard to remember (eg. 95.214.19.127) into something simple to remember like quackquack.duckdns.org and, if set up properly, can be automatically updated to always send quackquack.duckdns.org to your HA instance even when your IP address changes.
Using DuckDNS or any other dynamic DNS provider does not add a lick of security. I have often seen DuckDNS credited when people discuss securing their instance and just want to ensure people understand what these dynamic DNS services do and that they do not add to your security.

Opening and forwarding a port are used interchangeably in this guide. To allow access from outside your home network you forward a port and tell your router/firewall to forward anyone who knocks on that door to wherever you prescribe within your network. This can be seen as the equivalent of leaving a door/window open on your house, as anyone can come in.

Typically port 443 or 8123 is forwarded to your HA instance (also on port 8123). This directs anyone from outside your network that specifies your IP address or domain and the proper port to your HA instance.

A Note on Port 443: Port 443 is the default port of HTTPS (encrypted) traffic. Most modern web browsers default to HTTPS and therefore port 443 when you type in a web address or IP address. Port 443 is also heavily scanned by the services previously mentioned in this guide as it is the default port for many websites.

Only open the port(s) you need to, and using a less common port will reduce the amount of traffic that open port sees. As mentioned previously, port 443 is the default for HTTPS traffic and is scanned rather heavily. 8123 is likely to be scanned less unless someone is specifically looking for HA instances, as that is the primary port opened for HA according to the previously mentioned Shodan search.

Picking an uncommon port, say something above 20K, provides no actual security. It does however keep you out of view of many scanning tools and most scans. This significantly cuts down on attempts, and noise in the logs. It makes it much easier to see things of concern. Credit: Tinkerer

Accessing any site or your HA instance without encrypting the traffic means that everything is passed in plain text for anyone with access to see. Anything you enter into the browser (passwords for example) is sent in plain text and anyone can view/read it.

Install the DuckDNS add-on by visiting the Supervisor Page, and then the add-on store. The instructions for configuring the add-on and your HA instance to encrypt the traffic are included in the add-on configuration page for each add-on. Here is a video which provides a walkthrough of setting things up.

A Virtual Private Network (VPN) is basically your private tunnel back into your home network from anywhere with an internet connection. This is an alternative to opening a port (although some VPN setups need an open port) and can be utilized without the need for a separate encryption setup as all the VPN traffic is encrypted.

Below are some examples of secure and relatively easy to set up VPNs that are available as add-ons. There are a ton of other examples out there and your router/firewall/modem (the box that connects you to the internet) may have a built-in VPN tool that can be utilized.

Running a few of my regular searches on Shodan, to my surprise I showed up. Even though I have ports open, they are limited to IP addresses that I specify. Generally, this means that scanners like Shodan do not see anything active on the open ports as they are not one of the specified IPs.

From a public computer try accessing your instance from a browser, see what happens, see what the response looks like. Test your passwords (if it connects) and confirm you are getting a failed login notification. If you have a limit on incorrect passwords, confirm you get locked out after the limit.

Periodic checks on Shodan. Check for your domain, IP and look for results under home assistant, homeassistant or any other key words you can think of to see if you show up. Note that this can lag a bit as Shodan has to scan your IP which may not be very frequent.

There are phone-based apps that can do some of these scans also, however, I have gotten some false positives when on an LTE connection due to the way the connection is made. This seems to be the case for others too with the ports that were showing open.

If Shodan, the Shields Up test or nmap show an open port, there are two things to think about. First, did you intend to have that port open? If not, then that needs to be addressed. If you did intend to have it open, the test is just confirming that. What this means is anyone in the world with an internet connection can see that open port too. Whatever service you have running on that port had better be secure, as anyone can access it. Test that security, use strong passwords and two-factor authentication when possible.

Basically, you can go through this guide again and confirm that each step is still set up in the manner you intended. We all make changes to our configuration, and sometimes in making those changes we forget to apply the security rules we have in place. It's a good idea to periodically check up on everything.
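As an added example (not the automation from the original post, and not Home Assistant's own documentation), the configuration.yaml excerpt below puts two pieces of the guide above into practice: an `http:` section that bans a source IP after a set number of failed logins and, for installs behind a reverse proxy, tells HA to take the real client address from the proxy (the situation described in the note about Nabu Casa and reverse proxies, where every remote client would otherwise look like the proxy); and an automation that forwards HA's built-in "Login attempt failed" notification to a phone and then dismisses it from the frontend. It assumes a Home Assistant release that has the `persistent_notification` trigger; the proxy address 192.168.1.10 and the service name `notify.mobile_app_my_phone` are placeholders to replace with your own values, while `http-login` is the notification id HA itself uses for failed login attempts.

```yaml
# Added example for configuration.yaml (not the original post's automation).
# Values marked PLACEHOLDER must be replaced with your own.
http:
  # Ban the source IP after this many failed logins. Bans are written to
  # ip_bans.yaml next to configuration.yaml, where they can be reviewed
  # and removed if you lock yourself out.
  ip_ban_enabled: true
  login_attempts_threshold: 5
  # Only needed behind a reverse proxy. Without it HA sees every remote
  # client as the proxy's address, so one bad actor gets everyone banned.
  # Only the proxies listed here are allowed to set X-Forwarded-For.
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.10   # PLACEHOLDER: LAN address of your reverse proxy

automation:
  - alias: "Forward failed login attempts"
    # Queue rather than drop if several attempts arrive at once.
    mode: queued
    trigger:
      # HA creates a persistent notification with this id on every failed login.
      - platform: persistent_notification
        update_type:
          - added
        notification_id: http-login
    action:
      # PLACEHOLDER service name: use the notify service of your own companion app.
      - service: notify.mobile_app_my_phone
        data:
          title: "Home Assistant: failed login"
          # The message HA generated, which includes the source IP of the attempt.
          message: "{{ trigger.notification.message }}"
      # Clear the banner on the frontend now that the alert has been delivered,
      # so the next failed attempt creates a fresh notification and fires again.
      - service: persistent_notification.dismiss
        data:
          notification_id: http-login
```

After restarting HA, the "test it" step from the guide applies directly: from outside your network, enter a wrong password a few times, confirm the phone notification arrives for each attempt, and confirm that the sixth attempt is refused and an entry appears in ip_bans.yaml. If you are not running a reverse proxy, leave out `use_x_forwarded_for` and `trusted_proxies`, since trusting a forwarded header from an address that is not a proxy lets a client choose which IP gets banned.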

That is not correct, people can snoop even when https/ssl is used. This is why it is so important to not use free public wifi for example, just because you see a lock icon and https does not mean you are safe.
GRC SSL TLS HTTPS Web Server Certificate Fingerprints

On the VPN section, do we want to mention other alternatives for readers to decide which works best for his/her situation? I can think of a couple: ZeroTier One, Tailscale, or Tor, even. All three of those are part of the Community Add-ons, just like WireGuard.
