diff --git a/source/_docs/configuration/securing.markdown b/source/_docs/configuration/securing.markdown index 664acbe217b..85117013ff5 100644 --- a/source/_docs/configuration/securing.markdown +++ b/source/_docs/configuration/securing.markdown 
@@ -12,24 +12,47 @@ redirect_from: /getting-started/securing/ One major advantage of Home Assistant is that it's not dependent on cloud services. Even if you're only using Home Assistant on a local network, you should take steps to secure your instance. -### {% linkable_title Checklist %} +## {% linkable_title Checklist %} -- [Choose a strong password](/docs/authentication/). -- Secure your host. Sources could be [Red Hat Enterprise Linux 7 Security Guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Security_Guide/Red_Hat_Enterprise_Linux-7-Security_Guide-en-US.pdf), [CIS Red Hat Enterprise Linux 7 Benchmark](https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.0.0.pdf), or the [Securing Debian Manual](https://www.debian.org/doc/manuals/securing-debian-howto/index.en.html). -- Restrict network access to your devices. Set `PermitRootLogin no` in your sshd config (usually `/etc/ssh/sshd_config`) and to use SSH keys for authentication instead of passwords. -- Don't run Home Assistant as root – consider the Principle of Least Privilege. -- Keep your [secrets](/topics/secrets/) safe. +Here's the summary of what you *must* do to secure your Home Assistant system: -If you want to allow remote access, consider these additional points: +☐ Configure [secrets](/topics/secrets/) (but do remember to back them up) +☐ Regularly keep the system up to date -- Protect your communication with [TLS/SSL](/docs/ecosystem/certificates/lets_encrypt/). -- Enable IP Filtering and configure a low [Login Attempts Threshold](/components/http/) -- Protect your communication with [Tor](/cookbook/tor_configuration/). -- Protect your communication with a [self-signed certificate](/cookbook/tls_self_signed_certificate/). -- Use a [proxy](/cookbook/apache_configuration/). -- Set up a VPN -- Use a [SSH tunnel](/blog/2017/11/02/secure-shell-tunnel/) to connect to your frontend. 
+If you only want to use components supported by [Home Assistant cloud](/cloud/) then you don't need to enable remote access. This is obviously the most secure option, but does mean that you're relying on a cloud service for that functionality. + +☐ For remote access to the UI, use a [VPN](http://www.pivpn.io/), [Tor](/docs/ecosystem/tor/), or an [SSH tunnel](/blog/2017/11/02/secure-shell-tunnel/) +☐ For remote access for components, use a [TLS/SSL](/docs/ecosystem/certificates/lets_encrypt/) certificate + +### {% linkable_title You should %} + +As well as the above we advise that you consider the following to improve security: + +- For systems that use SSH set `PermitRootLogin no` in your sshd config (usually `/etc/ssh/sshd_config`) and to use SSH keys for authentication instead of passwords. This is particularly important if you enable remote access to your SSH services. +- Lock down the host following good practice guidance, for example: + * [Securing Debian Manual](https://www.debian.org/doc/manuals/securing-debian-howto/index.en.html) (this also applies to Raspbian) + * [Red Hat Enterprise Linux 7 Security Guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Security_Guide/Red_Hat_Enterprise_Linux-7-Security_Guide-en-US.pdf), [CIS Red Hat Enterprise Linux 7 Benchmark](https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.0.0.pdf)
- If you've forwarded any ports to your Home Assistant system from the Internet then it *will* be found by others. Whether through services like Shodan, or direct port scanning, all systems on the Internet are routinely probed for accessible services. If you fail to set a password then it is simply a matter of time before somebody finds your system - potentially as little as a few hours. + If you've forwarded *any* ports to your Home Assistant system from the Internet, then it *will* be found by others. Whether through services like Shodan, or direct port scanning, all systems on the Internet are routinely probed for accessible services. If you fail to set a password then it is simply a matter of time before somebody finds your system and starts abusing it - potentially as little as a few hours.
+ +### {% linkable_title Remote access for just the UI %} + +If you only want remote access for access to the web UI then we advise that you follow the **All installs** section, then set up one of: + +- A VPN such as [PiVPN](http://www.pivpn.io/) or [ZeroTier](https://www.zerotier.com/), which will give you access to your whole home network +- [Tor](/docs/ecosystem/tor/), which also avoids the need for port forwarding +- An [SSH tunnel](/blog/2017/11/02/secure-shell-tunnel/) to connect to your frontend + +### {% linkable_title Remote access for components %} + +For remote access for a component, for example, a device tracker, you have to enable access to the API by: + +1. Following the steps in **All installs**, then +2. Forwarding a port and protect your communication with one of: + * A [TLS/SSL](/docs/ecosystem/certificates/lets_encrypt/) certificate (you can use one from Let's Encrypt, or any commercial SSL certificate vendor) + * A [self-signed certificate](/cookbook/tls_self_signed_certificate/) - be warned though, some services will refuse to work with self-signed certificates +3. Optionally use a proxy like [NGINX](/docs/ecosystem/nginx/), [Apache](/cookbook/apache_configuration/), or another. These allow you to provide finer-grained access. You could use this to limit access to specific parts of the API (for example, only `/api/owntracks/`) +4. Enable IP Filtering and configure a low [Login Attempts Threshold](/components/http/) +5. If you use a proxy then install [fail2ban](https://www.fail2ban.org/wiki/index.php/Main_Page) to [monitor your proxy logs](https://www.home-assistant.io/cookbook/fail2ban/) (or Home Assistant logs) for failed authentication
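Review bot: The new "must do" checklist drops the old "[Choose a strong password](/docs/authentication/)" item, yet the paragraph directly below it still warns "If you fail to set a password then it is simply a matter of time before somebody finds your system"; a reader following only the checklist would never be told to set one, so the password item should be restored as the first ☐ entry (or the warning should point at the authentication docs). Two smaller points in the same hunk: the ☐ characters are plain text rather than markdown list syntax, so those four lines will not render as a list or wrap like one, and a `-` bullet would be consistent with the rest of the page; and the SSH item still carries the old wording "Set `PermitRootLogin no` ... and to use SSH keys", which should read "and use SSH keys", while step 2 under "Remote access for components" mixes "Forwarding a port and protect your communication" and should be "Forward a port and protect your communication" to match steps 3 to 5.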