c464056402
* 🔥 Removes octopress.js * 🔥 Removes use of root_url var * 🔥 Removes Octopress generator reference from feed * 🔥 Removes delicious support * 🔥 Removes support for Pinboard * 🔥 Removes support for Disqus * 🔥 Removes support for Google Plus * ↩️ Migrate custom after_footer to default template * ↩️ Migrate custom footer to default template * ↩️ Migrate custom header to default template * 🔥 Removes unused template files * 🚀 Places time to read directly in post template * 🚀 Removes unneeded capture from archive_post.html template * 🔥 🚀 Removes unused, but heaving sorting call in component page * 🚀 Merged javascripts into a single file * 🔥 Removes more uses of root_url * 🚀 Removal of unneeded captures from head * 🔥 🚀 Removal of expensive liquid HTML compressor * 🔥 Removes unneeded templates * 🚀 Replaces kramdown with GitHub's CommonMark 🚀 * 💄 Adds Prism code syntax highlighting * ✨ Adds support for redirect in Netlify * ↩️ 🔥 Let Netlify handle all developer doc redirects * ✏️ Fixes typo in redirects file: Netify -> Netlify * 🔥 Removes unused .themes folder * 🔥 Removes unused aside.html template * 🔥 Removes Disqus config leftover * 🔥 Removes rouge highlighter config * 🔥 Removes Octopress 🎉 * 💄 Adjust code block font size and adds soft wraps * 💄 Adds styling for inline code blocks * 💄 Improve styling of note/warning/info boxes + div support * 🔨 Rewrites all note/warning/info boxes
4.0 KiB
title, description, redirect_from
| title | description | redirect_from |
|---|---|---|
| Securing | Instructions on how to secure your Home Assistant installation. | /getting-started/securing/ |
One major advantage of Home Assistant is that it's not dependent on cloud services. Even if you're only using Home Assistant on a local network, you should take steps to secure your instance.
Checklist
Here's the summary of what you must do to secure your Home Assistant system:
- Configure secrets (but do remember to back them up)
- Regularly keep the system up to date
If you only want to use integrations supported by Home Assistant cloud then you don't need to enable remote access. This is obviously the most secure option, but does mean that you're relying on a cloud service for that functionality.
- For remote access to the UI, use a VPN, Tor or an SSH tunnel
- For remote access for components, use a TLS/SSL certificate
You should
As well as the above we advise that you consider the following to improve security:
- For systems that use SSH set
PermitRootLogin noin your sshd config (usually/etc/ssh/sshd_config) and to use SSH keys for authentication instead of passwords. This is particularly important if you enable remote access to your SSH services. - Lock down the host following good practice guidance, for example:
- Securing Debian Manual (this also applies to Raspbian)
- Red Hat Enterprise Linux 7 Security Guide, CIS Red Hat Enterprise Linux 7 Benchmark
If you've forwarded any ports to your Home Assistant system from the Internet, then it will be found by others. Whether through services like Shodan, or direct port scanning, all systems on the Internet are routinely probed for accessible services. If you fail to set a password then it is simply a matter of time before somebody finds your system and starts abusing it - potentially as little as a few hours.
Remote access for just the UI
If you only want remote access for access to the web UI then we advise that you follow the Installation section, then set up one of:
- A VPN such as PiVPN or ZeroTier, which will give you access to your whole home network
- Tor, which also avoids the need for port forwarding
- An SSH tunnel to connect to your frontend
Remote access for integrations
For remote access for a component, for example, a device tracker, you have to enable access to the API by:
- Following the steps in Installation, then
- Forwarding a port and protect your communication with one of:
- A TLS/SSL certificate (you can use one from Let's Encrypt, or any commercial SSL certificate vendor)
- A self-signed certificate - be warned though, some services will refuse to work with self-signed certificates
- Optionally use a proxy like NGINX, Apache, HAproxy or another. These allow you to provide finer-grained access. You could use this to limit access to specific parts of the API (for example, only
/api/owntracks/) - Enable IP Filtering and configure a low Login Attempts Threshold
- If you use a proxy then install fail2ban to monitor your proxy logs (or Home Assistant logs) for failed authentication