Home Assistant Hardening
Exposing your Smart Home to the Internet without some level of protection, is not a good idea. Bad things can and will happen! That’s why you should invest some time in hardening Home Assistant. Let’s dig into it.
Home Assistant Basic Hardening
Home Assistant offers some basic functionality to secure the access to your Smart Home. To achieve the maximum in built access security, you need to do the following:
If you’re fine with accessing your Home Assistant instance only from LAN or over a VPN, you don’t need the following solution. But if you plan to expose Home Assistant to the Internet, then it’s worth to spend some time, to implement the following solution.
How it works
The core of the solution is Cloudflare Access, which was built to offer a service which can secure, authenticate, and monitor user access to any domain, application, or path on Cloudflare. And everything without a VPN connection. There are two types of login-options available:
- Single sign-on based on providers like Google, Github, Facebook and some more
- Secret code sent by Cloudflare to your mailbox
I’m using Google, as I have enabled two factor authentication for my Google account, which leads to two factor authentication security for Home Assistant.
Cloudflare Access is nothing different than a HTTP / HTTPS proxy sitting between your Home Assistant instance and the internet. With the only difference, that Cloudflare Access adds authentication mechanism.
Cloudflare also provides CDN caching, ddos protection and much more. I’ll not cover the basic Cloudflare setup here, but you can have a look on the official guide on how to set it up.
How to set it up
It’s important to note, that you still need a SSL certificate to run HTTPS between your Home Assistant instance and the Cloudflare proxy. Otherwise bad guys can use man in the middle attacks, to sniff and modify the HTTP traffic. Besides that, some IP blacklisting rules have to be implemented on the local proxy or even the firewall, to only allow traffic coming from the Cloudflare IPs. I’m running Nginx as reverse proxy to expose my web services to the internet over HTTPS. Tha’t why I’ve implemented the IP blacklisting in Nginx, but I’m currently thinking about already blocking it at the Firewall. Nginx IP blacklisting can be achieved in the following way:
- Create a blacklist.conf file with the following content
allow 220.127.116.11/22; allow 18.104.22.168/22; allow 22.214.171.124/22; allow 126.96.36.199/12; allow 188.8.131.52/18; allow 184.108.40.206/22; allow 220.127.116.11/18; allow 18.104.22.168/15; allow 22.214.171.124/13; allow 126.96.36.199/20; allow 188.8.131.52/20; allow 184.108.40.206/20; allow 220.127.116.11/22; allow 18.104.22.168/17; deny all;
My web services are not available through IPv6, that’s why just IPv4 addresses are in the blacklist.conf file. IPs used by Cloudflare can be found on the official webpage.
2. Include the created blacklist.conf file in the Nginx config with
To setup the Cloudflare part, log into your account and switch to the Access tab. Under login methods you have to choose the identy provider you want to use. Additionally you can specify the login page domain or customize it. In order to reach your Home Assistance instance through Cloudflare, it’s requiered to setup a Acess Policy.
If your Home Assistant instance is running under a subdomain or different path then root, adjust the Application Domain. Under Application Name you can put a name for the application which will be shown on the login screen. Session Duration defines how long you will be logged in, until you have to login again. To allow a user to login, it’s necessary to create a property which includes the email address of the user. In my case, it’s the email address of my Google account. That’s all, now yhou should be able to access your Home Assistant instance through Cloudflare, easy and secure!
If you’re even afraid of opening ports on your Router or Firewall, maybe Cloudflares Agro Tunnel is something for you.
Let me know in the comment section or at Twitter how you like this solution.