One major advantage of Home Assistant is that it’s not dependent on cloud services. Even if you’re only using Home Assistant on a local network, you should take steps to secure your instance.
Here’s the summary of what you must do to secure your Home Assistant system:
- Configure secrets (but do remember to back them up)
- Regularly keep the system up to date
If you only want to use integrations supported by Home Assistant cloud then you don’t need to enable remote access. This is obviously the most secure option, but does mean that you’re relying on a cloud service for that functionality.
- For remote access to the UI, use a VPN, Tor or an SSH tunnel
- For remote access for components, use a TLS/SSL certificate
As well as the above we advise that you consider the following to improve security:
- For systems that use SSH, set PermitRootLogin no in your sshd config (usually /etc/ssh/sshd_config) and use SSH keys for authentication instead of passwords. This is particularly important if you enable remote access to your SSH services.
- Lock down the host following good practice guidance, for example:
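The SSH item above is easy to get wrong because sshd honours only the first occurrence of a keyword. Here is an added audit script (not part of the Home Assistant documentation) that reads an sshd_config file with that first-match rule and reports whether PermitRootLogin and PasswordAuthentication are set as recommended; the sample config it checks is constructed, and the defaults it assumes for absent keywords are those of current OpenSSH releases.

```shell
# Effective value of an sshd_config keyword. sshd applies the FIRST
# occurrence of a keyword and ignores later ones; keywords are
# case-insensitive and lines starting with '#' are comments.
# $1 = keyword, $2 = config file, $3 = value to report if absent
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blanks
        /^[[:space:]]*[Mm]atch/ { exit }       # globals end at the first Match block
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# Prints one finding per line; returns 0 only if both recommendations hold.
audit_sshd() {
    cfg="$1"; rc=0
    # Assumed defaults when a keyword is absent: modern OpenSSH uses
    # PermitRootLogin prohibit-password and PasswordAuthentication yes.
    root=$(sshd_effective PermitRootLogin "$cfg" prohibit-password)
    pass=$(sshd_effective PasswordAuthentication "$cfg" yes)
    if [ "$root" = no ]; then echo "ok   PermitRootLogin no"
    else echo "FAIL PermitRootLogin $root (want: no)"; rc=1; fi
    if [ "$pass" = no ]; then echo "ok   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication $pass (want: no, use SSH keys)"; rc=1; fi
    return "$rc"
}

# Constructed sample, not a real host's config: the hardening lines were
# appended at the bottom, so the earlier 'yes' values still win.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
audit_sshd "$demo_cfg" || echo "-> edit the FIRST occurrence of each keyword, then reload sshd"
```

Run it against the real file with audit_sshd /etc/ssh/sshd_config; it does not follow Include directives, so check included files separately on hosts that use them.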
If you’ve forwarded any ports to your Home Assistant system from the Internet, then it will be found by others. Whether through services like Shodan, or direct port scanning, all systems on the Internet are routinely probed for accessible services. If you fail to set a password then it is simply a matter of time before somebody finds your system and starts abusing it - potentially as little as a few hours.
If you only want remote access for access to the web UI then we advise that you follow the Installation section, then set up one of:
- A VPN such as PiVPN or ZeroTier, which will give you access to your whole home network
- Tor, which also avoids the need for port forwarding
- An SSH tunnel to connect to your frontend
For remote access for a component, for example, a device tracker, you have to enable access to the API by:
- Following the steps in Installation, then
- Forwarding a port and protecting your communication with one of:
  - A TLS/SSL certificate (you can use one from Let’s Encrypt, or any commercial SSL certificate vendor)
  - A self-signed certificate - be warned though, some services will refuse to work with self-signed certificates
- Optionally use a proxy like NGINX, Apache, HAproxy or another. These allow you to provide finer-grained access. You could use this to limit access to specific parts of the API (for example, only
- Enable IP Filtering and configure a low Login Attempts Threshold
- If you use a proxy then install fail2ban to monitor your proxy logs (or Home Assistant logs) for failed authentication