One major advantage of Home Assistant is that it’s not dependent on cloud services. Even if you’re only using Home Assistant on a local network, you should take steps to secure your instance.
- Protect your web interface with a password.
- Secure your host. Sources could be Red Hat Enterprise Linux 7 Security Guide, CIS Red Hat Enterprise Linux 7 Benchmark, or the Securing Debian Manual.
- Restrict network access to your devices. Set `PermitRootLogin no` in your sshd config (usually `/etc/ssh/sshd_config`) and use SSH keys for authentication instead of passwords.
- Don’t run Home Assistant as root – consider the Principle of Least Privilege.
- Keep your secrets safe.
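As an added example (not from the Home Assistant documentation), the POSIX shell function below audits an `sshd_config` file for the two settings recommended above, `PermitRootLogin no` and `PasswordAuthentication no`; the sample config files it checks are constructed for the demonstration, and it assumes no `Match` blocks are in use.

```shell
#!/bin/sh
# Audit an sshd_config file for the two hardening settings recommended above.
# sshd honours the FIRST occurrence of a keyword, so the first active match
# wins here as well. Assumption: no "Match" blocks, which could re-enable
# either setting for particular users or source addresses.
check_sshd_hardening() {
    cfg="$1"
    status=0
    for key in PermitRootLogin PasswordAuthentication; do
        # keywords are case-insensitive; take the first uncommented "Key value" line
        val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$cfg")
        if [ -z "$val" ]; then
            echo "$key: not set (sshd default applies) - set it to 'no' explicitly"
            status=1
        elif [ "$val" != "no" ]; then
            echo "$key: $val - should be 'no'"
            status=1
        else
            echo "$key: no (ok)"
        fi
    done
    return $status
}

# Constructed sample configs for the demonstration, not taken from a real host.
weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
# typical distribution default: root login left at its default, passwords allowed
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF

hardened_cfg=$(mktemp)
cat > "$hardened_cfg" <<'EOF'
PermitRootLogin no
PasswordAuthentication no   # key-based logins only
PubkeyAuthentication yes
EOF

echo "== weak config =="
check_sshd_hardening "$weak_cfg" || echo "-> not hardened"
echo "== hardened config =="
check_sshd_hardening "$hardened_cfg" && echo "-> hardened"
```

To audit a live host, run it against `/etc/ssh/sshd_config` and compare with `sshd -T`, which prints the effective configuration including any `Match` overrides.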
If you want to allow remote access, consider these additional points:
- Protect your communication with TLS/SSL.
- Enable IP Filtering and configure a low Login Attempts Threshold.
- Protect your communication with Tor.
- Protect your communication with a self-signed certificate.
- Use a proxy.
- Set up a VPN.
- Use an SSH tunnel to connect to your frontend.
If you’ve forwarded any ports to your Home Assistant system from the Internet then it will be found by others. Whether through services like Shodan, or direct port scanning, all systems on the Internet are routinely probed for accessible services. If you fail to set a password then it is simply a matter of time before somebody finds your system - potentially as little as a few hours.