It was only a matter of time until the first queries for tools like https://www.shodan.io to search for Home Assistant instances showed up.
To get an idea about how your Home Assistant instance looks to a network scanner, you can use
nmap tool is already available if you are using the nmap device tracker.
$ nmap -sV -p 8123 --script=http-title,http-headers 192.168.0.3 Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 18:16 CEST Nmap scan report for 192.168.0.3 Host is up (0.0058s latency). PORT STATE SERVICE VERSION 8123/tcp open http aiohttp 3.1.3 (Python 3.6) | http-headers: | Content-Type: text/html; charset=utf-8 | Content-Length: 3073 | Date: Tue, 29 May 2018 16:16:50 GMT | Server: Python/3.6 aiohttp/3.1.3 | Connection: close | |_ (Request type: GET) |_http-server-header: Python/3.6 aiohttp/3.1.3 |_http-title: Home Assistant Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.13 seconds
We don’t have an unique server banner but in combination with the HTML title
Home Assistant, is it simple to identify Home Assistant instances.
$ nc 192.168.0.3 8123 GET / HTTP/1.1 host: localhost HTTP/1.1 200 OK Server: Python/3.6 aiohttp/3.1.3 [...]
One option to avoid this exposure is using a reverse proxy.