How do you all handle security and monitoring for your publicly accessible services?
-
Set up a VPN to get back inside your network if you're outside it. Then you don't need HA (or anything else for that matter) to be public.
-
I've been playing around with the voice assistant stuff in homeassistant and it seemingly needs a public url to get all the features. I could be wrong about that though?
I put authentik in front of immich to handle authentication so that I would need need a 2FA code
-
If you have access to all devices, why not just use your own self signed certificates to encrypt everything and require the certificate for all connections?
Sounds like you are describing a VPN. I was using that setup before but small stuff like immich album sharing via a link won't work properly. Also, having to ensure a vpn is on and connected is a little to much to ask of my partner; they would turn it off and forget about it and then ask why their app wasn't working
-
We expose about a dozen services to the open web. Haven't bothered with something like Authentik yet, just strong passwords.
We use a solid OPNSense Firewall config with rather fine-grained permissions to allow/forbid traffic to the respective VMs, between the VMs, between VMs and the NAS, and so on.
We also have a wireguard tunnel to home for all the services that don't need to be available on the internet publicly. That one also allows access to the management interface of the firewall.
In OPNSense, you get quite good logging capabilities, should you suspect someone is trying to gain access, you'll be able to read it from there.
I am also considering setting up Prometheus and Grafana for all our services, which could point out some anomalies, though that would not be the main usecase.
Lastly, I also have a server at a hoster for some stuff that is not practical to host at home. The hoster provided a very rudimentary firewall, so I'm using that to only open necessary ports, and then Fail2Ban to insta-ban IPs for a week on the first offense. Have also set it up so they get banned on Cloudflare's side, so before another malicious request ever reaches me.
Have not had any issues, ever.
-
Most definitely does not need a public URL for Assist in HA. Not sure where you read that.
It sounds like you need a VPN to your internal services if you're concerned about security.
-
I feel weird about having those apps on the internet and basically being blind to threats. I mean yeah, I'm not a target on anyone's list and most IPs visiting the site are bots. But I would still like to know what's going on.
I don't work in tech for a living, this is just a hobby for me so I have limited time to work on this stuff and do research. It's very possible I fucked something up and don't know it. I figured if I at least got an alert that said "hey, your immich server db was dumped and sent to <insert IP>", I could at least turn it off
-
Most definitely does not need a public URL for Assist in HA. Not sure where you read that.
You're probably right. At one point, I had a subscription to homeassistant cloud a few years back to use a google nest speaker at the time. I was just going off that I guess. I'll do some testing and will probably put it back behind tailscale. thanks for the heads up
It sounds like you need a VPN to your internal services if you’re concerned about security.
I'm more so concerned that I set something up incorrectly and would like to be made aware of it in the event someone else noticed
-
Have also set it up so they get banned on Cloudflare’s side, so before another malicious request ever reaches me.
How did you end up setting that up?
-
That's very specific to individual services
-
I mean more like a self signed TLS certificate with your own host manually set in the browser. Then only make the TLS port available, or something like that. If you have access to both(all) devices, you should be able to fully encrypt by bruit force and without registering the certificate with anyone. That is what I do with AI at home.
-
Fail2ban allows you set different actions for different infringements, as well as multiple ones. So in addition to being put in a "local" jail, the offending IP also gets added to the cloudflare rules (? Is that what its called?) via their API. It's a premade action called "cloudflare-token-multi"
-
oh, my mistake. tbh, I don't know enough about it but I'm interested. Why set up a TLS cert for AI at home? How is that benefiting you and your setup?
I've seen some people set up SSL certs for self hosted services and not make them publicly available but I didn't get around to seeing why they were doing it
-
that's awesome. thanks!
-
I don't know much about certificates, but doesn't that just alert the browser that the certificate is not trusted and you can decide if keep going or not?
-
Beside the fact that you would like to understand if you've done everything properly (that's good, but I can't help you here), a VPN on a smartphone can be always active. Mine is always on and I've never noticed any battery problem. If you prefer something simpler there's Tailscale.
-
If it were only me using the apps, I'd be using a VPN. Over the years, I've used OpenVPN, Wireguard, and now Tailscale. In my experience, they work like 99% of the time. That last 1% though is weird connection issues; usually when switching between WiFi and cellular (or vice versa) but sometimes it's my server or ISP and I havr to turn the VPN off and back on to troubleshoot. My partner will either turn off the VPN and forget to turn it back on or they will forget about the VPN completely and not be able to use their phone. Ideally, I'd like to set something up that doesn't require any potential troubleshooting on their part so I can avoid hearing "why can't we just use Google photos?" or "what's wrong with Google home?"
-
I live with family and have an extra network, but I'm not sure exactly what can leak out of my own and onto theirs. It could be just my paranoia here, but I noticed at night when I am alone in the living room chatting with my AI over my network, the new smart TV has a mechanical relay when it switches from standby to mains power. I never watch TV or connect to the same network as the TV, however the relay was clicking every 15-20 minutes when I was chatting over http. It doesn't do that when I am on Lemmy or other stuff. So I tried setting up the certs and the TV never clicks. It did click if I used words with the cats or watched Piped video. Now I intentionally speak gibberish to the cats, mostly use headphones, and never hear that relay clicking any more.
Anyways, in my half ass quest to eventually self host some stuff, in abstraction, I only want a setup where I manually transfer my keys and everything is always encrypted between devices with those keys. I never want the functionality of login, key transfers, or anything like that. My phone has a key, my computer has a key, and my server has a key. Breaking one of those keys is the only way into that connection, and those keys are made and shared offline over hardware connections in person. If I was really serious, I would also use the TPM chips for even more secure keys that cannot be accessed even within each device's OS for the private key.
I think this methodology is less well documented in easy to find searches and sources because it ostracises cloud services as the oddity. Most guides and info assumes you do not have physical access to all devices so you must transfer keys over a public network or assumes you will want to connect from random extra sources or devices. This is what opens you up to other people also connecting. If everything is encrypted with certificates and no one else has those certificates, problem solved, your password is your certificate... As far as I understand it.
-
Sorta, you have to install your certificate authority into the browser and it might complain about verifying that but it will still connect with the encryption.
-
No no, what I meant is that if I connect to your server without the certificate installed don't I just get the warning and I can still get through?
-
Not unless an http port is open too. If the only port is https, you have to have the certificate. Like with my AI stuff it acts like the host is down if I try to connect with http. You have to have the certificate to decrypt anything at all from the host.
