layout: page

title: "Security of Home Assistant"

description: "Security of Home Assistant."

date: 2017-02-13 12:50

sidebar: true

comments: false

sharing: true

footer: true

As Home Assistant is like every other service or daemon that is running on a computer system that allows access over a network connection, certain measurement were taken to increase the overall security while still staying operational.

[Secure your installation](/docs/configuration/securing/) once you've finished with the installation process regardless of your use case.

Home Assistant is NOT able to change the configuration of your router or firewall. This means that you need to setup [port-forwarding](/docs/configuration/remote/) and adjusting firewall rules if you want to allow access from the internet. By default your frontend and your Hass.io add-ons like Mosquitto, SSH and your Samba shares are only accessible from your local network.

Further [details about the fingerprint/server banner](/docs/security/webserver/) of a Home Assistant instance are available.

The default port of Home Assistant is 8123. This is the port where the [`frontend`](/components/frontend/) and the [`API`](/components/api/) is served. Both are depending on the [`http`](/components/http/) component which contains the capability to adjust the settings like `server_host` or `server_port`.

See the [open ports](/docs/security/porosity/) of a Hass.io instance with various add-ons.

Home Assistant is following the [Mozilla's Operations Security team recommendations](https://wiki.mozilla.org/Security/Server_Side_TLS) for Server side SSL/TLS settings. To allow the users to access Home Assistant with most devices the target is **Intermediate compatibility**.

The SSH connection for [debugging](https://developers.home-assistant.io/docs/en/hassio_debugging.html) on port 22222 is not enabled by default and can only be used with keys.

Is SSH used with the [SSH server add-on](/addons/ssh/) then the user is responsible for the configuration and security.

Due to the lack of resources we are not able to review all of our dependencies and inspect them for malicious behavior, leakage of information or compliance with GDPR. But we have a keen interest in the development of our dependencies are try to work closely with the upstream developer.

layout: page

title: "Home Assistant/Hass.io porosity"

description: "Use nmap to scan your Home Assistant instance."

date: 2016-10-06 08:00

sidebar: true

comments: false

sharing: true

footer: true

As a large amount of users are running [Hass.io](/hassio/), here we are using a Raspberry Pi 3 B and Hass.io 0.70.0 to show how Home Assistant looks from the network side. This is not a full blown investigation, just a quick overview.

The IP address of the Home Assistant machine is 192.168.0.215. The system which is the source of the scans is a machine running Fedora 27 and Nmap 7.60 is used to preform the port scans. Both systems are in the same network.

To get access to Hass.io in secure way, SSH is provided by the [SSH server add-on](/addons/ssh/).

$ sudo nmap -A -n --reason -Pn -T5 -p1-65535 192.168.0.215

Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 15:08 CEST

Nmap scan report for 192.168.0.215

Host is up, received arp-response (0.00051s latency).

Not shown: 65532 closed ports

Reason: 65532 resets

PORT STATE SERVICE REASON VERSION

22/tcp open ssh syn-ack ttl 63 OpenSSH 7.5 (protocol 2.0)

| ssh-hostkey:

| 2048 e3:a2:2d:20:3a:67:68:b9:b1:9e:16:fa:48:80:82:96 (RSA)

| 256 92:f0:f4:be:4f:44:60:0e:c4:92:8a:cb:34:9e:c5:c2 (ECDSA)

|_ 256 09:da:a2:14:cd:c4:69:e9:13:e6:70:64:98:d0:55:0c (EdDSA)

8123/tcp open http syn-ack ttl 64 aiohttp 3.1.3 (Python 3.6)

|_http-open-proxy: Proxy might be redirecting requests

| http-robots.txt: 1 disallowed entry

|_/

|_http-server-header: Python/3.6 aiohttp/3.1.3

|_http-title: Home Assistant

22222/tcp open ssh syn-ack ttl 64 Dropbear sshd 2016.74 (protocol 2.0)

MAC Address: B8:41:CD:4B:7A:5D (Raspberry Pi Foundation)

Device type: general purpose

Running: Linux 3.X|4.X

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS details: Linux 3.2 - 4.8

Network Distance: 1 hop

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE

HOP RTT ADDRESS

1 0.51 ms 192.168.0.215

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 726.23 seconds

That port 22 and 8123 are open was expected. On port 22222 is an additional SSH server running. This port is for [debugging](https://developers.home-assistant.io/docs/en/hassio_debugging.html) and supports only a login with a key. This means that you would need to remove the SD card from your Raspberry Pi, create an `authorized_keys` with your SSH public key in it and put the SD Card back in your Pi to get access.

While setting up the [Mosquitto MQTT broker add-on](/addons/mosquitto/) no settings very modified, the add-on was running with the default settings.

$ sudo nmap -A -n --reason -Pn -T5 -p1-65535 192.168.0.215

Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 15:52 CEST

Nmap scan report for 192.168.0.215

Host is up, received arp-response (0.0011s latency).

Not shown: 65532 closed ports

Reason: 65532 resets

PORT STATE SERVICE REASON VERSION

1883/tcp open mosquitto version 1.4.12 syn-ack ttl 63

| mqtt-subscribe:

| Topics and their most recent payloads:

| $SYS/broker/load/connections/5min: 0.39

[...]

| $SYS/broker/load/connections/15min: 0.13

|_ $SYS/broker/clients/total: 2

8123/tcp open http syn-ack ttl 64 aiohttp 3.1.3 (Python 3.6)

|_http-open-proxy: Proxy might be redirecting requests

| http-robots.txt: 1 disallowed entry

|_/

|_http-server-header: Python/3.6 aiohttp/3.1.3

|_http-title: Home Assistant

22222/tcp open ssh syn-ack ttl 64 Dropbear sshd 2016.74 (protocol 2.0)

MAC Address: B8:41:CD:4B:7A:5D (Raspberry Pi Foundation)

Device type: general purpose

Running: Linux 3.X|4.X

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS details: Linux 3.2 - 4.8

Network Distance: 1 hop

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE

HOP RTT ADDRESS

1 1.13 ms 192.168.0.215

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 223.76 seconds

To secure MQTT to consider to use certificates and to specify users with password under `logins:` at least. Use port 1883 only in your local network.

The [Samba add-on](/addons/samba/) enables one to use a Windows system to access the configuration and other shares. Per default there is no user set. To increase your local security we strongly suggest that you set a username and a password and don't allow guests. A sample configuration could look like the one below.

A port scan for Hass.io with this add-on will give you the details.

$ sudo nmap -A -n --reason -Pn -T5 -p1-65535 192.168.0.215

Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 16:29 CEST

Host is up, received arp-response (0.00045s latency).

Not shown: 65523 closed ports

Reason: 65523 resets

PORT STATE SERVICE REASON VERSION

139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.7.3 (workgroup: WORKGROUP)

8123/tcp open http syn-ack ttl 64 aiohttp 3.1.3 (Python 3.6)

|_http-open-proxy: Proxy might be redirecting requests

| http-robots.txt: 1 disallowed entry

|_/

|_http-server-header: Python/3.6 aiohttp/3.1.3

|_http-title: Home Assistant

22222/tcp open ssh syn-ack ttl 64 Dropbear sshd 2016.74 (protocol 2.0)

MAC Address: B8:41:CD:4B:7A:5D (Raspberry Pi Foundation)

Device type: general purpose

Running: Linux 3.X|4.X

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS details: Linux 3.2 - 4.8

Network Distance: 1 hop

Service Info: Host: HASSIO; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:

|_nbstat: NetBIOS name: HASSIO, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

| smb-os-discovery:

| OS: Windows 6.1 (Samba 4.7.3)

| Computer name: \x00

| NetBIOS computer name: HASSIO\x00

| Workgroup: WORKGROUP\x00

|_ System time: 2018-05-29T16:41:05+02:00

| smb-security-mode:

| account_used: guest

| authentication_level: user

| challenge_response: supported

|_ message_signing: disabled (dangerous, but default)

| smb2-security-mode:

| 2.02:

|_ Message signing enabled but not required

| smb2-time:

| date: 2018-05-29 16:41:05

|_ start_date: 1601-01-01 00:53:28

TRACEROUTE

HOP RTT ADDRESS

1 0.46 ms 192.168.0.215

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 727.43 seconds

139 and 445 are open and it's possible to enumerate the shares. With different tools you will get pretty much the same information.

$ smbclient -L //192.168.0.215 -U%

Sharename Type Comment

--------- ---- -------

config Disk

addons Disk

share Disk

backup Disk

IPC$ IPC

IPC Service (Samba HomeAssistant config share)

Reconnecting with SMB1 for workgroup listing.

Server Comment

--------- -------

Workgroup Master

--------- -------

WORKGROUP HASSIO

But without username and password you can't get access to the configuration file with the settings shown here.

[...]

"guest": false,

"username": "homeassistant",

"password": "homeassistant",

"interface": "eth0"

redirect_from: /docs/frontend/webserver/

We don't have an unique server banner but in combination with the HTML title `Home Assistant`, is it simple to identify Home Assistant instances.

$ nc 192.168.0.3 8123

GET / HTTP/1.1

host: localhost

HTTP/1.1 200 OK

Server: Python/3.6 aiohttp/3.1.3

[...]

One option to avoid this exposure is using a [reverse proxy](/docs/ecosystem/nginx/).

<li>

<b>{% active_link /docs/security/ Security %}</b>

<ul>

<li>{% active_link /docs/security/webserver/ Web server fingerprint %}</li>

<li>{% active_link /docs/security/porosity/ Porosity %}</li>

</ul>

</li>