
The best way? Depends how savvy you are, family approval factor, and how much pain and suffering you are willing to put up with. The internet is a dangerous place for anyone, especially your house and private lives. If you don’t really know what you are doing, a VPN is usually a great first step instead of exposing HASS to the internet.

My current setup consists of, following the flow of a packet from Internet -> Cloudflare -> Firewall -> NGINX -> HASS:

Hosted DNS, TLS/Certificate, and proxied through Cloudflare using Authenticated Origin Pulls. This is all free, and they have excellent documentation and tutorials. Even if you don’t upgrade to Pro (for the WAF) there are great features like DNSSEC and Certificates. Be careful with the caching settings, I have had a few problems with HASS when those settings were enabled. Don’t forget to enable websocket support in the CF console!

PFsense 2.4 running dynamic DNS updates to Cloudflare, Snort pro rules with custom tuned rules for the WAN interface and ‘balanced’ rule set on LAN/IOT. Then add pfblockerng with cherry-picked threat feeds from FireHOL. If an IP address ends up sending you a packet of any kind and it is known by these feeds… they generally don’t need to continue and get blocked. Why let an attacker try all your doors and windows when you know they are bad after one knock? Talos (Cisco), Bambenek, Binary Defense Systems (BDS) and other well known threat intelligence are out there for free.

Previously mentioned by others: PFsense as a router on a stick, and Unifi wireless/switch run three networks: LAN, IOT, and Guest. Dump everything in the IOT vlan and set up very specific firewall rules between your vlans. Block by default and use the firewall logs to figure out what is the minimum set of ports (if any) you need back into the LAN.

NGINX running locally as a reverse proxy using TLS and a certificate provided by Cloudflare. Combined with authN origin pulls from #1. I have been lazy, but want to get around to running mod_security as a module here if you wanted to BYO-WAF instead of paying Cloudflare. I kinda-sorta compensate with some snort web app rules, but I should get around to this… (5a) If you didn’t want to go with Cloudflare, you could also set up your own NGINX mutual auth using your own self-signed certificates.

Homeassistant with a good password, and make sure you read the components to set up cors_allowed_origins, use_x_forwarded_for (critical for correct proxy functionality), ip_ban_enabled, and login_attempts_threshold.

Make sure you test and run scans on your domain using SSLabs or HTbridge. Then check your headers using securityheaders.io. Lastly, sign up for a free shodan account and search your own IP. Shodan should only show ports you expect (like TCP 443 for HTTPS/TLS).

A full writeup of that would be quite the saga, and there is probably something I missed. OS, Packages, Libraries, patch it all and constantly.

Second priority would be pfsense, what a wonderful piece of free open source software and packages. However take a look at either a VPN or Cloudflare first and get started, buy a domain from a reputable reseller like gandi and not godaddy, then configure HASS and NGINX… big win and free TLS/Certificates. Dump your terrible consumer router and never look back.

I could see some not bothering with segmented vlans and wifi… leave this until later as being exposed to the internet is your primary threat. I have some terrible wemo devices I am afraid of, alexa, and the nvidia shield all belong in the dirty IOT vlan because they are far too chatty for my liking.
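The NGINX reverse proxy layer described above (TLS with a Cloudflare-issued certificate, Authenticated Origin Pulls, websocket support, and forwarding the real client address so the HASS ip_ban and login_attempts_threshold settings count the right host), written out as an added example that is not from the original post. The hostname hass.example.com, the certificate paths under /etc/nginx/certs/, and the Home Assistant backend at 127.0.0.1:8123 are assumptions; the (5a) self-signed mutual-auth variant only changes which CA file ssl_client_certificate points at.

```nginx
# Added example, not the original poster's config.
# Assumptions: the Cloudflare origin certificate and key live at
# /etc/nginx/certs/origin.pem and origin.key, Cloudflare's origin-pull CA
# certificate is saved as /etc/nginx/certs/origin-pull-ca.pem, and
# Home Assistant listens on 127.0.0.1:8123. For the self-signed mutual-auth
# variant (5a), point ssl_client_certificate at your own CA instead.

# Plain HTTP only redirects; nothing is served on port 80.
server {
    listen 80;
    server_name hass.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name hass.example.com;

    ssl_certificate     /etc/nginx/certs/origin.pem;
    ssl_certificate_key /etc/nginx/certs/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authenticated Origin Pulls: the TLS handshake fails unless the client
    # (Cloudflare's edge) presents a certificate signed by this CA, so
    # traffic that bypasses Cloudflare never reaches Home Assistant.
    ssl_client_certificate /etc/nginx/certs/origin-pull-ca.pem;
    ssl_verify_client on;

    # Headers that securityheaders.io checks for.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;

        # Websocket upgrade: the HASS frontend does not work without it.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Real client address for use_x_forwarded_for / ip_ban_enabled.
        # CF-Connecting-IP is only trustworthy because origin pulls guarantee
        # the connection came through Cloudflare; with the self-signed
        # direct-access variant use $remote_addr here instead.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $http_cf_connecting_ip;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 90s;
    }
}
```

On the Home Assistant side, current releases refuse to start with `use_x_forwarded_for: true` unless `trusted_proxies` in the `http:` section lists the proxy's address (127.0.0.1 here), which is what lets the ip_ban logic attribute failed logins to the forwarded client rather than to NGINX.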
