Hi,
TL;DR: What are some tips to protect openHAB from intruders on the local network? (besides advice on protecting the local network itself)
I read this documentation article about securing access to openHAB, but it mostly focuses on securing remote access to openHAB. For remote access I use myopenhab.org, so that is “solved”. However, I would like to improve security on the local network, so that if someone gets, e.g., the wifi password, they would not be able to do some damage or manipulate the system.
I read/saw a local Norwegian article where a TV show was showing the dangers of dumb “smart devices”, and a known guy that has the “Norwegian smartest home” was the target. He later discussed the topic, explaining that the security expert tried everything he could in a short time, but eventually the owner had to give up the keys and open access for “a good show”. However, his HomeSeer automation software still had protected access, so even though the expert connected to the wifi, he couldn’t control anything in the home. I see that the article I linked to describes nginx as a reverse proxy for controlling access, but there are some limitations:
> **Note:** There is currently an issue with Proxy Authentication and HABmin when using some browsers. If you require HABmin, consider connecting locally or using Safari for now.
So this also assumes that the local network is safe.
Not openHAB related, but I remember my landlord sharing an internet subscription with me, and one day he just connected some NAS where he backed up all his photos, and they all appeared in my Picasa image organizer. This just reminds me that I cannot trust my local network and its users that much.
I am considering using a firewall on the Linux PC where openHAB would be installed, but that introduces a bunch of rules due to device discovery for every binding etc. I also read in some topic that it might be basically pointless to have a firewall running on Linux, as no other ports are open/being listened to. First I was thinking of manually opening access for the IPs that can access openHAB itself, but running openHAB in Docker makes local firewall rules obsolete, as Docker basically goes around them, allowing all ports to the container. I know that Traefik could be used for Docker containers, but man, it all suddenly becomes very very complicated to set up and maintain.
There are also Node-RED and perhaps Grafana etc. that will live on the server, but I guess that is where nginx (or Traefik) would help with basic authentication.
Ahh… difficult topic for me. Can anyone simplify it, please?
Perhaps by improving the existing documentation with more focus on the local network?