Add firewall / IPTABLES function to HA to block particular IPs from outside address?

Hi,

There are times I get “Login attempt failed” messages. Most of these are my own IP address, which I’d like to fix. The existing components/http/ban.py should at least have an option to record the userID and password that is being attempted, and this may also identify what is being attempted when it comes from my own IP(s). I will take a look at the ban.py routine to see what can be done.

But this question really relates to legitimate bad-actors trying to get to my HA from their own subnets on the Internet.

What I’d want is a way to say <Bad login from IP=1.2.3.4 login attempted with user=“badloginuser”, with password=“123abc”. Do you want to silently block these attempts from this IP or give a netmask to block?> (maybe block after X attempts?)

If I say “Yes, block”, or “Yes, block /24” I’d have a firewall-type / IPTABLES-type entry added that drops the connection attempts, either from that particular address, or from the stated netmask (/24 in the example).

What the bad-actor would see is no TCP SYN-ACK come back, HA would drop the SYN as soon as it came from the identified IP or network. To an attacker, this just seems like an IP that doesn’t respond, as if I put a firewall / IPTABLES entry in, or configured my outside firewall to drop the attempts. This could even block it for X hours until allowing it again.

Please let me know what you think.

Regards,

Ambi

You shouldn’t expose your HA instance to the internet. It isn’t secure and it never will be.

Hi,

Thanks for your feedback! So, I guess you don’t go out much? :smiley: At least if you want info your HA has.

I respect that sentiment. I could get all my iPhones/iPads to use a VPN into my RPi running HA. Sure, but isn’t a private dynamic DNS provider issuing me >2048-bit DigiCert or GlobalSign certificates secure? That’s what my banks do.

And, certainly, I can block this IP or range on my firewalls…heck, I can even intercept the SYSLOG message that indicated when it throws the bad-login error and generate the syntax for the real firewall to block the IP/range. But I prefer to leverage the recipient of the bad login (HA) to deny and block itself. My HA is hanging on its own DMZ, so I’m not worried about cross-contamination.

HA is basically a Linux distro anyway, isn’t there an IPTABLES component somewhere? Even “underneath the HA OS kernel/container”, on the native Pi?

Cheers,

Ambi

There is “normal” Linux as the underlying OS. But the development of HA is the core business. Development of a UI for the underlying Linux distro and its iptables isn’t.
I do use HA outside of my home. With a VPN, and it’s always on. It works perfectly smoothly and I’ve never had any complaints. Also I don’t have any outside unknown visitors.
You could also look into NabuCasa.


I just switched to a VPN because I didn’t want HA exposed. There is an IP ban where you can set the amount of failed attempts before the IP is banned. It doesn’t tell you what login was used though.

It does create a file with the IP, ip_bans.yaml. If there is a way to send an IP to your firewall rules then you could use that.

Inside bad attempts are, in my experience, from bad web links in your browser history. For instance, like I had mentioned, I moved away from https; my old links were all https.

I got quite a few warnings from inside. This was the same when I first set up https.
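As an added example, not code from this thread or from the Home Assistant project, here is one way to do what the two replies above describe: turn the ip_bans.yaml that HA's IP ban feature writes into firewall drop rules, so the banned address gets no SYN-ACK at all instead of an HTTP 403. It assumes the file has the shape HA's http component writes (one top-level key per IP with a `banned_at` timestamp), that HA listens on port 8123, and that iptables/ip6tables are available; the sample file contents are constructed for the example. The `max_age` window implements the "block for X hours" idea, and `widen_v4_to=24` the "/24 netmask" idea.

```python
"""Generate iptables DROP rules from Home Assistant's ip_bans.yaml (added example).

Assumed HA config that makes HA write the file after N failed logins:
    http:
      ip_ban_enabled: true
      login_attempts_threshold: 5
"""
from __future__ import annotations

import ipaddress
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape HA writes: IP -> banned_at (ISO timestamp).
SAMPLE_IP_BANS = """\
203.0.113.45:
  banned_at: '2024-05-01T10:15:00'
198.51.100.7:
  banned_at: '2024-05-03T08:00:00'
2001:db8::17:
  banned_at: '2024-05-03T09:30:00'
"""

_IP_LINE = re.compile(r"^(\S+):\s*$")               # "203.0.113.45:"
_BANNED_AT = re.compile(r"^\s+banned_at:\s*'?([^']+?)'?\s*$")


def parse_ip_bans(text: str) -> dict[str, datetime]:
    """Minimal parser for the two-level file HA writes (avoids a PyYAML dependency)."""
    bans: dict[str, datetime] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _IP_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _BANNED_AT.match(line)
        if m and current:
            ts = datetime.fromisoformat(m.group(1))
            if ts.tzinfo is None:          # HA writes naive local timestamps; assume UTC here
                ts = ts.replace(tzinfo=timezone.utc)
            bans[current] = ts
    return bans


def blocks_for(bans: dict[str, datetime], now: datetime,
               max_age: timedelta | None = None, widen_v4_to: int = 32) -> list[str]:
    """Networks to drop. Bans older than max_age expire; IPv4 may be widened to /widen_v4_to.
    Caveat: widening to /24 also blocks your own address if it shares that subnet."""
    nets = set()
    for ip, banned_at in bans.items():
        if max_age is not None and now - banned_at > max_age:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            nets.add(str(ipaddress.ip_network(f"{addr}/{widen_v4_to}", strict=False)))
        else:
            nets.add(str(ipaddress.ip_network(f"{addr}/128")))
    return sorted(nets)


def firewall_commands(networks: list[str], port: int = 8123) -> list[list[str]]:
    """One iptables/ip6tables argv per network. -I INPUT puts the rule before any ACCEPT,
    so the SYN is dropped and the attacker sees a silent host, as the thread asks for."""
    cmds = []
    for net in networks:
        tool = "iptables" if ipaddress.ip_network(net).version == 4 else "ip6tables"
        cmds.append([tool, "-I", "INPUT", "-s", net, "-p", "tcp",
                     "--dport", str(port), "-j", "DROP"])
    return cmds


def apply_commands(cmds: list[list[str]]) -> int:
    """Apply rules idempotently: skip any rule that `-C` reports as already present."""
    added = 0
    for cmd in cmds:
        check = cmd[:1] + ["-C"] + cmd[3:]      # same rule spec with -C instead of -I INPUT
        if subprocess.run(check, capture_output=True).returncode == 0:
            continue
        subprocess.run(cmd, check=True)
        added += 1
    return added


if __name__ == "__main__":
    bans = parse_ip_bans(SAMPLE_IP_BANS)
    now = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)
    for cmd in firewall_commands(blocks_for(bans, now, timedelta(hours=24), widen_v4_to=24)):
        print(" ".join(cmd))                     # print only; call apply_commands() as root to enforce
```

Run it from a cron job or a shell_command that fires on HA's `persistent_notification` for the ban, and read `/config/ip_bans.yaml` instead of the sample. Note that HA already refuses the banned IP at the HTTP layer; the netfilter rule adds the "no SYN-ACK" behaviour the original post wants and also shields any other services on the same host.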

That’s good info, I’ll give the banning a try!

Thanks,
Ambi