Avoid brute force attack using CAPTCHA or maximum possible failed login attempts every 24 hours

Hi,
HA settings:

  1. Login to the HA administrator account is possible only from localhost.
  2. Login to the wifi (the same network HA is running on) is possible only with a password (WPA2).

It can be said that it is a safe system. But the problem is if an intruder logged into my wifi (however he did it - irrelevant). Then the intruder can brute force the HA login. Do you have any idea how to block this possibility? My first idea is to use a captcha, but to be honest I prefer fewer plugins in my HA. So I am thinking about a maximum (for example 5) of possible failed login attempts every 24 hours. If somebody uses the wrong password 5 times, then login as administrator is blocked for 24 hours. Maybe there are other solutions against brute force login.

The same problem will exist for a non-administrator user (I will use a tablet to display a dashboard with only simple buttons such as open/close shutter etc.).

Thank you.

You can set that in the http section of your config. Set ip_ban_enabled to true and set login_attempts_threshold to, for example, 5.

1 Like
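The two options named in the reply above, shown in context as an added example of the configuration.yaml fragment (not copied from the thread or from the Home Assistant documentation); the threshold value 5 is the one the original poster asked for, and the `server_port` line is the default included only to show where the keys sit:

```yaml
# configuration.yaml (added example)
http:
  server_port: 8123            # default HA port, shown only for context
  # Ban a source IP after repeated failed logins. Without this key
  # (or with it set to false) failed attempts are only logged, never blocked.
  ip_ban_enabled: true
  # Number of failed login attempts from one IP before that IP is banned.
  # The counter is per source IP, so a tablet on the LAN that types a wrong
  # password 5 times bans itself, not the other devices on the network.
  login_attempts_threshold: 5
```

The ban is not time-limited: once an IP reaches the threshold it stays banned until its entry is removed from the ban file, so there is no 24-hour window to configure. Restart Home Assistant after changing the `http` section for the new values to take effect.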

Some types of captchas can be bypassed quite easily:

1 Like

Thank you, it looks close to my idea (the 24 hours are not necessary). What if I write the wrong password 5 times? Then probably the only way is to clear some file where the bans are written, am I right?

Exactly. You can manage the banned IP addresses in the file ip_bans.yaml under your /config folder.
But be aware that if your IP address is blocked then you have to use another IP address in order to access that file.

1 Like
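What the ban file mentioned above looks like once an address has been blocked, as an added example that is not taken from the thread; the address and timestamp are constructed, and the file is written by Home Assistant itself (one key per banned IP with the time the ban was applied):

```yaml
# /config/ip_bans.yaml (added example with constructed values)
# Each top-level key is a banned source IP; the value records when the ban
# was applied. To lift a ban, delete the entry (or the whole file) and
# restart Home Assistant. Note that the file must be edited from a host that
# is not itself banned, or offline as the original poster suggests.
192.168.1.50:
  banned_at: '2024-01-15T20:31:07'
```

Keeping an eye on this file is also a cheap detection signal: an entry appearing for an address you do not recognise means something on the wifi reached the login threshold, which is worth investigating before simply clearing the ban.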

To be honest, I thought about just removing the SD card from the Raspberry Pi, connecting the card to a PC and modifying this file there. But the file name (ip_bans.yaml) is now written in this topic and this information is valuable. Thank you all for the support!