Avoid brute force attack using CAPTCHA or maximum possible failed login attempts every 24 hours

HA settings:

  1. Login to HA administrator account is possible only as a localhost.
  2. Login to wifi (same network as HA is working) is possible only using password (WPA2).

It can be said that it is a safe system. But the problem is if intruder logged to my wifi (however he did - irrelevant). Then intruder can brute force HA login. Do you have any idea how to block this possibility? My first idea is to use captcha, but to be honest I prefer less plugins in my HA. So I think about maximum (in example 5) possible failed login attempts every 24 hours. If somebody will use 5 times wrong password, then login as administrator is blocked for 24 hours. Maybe there are other solutions against brute force login.

The same problem will be for non-administrator user (I will use tablet to display dashboard with only simple buttons such as open/close shutter etc.).

Thank you.

You can set that is the http section of your config. Set ip_ban_enabled to true and set login_attempts_threshold to for example 5.

1 Like

Some type of captchas can be bypassed quite easily:

1 Like

Thank you, it looks close to my idea (the need of 24 hours is not necessary). What if I will write wrong password 5 times? Then probably only way is clear some file where bans are written, am I right?

Exactly. You can manage the banned ip address on the file ip_bans.yaml under your /config folder.
But be aware that if your IP address is blocked then you have to use another IP address in order to access that file.

1 Like

To be honest, I though about just removing sd card from raspberry pi, connect card to PC and there modify this file. But the file name (ip_bans.yaml) is now written in this topic and this information is valuable. Thank you all for support!