Ban by subnet in http component (with working code)

@ShadowFist I understand (and share) your frustration but I don’t want to get into an extended argument with tptb.

My first try at crowdsec was also frustrating as it seems opaque and clunky needing considerable technical knowledge about firewalls, routing etc.

Time to think about long term goals…
Options seem to be:
Keep lobbying
Keep maintaining this fork
Use (eg) crowdsec
Revert to no firewall (give up)

Is publishing via HACS an option?

Yes - but for me it’s the same as “keep maintaining this fork” as it depends on developers (currently me) outside the core team to repair it when there’s a breaking change to the core.

Has anybody got to grips with the crowdsec addon?

First pass through the crowdsec addon indicates it duplicates the HA core’s banning system for failed logins plus some other criteria I don’t yet understand.
It appears to read the HA logs looking for login fails and bans sites which exceed its rules on frequency of attempts.
Bans are temporary (4h default)

I still believe HA needs a better banning system than HA’s core’s banning system.
Take for example one day’s log on one of my systems.
These are mostly previous offenders which I’ve banned, with one new one (from 92.55.190.215 - Kazakhstan).
That’s an average of one an hour with one offender trying 13 times in as many seconds…

I’m not a security expert and I wonder if I’m right or just paranoid?

2025-09-11 01:36:25.595 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from ec2-43-203-157-60.ap-northeast-2.compute.amazonaws.com (43.203.157.60) which is in banned network 43.0.0.0/8
2025-09-11 01:36:26.593 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from ec2-43-203-157-60.ap-northeast-2.compute.amazonaws.com (43.203.157.60) which is in banned network 43.0.0.0/8
2025-09-11 03:33:51.929 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from ec2-43-203-115-211.ap-northeast-2.compute.amazonaws.com (43.203.115.211) which is in banned network 43.0.0.0/8
2025-09-11 03:33:53.255 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from ec2-43-203-115-211.ap-northeast-2.compute.amazonaws.com (43.203.115.211) which is in banned network 43.0.0.0/8
2025-09-11 04:31:40.876 WARNING (MainThread) [custom_components.http.security_filter] Filtered a potential harmful request from 92.55.190.215 to: /cgi-bin/../../../../../../../../../../bin/sh
2025-09-11 04:31:41.359 WARNING (MainThread) [custom_components.http.security_filter] Filtered a potential harmful request from 92.55.190.215 to: /cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh
2025-09-11 04:31:53.503 WARNING (MainThread) [custom_components.http.security_filter] Filtered a request from 92.55.190.215 with a potential harmful query string: /index.php
2025-09-11 04:31:53.765 WARNING (MainThread) [custom_components.http.security_filter] Filtered a request from 92.55.190.215 with a potential harmful query string: /index.php
2025-09-11 06:25:43.917 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 167.172.79.198 (167.172.79.198) which is in banned network 167.0.0.0/8
2025-09-11 06:25:45.213 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 167.172.79.198 (167.172.79.198) which is in banned network 167.0.0.0/8
2025-09-11 07:16:50.007 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from security.criminalip.com (185.242.226.107) which is in banned network 185.0.0.0/8
2025-09-11 07:41:56.883 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from scan-90-0.shadowserver.org (64.62.156.222) which is in banned network 64.0.0.0/8
2025-09-11 07:51:50.016 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from scan-90-9.shadowserver.org (64.62.156.231) which is in banned network 64.0.0.0/8
2025-09-11 08:07:16.345 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from scan-90-0.shadowserver.org (64.62.156.222) which is in banned network 64.0.0.0/8
2025-09-11 09:01:32.538 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 109.239.79.34.bc.googleusercontent.com (34.79.239.109) which is in banned network 34.0.0.0/8
2025-09-11 09:04:01.649 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from colby.probe.onyphe.net (45.43.33.210) which is in banned network 45.0.0.0/8
2025-09-11 11:12:28.154 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 124.66.75.77 (124.66.75.77) which is in banned network 124.0.0.0/8
2025-09-11 17:10:22.141 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:10:24.090 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:10:25.247 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:10:26.434 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:10:28.059 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:10:28.210 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:10:28.306 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:10:31.218 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:10:34.532 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:10:34.636 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:10:34.737 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:10:34.834 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:10:35.041 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 185.177.72.38 (185.177.72.38) which is in banned network 185.0.0.0/8
2025-09-11 17:48:19.736 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 117.50.182.220 (117.50.182.220) which is in banned network 112.0.0.0/5
2025-09-11 17:48:20.906 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 117.50.182.220 (117.50.182.220) which is in banned network 112.0.0.0/5
2025-09-11 20:16:04.949 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from security.criminalip.com (185.242.226.107) which is in banned network 185.0.0.0/8
2025-09-11 20:37:13.333 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 167.172.28.83 (167.172.28.83) which is in banned network 167.0.0.0/8
2025-09-11 20:37:15.886 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 167.172.28.83 (167.172.28.83) which is in banned network 167.0.0.0/8
2025-09-11 21:53:00.159 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from 167.94.138.180 (167.94.138.180) which is in banned network 167.0.0.0/8
2025-09-11 22:57:36.425 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from undefined.hostname.localhost (196.251.81.194) which is in banned network 196.0.0.0/8
2025-09-11 23:59:18.738 WARNING (MainThread) [custom_components.http.ban] Prevented access attempt from zl-amsc-nl-gp1-wk146a.internet-census.org (185.226.197.52) which is in banned network 185.0.0.0/8

Just tested with 2025.10.0 and still seems to load/work

I used to have this problem, too. The simple solution is to wildcard SSL your domain/subdomain, especially using a vast public DDNS service like DuckDNS. What I did was use nginx proxy manager and issue wildcard certificates. DuckDNS allows a subdomain on a subdomain using their token, so for those that still use them, you’re in luck. This cut out 99.9999% of wannabe hackers running wild.

I still use the ip_ban option and CrowdSec add-on, but having a wildcard domain severely decreases hacker attempts because they’re focused on simple domain names.

Hi. It seems like Ban by subnet doesn´t work with the latest version 2026.4? I had to remove it in order to start HA.

@martinmg1212 Thanks for the warning. I’ll have to dig out my development platform and see what’s what.

I’m making progress - I should have an update soon.

Good news - I believe it’s working for 2026.4.1
For this and future versions it’s in a new repository here
As usual the folder http needs to be copied to the config/custom_components folder.
Usual warnings apply - make sure you have smb/samba access so you can remove the http folder if/when HA developments break it

Please let me have comments/breakage reports

Hi. Great work!!! Thanks. It seems to do it’s job:), but I get the error below. Don’t know if I did something wrong?

Integration error: log_banned_networks - Integration ‘log_banned_networks’ not found.
Integration error: notify_banned_networks - Integration ‘notify_banned_networks’ not found.

@martinmg1212 Oh dear
Those are the config flags so not sure why it comes up as an integration error.

Is it a one-off or repeating error?
Could you post adjacent log entries please and the http: part of your configuration.yaml
No need to include all of the banned subnets if it’s a large list

edit: it was a dash causing my error.

Phew - thanks for letting me know