Do you worry when you get a failed login attempt to your HA?

giovanniong · August 17, 2024, 8:46am

This morning, I received a notification that said:

2024-08-17 09:06:15.130 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 37-xxx-xx-xxx.mob.proxad.it (37.xxx.xx.xxx). Requested URL: ‘/api/template’. (Home Assistant/2024.7 (io.robbie.HomeAssistant; build:2024.730; iOS 17.5.1)).

A few months ago, I got a similar notification from an IP address in China.

For remote access, I’ve set up Duck DNS + Nginx Reverse Proxy + 2FA + IP Ban and I keep the SW updated. It’s not a brute force attack, so I assume it’s a “scan,” which is normal for exposed instances like mine.

How do you behave when you get notifications like this?

fleskefjes · August 17, 2024, 9:13am

I don’t mind if there’s just a single entry. If there are multiple entries I add the IP to my routers blacklist. I also have blocked all traffic from the “usual suspect” countries.

giovanniong · August 18, 2024, 12:27pm

Thank you. How did you set it up?

fleskefjes · August 18, 2024, 1:48pm

It’s a feature in my Ubiquiti Unifi router. If you have a router that supports blocking IP ranges you could do some manual work and find the ranges belonging to specific countries I would think.

baudneo · August 18, 2024, 2:27pm

I would recommend looking at using cloudflared. You can block geoip and get all sorts of great stuff included while masking your home ip. Also “follows” your IP like dyndns as it changes from DHCP renews by your ISP.