I’ve had the same issue with invalid login notice displaying my router’s IP. Just tested by accessing HASS from my cellular connection. Incorrect login notice did not return my router’s IP address; external IP from my wireless provider was displayed.
Any idea why router my router’s IP is being displayed and in other cases the actual external IP?
Best way to find out is to use a reverse proxy, and have it send HA the IP address, you could check your router logs for IPs around the time the login attempt was reported as well.
I highly recommend using a revers proxy rather than just leaving Home Assistant exposed, plus it’s far easier to setup SSL certs this way.
I use Nginx for this, here’s my config:
worker_processes 2;
events {
worker_connections 1024;
use epoll;
}
http {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
# Update this line to be your domain
server_name [REDACTED DOMAIN NAME];
# Ensure these lines point to your SSL certificate and key
ssl_certificate /etc/letsencrypt/live/[REDACTED DOMAIN NAME]-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/[REDACTED DOMAIN NAME]-0001/privkey.pem; # managed by Certbot
# These shouldn't need to be changed
# Proxy Home Assistant via SSL
listen 0.0.0.0:443;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
proxy_buffering off;
location / {
proxy_pass http://[IP ADDRESS TO HOME ASSISTANT]:8123;
proxy_set_header Host $host;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Unmask IP of user
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
}
I noticed the same behaviour, but I found something interesting…
My Home Assistant is reachable from the internet and has its own domain based on DuckDNS.
If I connect to HA from the Internet (for example using my smartphone over a mobile network), HA reports the correct external IP address of my smartphone.
If I connect to HA from my LAN visiting the DuckDNS domain, HA reports the IP address of my router.
If I connect to HA from my LAN visiting the local domain (https://hassio.local), HA reports the IP address of the device I am using.
Correct this is the NAT loopback working (Hairpin NAT). Completely normal.
Then is it correct to say that when I see a failed login attempt from my router IP, it’s a matter of LAN devices and not of someone from the internet?
I have this same issue, leaving some crumbs for myself to find later once y’all find this out. It started happening when I added app daemon, I removed app daemon and it’s still showing up. To my knowledge when it says it’s coming from your router, following the conversation here and elsewhere, it means a device on your own wifi network is trying to connect but can’t. Strange, I’d love to find out what is going on to cause this same error on my machine.
I too get the Failed Login attempt just about all the time when either the web browser has sit for a while, or even the iOS app is firing up sometimes (restart the app and no problem); whether at home, or away. Its always my (or router’s) address. Rather annoying.
Me too. Whenever I login to Homeassistant (and there isnt already a login session) I get a failed login notification. It happens weather I use my android phone’s browser, the home assistant app, or my pc.
It must be some kind of a bug…
I’m getting this too - every 30 seconds or so. In my case the IP address in the error message belongs to my Wireless Tag hub, which seems to be working perfectly well.
@Stiltjack did you ever find an answer to this problem as am experiencing the same issue with my wireless tag hub too
Afraid not - it’s become a feature. Doesn’t seem to do any harm. Mainly it’s the annoyance of a constant notification, but you get used to it after a few weeks…
Yep, enjoying same feature atm 
Yes, I have been having the same issue for the past 3 days and is incredible annoying. I alos have Ip_ban enabled so Have to keep unbanning my devices. I have googled and googled and do not see any advice for this. We need to get this looked at. I am guessing it is my own networking error somewhere
but extremely frustrating
I have had this error for 6 months now. I have just learned to ignore notifications hoping nothing important comes up.
Are you guys using the local_file camera?
Nope. I dont use the local file camera platform.
This notification appears whenever I login to Homeassistant (and there isnt already a login session running ) and despite I have no trouble logging in.
Hey all.
I’m in the same boat.
Plus https blocks me every once and awhile.
I recently added my router to my trusted networks but I’m worried I’m allowing some nefarious activity.
Like @ebaschiera I noticed when I log in from work my external IP address is logged.
There seems to be multiple issues related to logins that continue to be a problem in 2021.5.0, possibly constrained to specific plugins in the ui at the time, is there a github discussions for this?
Seems in my case that a cookie or token expired and a cached ui obliviously repeatedly tried to authenticate or use it invalidly.
Connection attempts were made by an idle browser client every 4 seconds for a period of over 12 hours for almost twelve thousand attempts.
The external ip of an authenticated Chrome client left idle connecting through caddy-docker-proxy to home assistant using authenticated proxies and x-forwarded-for ip banning was logged making exactly 7 invalid attempts in a second roughly every minute multiple times.
This same idle browser was able to connect to the UI without reauthenticating after an ipban removal and restart of the home assistant container (a config reload likely would have sufficed) followed by refreshing the browser
Perhaps this can be fixed globally by ignoring unauthenticated/invalid connections and only logging a connection using a unique invalid credential combo as a login attempt.
Perhaps this can be fixed globally by ignoring unauthenticated/invalid connections and only logging a connection using a unique invalid credential combo as a login attempt.
I totally agree with this, I get too many router bans for no reasons too 
So I had this issue, failed login attempts from my router ip, it found in my case the trigger was using MPD addon to play media. It seems only with any local hosted mp3 files, no external radio stations. The audio plays just fine though. I use DuckDNS to access my HA externally. Does anyone know a way it could be fixed (without exposing my router)?