Failed Login Detection

I have created a simple sensor and automation to detect if there are any login failures on the front end. This is a proof of concept to increase the security awareness of HASS. This is in response to my feature request posted to: IP Security Logs

sensor:
  platform: command_line
  command: "grep -c invalidpassword /CONFIG_DIR/home-assistant.log"
  name: badlogin

automation:
  - alias: Login Failure
    trigger:
      platform: numeric_state
      entity_id: sensor.badlogin
      above: 1
    action:
      service: notify.telegram
      data:
        message: "Login Failure Detected"

I have this triggering a notification through Telegram as an example. This is only a proof of concept, as more information could be extracted from the logs to include in the sensor if one was so inclined.

6 Likes

We should create a cookbook entry for this.

1 Like

For this one automation or for the whole security concept?

Not sure where I have gone wrong here.

  - platform: command_line
    command: "grep -c invalidpassword /home/hass/.homeassistant/home-assistant.log"
    name: badlogin

Yields an error in the log:

16-10-03 21:30:20 homeassistant.components.sensor.command_line: Command failed: grep -c invalidpassword /home/hass/.homeassistant/home-assistant.log

What do you get when you run the command ls /home/hass/.homeassistant from a command line prompt?

I tested your command and it works for me, so I can only imagine your HASS log is in a different location.

I get the files that are in that directory, including home-assistant.log

I tried just running the command as user PI and Hass and both return a value of 1. (1 should be the correct value as the error from the log I pasted above contains “invalidpassword”)

Hello there

Just a small precision: the above won’t work when the logger is set to info, as the whole command is logged in home-assistant.log, so it will detect the trigger action logging and then count it as a bad password attempt

but other than that the command_line works great :slight_smile:

1 Like

If of any interest, I’ve changed your command line to the following, with the log level set to warning, and it works great … in fact really great :slight_smile:

sensor 6:
  platform: command_line
  command: grep -c "Login attempt or request with an invalid password" /home/hass/.homeassistant/home-assistant.log
  name: badlogin

Did not think of monitoring those before, but this is a great idea!

Thanks for the post !

This popped up again and I thought after a fresh install of jessie and upgrading to 31.1 this should work. No dice.

homeassistant.components.sensor.command_line: Command failed: grep -c "Login attempt or request with an invalid password" /home/hass/.homeassistant/home-assistant.log

I tried philippe_audet’s version too:

  platform: command_line
  command: grep -c "Login attempt or request with an invalid password" /home/hass/.homeassistant/home-assistant.log
  name: badlogin

Anyone else getting an error with this, or am I the only one?

1 Like

Hey @silvrr

You are right, it was a fake good condition.
After much back and forth with the config and such I got it working

First off, the message you get:

homeassistant.components.sensor.command_line: Command failed: grep -c "Login attempt or request with an invalid password" /home/hass/.homeassistant/home-assistant.log

does not mean much, as it’s the same message whether your command failed, you don’t have the permission, etc.

Another thing: I get the command failed message as well when I try to grep the /var/log/syslog file, to which hass has access.
So all in all any error will give this message

Now for the solution to work

To be noted: you will need to pollute your logs, which for me is a drawback

So the solution for it to work with the command line is to search for a string without any spaces within the home-assistant.log file.
To be able to succeed without getting your own grep command in the count of bad login failures, here’s what you need to do

First off: the grep command

sensor 6:
  platform: command_line
  command: "grep -c service_data=notification_id=http-login /home/hass/.homeassistant/home-assistant.log"
  name: badlogin 

Then the logger settings:

logger:
  default: critical
  logs:
    homeassistant.core: info

With the above you will be able to get the error in your count

but again, with that level of logging the Home Assistant log file will become large pretty fast

It would be better if the command_line platform would let us do the same in the /var/log/syslog file, since everything is logged in there … seems to be a limitation, as the same command as above fails when trying to fetch the info from there even with all the proper perms, etc.

I just tried with a symlink just in case … and it worked after I changed the permissions to put read to all (as sudo is not supported)

So I set back the HA logger to critical and now the only thing left is that I need to grep first from the last reboot and then grep for the error in the log

sensor 6:
  platform: command_line
  command: "grep -c service_data=notification_id=http-login, /home/hass/.homeassistant/syslogfile"
  name: badlogin

Sorry for the long long thread, but I typed it along the way this morning

I’ll share the final result later to display a clearer and more straightforward process

cheers

Finally got it working, don’t ask me why though :frowning:
I was about to open a bug to HS; I was repeating the steps one by one to give as much information as possible and “bam” it worked

First off, I updated to 0.32.3 this morning
Second, the first entry will always be a failed command message since the grep command did not find any entry (this could be reported as a bug, since normally it should just report a 0 as on the command line)
Third, the looked-for string is not valid anymore, as the error message changed a few versions down the road

So here’s my config that IS working

configuration.yaml

sensor 6:
  platform: command_line
  name: badlogin
  command: grep -c 'Login attempt' /home/hass/.homeassistant/home-assistant.log

logger:
  default: warning

home-assistant.log

Result at startup
16-11-11 14:15:59 homeassistant.components.sensor.command_line: Command failed: grep -c 'Login attempt' /home/hass/.homeassistant/home-assistant.log

Result when login failed

16-11-11 14:17:07 homeassistant.components.http: Login attempt or request with an invalid password from 70.83.11.62
16-11-11 14:17:08 homeassistant.components.http: Login attempt or request with an invalid password from 70.83.11.62
16-11-11 14:17:11 homeassistant.components.http: Login attempt or request with an invalid password from 70.83.11.62

Screen shot of the result in HA

As you can see, the result will always be +1 as it the actual bad login attempt

Also, if you reduce the logger level (or the component level) above “warning”, the failed command will still be logged but not the entry as above, so you will always stay with Value = 1 with your grep -c

Hopefully it will help some of you :slight_smile:

Also, I will submit updated documentation, as the example on the site is not up to date anymore

cheers

A little addition

The following logger setting will remove the +1 caused by the first command, which is failing, and will give you the proper count,
if you can live with those http log settings :slight_smile:

logger:
  default: critical
  logs:
    homeassistant.components.http: warning
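
The log-counting approach from the posts above, as an added shell example that is not part of the original thread. It treats grep's exit status 1 (zero matches) as success so an empty result does not surface as "Command failed", anchors on the homeassistant.components.http line format quoted above so the sensor's own logged command is never counted, and tallies failures per source address; the function names, the threshold and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the log line format quoted above.

# Anchored on the timestamp and logging component, so the sensor's own
# "Command failed: grep ..." line is never counted as a login failure.
PATTERN='^[0-9-]* [0-9:]* homeassistant\.components\.http: Login attempt or request with an invalid password from '

# Print the number of failed logins. grep -c prints 0 but exits 1 when
# nothing matches; map that to success and keep real errors (exit 2).
count_failed_logins() {
    grep -c "$PATTERN" "$1" || [ $? -eq 1 ]
}

# Print "<count> <ip>" per source address, busiest first.
failed_login_ips() {
    sed -n "s/${PATTERN}\([0-9a-fA-F.:]*\).*/\1/p" "$1" |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print the addresses with at least $2 failures (threshold is hypothetical).
ips_at_or_above() {
    failed_login_ips "$1" | awk -v n="$2" '$1 >= n {print $2}'
}

# Constructed sample log; addresses are from documentation ranges.
write_sample_log() {
    cat > "$1" <<'EOF'
16-11-11 14:15:59 homeassistant.components.sensor.command_line: Command failed: grep -c 'Login attempt' /home/hass/.homeassistant/home-assistant.log
16-11-11 14:17:07 homeassistant.components.http: Login attempt or request with an invalid password from 192.0.2.10
16-11-11 14:17:08 homeassistant.components.http: Login attempt or request with an invalid password from 192.0.2.10
16-11-11 14:17:11 homeassistant.components.http: Login attempt or request with an invalid password from 192.0.2.10
16-11-11 14:20:30 homeassistant.components.http: Login attempt or request with an invalid password from 198.51.100.7
EOF
}

demo_log=$(mktemp)
write_sample_log "$demo_log"
count_failed_logins "$demo_log"    # total failures, excluding the "Command failed" line
failed_login_ips "$demo_log"       # per-address tally
ips_at_or_above "$demo_log" 3      # addresses that reached the threshold
rm -f "$demo_log"
```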

Any way to do some kind of fail2ban setup? Too many wrong passwords and the IP gets locked out for a certain amount of time? Might be useful to prevent brute-force attempts as the project continues to grow

1 Like

What I did for mine: after 10 failed attempts I stop HA

Easy to do with the command line and automation
Not the best but for now it’s the only thing I have :slight_smile:

1 Like

That’s a good solution. I may implement this, but instead of stopping HA just shut down my Raspberry Pi, that way the device they are trying to access is gone along with the HA instance.

Anyone know how to attach a file (home-assistant.log) to an SMTP notification? It would be nice to get the log file so I can see what the IP address is.

@silvrr
If you get to have this running please share your findings
I have not been able to issue a sudo reboot command from HA and I did not want to grant my hass user root access to perform it

Thanks

I wouldn’t want some bot hammering my login screen to completely shut down my entire Home Automation/Monitoring system.

I posted a feature request at Failed Login Lockout / Brute Force Protection for native support

1 Like

I noticed after my update to 34.3/4 that there is a persistent notification for a failed login attempt. The state of this trigger includes the IP the failed login was made from.

Anyone have any idea on how to automate this for a notification? Only part I don’t have is the trigger. Not sure how to trigger off a persistent notification.

You could try a state trigger with entity_id: persistent_notification.httplogin. Don’t specify state or from/to on this trigger as the content of the persistent notification is variable. So something like this:

- alias: "Send notification upon failed login attempt"
  trigger:
    - platform: state
      entity_id: persistent_notification.httplogin
  condition:
    - condition: template
      value_template: "{{ trigger.to_state.state != 'None' }}"
  action:
    - service: notify.pushover
      data_template:
        title: "Failed login!"
        message: "{{ trigger.to_state.state }}"

Bear in mind I haven’t tested the code above, so it may contain errors. The template condition is there to avoid sending a notification when dismissing the persistent notification (at which point the state of the persistent notification goes from Invalid password used from xxx.xxx.xxx.xxx to None).

The alternative for this condition would be to include from: 'None' in the trigger, but then you risk not getting notified if the persistent notification is overwritten before it gets dismissed.

And, of course, replace the pushover notify service in my code with whatever notify service you use.

1 Like