Failed Login Detection

Any way to do some kind of fail2ban setup? Too many wrong passwords and the IP gets locked out for a certain amount of time? Might be useful to prevent brute-force attempts as the project continues to grow

1 Like

What I did for mine: after 10 failed attempts, I stop HA.

Easy to do with the command line and automation
Not the best but for now it's the only thing I have :slight_smile:

1 Like

That's a good solution. I may implement this, but instead of stopping HA just shut down my Raspberry Pi, that way the device they are trying to access is gone along with the HA instance.

Anyone know how to attach a file (home-assistant.log) to an SMTP notification? It would be nice to get the log file so I can see what the IP address is.

@silvrr
If you get to have this running please share your findings
I have not been able to issue a sudo reboot command from HA and I did not want to grant my hass user root access to perform it

Thanks

I wouldn't want some bot hammering my login screen to completely shut down my entire Home Automation/Monitoring system.

I posted a feature request at Failed Login Lockout / Brute Force Protection for native support

1 Like

I noticed after my update to 34.3/4 that there is a persistent notification for a failed login attempt. The state of this trigger includes the IP the failed login was made from.

Anyone have any idea on how to automate this for a notification? Only part I don't have is the trigger. Not sure how to trigger off a persistent notification.

You could try a state trigger with entity_id: persistent_notification.httplogin. Don't specify state or from/to on this trigger as the content of the persistent notification is variable. So something like this:

- alias: "Send notification upon failed login attempt"
  trigger:
    - platform: state
      entity_id: persistent_notification.httplogin
  condition:
    - condition: template
      value_template: "{{ trigger.to_state.state != 'None' }}"
  action:
    - service: notify.pushover
      data_template:
        title: "Failed login!"
        message: "{{ trigger.to_state.state }}"

Bear in mind I haven't tested the code above, so it may contain errors. The template condition is there to avoid sending a notification when dismissing the persistent notification (at which point the state of the persistent notification goes from Invalid password used from xxx.xxx.xxx.xxx to None).

The alternative for this condition would be to include from: 'None' in the trigger, but then you risk not getting notified if the persistent notification is overwritten before it gets dismissed.

And, of course, replace the pushover notify service in my code with whatever notify service you use.

1 Like

Haven't tried, but what happens when you test for it with a template trigger?

trigger:
  - platform: template
    value_template: '{% if (states.persistent_notification.name_of_notification.state) %}true{% else %}false{% endif %}'

edit: @fanaticDavid came to the rescue while I was testing my syntax

The notification works, however, it does give another notification when you dismiss. I'll have to work on the condition.

Hmmm try removing the single quotes around None, so:

condition:
  - condition: template
    value_template: "{{ trigger.to_state.state != None }}"

1 Like

That did the trick :slight_smile:

Update: It does create an empty notification (only the title, message is blank) after dismissing the login failure persistent notification in the frontend which is kind of annoying. Any idea how to dismiss these in silence (or even better: dismiss them at once since I will already be notified anyway)?

2 Likes

Found it.

The condition must be:

condition:
  - condition: template
    value_template: "{{ trigger.to_state.state != off }}"

Doesn't work anymore after upgrading to 0.38.2 since there is no entry in the logfile anymore.

Update: same issue on 0.38.3

1 Like

And same on 0.38.4.

Works like a charm on 0.39 :slight_smile:

I have solved this by adding a value_template that always subtracts 1 :

- platform: command_line
  name: bad_login
  command: "grep -c 'Login attempt' /home/homeassistant/.homeassistant/home-assistant.log"
  value_template: '{{ value | int - 1 }}'

My sensor reports 0 after a restart and the actual number of bad logins when they occur.

1 Like

Anyone using this, be sure to validate that it still works after the 0.86 update. I noticed that persistent_notification.httplogin has become persistent_notification.http_login on my configuration which breaks the automation many are using.

(unique content to make the forum not freak out)

1 Like

Thanks a lot. This saved me a huge headache.

1 Like

This discussion is old, but maybe it can still be useful…
to avoid another notification when ignoring… I use this condition…

from your github - pc_security

replace…

    condition:
      - condition: template
        value_template: "{{ trigger.to_state.state != 'None' and trigger.to_state.entity_id is defined}}"

and removed service: persistent_notification.dismiss

FYI the following seems a good workaround just by adding || true

command: 'grep -c "Login attempt" /config/home-assistant.log || true'
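
An added example, not code from any poster in this thread: the two log-counting sensors above (the one that subtracts 1 and the one with `|| true`) both work around the fact that `grep -c` prints `0` but exits with status 1 when nothing matches. The sketch below keeps the count safe for a command_line sensor and also breaks failed logins down per source IP, which is what a fail2ban-style lockout needs. The function names and the sample log line format are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample log. The line format is an assumption for this example,
# not copied from a real home-assistant.log.
make_sample_log() {
    cat > "$1" <<'EOF'
2019-01-20 10:00:01 WARNING [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7
2019-01-20 10:00:03 INFO [homeassistant.core] Bus:Handling <Event state_changed>
2019-01-20 10:00:04 WARNING [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7
2019-01-20 10:02:10 WARNING [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 198.51.100.9
2019-01-20 10:02:11 WARNING [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7
2019-01-20 10:05:00 INFO [homeassistant.components.sensor] Setting up sensor.command_line
EOF
}

# Total failed logins in the log file $1.
# grep -c prints 0 and exits 1 on zero matches, so the status is neutralised
# with "|| true" as in the thread; an unreadable file also reports 0.
count_failed() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'Login attempt' "$1" || true
}

# Source IPs with at least $2 failed logins in $1, printed as "count ip",
# highest count first. Assumes the IPv4 address is the last field on the line.
offenders() {
    awk -v min="$2" '
        /Login attempt/ {
            ip = $NF
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1" | sort -rn
}

# Demo run on the constructed log.
log=$(mktemp) && make_sample_log "$log"
echo "failed logins: $(count_failed "$log")"
echo "sources at or over 3 attempts:"
offenders "$log" 3
rm -f "$log"
```

The per-IP output can feed a notification message or a firewall rule for that single address, rather than stopping the whole Home Assistant instance.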