Getting insane amount of login attempt spam from possibly HASS App?

awff · May 17, 2025, 6:35am

Recently this week I noticed that I couldn’t access my remote instance of HA that uses a cloudflare tunnel. I then went to look at the logs and I noticed a loging attempt from local host.

2025-05-17 16:27:51.832 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: ‘/auth/token’. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

So I went to remove 127.0.0.1 from the IP ban list, reset and it got banned immediately!

So out of curiosity I disabled IP Ban altogether and holy moly, it was spamming login attempts with the same message, but almost 5 attempts per second so it was spamming

Here is a “very small” sample of the logs i am getting:

Logs

2025-05-17 16:27:22.680 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: ‘/auth/token’. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-17 16:27:22.884 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: ‘/auth/token’. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-17 16:27:23.099 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: ‘/auth/token’. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-17 16:27:23.311 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: ‘/auth/token’. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-17 16:27:23.543 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: ‘/auth/token’. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-17 16:27:23.765 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: ‘/auth/token’. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-17 16:27:23.990 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: ‘/auth/token’. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

From the message, it looks like an app. So, I disconnected the server and even deleted the app to see if it would stop… But it didn’t. Myself and the wife are both on the latest iOS 18.5 aswell so not sure where iOS 18.4.1 is coming from.

Any idea what would be causing this? Or am I genuinely getting hacked here?

ShadowFist · May 17, 2025, 12:13pm

Sounds extremely similar to this thread.

TLDR: check if you have other iOS devices (like a tablet) connecting to HA. Check the user settings (local only vs external access) and check the refresh tokens stored on HA.

awff · May 17, 2025, 1:01pm

Thanks, it Sounds exactly like what I’m getting. Some of the comments are also quite recent so I wonder if the latest update broke something.

I spent all day trying to figure it out. Even when as far as changing out my network SSID and password.

Reinstated the Home Assistant app, and delete and added the server

The only account that has local access only is the MQTT user. I removed my wife’s account so it’s just myself but still seem to get the issue

ShadowFist · May 17, 2025, 1:16pm

Doubt it. There are similar threads going all the way back to 2023.

Check what refresh tokens you have stored. In HA, click your profile Icon in the bottom left of the sidebar, then click the Security tab at the top. Scroll down till you get to the Refresh tokens. You should find one or more entries relating to iOS.
Either delete those entries manually, or else just log out from the app - this should cause the token to be deleted. If you’re still seeing iOS tokens while logged out after refreshing the security page, then manually delete those.

awff · May 18, 2025, 12:29pm

Thanks, I initially did that for both our devices. Cleared all tokens, removed the server from the companion app, deleted it, reinstalled and logged back in but no luck. Even tried disabling all my HA integrations but still getting spammed…

The number of attempts is just crazy! I’m completely stumped as to what this is… I wonder if it’s an issue with the Cloudflare tunnel… but what would be making these attempts at such rates… None of us are on that ios version.

It just keeps going and going! 5000+ occurrences in the last 30 mins

Log snippet

2025-05-18 22:29:36.106 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:36.315 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:36.534 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:36.743 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:37.021 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:37.242 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:37.467 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:37.692 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:37.916 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:38.153 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:38.375 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:38.616 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:38.834 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:39.048 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:39.290 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:39.505 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:39.746 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:39.974 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:40.301 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:40.593 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:40.816 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:41.096 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:41.316 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:41.548 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:41.765 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:41.991 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:42.277 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:42.545 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:42.758 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:42.958 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:43.191 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:43.405 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:43.624 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:43.839 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:44.058 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:44.296 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:44.508 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:44.713 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:44.958 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:45.357 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:45.459 WARNING (MainThread) [homeassistant.components.websocket_api.http.connection] [547079894208] from 127.0.0.1 (Home Assistant/2025.3 (io.robbie.HomeAssistant; build:2025.1205; iOS 18.4.1)): Disconnected: Received close message during auth phase

2025-05-18 22:29:45.604 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:45.832 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:46.048 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:46.304 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:46.523 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:46.744 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:46.960 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:47.168 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:47.379 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:47.649 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:47.873 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:48.122 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:48.369 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:48.588 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:48.820 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:49.088 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:49.308 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:49.545 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

2025-05-18 22:29:49.769 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

ShadowFist · May 18, 2025, 12:37pm

I’d be disabling addons instead of integrations. They’re the ones which use the 127 docker addresses you’re seeing.

Start by disabling addons one at a time until the login attempts stop. If it’s still happening after disabling all addons, then it’s time to start looking at your cloudflare tunnel

awff · May 18, 2025, 11:45pm

@ShadowFist
Thanks i’ll try that … what I notice is that it stops after awhile… then randomly appears back.

Out of curiosity, i did the following:

I tried a different WIFI network and logged out.
Then purposely entered my credentials wrong
Then logged in
Did the same thing on my mobile network, then on my brothers laptop whom has never logged in before, and lives in a separate house on a different network.

I see in the notifications the same error, this time with a browser (Microsoft Edge in my case).

Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/login_flow/97af1e5567647611311da78b0f36c825'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0)

Which is expected, but why would all my intentionally failed logins appear as localhost? It’s a little worrying since different devices on different networks are appearing as 127.0.0.1. Could this genuinely be someone brute force attacking my server if all IP’s are redirected as localhost?

The weird part is that it used to show the full external IP address until recently this week

update: I added 127.0.0.1 into trusted proxies.

http:
  # Cloudflare Tunnel
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 127.0.0.1

and can now see the IP (IPV6 in this case) address of the culprit:

Login attempt or request with invalid authentication from 2401:d006:d808:c300:893e:5b67:9a11:1b0 (2401:d006:d808:c300:893e:5b67:9a11:1b0). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.3 (io.robbie.HomeAssistant.PushProvider; build:2025.1205; iOS 18.4.1) Alamofire/5.8.0)

I still don’t know why everyone is masked under 127.0.0.1. Never happened in the past 5 years my server has been running smoothly for.

Snash · May 23, 2025, 4:28pm

Hi Andrew,

I am getting the below message which is extremely concerning as a container or device seems to be compromised and the service is trying to access known folders that Wordpress has. I have checked my NGINX log and the log is clean. Was your device trying to get to specific folders?

I have added 127.0.0.1 to trusted proxies will report back on any progress or lack thereof

Log details (WARNING)
Logger: homeassistant.components.http.ban
Source: components/http/ban.py:136
integration: HTTP (documentation, issues)
First occurred: May 22, 2025 at 1:11:39 PM (5 occurrences)
Last logged: 11:44:44 AM

Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/media/wp-includes/wlwmanifest.xml'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36)
Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/media/wp-includes/wlwmanifest.xml'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36)
Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/media/system/js/core.js'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36)

Snash · May 23, 2025, 6:47pm

After adding 127.0.0.1 to trusted proxies I am getting the IP address as I previously used to. This change has occurred recently with an HA update I am not sure why the developers will not show it clearly in the logs rather than showing a masked device

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:136
integration: HTTP (documentation, issues)
First occurred: 2:37:42 PM (1 occurrence)
Last logged: 2:37:42 PM

Login attempt or request with invalid authentication from 107.151.248.165 (107.151.248.165). Requested URL: '/media/wp-includes/wlwmanifest.xml'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36)

awff · May 25, 2025, 12:12am

Yup, adding local host to trusted proxy resolved it for me. I never had to do this in the past 5 years or so.

I was also able to track down the specific device that was spamming the logins.

In my case, it was a family member’s old iPhone that had HA installed, but did not delete the server. Hence it kept trying to log in…but since I changed their HA password it kept failing. Their network provider was also set up as dynamic IP with their data center located in a different state, so no matter how many IP bans were made, it would just keep trying with a new IP. To make things harder iCloud private relay creates a “spoofed” IP, hence made it hard for me to track down.

Snash · May 27, 2025, 1:52pm

Thanks useful information