Home Assistant, nginx and fail2ban

I have followed this guide (FAIL2BAN with Docker)

This is a sample log when a login fails

2021-01-25 19:30:02 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 162.158.134.46 (162.158.134.46) (Mozilla/5.0 (Linux; Android 11; SM-G981B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.116 Mobile Safari/537.36 EdgA/45.12.4.5125)

findtime and bantime are set to 60 seconds just for the test.

The behaviour is the following:
I log in with my phone, no warning message appears in the Home Assistant log
I log out
I log in again, the login is successful but I automatically get a ban in fail2ban. Maxretry is set to 3 but it shouldn’t matter since all the logins are successful.

2021-01-25 19:33:59,368 fail2ban.filter         [439]: INFO    [hass-iptables] Found 162.158.7.117 - 2021-01-25 19:33:59
2021-01-25 19:33:59,494 fail2ban.actions        [439]: NOTICE  [hass-iptables] Ban 162.158.7.117

This is the hass.local file, looks fine to me but I’m not an expert.

[INCLUDES]
before = common.conf

[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$

ignoreregex =

[Init]
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S

I have tried everything (3 hours of troubleshooting).
Why am I getting banned even if the login is OK?

# Home Assistant integration https://www.home-assistant.io/integrations/fail2ban/
[hass-iptables]
enabled = true
filter = hass
logencoding = utf-8
action = iptables-allports[name=HASS]
logpath = /hass/home-assistant.log
maxretry = 3

For example, for a single failed login

2021-01-25 20:34:56 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 2.red-95-127-169.staticip.rima-tde.net (95.127.169.2) (Mozilla/5.0 (Android 11; Mobile; rv:84.0) Gecko/84.0 Firefox/84.0)

I get all this in the fail2ban log

2021-01-25 20:34:56,804 fail2ban.ipdns          [442]: WARNING Determined IP using DNS Lookup: 2.red-95-127-169.staticip.rima-tde.net = {'95.127.169.2'}
2021-01-25 20:34:56,805 fail2ban.filter         [442]: INFO    [hass-iptables] Found 95.127.169.2 - 2021-01-25 20:34:56
2021-01-25 20:34:56,806 fail2ban.ipdns          [442]: WARNING Determined IP using DNS Lookup: 2.red-95-127-169.staticip.rima-tde.net = {'95.127.169.2'}
2021-01-25 20:34:56,806 fail2ban.filter         [442]: INFO    [hass-iptables] Found 95.127.169.2 - 2021-01-25 20:34:56
2021-01-25 20:34:56,807 fail2ban.ipdns          [442]: WARNING Determined IP using DNS Lookup: 2.red-95-127-169.staticip.rima-tde.net = {'95.127.169.2'}
2021-01-25 20:34:56,807 fail2ban.filter         [442]: INFO    [hass-iptables] Found 95.127.169.2 - 2021-01-25 20:34:56
2021-01-25 20:34:56,808 fail2ban.ipdns          [442]: WARNING Determined IP using DNS Lookup: 2.red-95-127-169.staticip.rima-tde.net = {'95.127.169.2'}
2021-01-25 20:34:56,808 fail2ban.filter         [442]: INFO    [hass-iptables] Found 95.127.169.2 - 2021-01-25 20:34:56
2021-01-25 20:34:56,809 fail2ban.ipdns          [442]: WARNING Determined IP using DNS Lookup: 2.red-95-127-169.staticip.rima-tde.net = {'95.127.169.2'}
2021-01-25 20:34:56,809 fail2ban.filter         [442]: INFO    [hass-iptables] Found 95.127.169.2 - 2021-01-25 20:34:56
2021-01-25 20:34:56,810 fail2ban.ipdns          [442]: WARNING Determined IP using DNS Lookup: 2.red-95-127-169.staticip.rima-tde.net = {'95.127.169.2'}
2021-01-25 20:34:56,810 fail2ban.filter         [442]: INFO    [hass-iptables] Found 95.127.169.2 - 2021-01-25 20:34:56
2021-01-25 20:34:56,811 fail2ban.ipdns          [442]: WARNING Determined IP using DNS Lookup: 2.red-95-127-169.staticip.rima-tde.net = {'95.127.169.2'}
2021-01-25 20:34:56,811 fail2ban.filter         [442]: INFO    [hass-iptables] Found 95.127.169.2 - 2021-01-25 20:34:56
2021-01-25 20:34:57,353 fail2ban.actions        [442]: NOTICE  [hass-iptables] Ban 95.127.169.2

I think I found the issue, the regex in the guide is wrong.
When I do a failed login I get this

2021-01-25 21:54:13 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 2.red-95-127-169.staticip.rima-tde.net (95.127.169.2) (Mozilla/5.0 (Linux; Android 11; SM-G981B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.116 Mobile Safari/537.36 EdgA/45.12.4.5125)

2021-01-25 21:54:13 DEBUG (MainThread) [homeassistant.core] Bus:Handling <Event call_service[L]: domain=persistent_notification, service=create, service_data=title=Login attempt failed, message=Login attempt or request with invalid authentication from 2.red-95-127-169.staticip.rima-tde.net (95.127.169.2) (Mozilla/5.0 (Linux; Android 11; SM-G981B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.116 Mobile Safari/537.36 EdgA/45.12.4.5125), notification_id=http-login>

According to the parsing

failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$

I think both messages are being parsed for the same event. Can anyone help me? I have no idea how that regex works.

Here is another log entry that matches that regex

2021-01-25 22:08:04 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection] [23282150996192] Sending {'id': 12, 'type': 'result', 'success': True, 'result': [{'notification_id': 'config_entry_discovery', 'message': 'We have discovered new devices on your network. [Check it out](/config/integrations).', 'status': 'unread', 'title': 'New devices discovered', 'created_at': datetime.datetime(2021, 1, 25, 20, 47, 44, 226454, tzinfo=datetime.timezone.utc)}, {'notification_id': 'http-login', 'message': 'Login attempt or request with invalid authentication from 2.red-95-127-169.staticip.rima-tde.net (95.127.169.2) (Mozilla/5.0 (Linux; Android 11; SM-G981B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.116 Mobile Safari/537.36 EdgA/45.12.4.5125)', 'status': 'unread', 'title': 'Login attempt failed', 'created_at': datetime.datetime(2021, 1, 25, 21, 7, 19, 773869, tzinfo=datetime.timezone.utc)}]}

I feel like a pro, I fixed it by trial and error

This is the right configuration for hass.local file

[INCLUDES]
before = common.conf

[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$

ignoreregex = ^%(__prefix_line)s.*DEBUG

[Init]
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S

Can you please help me?
It looks like the failregex is incorrect
2021-09-02 20:55:46,613 fail2ban.ipdns [565]: WARNING Unable to find a corresponding IP address for 31-154-163-53.orange.net.il: [Errno -2] Name does not resolve

Same configuration as you

This is the log from HA

2021-09-02 20:30:41 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 31-154-163-53.orange.net.il (2.55.163.53). (Mozilla/5.0 (Linux; Android 11; SM-G975F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.166 Mobile Safari/537.36)

Just ran into this as well, looks like maybe the log format was updated.
Mine is now working with my filter.d/hass.local looking like this

[INCLUDES]
before = common.conf

[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from.*\(<HOST>\).*$

ignoreregex = ^%(__prefix_line)s.*DEBUG

[Init]
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S

I confirm that the good failregex is what you proposed.

Thank You man!!!
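
Why one failed login produced several "Found" entries, and what the two fixes in this thread change, as an added sketch that is not from any poster or from fail2ban itself. It approximates the filter in plain Python, assuming the timestamp is stripped first, `%(__prefix_line)s` is empty and `<HOST>` accepts an IP address or a DNS name; the log lines are constructed from the samples above with a documentation address.

```python
import re

# Assumptions: fail2ban removes the timestamp matched by datepattern before
# applying the regexes; %(__prefix_line)s is treated as empty and <HOST> is
# approximated by a pattern that accepts an IP address or a DNS name.
DATE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
HOST = r"(?P<host>[\w.:-]+)"
MSG = "Login attempt or request with invalid authentication from"

FAILREGEX_GUIDE = rf"^.*{MSG} {HOST}.*$"        # "... from <HOST>.*$"
FAILREGEX_PAREN = rf"^.*{MSG}.*\({HOST}\).*$"   # "... from.*\(<HOST>\).*$"
IGNORE_DEBUG = r"^.*DEBUG"

# Constructed log lines modelled on the thread (documentation address,
# shortened user agent): one failed login, then two DEBUG echoes of it.
EVENT = f"{MSG} host-7.example.net (203.0.113.7) (Mozilla/5.0 (Linux; Android 11) Chrome/92.0)"
LINES = [
    f"2021-01-25 21:54:13 WARNING (MainThread) [homeassistant.components.http.ban] {EVENT}",
    "2021-01-25 21:54:13 DEBUG (MainThread) [homeassistant.core] Bus:Handling "
    f"<Event call_service[L]: service_data=title=Login attempt failed, message={EVENT}>",
    "2021-01-25 22:08:04 DEBUG (MainThread) [homeassistant.components.websocket_api."
    f"http.connection] Sending {{'notification_id': 'http-login', 'message': '{EVENT}'}}",
]


def found_hosts(lines, failregex, ignoreregex=None):
    """Return the host captured for every line the filter would count."""
    hits = []
    for line in lines:
        body = DATE.sub("", line, count=1)
        if ignoreregex and re.search(ignoreregex, body):
            continue  # a line matching ignoreregex is never counted
        match = re.search(failregex, body)
        if match:
            hits.append(match.group("host"))
    return hits


if __name__ == "__main__":
    print(found_hosts(LINES, FAILREGEX_GUIDE))                # three hits from one event
    print(found_hosts(LINES, FAILREGEX_GUIDE, IGNORE_DEBUG))  # one hit, but a DNS name
    print(found_hosts(LINES, FAILREGEX_PAREN, IGNORE_DEBUG))  # one hit, the logged IP
```

With maxretry = 3, the three hits in the first case are enough for a ban after a single failed login, and the third line shows how a later successful session can add a hit by re-sending the old notification.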

I’m currently attempting to set up Fail2Ban for my HA running in a Docker container. Unfortunately, F2B fails to start as the HA filter has an error that’s preventing it from starting:

ERROR Failed during configuration: Bad value substitution: option 'filter' in section 'HASS' contains an interpolation key '__prefix_line' which is not a valid option name. Raw value: '^%(__prefix_line)s.*Login attempt or request with invalid authentication from.*(<HOST>).*$'

This is the string recommended on the official HA integration page. I also get a similar error when trying to use the regex that @vmorganp and @ppluti007 recommend above.

My F2B jail file looks like the following. Note it’s not exactly what you guys are using, as I’m actually running F2B from OMV, which acts as a front end for editing the files. That shouldn’t be an issue, I don’t believe, as it’s a regex issue.

[HASS]
enabled = yes
port = 8085
filter = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
logpath = /var/lib/docker/volumes/ha-config/_data/home-assistant.log
bantime = -1
maxretry = 3

Anybody have any thoughts?
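
The startup error quoted in the post above can be reproduced with Python's configparser, on which fail2ban's configuration reader is built; this is an added example, not code from the thread or from fail2ban. It contrasts a regex placed in the jail's `filter` option with the same kind of string in a filter file, where `before = common.conf` supplies `__prefix_line`; the `[DEFAULT]` value below is a constructed stand-in for that include.

```python
import configparser

# The jail as posted: a failregex placed in the `filter` option, where
# nothing defines __prefix_line.
JAIL_AS_POSTED = r"""
[HASS]
enabled = yes
filter = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
"""

# Filter-file layout used earlier in the thread. The [DEFAULT] section is a
# constructed stand-in for what `before = common.conf` pulls in; the real
# __prefix_line value is longer.
FILTER_WITH_INCLUDE = r"""
[DEFAULT]
__prefix_line = \s*

[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from.*\(<HOST>\).*$
"""


def expand(ini_text, section, option):
    """Return the interpolated option value, or the parser's error text."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    try:
        return parser.get(section, option)
    except configparser.InterpolationMissingOptionError as exc:
        return f"ERROR: {exc}"


if __name__ == "__main__":
    # Same "Bad value substitution" failure as in the post.
    print(expand(JAIL_AS_POSTED, "HASS", "filter"))
    # Interpolates cleanly once __prefix_line is defined by the include.
    print(expand(FILTER_WITH_INCLUDE, "Definition", "failregex"))
```

In the working jail earlier in the thread, `filter = hass` names the filter file and the regex itself lives in filter.d/hass.local.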