[homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.1.1

A few weeks ago I set up Duck DNS, SSL, and an API password. When I was getting it set up, I didn’t use the most secure password, so yesterday I used a password generator to create a random 20-character password.

The web interface still allows me to log in with my new password, however in my home-assistant.log I now continually get:

2017-11-18 14:14:56 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.1.1
2017-11-18 14:15:01 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.1.1
2017-11-18 14:15:06 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.1.1

I’ve now changed my password back to the not so secure password, and attempted other passwords with and without special characters. I’ve used the secrets.yaml file to store the password, and also just left the password in the configuration.yaml.

http:
  api_password: !secret http_api_password
  base_url: !secret base_url
  ssl_certificate: '/etc/letsencrypt/live/xxxxxxxxxxx.duckdns.org/fullchain.pem'
  ssl_key: '/etc/letsencrypt/live/xxxxxxxxxxx.duckdns.org/privkey.pem'

I’ve cleared cookies and cache from my Chrome web browser and from my mobile, which are the two platforms I typically use to access the dashboard.

I don’t believe this error showed when I originally set up the SSL and password, but it seems any combination of settings I’m getting is now showing this continuous error.

What am I missing? I’m on Hassbian 0.57.3


Did you check which device on your network is using ip 192.168.1.1?

That would be my router IP address, which is used in the DDWRT Device Tracker component.

### device_tracker.yaml

- platform: ddwrt
  host: 192.168.1.1
  username: !secret ddwrt_username
  password: !secret ddwrt_password
  track_new_devices: yes
  interval_seconds: 3

For now I removed the error by whitelisting my router’s IP address, although I’m still not sure what’s causing the error to present in the first place.

### configuration.yaml
http:
  api_password: !secret http_api_password
  base_url: !secret base_url
  ssl_certificate: '/etc/letsencrypt/live/xxxxxxxxxxx.duckdns.org/fullchain.pem'
  ssl_key: '/etc/letsencrypt/live/xxxxxxxxxxx.duckdns.org/privkey.pem'
  trusted_networks:
    - 192.168.1.1
  ip_ban_enabled: True
  login_attempts_threshold: 10

Did you ever track this down by chance? I went from a normal (8-10 character) password to a super secret 16-20 character one while trying to set up the Google Assistant component, and was able to log in via duckdns with the new password - but I’m continually getting the same “Login attempt or request with invalid authentication from 192.168.1.1” message… what gives?!

I haven’t messed with it again much. If I remove this from my config, the error comes back. I’m not sure if this is the best solution (or most secure?) but that is the only way I’ve found so far.


I’m on 0.59.2 and started seeing this issue after changing my password. I’ve updated all of my devices that are configured with the password to the new password but I still continue to get the error message flooding my log file.

The only difference in my setup is that I have letsencrypt and duckdns configured and the invalid IP in my logs is shown as my Public IP address.

My best guess is that some component of HA has configured itself with the initial password and keeps trying to connect - but I temporarily changed my password back to the original value and it didn’t eliminate the problem - so that kind of rules out this theory.

Is there a log message we can enable that will give us more information about the connection which gets rejected? For example, the entire URL that was requested with the ‘bad password’ or more detail about the requester themselves? Showing me that it originated with my router is not really all that useful.
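
Added example (not part of the thread and not Home Assistant code): one way to get more out of the existing warnings is to group them by source address and measure the spacing between them. A fixed cadence, like the 5-second spacing in the log lines quoted at the top of the thread, suggests an automated client retrying a stale credential rather than someone typing passwords. The function name, the 1-second jitter tolerance, and the 203.0.113.7 and INFO lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: the 192.168.1.1 lines follow the format quoted in the
# thread; the 203.0.113.7 lines and the INFO line are invented for contrast.
PREFIX = "WARNING (MainThread) [homeassistant.components.http.ban] "
MSG = "Login attempt or request with invalid authentication from "
SAMPLE_LOG = "\n".join([
    "2017-11-18 14:14:56 " + PREFIX + MSG + "192.168.1.1",
    "2017-11-18 14:15:01 " + PREFIX + MSG + "192.168.1.1",
    "2017-11-18 14:15:02 " + PREFIX + MSG + "203.0.113.7",
    "2017-11-18 14:15:03 " + PREFIX + MSG + "203.0.113.7",
    "2017-11-18 14:15:04 INFO (MainThread) [homeassistant.core] constructed noise",
    "2017-11-18 14:15:06 " + PREFIX + MSG + "192.168.1.1",
    "2017-11-18 14:15:40 " + PREFIX + MSG + "203.0.113.7",
])

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARNING \(\w+\) "
    r"\[homeassistant\.components\.http\.ban\] "
    r"Login attempt or request with invalid authentication from (?P<ip>\S+)$"
)

def summarize_failures(log_text, jitter=1.0):
    """Group http.ban warnings by source IP and describe their timing."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            by_ip[m.group("ip")].append(ts)
    report = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else None
        # Heuristic: at least two gaps, all within `jitter` seconds of the median.
        periodic = len(gaps) >= 2 and all(abs(g - med) <= jitter for g in gaps)
        report[ip] = {"count": len(stamps), "first": stamps[0],
                      "last": stamps[-1], "median_gap_s": med,
                      "periodic": periodic}
    return report

if __name__ == "__main__":
    for ip, info in summarize_failures(SAMPLE_LOG).items():
        print(ip, info["count"], info["median_gap_s"],
              "fixed cadence" if info["periodic"] else "irregular")
```

A fixed cadence can then be compared against the polling or reconnect intervals of the integrations and add-ons that hold a copy of the API password.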

A lot of people (including myself) seem to be running into this… and it appears to be AppDaemon:

Should the example at appdaemon/conf/examples.yaml at master · AppDaemon/appdaemon · GitHub have something mentioning certs, urls, and passwords?

At a minimum, it seems like there should be a pointer on the Home Assistant security page(s), and maybe a mention in the hass.io add-on’s “options” template to give people some bread crumbs.


No final „fix“ for this? My main smartphone running HA Companion app triggers those messages quite frequently. Couldn’t track down why/when because of which reason but… it’s annoying especially because I block devices after a few failed login attempts.
