HASS needs a log of all connections made by IP and login success or fail for the front end so users can detect hacking attempts at login. This log should be separate from all other logs.
+1 that’s a nice idea anyone using tor with hass
Failed logins are visible on the “About” page but that place is a bit hidden. We have Persistent Notification. Let me take a look if we can attach that to the login part.
At this point in time I think that it would be counterproductive to start splitting the log file. Better one file with 5 entries than 5 files with one line.
I am familiar with how HASS displays logs currently but that can get lost in the mix of all the other outputs to that log. Needs to be a raw log with the IP info and any information that can be grabbed from the browser like a normal httpd access log. This being a separate txt based log that would be easy to scan for attempts on the system.
A persistent notification is a nice idea but they could pile up fast if someone really went after the login with something like a dictionary attack.
I also understand the need for kiss of the log file but I think security logs, when possible, that are isolated from the system logs are important to any system that is exposed to the wild. How long would it take you to find a failed login attempt in your log files unless you are running grep on your log output looking for it? How many users know how to do that? If it's half then the other half have no way of knowing if anything has happened and if they are getting pen tested. Let's not “obscure” the security data in the system logs just to keep things simple. Those of us that have exposed HASS to the wild have done so at risk of someone taking control of live devices within our homes. We should take all precautions to protect its front door.
I have created a simple way to detect failed login as a proof of concept using automation. Failed Login Detection
With fail2ban (see here), a solution is available that does the blocking automatically.
True, but we can use the same ID, so only the last one will be visible.
Not that long because my log file is basically empty on the productive instance.
Well, we need to assume that people who are exposing their systems to the wild know what they are doing. Especially when it comes down to securing the communication channel, the logging, and the access itself.
The warnings are not buried in the system logs. Home Assistant is keeping its own log file which makes it much more accessible than the classical approach of using /var/log/. For that we have the syslog notify platform that would allow hooking Home Assistant’s logging into the system’s one.
The fail2ban solution is an acceptable solution to keep from getting hammered on the front end. Good idea to consider.
Yes I forgot about using the same ID.
Yes, in your instance you may have this but not all users are going to have their log settings set up the same way.
To assume a user is always going to know the best practices while using a product is a bad assumption. In the basic setup instructions there is a small blurb about security referencing Let’s Encrypt but nothing to Fail2ban. IoT security is a very big issue for the industry as a whole. Maybe there is a need for a more in-depth entry on securing a HASS instance.
I was unaware of the syslog component.
While the original feature request may be moot it has exposed the need for more documentation on HASS security. Maybe a blog entry on setting up fail2ban (more info than is shown in that post) or HASS security best practices.
My main concern is that the more I incorporate devices and information into HASS about my home and my life the more important it is to keep it secure. The information that HASS could be tracking could be very personal and if compromised could be very damaging. Any measures that can be taken should be taken to protect your HASS instance.
I think having a built-in notification of bad login attempts as a persistent notification would be a good feature. That way you would have a real time notification in the front end if there is a failed login attempt. This way with the most basic setup the user at min knows someone is trying to log in with a bad password and they need to check the logs. This was my motivation for the simple automation I created.
Try this custom component, I have tested it a bit and it is catching all of my external log-ins (i.e. from outside my network). From inside my network a lot of activity shows up as coming from my router as I am connecting using my duckdns address and my router loops it back. Every computer/device IP that I have accessed the front end with, though, has been flagged.
The authenticated component was working great until last year but is now deprecated. Does anyone know of an alternative to such an important service? Knowing what IP has logged into your HA instance is really important as someone with your password could log into your HA without you noticing, which is pretty scary considering how many things many of us have connected to HA (including cameras, security systems, etc).
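The separate, easy-to-scan failed-login record requested at the top of this thread can be derived from the existing mixed log. The sketch below is an added example, not part of any post and not Home Assistant code; the warning text in the regex, the sample lines and the function names are assumptions, so adjust the pattern to what your version actually writes.

```python
import re
from collections import Counter

# Assumed message shape (not quoted in the thread): the WARNING written by
# Home Assistant's http component on a failed login. Adjust to your version.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S*\s+WARNING\s.*"
    r"Login attempt or request with invalid authentication from "
    r"(?P<ip>[0-9A-Fa-f:.]+)"
)

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
2017-06-01 21:14:01 INFO (MainThread) [homeassistant.core] Starting Home Assistant
2017-06-01 21:14:03 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7
2017-06-01 21:14:05 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7
2017-06-01 21:14:06 WARNING (MainThread) [homeassistant.components.sensor] Updating sensor took longer than expected
2017-06-01 21:14:09 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7
2017-06-01 22:40:12 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 198.51.100.23
"""


def extract_failed_logins(lines):
    """Return (timestamp, ip) for every failed-login line, in log order."""
    events = []
    for line in lines:
        m = FAILED_LOGIN.match(line.strip())
        if m:
            # Drop sentence punctuation that may trail the address.
            events.append((m.group("ts"), m.group("ip").rstrip(".:")))
    return events


def security_log_lines(events):
    """Render events as a standalone, access-log-style text record."""
    return [f"{ts} FAILED_LOGIN src={ip}" for ts, ip in events]


def repeat_offenders(events, threshold=3):
    """Map each IP with at least `threshold` failures to its count."""
    counts = Counter(ip for _, ip in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = extract_failed_logins(SAMPLE_LOG.splitlines())
    print("\n".join(security_log_lines(events)))
    print("repeat offenders:", repeat_offenders(events))
```

The lines from `security_log_lines` can be appended to a dedicated file, and the addresses from `repeat_offenders` are the ones worth checking against whatever fail2ban has blocked.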