Is cloudflare secure and how do I stop this?

I use the cloudflared addon for remote access currently, and for the life if me I cannot figure out why I get several of these notifications in HA daily:

image

It is never the same IP address, and I do have a very long 30 digit password for access to HA which I do change periodically so I am pretty comfortable that nobody will break in - but how do I stop the above?

Doing a search through the command line for the logs doesn’t help much either:

Thoughts?

Check what the log has said before the line you posted,
as prior notice may give insight.

Change your sub domain.

Create a wildcard ssl certificate
*.domain.com

Only use your full hostname in nginx ssl proxy.

This may not work in Argo Tunnel.

There are bots scrapping dns domains and ssl certificates.

Or use a vpn.

Here are the 20 lines before and after the invalid authentication. I wish my flair vents were not cloud based, they are such a PITA to keep online. In any event - let me know if this sheds any light on it (line 40883) - I don’t think it does:

➜  ~ grep -n -B 20 -A 20 "invalid authentication" /config/home-assistant.log

40863-2024-10-19 09:32:43.719 WARNING (MainThread) [custom_components.flair] Flair Vent: Bedroom 2 Flair Vent is reported to be offline.
40864-2024-10-19 09:32:43.719 WARNING (MainThread) [custom_components.flair] Flair Vent: Bedroom 1 Flair Vent is reported to be offline.
40865-2024-10-19 09:32:43.719 WARNING (MainThread) [custom_components.flair] Flair Vent: Bedroom 3 Flair Vent is reported to be offline.
40866-2024-10-19 09:32:47.280 INFO (Wemo Events Thread) [pywemo.subscribe] Resubscribe for <Subscription basicevent "Bedroom 2 Light Switch">
40867-2024-10-19 09:32:47.345 WARNING (Wemo Events Thread) [pywemo.subscribe] Resubscribe error for <Subscription basicevent "Bedroom 2 Light Switch"> (400 Client Error: Bad Request for url: http://192.168.10.18:49152/upnp/event/basicevent1), will retry in 60s
40868-2024-10-19 09:32:47.391 INFO (Wemo Events Thread) [pywemo.ouimeaux_device] Reconnected to wemo <WeMo DimmerV2 "Bedroom 2 Light Switch"> on port 49152
40869-2024-10-19 09:32:50.822 INFO (MainThread) [homeassistant.helpers.script.trigger_update_coordinator] Trigger Update Coordinator: Running template script
40870-2024-10-19 09:32:50.822 INFO (MainThread) [homeassistant.helpers.script.trigger_update_coordinator] Trigger Update Coordinator: Executing step call service
40871-2024-10-19 09:32:50.823 INFO (MainThread) [homeassistant.helpers.script.trigger_update_coordinator] Trigger Update Coordinator: Executing step call service
40872-2024-10-19 09:32:57.234 INFO (MainThread) [aioambient] Received packet PING data 
40873-2024-10-19 09:32:57.234 INFO (MainThread) [aioambient] Sending packet PONG data 
40874-2024-10-19 09:33:07.001 INFO (MainThread) [homeassistant.components.automation.hallway_lights_timer_expired_if_automation_enabled_lights_off] Hallway Lights Timer Expired -> if Automation Enabled -> Lights  Off: Running automation actions
40875-2024-10-19 09:33:07.002 INFO (MainThread) [homeassistant.components.automation.hallway_lights_timer_expired_if_automation_enabled_lights_off] Hallway Lights Timer Expired -> if Automation Enabled -> Lights  Off: Executing step call service
40876-2024-10-19 09:33:14.586 WARNING (MainThread) [custom_components.flair] Flair Vent: Powder Room is reported to be offline.
40877-2024-10-19 09:33:14.586 WARNING (MainThread) [custom_components.flair] Flair Vent: Bathroom is reported to be offline.
40878-2024-10-19 09:33:14.586 WARNING (MainThread) [custom_components.flair] Flair Vent: Living Room Rear Flair Vent is reported to be offline.
40879-2024-10-19 09:33:14.586 WARNING (MainThread) [custom_components.flair] Flair Vent: Living Room Front Flair Vent is reported to be offline.
40880-2024-10-19 09:33:14.587 WARNING (MainThread) [custom_components.flair] Flair Vent: Dining Room Flair Vent is reported to be offline.
40881-2024-10-19 09:33:14.587 WARNING (MainThread) [custom_components.flair] Flair Vent: Kitchen Flair Vent is reported to be offline.
40882-2024-10-19 09:33:14.587 WARNING (MainThread) [custom_components.flair] Flair Vent: Den Flair Vent is reported to be offline.
40883:2024-10-19 09:33:16.801 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 134.209.222.178 (134.209.222.178). Requested URL: '/media/wp-includes/wlwmanifest.xml'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36)
40884-2024-10-19 09:33:19.475 INFO (MainThread) [aioambient] Received packet MESSAGE data 2["data",{"dateutc":1729344780000,"tempinf":72.3,"humidityin":38,"baromrelin":30.55,"baromabsin":30.491,"tempf":53.2,"battout":1,"humidity":65,"winddir":253,"windspeedmph":0,"windgustmph":0,"maxdailygust":2.2,"hourlyrainin":0,"eventrainin":0,"dailyrainin":0,"weeklyrainin":0,"monthlyrainin":0,"totalrainin":39.28,"solarradiation":61.09,"uv":0,"temp1f":69.8,"humidity1":47,"batt1":1,"batt_co2":1,"feelsLike":53.2,"dewPoint":41.74,"feelsLike1":68.7,"dewPoint1":48.6,"feelsLikein":71,"dewPointin":45.3,"lastRain":"2024-09-29T20:47:00.000Z","tz":"America/New_York","date":"2024-10-19T13:33:00.000Z","macAddress":"E8:DB:84:E6:D0:B0"}]
40885-2024-10-19 09:33:19.475 INFO (MainThread) [aioambient] Received event "data" [/]
40886-2024-10-19 09:33:19.475 INFO (MainThread) [aioambient] Watchdog triggered - sleeping for 900 seconds
40887-2024-10-19 09:33:22.309 INFO (MainThread) [aioambient] Received packet PING data 
40888-2024-10-19 09:33:22.309 INFO (MainThread) [aioambient] Sending packet PONG data 
40889-2024-10-19 09:33:22.816 INFO (MainThread) [homeassistant.helpers.script.trigger_update_coordinator] Trigger Update Coordinator: Running template script
40890-2024-10-19 09:33:22.816 INFO (MainThread) [homeassistant.helpers.script.trigger_update_coordinator] Trigger Update Coordinator: Executing step call service
40891-2024-10-19 09:33:22.817 INFO (MainThread) [homeassistant.helpers.script.trigger_update_coordinator] Trigger Update Coordinator: Executing step call service
40892-2024-10-19 09:33:47.384 INFO (MainThread) [aioambient] Received packet PING data 
40893-2024-10-19 09:33:47.384 INFO (MainThread) [aioambient] Sending packet PONG data 
40894-2024-10-19 09:33:47.391 INFO (Wemo Events Thread) [pywemo.subscribe] Resubscribe for <Subscription basicevent "Bedroom 2 Light Switch">
40895-2024-10-19 09:33:47.459 WARNING (Wemo Events Thread) [pywemo.subscribe] Resubscribe error for <Subscription basicevent "Bedroom 2 Light Switch"> (400 Client Error: Bad Request for url: http://192.168.10.18:49152/upnp/event/basicevent1), will retry in 60s
40896-2024-10-19 09:33:47.508 INFO (Wemo Events Thread) [pywemo.ouimeaux_device] Reconnected to wemo <WeMo DimmerV2 "Bedroom 2 Light Switch"> on port 49152
40897-2024-10-19 09:33:54.747 INFO (MainThread) [homeassistant.helpers.script.trigger_update_coordinator] Trigger Update Coordinator: Running template script
40898-2024-10-19 09:33:54.748 INFO (MainThread) [homeassistant.helpers.script.trigger_update_coordinator] Trigger Update Coordinator: Executing step call service
40899-2024-10-19 09:33:54.752 INFO (MainThread) [homeassistant.helpers.script.trigger_update_coordinator] Trigger Update Coordinator: Executing step call service
40900-2024-10-19 09:34:12.463 INFO (MainThread) [aioambient] Received packet PING data 
40901-2024-10-19 09:34:12.463 INFO (MainThread) [aioambient] Sending packet PONG data 
40902-2024-10-19 09:34:19.709 INFO (MainThread) [aioambient] Received packet MESSAGE data 2["data",{"dateutc":1729344840000,"tempinf":72.3,"humidityin":38,"baromrelin":30.553,"baromabsin":30.493,"tempf":53.4,"battout":1,"humidity":65,"winddir":256,"windspeedmph":0,"windgustmph":0,"maxdailygust":2.2,"hourlyrainin":0,"eventrainin":0,"dailyrainin":0,"weeklyrainin":0,"monthlyrainin":0,"totalrainin":39.28,"solarradiation":56.62,"uv":0,"temp1f":69.8,"humidity1":47,"batt1":1,"batt_co2":1,"feelsLike":53.4,"dewPoint":41.93,"feelsLike1":68.7,"dewPoint1":48.6,"feelsLikein":71,"dewPointin":45.3,"lastRain":"2024-09-29T20:47:00.000Z","tz":"America/New_York","date":"2024-10-19T13:34:00.000Z","macAddress":"E8:DB:84:E6:D0:B0"}]
40903-2024-10-19 09:34:19.710 INFO (MainThread) [aioambient] Received event "data" [/]
➜  ~ 

Thanks for the advice, but taking into account - I have no clue what I am doing and only set up the cloudlfare addon after some struggle - so please be kind in your answer (!) - I was going to reach out to support for the folks that gave me the certificate and/or the domain provider - once I get some direction from you - !

I presume the two bullets below do not apply in my case, they were separate suggestions from you for other routes to take?

  • I do not use an nginx ssl proxy (or does this clopudlfare use that?)
  • A VPN is a PITA because every device that then connects to my HA remotely has to fist turn on and access a VPN -

So If I go to those guys for suport I shouild say…

Change your subdomain (?) I only bought a domain and it is not connected to any server, just used for the redirect to the HA instance -

Create a wildcard ssl certificate - maybe that would fix it - ?

Thanks for your help -

Hello, the SSL certificate will solve the problem. Please keep me informed of the developments.

Create a new subdomain

I get this as well but its my son’s mobile phone. Not sure why it does this. Out of all our phones his is the only one that does this. Based on your logs it looks like a web browser is causing this. Do an IP lookup to see where the IP originates from the help determine what going on. You can also enable IP banning with in Home Assistant. HTTP - Home Assistant. I use this for an extra layer of protection for unwanted login attempts.

I am going to work with the vendor tomorrow to switch to a wildcard ssl certificate and let you folks know how it goes… (I won’t know for a few days if it stops the random attempts to get in)…

Yes but the IP banning would not work for me as it is a very different IP address every single time lol

I reduced the occurrence of these by banning all countries in Cloudflare except mine and the US (to allow the Google integration in). The IP you listed is from New Jersey in the US - do you live there? If so, it’s probably something of yours doing it.

Bots only can reach you by your subdomain, or directly over your IP address.

With cloudflared you don’t need port forwarding at router.

I am sorry I am having trouble where to put this certificate. Does this also mean that anyone who tries to access #1 has to also have the certificate on their machine? I have two things I set up for the cloudflared addon:

  1. A domain (just the name is reserved, there is no host server (other than my HA instance) - so, I have not web server on which to put a certificate…)
  2. A free cloudflared account using some kind of an API key.

From what I understand, someone tries to go to that domain and cloudlared is called to redirect the person accessing that domain, to my HA instance. Where does the certificate go - and once it is inplace, doesnt’t the other related system talking to that system have to have some kind of a matching certificate? Where?

And doesn’t this just encrypt the connection between cloudflared and my HA instance? I believe my main issue is stopping the external attempts from other random devices going to that URL (Ideally stopping them from being redirected would be the best approach)?

If Bots knows your subdomain you need change it…

Try change subdomain.

https://myha.domain.com

to

https://myha1234.domain.com

Wildcard certificate only fix exposition of your subdomain over certificates chain.

Your HA it’s like a web server. Will be spammed every day if they know your complete domain.

You could block countries in Cloudflare

Security > WAF

Zone-level Web Application Firewall (WAF) detects and mitigates malicious requests across all traffic under this zone.

I’m not entirely sure what it is you are trying to do here. It sounds like you are wanting to setup your cloudflare tunnel/HA to require a cert to be able to access the URL. If that is correct there are few steps you need to do for this to work. Below is a thread that outlines these steps pretty well. I would suggest having a read and see if this is what you are trying to do

Home Assistant App through Cloudflare Tunnel - Mobile Apps - Home Assistant Community

One thing to note is this doesn’t work for IOS devices.

Hello @billyjoebob999 also for chiming in.

Although strangers are not able to access my ha because I have a 30 digit password, I prefer for those folks to not even get the chance to try to log in…

On my PC accessing the external url, from within the cloudflare account, was able to set up access requiring email authentication on the cloudflare site before sending people to my HA and it worked prior to redirecting it to my HA RPI, only with chrome on a PC.

However, in testing this, it is unreliable maybe because of some kind of redirection that was blocked. On Chrome on a PC it will get me to the HA login page, only to tell me “Something went wrong” and the button to try again does not do anything.

Clearing out the browser cache and cookies etc. does not help, and the same exact issue with Microsoft’s browser. Also on Samsung browser on an android, same issue, except I see another message that appears later, I see a message “Unable to fetch Auth providers. https:///authcallback=1”

In android on the chrome browser the same thing (except no error message).

Doing this just for fun from the HA android app (!), I am sent to the cloudflare authentication login, evidently within the default browser (chrome), but then that cloudflare web site on chrome running within the ha android app - keeps creating and endless number of tabs and it’s impossible to stop that unless you reboot the phone.

So, using just the cloudflare free ‘Cloudflare Access’ with email authentication, does not work.

So I guess I am forced to go through extra steps now to put certificates on every device. Trule a pita especially if I am trying to access ha from a work machine or a hotel PC, etc… sigh.

Extra software on machines accessing HA is not acceptable.

I’ll try turning on MFA in HA as a last resort (external folks will still be able to reach my HA instance to log in…)…

Not compatible yet

I just use port forwarding, wildcards and random port.

Cloudflare dns:

*.domain.com cname your.dynamic-ip.dns

Nginx ssl proxy addon:

Ssl cert: *.domain.com
Host: my-secret-ha.domain.com

You need letsencrypt addon to create certificate.

router

Config port forwarding 12345 > 443 for example.

access

Access via https://my-secret-ha.domain.com:12345/

This you protect HA. But exposes router.

Only nginx ssl proxy knows your true “full domain”.

Any invalid domain will fail, but reach your nginx proxy. But not reach HA Core.

jcjsjsjjd.domain.com


True security only with vpn like wireguard.

All IP Addresses are spammed everyday.

Thank you.

Still researching!

1 Like