Is it possible to use fail2ban with hassio?

I was reading on a blog about securing HA that fail2ban is recommended.

Is it possible to use it with HassIO? I’m accessing HA over the internet using the websocket.

Yeah, in a way.

Take a look at the HTTP Component docs.

In there you’ll see the ip_ban_enabled and login_attempts_threshold flags.
Configure those and then if a certain IP attempts to log in more than X tries, they will be banned.
Be careful not to accidentally ban yourself and get locked out. You might want to look at the docs for the Trusted Networks component to add a PC on your LAN to be trusted to not get accidentally banned while testing.

Also note that if you're using a proxy like nginx, you have to set use_x_forwarded_for in the HTTP component to get the correct IP, and have that proxy server added to the trusted_proxies list in the Trusted Networks section of your configuration.


Thanks, so it looks like fail2ban functionality is already built into HA, nice. I’ll make sure I have SSH access before adding the ip_ban_enabled options, that way I’ll be able to unban myself if needed.

Thanks for the use_x_forwarded_for tip also, I do plan to use NGINX proxy eventually as I’ve found the HTTP component built into HA gives me SSL handshake errors when trying to use HTTPS, but I’m one step at a time here. :)

Curious, have you found a way to unban yourself over ssh without restarting Home Assistant?

Nope, still have to restart HA every time.

It used to take 5+ mins for a restart but I’ve now moved to VENV and restarts are quicker now at least.

So manually unblocking banned IPs is done by editing the “ip_bans.yaml” (removal of IP + ban time) and restarting HA. (https://www.home-assistant.io/integrations/http#ip-filtering-and-banning)

Two questions on this:

  1. Is there also a certain SSH command (fail2ban-client did not work, neither did iptables)? And I guess it needs to be executed on the host SSH?
  2. How long are bans valid (open-end/forever? 1 hour? 1 day?)

@e-raser I would like to introduce a temporary ban in HA, like a ban for 1 day, then lift the ban. Do you happen to know how to set that up?

As you can see in my last post I was asking for ways to unblock IPs. No one had an answer.

So for now: unblocking is only done by restarting HA, which is a bit annoying. So no, I have no idea. You could of course automate a HA restart after e.g. 1 day to achieve a “temporary” ban.
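
The temporary-ban idea discussed above, as an added example that is not part of the original thread or Home Assistant's own code: it drops entries older than a chosen age from the contents of ip_bans.yaml. It assumes the layout shown in the HTTP integration docs (the IP as key with a banned_at timestamp) and treats timestamps without an offset as UTC; `parse_bans`, `prune_bans` and the sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the ip_bans.yaml layout (documentation-range IPs).
SAMPLE = """\
192.0.2.10:
  banned_at: '2024-05-01T08:00:00'
'2001:db8::7':
  banned_at: '2024-05-02T07:30:00+00:00'
198.51.100.23:
  banned_at: '2024-05-02T09:15:00'
"""

def parse_bans(text):
    """Return {ip: aware UTC datetime} parsed from ip_bans.yaml text."""
    bans, ip = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace() and stripped.endswith(":"):
            ip = stripped[:-1].strip("'\"")  # top-level key is the banned IP
        elif ip and stripped.startswith("banned_at:"):
            stamp = datetime.fromisoformat(stripped.split(":", 1)[1].strip(" '\""))
            if stamp.tzinfo is None:  # assumption: naive timestamps are UTC
                stamp = stamp.replace(tzinfo=timezone.utc)
            bans[ip] = stamp
            ip = None
    return bans

def prune_bans(text, now, max_age):
    """Return (yaml_to_keep, expired_ips) for bans at least max_age old."""
    kept, expired = [], []
    for ip, banned_at in parse_bans(text).items():
        if now - banned_at >= max_age:
            expired.append(ip)
        else:
            # Keys are always quoted so IPv6 addresses stay valid YAML.
            kept.append(f"'{ip}':\n  banned_at: '{banned_at.isoformat()}'\n")
    return "".join(kept), expired

if __name__ == "__main__":
    now = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # fixed for the demo
    remaining, lifted = prune_bans(SAMPLE, now, timedelta(days=1))
    print("lift:", lifted)
    print(remaining, end="")
```

Writing the returned text back to ip_bans.yaml only takes effect after the Home Assistant restart described in the thread, so a scheduled job would prune first and restart only when the expired list is non-empty.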

Swag combines Nginx Proxy Manager (a reverse proxy) with Fail2ban - so, you can expose local HASS via reverse proxy - it’ll have a certificate and fail2ban