Is there a log file for invalid logins? (Blocking hackers)

Is there a log file that can store the IP address of invalid logins, so that we can use something like fail2ban to ban bad people?

There is only one log file but you can search/grep for login attempts.

16-08-11 08:04:10 WARNING (CP Server Thread-9) [homeassistant.components.http] Login attempt or request with an invalidpassword from 127.0.0.1

Thank you… I should have checked there! Here’s a working config for fail2ban:

in jail.conf:

[hass-iptables]

enabled = true
filter = hass
action = iptables-allports[name=HASS]
logpath = /var/opt/hass/home-assistant.log
maxretry = 5

in filter.d/hass.conf:

[INCLUDES]

before = common.conf

[Definition]

failregex = ^%(__prefix_line)s.*Login attempt or request with an invalidpassword from <HOST>.*$

ignoreregex =

[Init]

datepattern = ^%%y-%%m-%%d %%H:%%M:%%S

Looks simple and useful…We should create a cookbook entry for this.

I’m on fail2ban v0.8.13 is this configuration still working? I tried to enter a bunch of bogus passwords but I’m not getting banned/blocked.

Using Pi AIO so log is located /home/hass/.homeassistant/home-assistant.log

[email protected]:/etc/fail2ban $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-hass tcp – anywhere anywhere
fail2ban-ssh tcp – anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-hass (1 references)
target prot opt source destination
RETURN all – anywhere anywhere
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

It should but the typo in the error message was fixed.

failregex = ^%(__prefix_line)s.*Login attempt or request with an invalid password from <HOST>.*$

I’m having the same issue here. It appears that fail2ban v0.8.13 has issues reading the date format (yy-mm-dd) in home-assistant.log and v0.8.13 seems not to know the “datepattern” option. I tested with fail2ban-regex: no issues reading yyyy-mm-dd format but yy-mm-dd format won’t work and the “-d” switch is not supported to change the date format it is using.

Maybe newer versions of fail2ban, e.g. v09.6, support the “datepattern” option, but latest stable for Debian Jessie is v0.8.13 it seems.

Would there be an option to have HASS use the yyyy-mm-dd format? Brings back memories of the y2k “issue” :wink:

Was merged and will be shipped with 0.44.

1 Like

Thanks mate!

Done. Submitted PR.

https://github.com/home-assistant/home-assistant.github.io/pull/2710

So… out of curiosity… I set this up just now and immediately got banned IPs… would that mean someone(s) are actively attacking my HA instance?

[email protected]:/etc/fail2ban$ tail -100 /var/log/syslog|grep fail2ban
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 116.31.116.43
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 116.31.116.43
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 116.31.116.43
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 116.31.116.43
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 116.31.116.43
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun  1 19:00:47 WWEServer fail2ban.actions[2795]: NOTICE [sshd] 116.31.116.43 already banned
Jun  1 19:00:48 WWEServer fail2ban.actions[2795]: NOTICE [sshd] 218.87.109.150 already banned
Jun  1 19:00:49 WWEServer fail2ban.actions[2795]: NOTICE [sshd] 218.65.30.122 already banned

HA software or your ssh daemon?

That’s normal for any machine with port 22 open to the internet.

Hmm, sshd I guess (since it says that) - missed that. Was too worried about the blocks :slight_smile:

Thanks for the tip.

I thought I’d open this back up. There are a few tweaks I needed to make on HA 0.52.1 version.

in my configuration.yaml , had to add the .ban at the end of http

logger:
  default: critical
  logs:
    homeassistant.components.http.ban: warning

and in my /etc/fail2ban/fail2ban.local

[Definition]
logtarget = SYSLOG

and in my /etc/fail2ban/filter.d/hass.local

[INCLUDES]
before = common.conf

[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from 
<HOST>.*$

ignoreregex =

[Init]
datepattern = ^%%y-%%m-%%d %%H:%%M:%%S

and lastly in my /etc/fail2ban/jail.local

[hass-iptables]
enabled = true
filter = hass
action = iptables-allports[name=HASS]
logpath = /home/homeassistant/.homeassistant/home-assistant.log
maxretry = 3

But NOW I’m getting this error when I run,

[email protected]:$ tail -100 /var/log/syslog|grep fail



Sep  4 08:35:08 hass fail2ban.filter[22830]: WARNING Found a match for '2017-09-04 08:35:08 
WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with 
invalid authentication from 192.168.1.207' but no valid date/time found for '2017-09-04 08:35:08 
WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with 
invalid authentication from 192.168.1.207'. Please try setting a custom date pattern (see man page 
jail.conf(5)). If format is complex, please file a detailed issue on 
https://github.com/fail2ban/fail2ban/issues in order to get support for this format.

Clearly it sees the home-assistant.log and attempts to login, but something to do with date-formatting. Not sure where to go from here.

Just remove the datepattern, like this

/etc/fail2ban/filter.d/hass.local

[INCLUDES]
before = common.conf

[Definition]
failregex = ^%(__prefix_line)s.Login attempt or request with invalid authentication from
<HOST>.
$

ignoreregex =

In the newer HA you don’t have to configure the logger anymore. So no extra lines needed in the configuration files!

If you enable the logger you lose the output information in the journals created by the service homeassistant is running.

sudo journalctl -fu [email protected]

Wil not show any debug information when the logger is configured a purposed in the original doc.

i also can confirm that the tweaks suggested by Max_HASS and freakstatic are needed for fail2ban to run on HA 0.54.0

I have tried every combination to get this working

Nov 10 10:03:31 Ha fail2ban.filter[10053]: INFO Added logfile = /root/.homeassistant/home-assistant.log
Nov 10 10:03:31 Ha fail2ban.actions[10053]: INFO Set banTime = 600
Nov 10 10:03:31 Ha fail2ban.filter[10053]: INFO Date pattern set to `'^%y-%m-%d %H:%M:%S'`: `^Year2-Month-Day 24hour:Minute:Second`
Nov 10 10:03:31 Ha fail2ban.jail[10053]: INFO Jail 'sshd' started
Nov 10 10:03:31 Ha fail2ban.jail[10053]: INFO Jail 'hass-iptables' started
Nov 10 10:05:22 Ha systemd[1]: hass.service: Unit entered failed state.
Nov 10 10:05:36 Ha fail2ban.filter[10053]: INFO Log rotation detected for /root/.homeassistant/home-assistant.log

seems to be starting but the fail2ban sensor always shows none

BTW tried with date pattern and without