Is there a log file that can store the IP address of invalid logins, so that we can use something like fail2ban to ban bad people?
There is only one log file but you can search/grep for login attempts.
16-08-11 08:04:10 WARNING (CP Server Thread-9) [homeassistant.components.http] Login attempt or request with an invalidpassword from 127.0.0.1
Thank you… I should have checked there! Here's a working config for fail2ban:
in jail.conf:
[hass-iptables]
enabled = true
filter = hass
action = iptables-allports[name=HASS]
logpath = /var/opt/hass/home-assistant.log
maxretry = 5
in filter.d/hass.conf:
[INCLUDES]
before = common.conf
[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with an invalidpassword from <HOST>.*$
ignoreregex =
[Init]
datepattern = ^%%y-%%m-%%d %%H:%%M:%%S
I'm on fail2ban v0.8.13. Is this configuration still working? I tried to enter a bunch of bogus passwords but I'm not getting banned/blocked.
Using Pi AIO so log is located /home/hass/.homeassistant/home-assistant.log
pi@raspberrypi:/etc/fail2ban $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-hass tcp -- anywhere anywhere
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-hass (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
It should but the typo in the error message was fixed.
failregex = ^%(__prefix_line)s.*Login attempt or request with an invalid password from <HOST>.*$
I'm having the same issue here. It appears that fail2ban v0.8.13 has issues reading the date format (yy-mm-dd) in home-assistant.log and v0.8.13 seems not to know the "datepattern" option. I tested with fail2ban-regex: no issues reading yyyy-mm-dd format but yy-mm-dd format won't work and the "-d" switch is not supported to change the date format it is using.
Maybe newer versions of fail2ban, e.g. v09.6, support the "datepattern" option, but latest stable for Debian Jessie is v0.8.13 it seems.
Would there be an option to have HASS use the yyyy-mm-dd format? Brings back memories of the y2k "issue"
Was merged and will be shipped with 0.44.
Thanks mate!
Done. Submitted PR.
So… out of curiosity… I set this up just now and immediately got banned IPs… would that mean someone(s) are actively attacking my HA instance?
wwolf@WWEServer:/etc/fail2ban$ tail -100 /var/log/syslog|grep fail2ban
Jun 1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 116.31.116.43
Jun 1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.87.109.150
Jun 1 19:00:46 WWEServer fail2ban.filter[2795]: INFO [sshd] Found 218.65.30.122
Jun 1 19:00:47 WWEServer fail2ban.actions[2795]: NOTICE [sshd] 116.31.116.43 already banned
Jun 1 19:00:48 WWEServer fail2ban.actions[2795]: NOTICE [sshd] 218.87.109.150 already banned
Jun 1 19:00:49 WWEServer fail2ban.actions[2795]: NOTICE [sshd] 218.65.30.122 already banned
HA software or your ssh daemon?
That's normal for any machine with port 22 open to the internet.
Hmm, sshd I guess (since it says that) - missed that. Was too worried about the blocks
Thanks for the tip.
I thought I'd open this back up. There are a few tweaks I needed to make on HA 0.52.1 version.
in my configuration.yaml , had to add the .ban at the end of http
logger:
  default: critical
  logs:
    homeassistant.components.http.ban: warning
and in my /etc/fail2ban/fail2ban.local
[Definition]
logtarget = SYSLOG
and in my /etc/fail2ban/filter.d/hass.local
[INCLUDES]
before = common.conf
[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
ignoreregex =
[Init]
datepattern = ^%%y-%%m-%%d %%H:%%M:%%S
and lastly in my /etc/fail2ban/jail.local
[hass-iptables]
enabled = true
filter = hass
action = iptables-allports[name=HASS]
logpath = /home/homeassistant/.homeassistant/home-assistant.log
maxretry = 3
But NOW I'm getting this error when I run,
hass@hass:$ tail -100 /var/log/syslog|grep fail
Sep 4 08:35:08 hass fail2ban.filter[22830]: WARNING Found a match for '2017-09-04 08:35:08
WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with
invalid authentication from 192.168.1.207' but no valid date/time found for '2017-09-04 08:35:08
WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with
invalid authentication from 192.168.1.207'. Please try setting a custom date pattern (see man page
jail.conf(5)). If format is complex, please file a detailed issue on
https://github.com/fail2ban/fail2ban/issues in order to get support for this format.
Clearly it sees the home-assistant.log and attempts to login, but something to do with date-formatting. Not sure where to go from here.
Just remove the datepattern, like this
/etc/fail2ban/filter.d/hass.local
[INCLUDES]
before = common.conf
[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
ignoreregex =
In the newer HA you don't have to configure the logger anymore. So no extra lines needed in the configuration files!
If you enable the logger you lose the output information in the journals created by the service homeassistant is running.
sudo journalctl -fu [email protected]
Will not show any debug information when the logger is configured as proposed in the original doc.
I also can confirm that the tweaks suggested by Max_HASS and freakstatic are needed for fail2ban to run on HA 0.54.0
I have tried every combination to get this working
Nov 10 10:03:31 Ha fail2ban.filter[10053]: INFO Added logfile = /root/.homeassistant/home-assistant.log
Nov 10 10:03:31 Ha fail2ban.actions[10053]: INFO Set banTime = 600
Nov 10 10:03:31 Ha fail2ban.filter[10053]: INFO Date pattern set to `'^%y-%m-%d %H:%M:%S'`: `^Year2-Month-Day 24hour:Minute:Second`
Nov 10 10:03:31 Ha fail2ban.jail[10053]: INFO Jail 'sshd' started
Nov 10 10:03:31 Ha fail2ban.jail[10053]: INFO Jail 'hass-iptables' started
Nov 10 10:05:22 Ha systemd[1]: hass.service: Unit entered failed state.
Nov 10 10:05:36 Ha fail2ban.filter[10053]: INFO Log rotation detected for /root/.homeassistant/home-assistant.log
seems to be starting but the fail2ban sensor always shows none
BTW tried with date pattern and without
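Added example, not part of any post above and not fail2ban's or Home Assistant's own code: a small Python checker for the two things that broke the filter in this thread, the changing wording of the failed-login message and the yy-mm-dd versus yyyy-mm-dd timestamp. The names parse_line and hosts_to_ban and the sample lines are constructed for illustration; the counting only approximates the maxretry/findtime idea.

```python
import re
from datetime import datetime

# The three wordings of the failed-login message quoted in this thread.
MESSAGE = re.compile(
    r"Login attempt or request with (?:an )?"
    r"(?:invalidpassword|invalid password|invalid authentication) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
# Both timestamp layouts discussed: yyyy-mm-dd first, then the older yy-mm-dd.
DATE_FORMATS = ("%Y-%m-%d %H:%M:%S", "%y-%m-%d %H:%M:%S")

def parse_line(line):
    """Return (timestamp, host) for a failed-login line, otherwise None."""
    match = MESSAGE.search(line)
    if match is None:
        return None
    stamp = " ".join(line.split()[:2])
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(stamp, fmt), match.group("host")
        except ValueError:
            continue
    return None  # message matched but the date did not: nothing to count

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """List hosts with at least maxretry failures inside findtime seconds."""
    recent, banned = {}, []
    for when, host in filter(None, map(parse_line, lines)):
        window = [t for t in recent.get(host, [])
                  if (when - t).total_seconds() <= findtime]
        recent[host] = window + [when]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample lines (documentation-range addresses), not real log data.
OLD = "WARNING (CP Server Thread-9) [homeassistant.components.http] Login attempt or request with an invalidpassword from "
NEW = "WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from "
SAMPLE_LOG = [
    "16-08-11 08:04:10 " + OLD + "198.51.100.9",
    "2017-09-04 08:35:08 " + NEW + "203.0.113.7",
    "2017-09-04 08:35:20 " + NEW + "203.0.113.7",
    "2017-09-04 08:35:31 INFO (MainThread) [constructed.component] unrelated line",
    "2017-09-04 08:36:02 " + NEW + "203.0.113.7",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

Running lines from your own home-assistant.log through parse_line shows quickly whether a silent filter is failing on the message text or on the timestamp.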