Is this a hack attempt? How can the hacker know my HA URL? How can I protect against that in the future?
Logger: homeassistant.components.http.ban
Source: components/http/ban.py:128
integration: HTTP (documentation, issues)
First occurred: 1:34:01 AM (48 occurrences)
Last logged: 1:45:05 AM
Login attempt or request with invalid authentication from ********. Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2024.1 (io.robbie.HomeAssistant.PushProvider; build:2024.535; iOS 17.2.1) Alamofire/5.6.4)
Logger: homeassistant.components.websocket_api.http.connection
Source: components/websocket_api/http.py:461
integration: Home Assistant WebSocket API (documentation, issues)
First occurred: 1:34:10 AM (7 occurrences)
Last logged: 1:44:28 AM
[547390786240] from ****************** (Home Assistant/2024.1 (io.robbie.HomeAssistant; build:2024.535; iOS 17.2.1)): Disconnected: Did not receive auth message within 10 seconds
[547434661568] from ****************** (Home Assistant/2024.1 (io.robbie.HomeAssistant; build:2024.535; iOS 17.2.1)): Disconnected: Did not receive auth message within 10 seconds
[546876029248] from ****************** (Home Assistant/2024.1 (io.robbie.HomeAssistant; build:2024.535; iOS 17.2.1)): Disconnected: Did not receive auth message within 10 seconds
[546903173184] from ****************** (Home Assistant/2024.1 (io.robbie.HomeAssistant; build:2024.535; iOS 17.2.1)): Disconnected: Did not receive auth message within 10 seconds
[546946471232] from ****************** (Home Assistant/2024.1 (io.robbie.HomeAssistant; build:2024.535; iOS 17.2.1)): Disconnected: Did not receive auth message within 10 seconds
It looks like some 3rd party app that you added or authorized is trying to authenticate to your HA instance. It also looks like it is originating from an iPhone.
Is your instance hosted externally? Are you using Nabu Casa?
The IPv4 address is so small that it is possible to scan all the IP addresses and there might also be the possibility to discover servers through hostnames on DNS services.
What you see here might be a script testing your server for common vulnerabilities, and typically a fingerprinting of your server will be done too, so the ones behind the script can use zero-day vulnerabilities better.
Fingerprinting just means the malware people try to figure out what OS and services you are running, so they can use it later if they get a trick to break into those.
Currently there are probably no issues, but if HA or an addon gets a security hole, then you might have a breach before you can react to it.
Your setup is only protected by one layer, which is the HA username and password.
A better setup would be to use a VPN server, which would act as the first layer and then HA would be the second layer. Of course the important thing here is to not use the same password/username on both HA and VPN.
Preferably, the best solution would be to use a certificate on the VPN.
It is not a hack.
You could call it a first attempt, like a burglar who walks around the hedge of several houses to scope them out.
He might find one that looks easy to break into and he might find none, but he now knows the setup of all the houses, and maybe he later hears about a way to bypass a specific alarm type, and then one of those scoped-out houses might have that alarm type and can then easily be broken into.
Just make sure to set the value to something reasonable (like 3 or 5) so you won’t get yourself locked out if you enter your login incorrectly once or twice.
It is hard to confirm from the logs you posted, but it is highly likely and in case it is not an outside attempt, then it will come soon anyway.
A standard open port 80 or 443 will be hit by a bit scan within a minute. Other ports a bit seldom, but it will happen.
A VPN service will add an extra layer to your security, and because a VPN service is a piece of software whose main objective is to secure the connection, it will be hardened in a much more secure way than HA with its convenience objective.
Local VPN? The term does not really make sense, so I am unsure what you mean.
What you need is a VPN connection inside your own network.
That means either running a VPN service inside your network or using an external VPN service that provides the ability to link two VPN connections together (one from your HA network and one from your mobile devices outside your home network).
HA has some, like Tailscale and maybe also WireGuard.
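
As an added example (not part of the original thread and not Home Assistant's own code): a small Python script that groups `http.ban` warnings like the one quoted at the top by source, showing which URLs and user agents are behind the failed logins and which sources reach a ban threshold such as the 3 or 5 suggested above. The log lines are constructed with documentation-range addresses; the function names and the timestamp prefix are assumptions.

```python
import re
from collections import defaultdict

# Message shape taken from the http.ban warning quoted in the thread.
BAN_RE = re.compile(
    r"invalid authentication from (?P<src>.+?)\. "
    r"Requested URL: '(?P<url>[^']*)'\. \((?P<ua>.*)\)\s*$"
)
APP_UA = ("HomeAssistant-Extensions-PushProvider/2024.1 "
          "(io.robbie.HomeAssistant.PushProvider; build:2024.535; "
          "iOS 17.2.1) Alamofire/5.6.4")

def ban_line(ts, src, url, ua):
    """Build one constructed log line; the timestamp prefix is an assumption."""
    return (f"{ts} WARNING [homeassistant.components.http.ban] Login attempt "
            f"or request with invalid authentication from {src}. "
            f"Requested URL: '{url}'. ({ua})")

# Constructed sample input (RFC 5737 documentation addresses, not real data).
SAMPLE_LOG = "\n".join([
    ban_line("01:34:01", "203.0.113.7", "/auth/token", APP_UA),
    ban_line("01:34:31", "203.0.113.7", "/auth/token", APP_UA),
    "01:34:40 WARNING [websocket_api] Did not receive auth message within 10 seconds",
    ban_line("01:35:02", "203.0.113.7", "/auth/token", APP_UA),
    ban_line("01:39:12", "198.51.100.23", "/api/config", "curl/8.4.0"),
])

def summarize_failures(log_text, threshold=5):
    """Group failed-auth warnings by source; flag sources at or over threshold."""
    stats = defaultdict(lambda: {"count": 0, "urls": set(), "agents": set()})
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue  # lines from other loggers are skipped
        entry = stats[m["src"]]
        entry["count"] += 1
        entry["urls"].add(m["url"])
        entry["agents"].add(m["ua"])
    return {
        src: {"count": e["count"], "urls": sorted(e["urls"]),
              "agents": sorted(e["agents"]),
              "over_threshold": e["count"] >= threshold}
        for src, e in stats.items()
    }

if __name__ == "__main__":
    for src, info in summarize_failures(SAMPLE_LOG, threshold=3).items():
        print(src, info["count"], info["over_threshold"], info["agents"])
```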