My external IP getting banned

Hi everyone,

Every few days, I get my own external IP banned. I have seen some similar complaints (example), but none quite the same as my case.

The IP that gets banned is always my external IP. This blocks me from using the DuckDNS URL, so I need to use the internal Raspberry IP and use the configurator to remove the IP ban entry, and then it's fixed. However, it’s annoying.

I do not have an iPhone. I only use web on my Mac and Android phone. The Android phone is usually open in the Lovelace home view.

My system details:

  • System: HassOS 2.12
  • Deployment: production
  • Version: 0.97.2
  • Installed on Raspberry Pi 3

I have ip ban enabled:

ip_ban_enabled: true
login_attempts_threshold: 3

and my Auth provider is homeassistant:

auth_providers:
  - type: homeassistant

I have DuckDNS Add-On installed, which I understand is why it’s my external IP and not my internal IP that gets banned.

I do not want to disable either protection system, I just want to understand why my own IP gets banned without any manual intervention. Note that I’ve also checked the time at which I got banned, and there were no other devices connected to my internet. So it’s not like someone accessed my local network and sent requests on my behalf.

Any ideas on what could be triggering this?

Thank you,
Nito

I’ve published an issue for this. It also bans my internal IP if I am surfing with the local Raspberry IP instead of the DuckDNS problem.

You could try deleting all your refresh tokens (in your home assistant profile) and then log in again on each device. Not sure if it will help.

It seems CGNAT used by cellular carriers stuffs up mobile authentication occasionally.

There was some discussion a while ago about making a service to reset ip bans without requiring a restart. It didn’t get anywhere.

Hi @tom_l,

Thanks for the suggestion. I have followed your steps now. I will report if the IP ban happens again.

That being said, I am not sure if the “CGNAT used by cellular carriers” is the root cause. Last time this happened, I had my Android phone connected to DuckDNS URL and I was surfing on my Macbook using the local Raspberry Pi IP. The IP that was banned that time was not my external IP, but my local IP. Somehow, I forgot to double check whose device IP it was, but I understand it was my Macbook’s as I couldn’t keep surfing.

I am a bit clueless on what is the source of this and it’s hard to reproduce consistently. It just happens, and appears to be random, so it is hard to predict too :frowning:

I have failed auth messages also when the session doesn’t reconnect cleanly, even though the cookie in the browser is good.

I’ve raised my

login_attempts_threshold: 

and also set up NGINX to restrict access to a limited IP address range.

I have also been seeing random login failed messages. It seems to be when I am away from the home assistant tab and I come back to it. (Browser is Brave Browser) Quite a few times, I see the failed login notification with the notification time indicating pretty close to when I switched back to the HA tab.

I am logged in from work and it's my work IP that threw it this time, so it's definitely this specific session. I see similar issues when I leave the tab up in Brave browser indefinitely on my main PC at home. It even went as far as to IP ban my desktop at home from the number of times it failed logins.

You could ditch the auth providers and use MFA. This might be scary to some but I actually prefer it. No hassles.

I can confirm this did not solve it. While I didn’t get banned this time, I did get some IP login failures.

What’s MFA? Thanks

Multi factor authentication. It’s under your profile.

Ah OK thanks, I may give it a try :slight_smile: