Mysterious "Login attempt failed" in Notifications

Hi all,

so I recently switched from HA Cloud to a Cloudflare Tunnel. Everything works as expected except for one thing: I keep receiving “Login failed” warnings in my notifications. I don’t understand why this happens or how to fix it.


Here is the error from the logs:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:135
integration: HTTP (documentation, issues)
First occurred: 3:18:25 AM (4 occurrences)
Last logged: 6:16:01 AM
Login attempt or request with invalid authentication from 139.59.30.23 (139.59.30.23). Requested URL: ‘/media/wp-includes/wlwmanifest.xml’. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36)
Login attempt or request with invalid authentication from 193.148.16.108 (193.148.16.108). Requested URL: ‘/media/wp-includes/wlwmanifest.xml’. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36)
Login attempt or request with invalid authentication from 128.199.189.117 (128.199.189.117). Requested URL: ‘/media/wp-includes/wlwmanifest.xml’. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36)

Could anybody help me understand what’s causing this? Any feedback would be much appreciated.

Thanks!

Both originating IP addresses are on a few block lists, so it was likely a hacking attempt, which was blocked, and the IP addresses have been banned from further attempts.

The settings for this ban can be found here: HTTP - Home Assistant

And you will see the banned IP addresses in config/ip_bans.yaml

Thanks for the feedback @tom_l. As a fairly new HA user, that is quite a scary thing to read.

In Studio Code Server, I don’t see a config/ip_bans.yaml file, and my configuration.yaml does not contain ip_ban_enabled: true. Would you recommend adding that? Is that potential attack likely using my custom domain? Would you recommend changing?

Note that the IP address appears to be different every day (after I cleared the notification), sometimes even mentioning Google Cloud in the domain name.

The attack is most likely based on the IPv4 address, because that IP range is so small that it is relatively simple to do them all from one end to the other.
These kinds of attacks are just a fact on the internet today and they generally attempt known security holes.
As long as HA does not have a security hole you are safe, but if it gets one, then you might have to react extremely fast, and HA has had security holes in the past!

It’s your configuration.yaml file. Under http:

Do you mean you guys also have these warnings? So confused right now. I’m sure it started after I set up Cloudflare (or maybe my Nest thermostat).

Do you guys recommend turning ip_ban_enabled to true? And why isn’t that default?

Everyone on the internet has it.
I have a VPN server in front, so I have an extra layer of security. The chance of both the VPN server and HA having security holes at the same time is a lot smaller than just HA.

The reason why you have not seen it with NabuCasa is probably that your connection is not open from the internet until you have authenticated yourself to NabuCasa.
NabuCasa is acting as a filter in this case.


I used to see similar attempts when I was using DuckDNS for remote access. I have yet to see one since switching to Nabu Casa.

I ended up turning remote access OFF for now. Until I figure out a more secure setup. Thank you guys for your feedback.

To be clear the intrusion attempts were blocked.

This time indeed. Nevertheless, it’s quite worrisome. I obviously don’t want my home to be under constant daily attacks.

Hey guys, I keep getting these same messages; it’s happening often enough to trigger an ipban. I’ve worked out it’s my companion app triggering the alert, and I’m using Cloudflare tunnel with country blocking.
Every time it happens I have to login via VPN and edit the ipbans list and reboot which is sub par.
I’m using the app on Android, partner has the same with no issues.
Any ideas on how to whitelist or avoid this issue? Is it a known issue?

If you are banned on the HA server, then it has nothing to do with the Cloudflare tunnel.
A guess could be that your time on the server and the phone might be too much apart from each other, which will make an encryption fail and therefore count as a failed login.
Normally the time difference can not be more than 5 minutes between the two ends of an encrypted connection.

I’m getting these errors as well, for the last 9 months or so. Was getting it with Cloudflare tunnel, also getting it now with static IP/domain (behind nginx reverse proxy). Listed IP is my home IP, or sometimes I would get an IP of my phone if accessing it from outside. I also often get IPs from my local devices, like a fridge tablet, wife’s phone, etc. I’m certain this is a false positive, but very annoying, nonetheless. This needs to be fixed.

This happens to me as well. I’m pretty sure that it is my Android companion app that causes the errors. It works 99% of the time but occasionally it causes the login attempt failed error. Both at home and away as well.
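
A triage sketch for the `homeassistant.components.http.ban` lines quoted in the first post and for the local-IP reports later in the thread, added here as an example (not code from Home Assistant or from any poster). It separates untargeted WordPress probes from failures that come from devices on the LAN; the label names, the marker list and the 192.168.1.50 sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the warning format shown in the thread; accepts straight or curly quotes.
LINE_RE = re.compile(
    r"invalid authentication from \S+ \((?P<ip>[^)]+)\)\. "
    r"Requested URL: [‘'](?P<url>[^’']*)[’']"
)
# Illustrative WordPress paths (assumption); Home Assistant is not WordPress.
WORDPRESS_MARKERS = ("wp-includes", "wp-admin", "wp-login.php",
                     "wlwmanifest.xml", "xmlrpc.php")

# Constructed sample: lines 1-2 reuse addresses and the URL from the first post,
# line 3 is a made-up LAN client to show the false-positive case.
SAMPLE_LOG = """\
Login attempt or request with invalid authentication from 139.59.30.23 (139.59.30.23). Requested URL: ‘/media/wp-includes/wlwmanifest.xml’. (Mozilla/5.0)
Login attempt or request with invalid authentication from 193.148.16.108 (193.148.16.108). Requested URL: '/media/wp-includes/wlwmanifest.xml'. (Mozilla/5.0)
Login attempt or request with invalid authentication from fridge-tablet.lan (192.168.1.50). Requested URL: '/api/websocket'. (Home Assistant/Android)
"""

def classify(ip, url):
    """Return a triage label for one failed-authentication event."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparsed"
    if addr.is_private:
        return "local-client"        # own device: inspect that client, not the internet
    if any(marker in url.lower() for marker in WORDPRESS_MARKERS):
        return "wordpress-scanner"   # untargeted probe aimed at a different product
    return "external-review"         # public source requesting a real HA path

def triage(log_text):
    """Count events per (ip, label) over every matching log line."""
    counts = Counter()
    for match in LINE_RE.finditer(log_text):
        counts[(match["ip"], classify(match["ip"], match["url"]))] += 1
    return counts

if __name__ == "__main__":
    for (ip, label), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:16} {label:18} {n}")
```
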