Mysterious "Login attempt failed" in Notifications

Hi all,

So I recently switched from HA Cloud to a Cloudflare Tunnel. Everything works as expected except for one thing: I keep receiving “Login failed” warnings in my notifications. I don’t understand why this happens or how to fix it.


Here is the error from the logs:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:135
integration: HTTP (documentation, issues)
First occurred: 3:18:25 AM (4 occurrences)
Last logged: 6:16:01 AM
Login attempt or request with invalid authentication from 139.59.30.23 (139.59.30.23). Requested URL: ‘/media/wp-includes/wlwmanifest.xml’. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36)
Login attempt or request with invalid authentication from 193.148.16.108 (193.148.16.108). Requested URL: ‘/media/wp-includes/wlwmanifest.xml’. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36)
Login attempt or request with invalid authentication from 128.199.189.117 (128.199.189.117). Requested URL: ‘/media/wp-includes/wlwmanifest.xml’. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36)

Could anybody help me understand what’s causing this? Any feedback would be much appreciated.

Thanks!

Both originating IP addresses are on a few block lists, so it was likely a hacking attempt, which was blocked, and the IP addresses have been banned from further attempts.

The settings for this ban can be found here: HTTP - Home Assistant

And you will see the banned IP addresses in config/ip_bans.yaml

Thanks for the feedback @tom_l. As a fairly new HA user, that is a quite scary thing to read.

In Studio Code Server, I don’t see a config/ip_bans.yaml file, and my configuration.yaml does not contain ip_ban_enabled: true. Would you recommend adding that? Is that potential attack likely using my custom domain? Would you recommend changing?

Note that the IP address appears to be different every day (after I cleared the notification), sometimes even mentioning Google Cloud in the domain name.

The attack is most likely based on the IPv4 address, because that IP range is so small that it is relatively simple to do them all from one end to the other.
These kinds of attacks are just a fact on the internet today and they generally attempt known security holes.
As long as HA does not have a security hole you are safe, but if it gets one, then you might have to react extremely fast, and HA has had security holes in the past!
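
Added example, not part of any post in this thread and not Home Assistant's own code: a small triage script for the `homeassistant.components.http.ban` warnings quoted above, which separates requests for WordPress files (such as `wlwmanifest.xml`) from requests that actually reach a Home Assistant auth or API path. The category rules, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the warning format quoted in the thread. Accepts straight or
# typographic quotes around the URL (the forum rendering shows the latter).
LINE_RE = re.compile(
    r"invalid authentication from \S+ \((?P<ip>[0-9a-fA-F.:]+)\)\. "
    r"Requested URL: ['‘’](?P<url>[^'‘’]*)['‘’]\. \((?P<ua>.*)\)\s*$"
)

# Assumed rules: path fragments typical of WordPress probing, and path
# prefixes where a credential or token is actually checked by Home Assistant.
WORDPRESS_HINTS = ("wp-includes", "wp-login", "wp-admin", "xmlrpc.php", "wlwmanifest.xml")
HA_AUTH_PREFIXES = ("/auth/", "/api/")

def classify(url):
    lowered = url.lower()
    if any(hint in lowered for hint in WORDPRESS_HINTS):
        return "wordpress-probe"
    if lowered.startswith(HA_AUTH_PREFIXES):
        return "ha-auth"
    return "other"

def triage(lines):
    """Return {ip: {category: count}} for lines that match the ban warning."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        match = LINE_RE.search(line)
        if match:
            report[match.group("ip")][classify(match.group("url"))] += 1
    return {ip: dict(counts) for ip, counts in report.items()}

# Constructed sample lines; the addresses come from documentation ranges.
SAMPLE = [
    "Login attempt or request with invalid authentication from 203.0.113.7 "
    "(203.0.113.7). Requested URL: ‘/media/wp-includes/wlwmanifest.xml’. "
    "(Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/78.0.3904.108)",
    "Login attempt or request with invalid authentication from 203.0.113.7 "
    "(203.0.113.7). Requested URL: '/blog/wp-includes/wlwmanifest.xml'. "
    "(Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/78.0.3904.108)",
    "Login attempt or request with invalid authentication from 198.51.100.9 "
    "(198.51.100.9). Requested URL: '/auth/login_flow'. (python-requests/2.31.0)",
    "Some unrelated log line that the pattern should skip",
]

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE).items():
        print(ip, counts)
```

Addresses that only ever land in `wordpress-probe` are asking for files that a Home Assistant install does not serve; the `ha-auth` bucket is the one worth reviewing line by line.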

It’s your configuration.yaml file. Under http:

Do you mean you guys also have these warnings? So confused right now. I’m sure it’s started after I set up Cloudflare (or maybe my Nest thermostat).

Do you guys recommend turning ip_ban_enabled to true? And why isn’t that default?

Everyone on the internet has it.
I have a VPN server in front, so I have an extra layer of security. The chance of both the VPN server and HA having security holes at the same time is a lot smaller than just HA.

The reason why you have not seen it with NabuCasa is probably that your connection is not open from the internet until you have authenticated yourself to NabuCasa.
NabuCasa is acting as a filter in this case.


I used to see similar attempts when I was using DuckDNS for remote access. I have yet to see one since switching to Nabu Casa.

I ended up turning remote access OFF for now, until I figure out a more secure setup. Thank you guys for your feedback.

To be clear the intrusion attempts were blocked.

This time indeed. Nevertheless, it’s quite worrisome. I obviously don’t want my home to be under constant daily attacks.