[Security] Improvement of IPBan [HTTP Integration]

I would like to request an enhancement to the existing IPBan functionality. Currently, IPBan allows automatic blocking of an IP address after it tries unsuccessfully X times to log in, but it does not support manual wildcard rules or CIDR notation to block entire IP ranges efficiently.

I’m facing several “Login attempt failed” per week from foreign countries on different HA instances (at different locations so not on the same public IP address).

Proposed Enhancement:

  • Add support for a whitelist in addition to the blacklist
  • Add support for wildcard-based IP filtering (e.g., 192.168.*.* to allow an entire subnet in whitelist OR 45.148.* to block an entire subnet in blacklist).
  • Alternatively, allow CIDR notation (e.g., 192.168.1.0/24 or 45.0.0.0/8) for more flexible range-based blocking.
  • Ensure compatibility with the existing IPBan mechanisms for logging and automatic banning.

Use Case: This feature would significantly improve security by enabling users to preemptively block known problematic IP ranges rather than only reacting to individual addresses. For instance, users could proactively block entire ASNs or geographic ranges associated with repeated unauthorized access attempts.

Additional Considerations:

  • The implementation should ensure that existing individual IP bans remain functional.
  • A configuration UI or YAML option could be provided for defining wildcard or CIDR-based rules.
  • Performance considerations should be taken into account to prevent excessive overhead when processing large ranges.

I believe this enhancement would greatly improve Home Assistant’s security capabilities and give users more control over access management. Thank you for considering this request and a huge thank you to all the contributors of this wonderful project <3
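A sketch of the rule matching the request describes, as an added example: it is not Home Assistant code and not taken from any pull request. The names `parse_rule` and `AccessList`, the "whitelist wins" precedence, and the `pass` result (meaning the request falls through to the existing failed-login counting) are assumptions made for illustration.

```python
import ipaddress

def parse_rule(rule):
    """Turn '45.148.*', '192.168.*.*', a CIDR block or a single IP into a network."""
    rule = rule.strip()
    if "*" not in rule:
        # strict=True rejects ambiguous rules such as 192.168.1.5/24 (host bits set).
        return ipaddress.ip_network(rule, strict=True)
    octets = rule.split(".")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    # Only trailing wildcards describe one contiguous prefix; a bare '*' would
    # match every address, so it is refused rather than silently accepted.
    if not fixed or len(octets) > 4 or any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"unsupported wildcard rule: {rule!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")

class AccessList:
    """Assumed precedence: whitelist first, then blacklist, else 'pass'."""

    def __init__(self, allow=(), deny=()):
        self.allow = [parse_rule(r) for r in allow]
        self.deny = [parse_rule(r) for r in deny]

    def decision(self, remote):
        addr = ipaddress.ip_address(remote)
        # Cost grows with the number of rules, not with the size of a range:
        # a /8 is one comparison, exactly like a single banned address.
        if any(addr in net for net in self.allow):
            return "allow"
        hits = [net for net in self.deny if addr in net]
        if hits:
            # Report the most specific matching rule, which is useful in logs.
            return f"deny:{max(hits, key=lambda net: net.prefixlen)}"
        return "pass"

# Constructed sample rules, using the ranges mentioned in the request.
SAMPLE = AccessList(allow=["192.168.*.*"],
                    deny=["45.148.*", "45.0.0.0/8", "203.0.113.7"])

if __name__ == "__main__":
    for ip in ("192.168.1.20", "45.148.10.5", "45.9.9.9", "198.51.100.1"):
        print(ip, SAMPLE.decision(ip))
```

A single banned address is simply a /32 rule here, so individual bans and range rules share one code path.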

You get my vote, but just so you know, someone is already working on submitting a PR to do this.

Whether that PR gets approved or not is a different matter, but there’s always hope.


You should take a look at my pull request to do just this :grinning:
Improve http component to ban IP addresses by subnet #140661
Please comment on it - be gentle, it’s my first with HA