I have been having some trouble lately where my phone’s IP address gets banned (not sure why) and it requires manually editing the ip_bans.yaml and removing it’s IP and of course doing a complete reboot which is a pain because the ZWave network takes forever to finish it’s setup.
I was just about to ask how to do this. My phone is often banned when switching from my work or home wifi to the cellular network.
removing ip_bans.yaml is pretty trivial, but removing all bans is a bit of a blunt instrument.
i can’t even work out why I got banned most of the time. It would be great if there was even an ssh command to reset the bans instead of deleting and restarting.
This sort of thing can be a retrograde influence security wise. Scenario: people get sick of resetting needless IP bans, so just disable it altogether, removing an important security measure.
Same with anti-virus popping up all the time, or consuming all your resources. The temptation is to just switch it off.
3 Likes
I am very tempted.
What really pisses me off is at night I ask Google to activate bedtime and it works and 5 minutes later when I try and turn everything off, it says it can’t talk to my app right now… and it ends up being a ban!!! I mean WTF?
I probably should try and work out how the trusted networks and trusted proxies works as I just don’t properly understand them at the moment and don’t want to open up THAT can of works security wise. All my bans come from 127.0.0.1 I think and I think the reverse proxy brings everything in on that. If I did set trusted networks and proxies then I could set that other flag (the one that removes the mask and shows real ip of connection) and fix it I guess.
I’m on Hassio/Docker but just dont know what to be plugging in.
1 Like
A service should be pretty simple; once that’s in place, a UI can be built. I’ll take a look at part 1!
3 Likes
FYI: https://github.com/home-assistant/home-assistant/pull/18770 – am seeking guidance from some members who have more experience in this subsystem. Will keep everyone posted.
So this seems to work and I managed to lock myself out a few times as well (deliberately)
http:
use_x_forwarded_for: true
trusted_proxies:
- 127.0.0.1
- ::100:
I’m having a similar issue where I’m seeing bans from 172.30.33.x addresses. At first I thought it was some crazy hacker and I tried to find out who it was. I’m not IT guy so I quickly found out that 172. is a private IP address. This is confusing to me as I use the 192. private IP for my network. To test that this was coming from inside, I logged out of HA and purposefully entered wrong passwords. Whether I was on the local network or from my cell phone (off the wifi) it put out the 172 ip ban. I have a feeling this is coming from using Nginx but I’m not sure how to configure it a different way. Again, I’m not an IT guy and it seems like a lot of the info I see on Nginx is for people who already know what they are doing.
In all my searching to figure out how to solve this, I came across something that said to NOT to what @DavidFW1960 is recommending as it could allow spoofing of IPs and bypassing the password entirely.
https://github.com/home-assistant/home-assistant/issues/14345
Maybe I’m reading this incorrectly or this has been fixed but thought I’d bring it up. Hopefully someone else can chime in with the latest/safest way to set use_x_forwarded_for, trusted_networks and trusted_proxies when using Nginx.
If you don’t set the use_x_forwarded_for: true then you won’t ever see the real IP address of anyone connecting. The 172 addresses BTW are docker.
If you use x_forwarded_for then the real IP address of anyone connecting is visible. and if you use that you have to use a trusted proxy. The settings I put in here are straight out of the docs for http.
Since putting that in, I get the IP address of the last connected user using the last_authenticated sensor.
I don’t find this very intuitive and if someone feels there is a security risk in the settings as I have them. Not also that in that github issue, you also need to have trusted_networks defined. (I don’t) and an API password (I don’t). So everyone has to authenticate using the new auth username and password and also enter the 2FA code from my phone. That is a very old issue from an old version of HA prior to auth. The ONLY thing I am trying to achieve is to see the authenticated IP addresses and not get banned for no good reason as per this thread. I was finding that my 127.0.0.1 was getting banned for no discernible reason - revealing the true IP addresses has stopped that.
I note also in that issue that PR’s have been released to address the issue with trusted networks and x_forwarded_for.
@bachya did you get anywhere with this?
It’s kind of useless having a mobile client that gets banned when you need it most.
I haven’t, unfortunately – other priorities took over. One challenge with this is that the banning mechanism is fairly tightly coupled with the http module; at the same time, that module is where the websocket API is defined (creating something of a circular reference). Long story short: I’m not convinced this is a simple implementation…
If my other, higher priority items cool down, I will definitely try to take another look at this.
4 Likes
Does anyone know if this was ever created? It’d be nice to be able to remove banned IPs without a restart. The z-wave network is a bit slow coming back up.
I ended up turning off IP bans in HA and now use fail2ban
1 Like
For some reason my kitchen Fully Kiosk Fire tablet seems to get banned after a while - haven’t a clue why.
The only thing I’m doing on that tablet perhaps more than on any other tablet is viewing external camera URLs. Often a precursor to the ban is the camera feeds start showing as unavailable images and the next time I go to view them it’s a 403 forbidden for the whole HA site.
Would dearly like to whitelist that IP so it never gets banned but don’t think this is possible?
2 Likes
same here after update to 0.107 using fully kiosk and tileboard.
All worked fine until 0.107
I’ve seen this happen when watching a camera feed that cuts out - I’ll see a notification for a login attempt with invalid credentials from my IP address. Not sure what’s causing it, but it’s definitely affecting more than just one user.
3 Likes
Damn, you are right! For a week now (v107.x), I’ve been getting IP banned over and over on connections to our remote lake house and could not for the life of me figure out who or what was creating the invalid login. Just now erased IP_Bans, restarted HA, logged in and tried to connect to a page showing 3 camera snapshots. Waited, waited, and no pictures ever came up… but the IP BANNED notification!
EDIT: yeah, the Internet connection at the remote location is often dismal these days. Upload well under 1mbit. Still, how does that explain an invalid login?