For some reason my kitchen Fully Kiosk Fire tablet seems to get banned after a while - haven’t a clue why.
The only thing I’m doing on that tablet perhaps more than on any other tablet is viewing external camera URLs. Often a precursor to the ban is the camera feeds start showing as unavailable images and the next time I go to view them it’s a 403 forbidden for the whole HA site.
Would dearly like to whitelist that IP so it never gets banned but don’t think this is possible?
same here after update to 0.107 using fully kiosk and tileboard.
All worked fine until 0.107
I’ve seen this happen when watching a camera feed that cuts out - I’ll see a notification for a login attempt with invalid credentials from my IP address. Not sure what’s causing it, but it’s definitely affecting more than just one user.
Damn, you are right! For a week now (v107.x), I’ve been getting IP banned over and over on connections to our remote lake house and could not for the life of me figure out who or what was creating the invalid login. Just now erased IP_Bans, restarted HA, logged in and tried to connect to a page showing 3 camera snapshots. Waited, waited, and no pictures ever came up… but the IP BANNED notification!
EDIT: yeah, the Internet connection at the remote location is often dismal these days. Upload well under 1mbit. Still, how does that explain an invalid login?
Hi! Got the same on my local network after upgrade to 107. I use stream component, but was not even opening this page.
Took a lot of digging, but in this post there was a mention of getting IP_banned after accessing remote cameras as well.
It was an old topic regarding the changes to trusted_networks in HA .89 so it didn’t seem at all relevant. But on a hunch, I added 127.0.0.1 (localhost) along with my local internal network as a trusted network and now I haven’t had any authentication errors accessing cameras.
I have no idea why localhost would be needed, or if it was something else I did in the mad scramble trying to fix it, but I no longer have any problem. So if you don’t have this currently defined in your auth_providers configuration, give it a shot and please confirm results.
Unfortunately, this didn’t work for me, still getting authentication errors from iOS and web interface as well. I will try a bit later to add internal hassio addons subnet as trusted network, just for a test.
Just for information, I tried adding:
- my_home_subnet
- 127.0.0.1
- 172.30.33.0/25
to trusted networks. 172.30.33.0/25 is hassio add-ons subnet. And I am still getting authorization errors.
I will just wait untill 0.108 is out and, if ip_ban is not fixed there, will try to remove all camera streams from frontend for a test.
So it was something else in my case, not camera streams - I have now no camera streams at frontend and still invalid authentication attempts.
I am interested in last_authenticated sensor, how would you set it up? Thanks!
Use this
http:
use_x_forwarded_for: true
trusted_proxies:
- 127.0.0.1
- ::1
ip_ban_enabled: true
login_attempts_threshold: 5
# Logger
logger:
default: warn #warn
logs:
custom_components.sensor.authenticated: debug
You will then have a sensor.last_successful_authentication you can display in lovelace like this:
Thank you, This is really helpful!
Have you had any luck in getting the notification to work (per the documentation) ?
My code (configuration.yaml)
sensor:
- platform: authenticated
enable_notification: true
provider: ipapi
Yes I get notifications
hmmm…
Here’s my config, would you be kind enough to compare against yours to see if I am missing something?
homeassistant:
auth_providers:
- type: trusted_networks
trusted_networks:
- 192.168.0.0/24
trusted_users:
192.168.0.0/24:
- userID 1- redacted
- userID 2- redacted
- userID 3- redacted
- userID 4- redacted
- userID 5- redacted
- userID 6- redacted
- type: homeassistant
http:
use_x_forwarded_for: true
trusted_proxies:
- 127.0.0.1
- ::1
ip_ban_enabled: true
login_attempts_threshold: 3
logger:
default: warn
logs:
custom_components.sensor.authenticated: debug
sensor:
- platform: authenticated
enable_notification: true
provider: ipapi
Here is auth. My http is shown in above post.
# Auth & 2FA
auth_mfa_modules:
- type: notify
- type: totp
auth_providers:
- type: trusted_networks
trusted_networks:
- 127.0.0.1
- ::1
- !secret my_ipv4_network
- fd00::/8
- !secret zerotier_network
- !secret my_ipv6_network
trusted_users:
127.0.0.1: !secret user_id
"::1": !secret user_id
!secret trusted_ipv4: !secret user_id
"fd00::/8": !secret user_id
!secret trusted_ipv6: !secret user_id
!secret zerotier_network: !secret user_id
allow_bypass_login: true
- type: homeassistant
Configuration of component:
# Sensors
sensor:
# Authentication Sensor
- platform: authenticated
enable_notification: true
provider: 'ipapi'
exclude:
- !secret my_ipv4_network
- fd00::/8
- !secret zerotier_network
- !secret my_ipv6_network
made a few adjustments… will have to see if that help any.
I like how you are using the secrets file for compartmentalizing the users and network info (had to take that into my setup, so thanks for showing that off).
started getting the notifications.
I don’t have banning enabled and don’t have ip_bans.yaml in my config folder but HA dosen’t let me log in from a specific IP of my desktop.
Has anyone else experienced similar problem?
Logs;
Logger: homeassistant.components.http.ban
Source: components/http/ban.py:114
Integration: HTTP (documentation, issues)
First occurred: December 4, 2020, 11:17:43 AM (7occurrences)
I also keep getting one of my tablets constantly banned for no reason for years now. This is a very annoying issue.
It’s a shame you didn’t accept https://github.com/home-assistant/core/pull/18770 PR that addressed this issue.