To make sure you never - ever ban your own IP address. Whitelisted IP’s should not pop up as failed login attempts.
Voted and agreed!
Specifically regarding these random “failed login” persistent notifications, I’d like to see those go to the log file instead.
Along the same lines… WTH do you need to restart HA to clear an accidental IP Ban?
Delete the IP from /config/ip_bans.yaml
But after that a restart is still required.
Yep. That’s my issue. I know how to clear them, but why can’t we force a reload of the ban file instead of a full restart.
Are you aware of any progress on that?
Isn’t this exactly what trusted networks already does?
They share some points but it’s different.
Trusted networks remove the password which admittedly removes the risk of banning, but it also makes anyone on the network able to sign in on your account
If you use your main network as guest network too.
If an attacker is able to enter your network, then you have other issues. Especially when this is true:
That’s a way more serious security flaw.
Also you don’t need to add your whole network to trusted_networks, you can put single IP addresses there, so only put the IPs of your trusted devices and not every IP on your network and you’re fine.
It’s not as we give out our credentials to anyone passing by our house.
It’s friends and family.
The intention may not be to “attack” but more of a “whoops”…
When I get notifications of wrong password entered it’s my routers IP that is presented.
So that means I need to trust my router, but since it’s always the routers IP then that means I trust any connection.
Isn’t that a way bigger security flaws then?
You need to pass source ip to the packet in router. So the header will be not with the router ip but source ip.
I might be wrong,but is it masquarade?
I don’t know how to pass the IP.
But then again, I really don’t care.
I mean to some extent it’s better that there is a max attempts overall than max attempts per IP.
Otherwise someone who actually wants to attack could sign in to a open wifi and try again.
It’s really not a big deal
The worst thing that can happen is that all my accounts are locked out and I need to unlock them by removing the banned IP which is my router.
Had it been that this happens every day or every month, well…
But I don’t believe I have had a single attempt that has not been our phones that has had issues. Only once in soon a year have I had to unlock my router once.
Not a big deal if you ask me.
Whoops my guest found my HA URL by accident and tried to login by accident?
Then you need a reverse proxy or similar.
Trusted networks does not prevent the notification from appearing
I get these notifications every day from my iOS devices, likely because of expired token in the companion app. The device is in the trusted networks - I can login without a password, but I still get the notification.
Just wondering if there’s any hope of seeing any progress on this? Both the IP whitelisting of my WAN would be good as wells as removing the requirement to restart after removing an IP from ip_bans.yaml