Whitelist IP

Along the same lines… WTH do you need to restart HA to clear an accidental IP Ban?

Delete the IP from /config/ip_bans.yaml

But after that a restart is still required.

2 Likes

Yep. That’s my issue. I know how to clear them, but why can’t we force a reload of the ban file instead of a full restart?

Hi @niro1987
Are you aware of any progress on that?

Isn’t this exactly what trusted networks already does?

Not really.
They share some points but it’s different.

Trusted networks remove the password, which admittedly removes the risk of banning, but it also makes anyone on the network able to sign in on your account if you use your main network as guest network too.

3 Likes

If an attacker is able to enter your network, then you have other issues. Especially when this is true:

That’s a way more serious security flaw.

Also you don’t need to add your whole network to trusted_networks, you can put single IP addresses there, so only put the IPs of your trusted devices and not every IP on your network and you’re fine.

It’s not as if we give out our credentials to anyone passing by our house.
It’s friends and family.
The intention may not be to “attack” but more of a “whoops”…

When I get notifications of wrong password entered it’s my router’s IP that is presented.
So that means I need to trust my router, but since it’s always the router’s IP then that means I trust any connection.
Isn’t that a way bigger security flaw then?

You need to pass the source IP to the packet in the router. So the header will not be with the router IP but the source IP.
I might be wrong, but is it masquerade?

I don’t know how to pass the IP.
But then again, I really don’t care.
I mean to some extent it’s better that there is a max attempts overall than max attempts per IP.
Otherwise someone who actually wants to attack could sign in to an open wifi and try again.

It’s really not a big deal.
The worst thing that can happen is that all my accounts are locked out and I need to unlock them by removing the banned IP which is my router.

Had it been that this happens every day or every month, well…
But I don’t believe I have had a single attempt that has not been our phones that have had issues. Only once in soon a year have I had to unlock my router.

Not a big deal if you ask me.

Whoops my guest found my HA URL by accident and tried to login by accident?

Then you need a reverse proxy or similar.

Trusted networks does not prevent the notification from appearing.
I get these notifications every day from my iOS devices, likely because of an expired token in the companion app. The device is in the trusted networks - I can log in without a password, but I still get the notification.

Just wondering if there’s any hope of seeing any progress on this? Both the IP whitelisting of my WAN would be good as well as removing the requirement to restart after removing an IP from ip_bans.yaml.

1 Like

Would like this too. Every now and again I get banned. Not really sure why, as I’ve set my browser to remember my credentials so I’m never prompted to enter them. I have the same issue with the iOS app.
I know it’s easy to edit the ipban file and remove the offending entry(ies), but it does mean I have to restart HA and also means I need to access HA from a different device (hoping I’m home to edit the actual file).
Seeing as I’m on a fixed IP address at home, it would help to be able to whitelist these IP addresses…

This happens to me every few weeks, it’s really annoying.

It happened to me a few times but hasn’t for a long while now. For argument’s sake, try reinstalling the app AND clearing your browser cookies.

Comment out login_attempts_threshold from the http section (or remove it entirely) to not get banned anymore.
It will remove the threshold for anyone, but it’s better than getting yourself banned every time and needing to remove the IP ban from the YAML file and restart HA. (The restarting of HA for the ban to be removed is fine for me; at least you know that if an IP gets banned the banned IP can’t be removed. Moving the YAML ban file to the backend of HA would pose some security risks.)

I would also like that IPs from the trusted networks section would also prevent banning those IPs. That would be better and is also assumed by the name (trusted networks: why would someone ban a trusted network?).

http:
  server_port: 8123
  login_attempts_threshold: 10

Yes, exactly. Why am I getting banned IPs from my internal network that is also listed as a trusted network?

1 Like
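
A way to check for the situation raised in the last posts, bans that land on addresses covered by trusted networks: this is an added example, not code from any poster or from Home Assistant. It assumes ip_bans.yaml holds a top-level IP key followed by an indented `banned_at` line; the sample contents, networks and function names are constructed.

```python
import ipaddress

# Constructed sample in the layout assumed for /config/ip_bans.yaml.
SAMPLE_BANS = """\
192.168.1.1:
  banned_at: '2023-01-05T18:22:41'
203.0.113.50:
  banned_at: '2023-02-11T07:03:12'
"2001:db8::7":
  banned_at: '2023-03-02T21:40:09'
"""

# Constructed trusted_networks entries (single hosts and CIDR ranges both work).
SAMPLE_TRUSTED = ["192.168.1.0/24", "2001:db8::/64"]


def parse_bans(text):
    """Return {ip_address: banned_at} from ip_bans.yaml-style text."""
    bans, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line[:1].isspace() and line.endswith(":"):
            key = line[:-1].strip().strip("'\"")
            try:
                current = ipaddress.ip_address(key)
                bans[current] = None
            except ValueError:
                current = None  # not an IP key; ignore its children
        elif current is not None and line.strip().startswith("banned_at:"):
            bans[current] = line.split(":", 1)[1].strip().strip("'\"")
    return bans


def bans_in_trusted(bans_text, trusted):
    """List (ip, banned_at, network) for bans covered by a trusted network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    hits = []
    for ip, when in parse_bans(bans_text).items():
        for net in nets:
            if ip.version == net.version and ip in net:
                hits.append((str(ip), when, str(net)))
                break
    return hits


if __name__ == "__main__":
    for ip, when, net in bans_in_trusted(SAMPLE_BANS, SAMPLE_TRUSTED):
        print(f"{ip} banned at {when} is inside trusted network {net}")
```

A hit on the router's own address, as described earlier in the thread, indicates that Home Assistant is seeing the router's IP rather than the client's.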