WTH are all those "login attempt failed" in my notifications?

I’ve been getting these for years now. I think it has something to do with camera streams or something. But AFAIK the root causes were never really identified, and the log message doesn’t give anything useful. Just the IP of the device I’m accessing hass from.

There is a super old issue related that I opened: any `picture-entity` cards that are backed by the `camera_proxy` loose their auth token/authSig and display a grey `image-broken.svg` thumbnail when HA is restarted. · Issue #4302 · home-assistant/frontend · GitHub

FWIW, I can still reproduce this issue using the more recent HA builds.

I am also getting a few login attempt failures every hour (this is new/recent; a few weeks ago they were only showing up a few times a week!). Each time, it’s from the same host; the one that hosts the dashboard on a screen/kiosk… But I have no cameras on any of the dashboards that the Kiosk displays!

2 Likes

I got these from the Android app but haven’t seen them lately. Looks like this one is fixed, but there might be some other use case where it still exists.

An example of the error would help.

As far as I was aware, the issue was fixed. At least we had no new reports after the last changes.

Nevertheless, the log files should provide more details (additional details like the path called). Having that information would be useful, as it might help find the thing that causes it.

…/Frenck

Not fixed for me at least.

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:125
Integration: HTTP (documentation, issues)
First occurred: September 20, 2022 at 22:31:30 (8 occurrences)
Last logged: September 20, 2022 at 22:31:30
Login attempt or request with invalid authentication from <IP REDACTED> (<IP REDACTED>). (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0)

Bit more context on one of the times I saw it, but I don’t see the calendar stuff every time, so it may just be a red herring. Usually it looks more like the above, just one message with no real explanation.

2022-09-18 19:56:04 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from <IP_REDACTED> (<IP_REDACTED>). (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0)
2022-09-18 19:56:04 DEBUG (MainThread) [homeassistant.core] Bus:Handling <Event state_changed[L]: entity_id=persistent_notification.http_login, old_state=None, new_state=<state persistent_notification.http_login=notifying; message=Login attempt or request with invalid authentication from <IP_REDACTED> (<IP_REDACTED>). See the log for details., title=Login attempt failed, friendly_name=Login attempt failed @ 2022-09-18T19:56:04.083272+02:00>>
2022-09-18 19:56:04 DEBUG (MainThread) [homeassistant.core] Bus:Handling <Event persistent_notifications_updated[L]>
2022-09-18 19:56:04 DEBUG (Recorder) [homeassistant.components.recorder.core] Processing task: EventTask(event=<Event state_changed[L]: entity_id=persistent_notification.http_login, old_state=None, new_state=<state persistent_notification.http_login=notifying; message=Login attempt or request with invalid authentication from <IP_REDACTED> (<IP_REDACTED>). See the log for details., title=Login attempt failed, friendly_name=Login attempt failed @ 2022-09-18T19:56:04.083272+02:00>>)
2022-09-18 19:56:04 DEBUG (Recorder) [homeassistant.components.recorder.core] Processing task: EventTask(event=<Event persistent_notifications_updated[L]>)
2022-09-18 19:56:04 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from <IP_REDACTED> (<IP_REDACTED>). (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0)
2022-09-18 19:56:04 DEBUG (MainThread) [homeassistant.core] Bus:Handling <Event persistent_notifications_updated[L]>
2022-09-18 19:56:04 DEBUG (Recorder) [homeassistant.components.recorder.core] Processing task: EventTask(event=<Event persistent_notifications_updated[L]>)
2022-09-18 19:56:04 DEBUG (Recorder) [homeassistant.components.recorder.core] Processing task: EventTask(event=<Event persistent_notifications_updated[L]>)
2022-09-18 19:56:04 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from <IP_REDACTED> (<IP_REDACTED>). (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0)
2022-09-18 19:56:04 DEBUG (MainThread) [homeassistant.core] Bus:Handling <Event persistent_notifications_updated[L]>
2022-09-18 19:56:04 DEBUG (Recorder) [homeassistant.components.recorder.core] Processing task: EventTask(event=<Event persistent_notifications_updated[L]>)
2022-09-18 19:56:04 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from <IP_REDACTED> (<IP_REDACTED>). (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0)
2022-09-18 19:56:04 DEBUG (MainThread) [homeassistant.core] Bus:Handling <Event persistent_notifications_updated[L]>
2022-09-18 19:56:04 DEBUG (Recorder) [homeassistant.components.recorder.core] Processing task: EventTask(event=<Event persistent_notifications_updated[L]>)
2022-09-18 19:56:04 DEBUG (MainThread) [homeassistant.components.buienradar.util] Calling url: https://data.buienradar.nl/2.0/feed/json
2022-09-18 19:56:04 DEBUG (MainThread) [homeassistant.components.http.auth] Authenticated <IP_REDACTED> for /api/calendars/calendar.alena_and_seans_calendar using bearer token
2022-09-18 19:56:04 DEBUG (MainThread) [gcal_sync.auth] request[get]=https://www.googleapis.com/calendar/v3/calendars/alenaandsean%40gmail.com/events {'maxResults': 100, 'singleEvents': 'true', 'orderBy': 'startTime', 'fields': 'kind,nextPageToken,nextSyncToken,items(id,summary,description,location,start,end,transparency,eventType,visibility,attendees,attendeesOmitted)', 'timeMin': '2022-09-17T22:00:00+00:00', 'timeMax': '2022-09-20T21:59:59+00:00'}

Here’s another:

2022-09-20 22:31:30 DEBUG (Recorder) [homeassistant.components.recorder.core] Processing task: EventTask(event=<Event state_changed[L]: entity_id=persistent_notification.http_login, old_state=<state persistent_notification.http_login=notifying; message=Login attempt or request with invalid authentication from localhost (127.0.0.1). See the log for details., title=Login attempt failed, friendly_name=Login attempt failed @ 2022-09-18T19:56:04.083272+02:00>, new_state=<state persistent_notification.http_login=notifying; message=Login attempt or request with invalid authentication from <IP_REDACTED> (<IP_REDACTED>). See the log for details., title=Login attempt failed, friendly_name=Login attempt failed @ 2022-09-18T19:56:04.083272+02:00>>)
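
A triage sketch for log excerpts like the ones above, added here as an example (it is not part of any post and is not Home Assistant code): it groups the `http.ban` warnings by source IP, labels each source as internal or external, and shows whether the failures arrive in a same-second cluster like the one in the excerpt. The regex is derived from the quoted warning lines; `INTERNAL_NETS`, the `threshold` parameter and the sample lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Format of the http.ban WARNING lines quoted in the thread.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARNING \(\w+\) "
    r"\[homeassistant\.components\.http\.ban\] Login attempt or request with "
    r"invalid authentication from (?P<host>\S+) \((?P<ip>[^)]+)\)\. \((?P<ua>.*)\)$"
)
# Assumption: "internal" means loopback or RFC 1918 space; adjust for your LAN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (hosts, IPs and user agents are made up).
SAMPLE_LOG = """\
2022-09-18 19:56:04 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from kiosk.lan (192.168.1.40). (Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0)
2022-09-18 19:56:04 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from kiosk.lan (192.168.1.40). (Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0)
2022-09-18 19:56:04 DEBUG (MainThread) [homeassistant.core] Bus:Handling <Event persistent_notifications_updated[L]>
2022-09-18 19:56:04 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from kiosk.lan (192.168.1.40). (Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0)
2022-09-18 19:56:04 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from kiosk.lan (192.168.1.40). (Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0)
2022-09-18 20:10:11 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from kiosk.lan (192.168.1.40). (Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0)
2022-09-18 21:02:45 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7 (203.0.113.7). (Mozilla/5.0 (Linux; Android 12) Mobile)
"""

def scope(ip):
    """Classify a logged source address; redacted placeholders stay 'unparsed'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparsed"
    return "internal" if any(addr in n for n in INTERNAL_NETS) else "external"

def triage(log_text, threshold=5):
    # threshold: hypothetical stand-in for login_attempts_threshold (raw count, no resets)
    hits = defaultdict(lambda: {"count": 0, "seconds": set(), "agents": set()})
    for m in filter(None, map(BAN_RE.match, log_text.splitlines())):
        h = hits[m["ip"]]
        h["count"] += 1
        h["seconds"].add(m["ts"])  # distinct timestamps -> number of bursts
        h["agents"].add(m["ua"])
    return {ip: {"scope": scope(ip), "count": h["count"],
                 "bursts": len(h["seconds"]), "agents": sorted(h["agents"]),
                 "reaches_threshold": h["count"] >= threshold}
            for ip, h in hits.items()}

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```

A high `count` with a low `bursts` value means the failures share timestamps, as the four warnings at 19:56:04 do in the excerpt above.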

What is the IP? Is it internal (then why do you hide it?) or is your HA publicly accessible? Then anyone can try to log in.

Internal IP. HA not publicly accessible, it’s behind firewall.

I remember reading about this in the WTH 2020 category: WTH are those Login Attempt failed?

As I understand, it was possibly caused by the backend considering any 401/403 response to be a “failed login attempt”. I am not sure if this has been fixed.

If it were fixed, I’d expect not to have the issue any more? I don’t just have it on one rogue IP address. It’s on all the IP addresses that I access the lovelace UI from.

I was actually able to “fix”* this by making a small change to the dashboard that was causing the issues.

I should have shot a video because this is going to be hard with just words.

I have a 1080p screen mounted in the ‘portrait’ orientation.

In the above link, you can see the scroll bars on the screen. I have made some changes to the dashboard since that photo was taken, but I stopped getting a ton of “invalid login” messages as soon as I made a simple change.

Effectively, I removed the scroll bars by reducing the number of things on the page. Just before getting the “invalid notification” message several times a day, I added a few new entities to the bottom of a column on that dashboard. The new entities pushed the bottom of the page just slightly below the bottom of the screen… this resulted in scroll bars that were only a few pixels “long”.

The scroll bars were constantly appearing/disappearing because the graph cards have a small animation that plays when the data is being refreshed. When this animation was showing up / playing, the scroll bars would come/go.

As soon as I removed the extra entities, the total length of the columns was under the length of the screen. No constant scroll bars and it’s been almost 48h since my last “invalid login” message showed up.

If that was confusing, I’ll try to add back the entities and capture a quick video.


* I said “fix” above in quotes because the constant notification of invalid login seems to have gone, but the issue where graphs stop getting valid data has not gone. Every once in a while, the lines of the graphs will go flat (but, usually, some other elements of the page still work, e.g. I can tap buttons and they turn entities on/off as expected). Refreshing the page or just switching to a different dashboard and then back seems to solve the issue / get the graphs re-drawing properly. So there’s for sure some issue w/r/t stale auth or WSS connection that’s preventing some entities from getting new data but other entities still work.

I get those on my every time I leave the house pointing to public IP of cell phone

1 Like

I still get these occasionally. I have a weather map on my dashboard. Perhaps that’s triggering it?

1 Like

I still get these constantly.

1 Like

yep I get them as well, only my desktop IP in the alert, even though I use the companion app on like 3 other devices.

this still happens if you use xiaomi/roborock robot map card stuff

1 Like

This is still a problem

Hi,
I’ve been having this same issue. In my case, I know where it comes from: I have a couple of automations that play a sound or music at a precise time (mainly to remind my kids to prepare for school in the morning). My setup is Home Assistant OS, on a dedicated RPi4, MPD, with NGINX reverse proxy (the base one and not the NGINX Manager), all of which are installed on the same RPi4.

These automations all worked (including the sound)… I obviously lose the sound after getting banned, but all works before getting banned.

Here’s a couple of sections of Config.yaml, first:

homeassistant:
  auth_providers:
    - type: homeassistant    
    - type: trusted_networks
      trusted_networks:
        - xxx.xxx.xxx.0/30 # Local IPs
        - 127.0.0.1 # Local MPD
        - xxx.xxx.xxx.0/24 # NGinX
      allow_bypass_login: true
###########################################
http:
  use_x_forwarded_for: true
  trusted_proxies: 
    - xxx.xxx.xxx.xxx # couple of such lines for dedicated fixed adresses for local IPs
    - xxx.xxx.xxx.0/24 # NGinX
  ip_ban_enabled: true
  login_attempts_threshold: 5

The info I gathered seems to indicate that, when using an automation, MPD seems to go through an external path to get the music/sound to play. Even trying to “ease” the security through trusted_proxies or trusted_networks, MPD still bans itself in those automations.

I know that the trusted networks and trusted proxies can have overlaps, but when I tried to keep addresses only in trusted networks, I lose remote access, and trusted networks allows to skip login… that’s why I also keep it for local purposes…

I tried a lot of different possibilities, but I haven’t found the solution yet… Think I saw a couple of questions through the forums, so I know I’m not alone… but still no solutions.

Perhaps one of you will find that elusive solution… if so, please share, I’d be very happy to know about it!

1 Like

I had my Unifi Protect doorbell feed on my dashboard and constantly had these notifications. I’ve since removed the stream and put it in a card-mod popup instead. Doing so has solved the problem.

I’m in exactly the same boat as you; if you ever find a solution, please let me know.