One of the things that bothers me most is the message “Login Attempt failed” from different io addresses:
It’s quite frustrating
Same here; not a lot of context in logs so hard to pinpoint the origin. Would be nice if the log also have a bit more info.
It shows the client address. Which additional info would like to see here?
Well, on my system, it’s always a known device with HA configured and running properly. Yet it still creates these “login failed” errors. Completely unclear why.
Oh and don’t forget if you use nabucasa failed logins on that always show up as 127.0.0.1
I run HA Container, and I occasionally get a failed login from the IP address of the default gateway for the Docker network. Not sure why.
The log shows the docker internal IP. Which does not tell anything if you don’t have Portainer maybe, so some more info like the add-on or origin, used login method and the username used etc.
Right! Resolve the hostname from the IP if possible and shows that. That sounds sane and doable.
Well in my case my NAS has many containers linked to HA (nodered, mosquitto, deconz, mariadb) so some more info can be useful to understand which one is making trouble.
I’d like to understand why I’m getting these at all? As I said, I can identify every IP as a properly configured device, yet the notifications still persist. Is there some timeout thing that’s triggering it?
If you try to go to any endpoint without proper auth it gives this error.
excluding stuff like /local/, /hacsfiles/, Home Assistant JS
Does that mean the official apps are doing that? And the browser frontend? Can I make it stop? What’s the point of notifying something that I have zero control over, like a behaviour of the app?
Well if you go to any /api URL with no auth / wrong auth it’ll error out. I don’t know how to see what endpoints are causing these errors without using a proxy.
Want me to look? I have an nginx proxy 
My opinion is that it’s just that the apps are not actually looking at their credential expiry time, and only “notice” after they hit an endpoint for the first time and get 403/401 error. This generates the pointless notification, and the app goes and gets a new credential.
Maybe additional data, including user-agent, would help to diagnose a lot?
Yeah, include user agent, endpoint accessed, as well as IP. Maybe also provide a button to quick-ban the IP or IP range, and open a IP analyzer for more details?
The problem for me isn’t figuring out the host, that’s easily found by IP address. The problem is understanding why. They are all just standard browsers or iOS apps which I regularly use to access hass and it’s never related to mis-entering passwords on my part. All the passwords have been cached and working correctly for months. So it’s something internal that’s broken.
We need to get a good error message for this and get to the bottom of what’s going on or just turn it off, because after 2 years of getting these useless messages daily I’m pretty tired of it and I simply don’t use the notifications any more because I just assume that that’s all that’s there (so I miss important ones about expired tokens).
Geo-ip would be a nice feature you could enable as well.
Thank you for explaining this! It isn’t clear in the notification itself. To me it sounds like they’re just 403 errors from the local web server.
Wouldn’t it make much more sense to log these to home-assistant.log as errors, and not post persistent notifications for each occurrence?
The payload (or part of) or the user agent might be a good start for this. I did try an implementation, but it broke more than it fixed 