WTH are those Login Attempt failed?

Hi, I ended up here as well… have 4 instances of HA. 2 production and 2 dev/test. In all 4 I have this.

I get is from mobile browser access, mobile companion access and desktop browser access… both via direct “internal”, and external access via nabu casa and as well reverse proxy logins.

If I add the local network as trusted I get other weird behaviour like I suddenly have to login randomly and the browser seems not to remember the session (likewise the app).

How can I get rid of the mostly annoying messages?

@reinder83 did you succeed in configuring Home Assistant for a reverse proxy as @frenck suggested? If so would you mind sharing what steps you took?

I’d love to get rid of these warnings. As I have IP banning set-up sometimes I lock myself out of my home assistant…

Here are some examples of the warnings I get:

  • Login attempt or request with invalid authentication from a0d7b954-nginxproxymanager.local.hass.io (172.30.33.7). (Mozilla/5.0 (Linux; Android 11; AC2003 Build/RP1A.201005.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/89.0.4389.105 Mobile Safari/537.36)
  • Login attempt or request with invalid authentication from 192.168.0.158 (192.168.0.158). (Mozilla/5.0 (Linux; Android 11; SM-A705FN Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/89.0.4389.105 Mobile Safari/537.36)

Many people seem to be sufering from these kind of warnings as demonstrated by for example this post and this one but the topics don’t really contain pointers about how to go about solving the issue.

Yeah I did, the only difference is the IP addresses in the warnings are from the actual device instead of a docker IP, so im still getting those.

Could this have something to do with ad-blocker/adguard/trackers/ blocker etc. in browsers???

oh man… well at least it’s one step forward in terms of solving the actual problem.
I’m not too sure what I should add to my configuration.yaml to configure home assistant for reverse proxies.
I have added the following:

http:
  use_x_forwarded_for: true 
  trusted_proxies:
    - 172.30.33.7

The IP address I used here is the one that is mentioned in the Home Assistant errors and if I look in portainer that is indeed the internal adress used in docker.
But this is completely unrelated to the actual internal ip adresses I use here at home, which looks like 192.168.0.158 for example, so I wasn’t too sure whether I should really be placing some internal docker IP adress here that a normal user (that doesn’t start digging into the portainer add-on) is not even supposed to know about at all.

EDIT: I see someone has proposed here to add some instructions on precisely these questions in the NGINX Proxy manager documentation here: Include `use_x_forwarded_for` instructions in doc · Issue #109 · hassio-addons/addon-nginx-proxy-manager · GitHub
But it was automatically closed after having received to response.

1 Like

I’m also having the same issue, I think it is something to do with the reverse proxy as I am using NginX proxy manager. I think the issue may be caused by token’s as the issue only seems to occur once the app is resting in the background and then is switched back to causing the authentication to fail? Although I don’t know how to confirm this. I think you guys probably have your proxy set up correctly because I’m getting failed login attempts with the correct IP’s from the device that is logging in.

If you guys aren’t getting the correct IP I can send my config.yml file however this won’t solve the login attempt failed issues.

Same issue. Near each time I open the app, there is this notification. I think it comes from the very Android phone I’m opening it on but I’m not sure… Very annoying.

2 Likes

Same issue here, happens every single time I open the Home Assistant app on Android. It gives my local address of the phone when I’m at home and my WAN IP when I’m not at home. So it seems like it’s not just confined to Reverse Proxy!

Login attempt or request with invalid authentication from ConorPhone.broadband (192.168.0.37). See the log for details.

Very frustrating as I’m one of those OCD people about notifications! :joy:

5 Likes

I’m having this issue at the moment. I think it might be because of the camera entity related to the Xiaomi vacuum map extractor HACS integration.

1 Like

I’ve also started noticing this after I updated to the xiaomi vacuum map card v2.0. Happens with companion app as well as browser on my laptop.

1 Like

Nothing has substantially changed. I’m going on 3 years of these messages. Probably related to cameras.

1 Like

Yes, I still get these messages every day. Probably related to tabs/devices going to sleep with camera panels open (not a reverse proxy issue). At this point I wonder if it’s more effective to just look for a way to disable these notices entirely.

1 Like

Mine seem to be coming from the companion app mostly, but sometimes come from the browser if I hadn’t used the tab for a while. I’m guessing it’s something to do with refreshing the token.

It is to do with token for camera when picture-entity is used. When you are coming back to the page it still has an old token. I had to disable fail2ban because of this.

2 Likes

Sometimes you just have to live with it. As long as it’s an internal issue, just ignore it. At least that’s what I do. I would prefer the dev to focus on many other improvements required. Three years later, it should have been fixed if it could. I still enjoy the system, never mind the yellow annoying notification down the page.

Yeah I’ve just trained myself to ignore notifications altogether… which is fine until something important shows up there…

1 Like

Yeah that’s the problem. If you’re getting flooded with meaningless warnings and condition yourself to ignore them, you’ll miss the one real warning that matters.

I have the same problem with these notifications, I have had it since I started using HA. Mine come from using Tileboard on my phone (which uses the HA websocket API). When I leave the page open and the phone goes to sleep, when I wake it up again I get the login warning in the log. I assume it’s trying to access the API with an expired token after waking up, before renewing it.

@resoai, since you’re already around here, did you experience similar issues with TB ?

My workaround was to add a custom user agent string on my phone with a long GUID (using Fully Kiosk) and then patch HA to not log a login warning when it’s tagged with that specific user agent GUID. I only use Fully to access HA and nothing else, so the user agent shouldn’t get leaked. But it’s a hacky workaround and I’m not too proud of it.

2 Likes

I was excited to see the new local user only account that came in the December release. So I setup a guest and had them sign into the app on their phone when they were watching our house at Christmas. Now that they are off our network, I am getting these messages. I could ask them to uninstall the app, but then when they are here next time, I’ll have to help them sign in again. I understand it and it’s because the account is probably trying to ping my home assistant when off the local network, so it’s a failure, but I wish it wouldn’t show as a notification. Or certainly a lower priority one that doesn’t trigger the orange circle.

1 Like

@hoyt I’ve seen this notification show up as well. Over the past couple days I’ve done a fresh install, I have Z-Wave JS integrations for light control and not much else. I don’t have the cameras mentioned above.
I added two Android users with the Companion App and that went fine, running the Nabu Casa 1-month trial at the moment, that went fine.
Then I added another android user via a cheap tablet and set it to be a local-only account. Immediately I have these notifications on every access from that tablet.
During the setup the Companion app picked up my local server IP as expected (192.168… address) and when my connection broke and I saw the settings had auto-populated the Nabu Casa URL, I’m thinking this might be what’s causing the issue as the user is supposed to be local.

I’m going to open a question about getting to that settings page, because I still don’t get it.
Edit: I didn’t end up making that post because I was just not looking in the right place. In case others have the same issue I’ve described it in this reply: Internal and External URL - #8 by dabell

I have the same password (on the same installation) for two years, yet I’m getting these bogus notifications from devices that are obviously correctly logged in for years as well. It’s apparently a bug or something. At the very least, there should be an ignore button.

1 Like