I noted that I was getting a warning sometimes telling me that my password seems insecure (or words similar to that) on HASSIO.
I decided to change my password in the configuration and then had all sorts of problems.
When trying to browse to HASSIO via the external hostname I could not log on. No warning of incorrect credentials, just not logging in and staying on the login screen.
Logging on using the local hostname showed that the IP address of my router was blocked. This is the 1st time I had ever seen this message for any IP address.
I presumed this was because the IOS app on my phone was trying to access HASSIO using the external hostname using the 'old' password. I changed the password, shut down the app, commented out the router IP address in the ip_bans.yaml file and restarted HASSIO.
I watched the logs as the system booted and noted that a few times the router IP address tried to log in and was refused due to incorrect credentials. This again resulted in the router IP address being banned/blocked.
I also noted that I got the same message about my (new) password seems weak
I left it for a bit longer (an hour maybe) like this and got another message stating that another IP address had been banned (92.207.7.175). I dismissed this message and a little later got another message about another IP address being banned (didn't note this one).
So, I decided to comment out these IP addresses from the ip_bans.yaml file and reboot HASSIO again to see if it happened again. The only entry was for my router IP address, which I was a little surprised about. I changed the external hostname port to a random high number and routed this through to my local HASSIO port. This allowed me to log in ok from the external hostname, and after few hours no IP bans or incorrect logins have occurred.
Next I closed the external port on my router. Obviously no access via the external hostname, but after about 14 hrs no record of the router IP being banned or incorrect login attempts.
So a few questions arise.
• What are the criteria for the 'your password seems weak' message?
• Since I had never seen a message about banned IP addresses until very soon after I had changed my password, does this mean something or someone was logging in unhindered to HASSIO using my old password?
• Are the banned IP addresses being stored somewhere other than just ip_bans.yaml? If not, why was only the router IP address in there?
A bit about my setup, as I am sure it will be asked:
• HASSIO v0.76.1 on a RPi3
• Router has 1 port forwarded to local port of hassio (8123) (disabled at the moment)
• My external IP address is fixed
• MQTT server on a separate RPi 2 (not exposed to external network)
• Addons
  • Samba share (no guest access, passworded)
  • TasmoAdmin
  • HADashboard
  • DuckDNS with Let's Encrypt
  • Log Viewer
  • Configurator
  • InfluxDB
  • SSH server using RSA Key and password
  • Grafana (disabled)
The message you are seeing is published by the configurator add-on. The relevant part of the code is here. I implemented this back when there were a lot of threads about security and people getting 'hacked'. The intention is to notify people with weak passwords that they should do something about that.
To break down the check the configurator performs on the api_password:
Password should be 8 characters or more
Password should contain numbers and letters
Password should have some complexity. aaaaaaa1 for example is not unique enough. abcd1234 is. aaaaaaaaaaaaaaaaa234 would be considered safe as well even though it is not very unique. But a longer password compensates for missing uniqueness (brute-force attacks take significantly longer even with low complexity).
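One way to implement the three rules described above, as an added Python example written for this thread (not the configurator add-on's own code); the `complexity_score` threshold is an assumed interpretation of the "length compensates for uniqueness" rule, chosen so that the three example passwords above are classified as stated:

```python
from __future__ import annotations

import re

# Assumed thresholds: the thread states "8 characters or more"; the
# complexity threshold is this example's interpretation, not the add-on's value.
MIN_LENGTH = 8
MIN_COMPLEXITY = 8


def complexity_score(password: str) -> int:
    """Distinct characters, plus one point per character beyond MIN_LENGTH.

    A long password of low uniqueness (aaaaaaaaaaaaaaaaa234) still scores
    high because its length compensates for the repeated characters.
    """
    distinct = len(set(password))
    length_bonus = max(0, len(password) - MIN_LENGTH)
    return distinct + length_bonus


def password_warnings(password: str) -> list[str]:
    """Return the reasons a password would be flagged; empty if none."""
    warnings = []
    if len(password) < MIN_LENGTH:
        warnings.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[0-9]", password) and re.search(r"[A-Za-z]", password)):
        warnings.append("does not contain both letters and numbers")
    if complexity_score(password) < MIN_COMPLEXITY:
        warnings.append("too many repeated characters for its length")
    return warnings


def seems_weak(password: str) -> bool:
    """True when at least one rule is violated."""
    return bool(password_warnings(password))


if __name__ == "__main__":
    # The three examples from the explanation above plus one constructed case.
    for candidate in ["aaaaaaa1", "abcd1234", "aaaaaaaaaaaaaaaaa234", "abcdefgh"]:
        verdict = "weak" if seems_weak(candidate) else "ok"
        print(f"{candidate!r}: {verdict} {password_warnings(candidate)}")
```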
Sounds like you dismissed a notification from the UI; that should be the 'Failed login attempt' notification. And one failed login attempt will not get the IP banned until it exceeds the throttle you set in config.
Thanks for the explanation. Didn't think my password was that weak, but maybe it is! By accident in both passwords there were 2 repeated digits, so even though both passwords were > 14 digits I guess this is what was picked up?
Anyway, I probably need to put more thought into my passwords in future…
I did dismiss this message…
…expecting it to pop up again the next time an invalid authentication was detected, even if it was from the same IP address. Not sure this is the case but will test further when I get a chance.
It looks like from testing today the 'Banning IP address' message pops up on the 11th attempt to log in.
I still don't fully understand why my router IP got banned. I had assumed that the router IP was banned because when an external IP address was forwarded it assumed the router IP address, but that doesn't make sense because otherwise I would not have got external IP addresses showing login attempt failure (?)
There are warnings for both. Which one is meant is mentioned in the warning. You didn't post the exact phrase, so I thought the api-password was the relevant one. Sorry for the inconvenience.
You should always set a strong password on your router so that nobody can access your internet connection. If you have a Linksys router and you want to set a strong password or change its password then you may visit this link How To Change Password On Linksys Router to know how to change its password.