home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0
71.58k stars 29.91k forks

My IP gets banned, without login attempts #26234

Closed. nitobuendia closed this 3 years ago

nitobuendia commented 5 years ago

Home Assistant release with the issue: Version: 0.97.2

Operating environment (Hass.io/Docker/Windows/etc.): Hass.io System: HassOS 2.12 Deployment: production Installed on Raspberry Pi 3

Component/platform: HTTP (ip_ban.yaml) / Auth

Description of problem: Every few days, I get my own IP banned. This usually happens while navigating on my Macbook or Android phone (web version).

If I am using DuckDNS URL, the IP that gets banned is always my external IP. This blocks me from using the DuckDNS URL. Then, I need to use the local Raspberry IP, use configurator to remove the IP Ban entry and get it fixed.

However, this also happens if I am using the local network IP for the Raspberry Pi to use the UI. In this case, my internal IP would be banned instead. I do not have an iPhone. I only use web on my Mac and Android phone. The Android phone is usually open in the Lovelace home view.

This is hard to reproduce, but it is happening at least once a week.

Problem-relevant configuration.yaml entries (fill out even if it seems unimportant):

ip_ban_enabled: true
login_attempts_threshold: 3

and my Auth provider is homeassistant:

auth_providers:
  - type: homeassistant

I have DuckDNS Add-On installed. However, as stated, it would ban internal or external IP depending on whether I am using DuckDNS URL or Raspberry Pi IP directly.

Additional information:

I do not want to disable either protection system, I just want to understand why my own IP gets banned without any manual intervention. Note that I’ve also checked the time at which I got banned, and there were no other devices connected to my internet. So it’s not like someone accessed my local network and sent requests on my behalf.

Any ideas on what could be triggering this?

matteofranceschini commented 5 years ago

I have the same issue with the iPhone app that connects via vpn to the raspberry with the app.

It looks like if I use the app from outside via VPN and then connect to my home wireless network, and the VPN disables itself for some reason, then I get a login failed.

I'm still trying to understand the exact situation that triggers this, but it happens daily.

DeviousPenguin commented 5 years ago

I think this may be due to unclean session disconnect / reconnect, maybe over websockets?

I get the same thing happen, I have a valid session cookie in my browser, yet when connecting to HA I get 'bad authentication attempt' in my log for the IP address that has already logged in.

This happens in both a normal http session using HA in browser, and also using HTTPS websockets using NGINX reverseproxy and tileboard.

A (bad) workaround is to use LLAT, I use LLAT with nodeRED websockets as currently that is the only way to do things.

nitobuendia commented 5 years ago

I have not been able to consistently reproduce it, so I cannot confirm @DeviousPenguin's hypothesis. However, I can confirm that I usually keep my Home Assistant tab open on both Mac and Android all the time.

Also, wanted to add that more people are reporting similar errors on the community, so it seems a bit widespread.

DeviousPenguin commented 5 years ago

I forgot to mention before that I'm currently moving from a HassIO based setup to a VENV based setup, however both setups have this issue.

The only thing I haven't tried yet it the Command Line auth provider as detailed here:

https://www.home-assistant.io/docs/authentication/providers/

I'm still moving things over between 2 Rpi's right now, but once I get everything working smoothly with my VENV based setup I may see if using the Command Line auth provider is a good workaround this issue.

Has anyone else tried it?

nitobuendia commented 5 years ago

@DeviousPenguin A "workaround" (or more like an alternative suggestion) in the Community is to toss away IP ban and add 2FA as a security replacement. Probably limiting to a range/set of IPs might be a good idea too, if possible. Not really a workaround, but a way to avoid the issue without compromising security.

lbouriez commented 5 years ago

Same issue, I had to disable ip_ban_enabled to access HA again. It started today...

stale[bot] commented 4 years ago

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue now has been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

DeviousPenguin commented 4 years ago

> @DeviousPenguin A "workaround" (or more like an alternative suggestion) in the Community is to toss away IP ban and add 2FA as a security replacement. Probably limiting to a range/set of IPs might be a good idea too, if possible. Not really a workaround, but a way to avoid the issue without compromising security.

Thanks, I may well give that a try. I'm not the only user however so I need to check that 2FA is OK for the other users, but so far with my IP ban set to 20 attempts per day I don't get bans very often but it is annoying as it's always machines that are already logged in getting banned.

> Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.

Updated to 0.103, issue not resolved

nitobuendia commented 4 years ago

After a long quiet time, this started happening to me again recently on version 0.103.5. The spike is "coincidentally" aligned with a change of domain (from DuckDNS to my own domain). It could also be correlated with having installed the PWA app.

firasnajjar commented 4 years ago

This is happening to me as well. Every couple of days, my iPhone's IP gets blocked. This happens only when I'm using the iPhone app. On the android app I do not see such thing.

DrCryptoToad commented 4 years ago

This just happened to me (v0.100.3). I was confused to see my internal IP address banned. I did not enter the password incorrectly, as it is usually always left logged in. When I couldn't login I reset the Pi and found that it was because my IP had been banned. I will try updating this week, though.

nitobuendia commented 4 years ago

I still experience it from time to time. I have not been able to consistently reproduce it, but usually it happens if I restart or re-login from one device, and then I use a different one. Does this resonate with others?

Something like:

firasnajjar commented 4 years ago

I think I can reproduce this. Sometimes, when I open the iOS app, it says that it is reconnecting. If you try to do anything while it is still reconnecting, e.g. turn on a light or anything else, afterwards I get blocked and a 403 error.

My assumption is that any action done while the app is reconnecting, will send a request to homeassistant possibly with an expired token which results in the ip of the phone being banned.

I hope this can help!

nitobuendia commented 4 years ago

@firasnajjar That's similar to the behaviour I observe too. Refreshing the page may refresh the credentials/token and make it work, but if you make actions before, it uses wrong/expired credentials and blocks you.

sloppycoffee commented 4 years ago

Having the same issue. Very annoying. Having external and internal ips banned even though I have been signed in on the tab for awhile.

ronytomen commented 4 years ago

Been experiencing this on Firefox, about 1 time a week. I haven't tracked it down, but it seems to happen when my laptop comes out of sleep.

jamman9000 commented 4 years ago

First time I've had this happen to me. I leave HA open in a tab all the time, sometimes jump from hardwired to wifi on the same network. The wired connection IP was banned today.

While this is still being investigated - how do we manually remove the ban of the IP??

sloppycoffee commented 4 years ago

> First time I've had this happen to me. I leave HA open in a tab all the time, sometimes jump from hardwired to wifi on the same network. The wired connection IP was banned today.
>
> While this is still being investigated - how do we manually remove the ban of the IP??

In the config directory you will see an IP.log. Open it up and remove your IP.
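The manual unban step several people ask about above (find the ban file in the config directory, delete your own address, restart) is easy to get wrong while locked out. The following is an added example for this thread, not Home Assistant's own code. It assumes the ban list is a YAML file in the config directory (Home Assistant names it ip_bans.yaml) whose entries have the shape `ADDRESS:` followed by one indented `banned_at:` line; the parser below handles only that shape so the script needs nothing beyond the standard library. The sample file contents are constructed for the example, and the `unban` helper can strip either named addresses or every private-range address, which is the case this thread is about (your own LAN client being banned).

```python
"""Remove entries from a Home Assistant ip_bans.yaml (added example, not project code).

Assumed file shape (this is an assumption about the format, not a project guarantee):

    192.168.1.20:
      banned_at: '2020-01-05T10:21:03'

Restart Home Assistant after rewriting the file, since bans are read at startup.
"""
import ipaddress
import sys
from typing import Dict, Iterable, List, Tuple

# Constructed sample contents of an ip_bans.yaml with one LAN and one public address.
SAMPLE = """\
192.168.1.20:
  banned_at: '2020-01-05T10:21:03'
1.2.3.4:
  banned_at: '2020-01-06T22:00:15'
"""

Bans = Dict[str, Dict[str, str]]


def parse_ip_bans(text: str) -> Bans:
    """Parse the two-level address -> {field: value} structure, rejecting anything else."""
    bans: Bans = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1].strip().strip("'\"")
            ipaddress.ip_address(current)  # raises ValueError on a non-address key
            bans[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # first colon only; timestamps contain colons
            bans[current][key.strip()] = value.strip().strip("'\"")
        else:
            raise ValueError(f"unexpected line in ban file: {raw!r}")
    return bans


def dump_ip_bans(bans: Bans) -> str:
    """Serialise back into the same shape, quoting values so timestamps stay strings."""
    out: List[str] = []
    for ip, fields in bans.items():
        out.append(f"{ip}:")
        for key, value in fields.items():
            out.append(f"  {key}: '{value}'")
    return "\n".join(out) + ("\n" if out else "")


def unban(bans: Bans, addresses: Iterable[str] = (), private_only: bool = False) -> Tuple[Bans, List[str]]:
    """Return (remaining bans, removed addresses). private_only drops every RFC 1918/loopback-style entry."""
    wanted = set(addresses)
    keep: Bans = {}
    removed: List[str] = []
    for ip, fields in bans.items():
        if ip in wanted or (private_only and ipaddress.ip_address(ip).is_private):
            removed.append(ip)
        else:
            keep[ip] = fields
    return keep, removed


if __name__ == "__main__":
    # Usage: python unban.py /config/ip_bans.yaml 192.168.1.20 [more addresses...]
    # With no addresses given, every private-range entry is removed.
    path = sys.argv[1] if len(sys.argv) > 1 else "ip_bans.yaml"
    with open(path, encoding="utf-8") as fh:
        current_bans = parse_ip_bans(fh.read())
    remaining, gone = unban(current_bans, sys.argv[2:], private_only=len(sys.argv) <= 2)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(dump_ip_bans(remaining))
    print("removed:", ", ".join(gone) or "nothing")
```

The address check in `parse_ip_bans` doubles as a sanity check that you are editing the right file: a key that is not an IP address aborts the run instead of silently rewriting some other YAML.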

DrCryptoToad commented 4 years ago

> First time I've had this happen to me. I leave HA open in a tab all the time, sometimes jump from hardwired to wifi on the same network. The wired connection IP was banned today.
>
> While this is still being investigated - how do we manually remove the ban of the IP??

I'm curious, what OS are you running Home Assistant on? I didn't realize that my system was on a totally deprecated OS (ResinOS) instead of HassOS. I haven't had the problem again for a couple of weeks now since I've upgraded. Maybe it just hasn't hit me again though.

sloppycoffee commented 4 years ago

> First time I've had this happen to me. I leave HA open in a tab all the time, sometimes jump from hardwired to wifi on the same network. The wired connection IP was banned today. While this is still being investigated - how do we manually remove the ban of the IP??
>
> I'm curious, what OS are you running Home Assistant on? I didn't realize that my system was on a totally deprecated OS (ResinOS) instead of HassOS. I haven't had the problem again for a couple of weeks now since I've upgraded. Maybe it just hasn't hit me again though.

Docker image.

jamman9000 commented 4 years ago

> First time I've had this happen to me. I leave HA open in a tab all the time, sometimes jump from hardwired to wifi on the same network. The wired connection IP was banned today. While this is still being investigated - how do we manually remove the ban of the IP??
>
> I'm curious, what OS are you running Home Assistant on? I didn't realize that my system was on a totally deprecated OS (ResinOS) instead of HassOS. I haven't had the problem again for a couple of weeks now since I've upgraded. Maybe it just hasn't hit me again though.

I forget how many months ago my build was freshly done. It's a whiskerz script that builds a Proxmox VM with one line of code, and his script takes care of the rest. Just a few months back, just before they changed the name away from Hass.io. I have static IPs set up, and typically keep up to date on all OS/HA updates within a week or two after they release to let the bugs get worked out.

ntilley905 commented 4 years ago

Has there been any progress on this issue? I am getting either my phone (iOS running the companion app) or my laptop (macOS running Firefox) banned at least once a week. Disabling IP banning is becoming tempting but it's an important part of my security.

Possibly worth mentioning: my partner never experiences this. The only behavior that is different between this is that she always force closes the companion app on iOS via the app switcher, so I imagine it is a clean session every time. That would point towards it still being something with the previous session having issues.

brianlane commented 4 years ago

I'm having this same issue however I never turned on ssh from my raspberryPi so I cannot access my pi from the Internal Url. How can I unblock my IP if my pi is running HA and I can't ssh into?

brianlane commented 4 years ago

> I'm having this same issue however I never turned on ssh from my raspberryPi so I cannot access my pi from the Internal Url. How can I unblock my IP if my pi is running HA and I can't ssh into?

Also, strangely, I cannot log in from any device externally but my other users still have access; unfortunately they are not administrators.

ttaidapos commented 3 years ago

A bit better with .115.# but I still get it. Eeerf, this is annoying. Need to SSH in, clear the IP ban, restart hass.

Tobu42 commented 3 years ago

Same problem here. At first I thought that my wife tried to login with wrong credentials several times, but this was never the case. Maybe it is also due to many sessions at the same time? I am logged in with different browsers and in the app on my smartphone that changes networks more often.

bdraco commented 3 years ago

It might be that just accessing a protected url is counting as an authentication attempt even if there are no credentials sent.
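The two hypotheses in this thread (firasnajjar's: actions fired while the app is still reconnecting go out with an expired token; bdraco's: a request to a protected URL with no credentials at all may count as a failed attempt) both come down to how the per-IP failure counter is fed. The model below is an added illustration written for this page, not Home Assistant's http or ban code, and it does not claim to match the project's internals. It assumes `login_attempts_threshold` semantics of "ban the address once its failure count reaches the threshold" and models two counting policies so the effect can be seen: a client that holds a stale token and issues three actions before its refresh completes trips a threshold of 3 on its own, and from then on even the refreshed, valid token gets a 403.

```python
"""Toy model of a per-IP failed-login counter (added example, not project code).

Assumptions, not project facts: a ban triggers once an address's failure count
reaches `threshold`; a request is a failure when its token is not valid; whether a
request carrying no credential at all counts is a policy switch, so both readings
raised in the thread can be tried side by side.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

VALID = "valid-token"      # stands in for a freshly refreshed access token
EXPIRED = "expired-token"  # stands in for a token the client has not yet refreshed


@dataclass
class Request:
    ip: str
    token: Optional[str]  # None: no Authorization header was sent at all


@dataclass
class BanTracker:
    threshold: int
    count_credential_less: bool = True  # policy: does a bare, credential-less request count?
    failures: Dict[str, int] = field(default_factory=dict)
    banned: Set[str] = field(default_factory=set)

    def handle(self, req: Request) -> int:
        """Return the HTTP status this request would get and update the counters."""
        if req.ip in self.banned:
            return 403
        if req.token == VALID:
            return 200
        if req.token is None and not self.count_credential_less:
            return 401  # challenge, but do not count it against the address
        count = self.failures.get(req.ip, 0) + 1
        self.failures[req.ip] = count
        if count >= self.threshold:
            self.banned.add(req.ip)
        return 401


def reconnecting_client(ip: str, actions_before_refresh: int) -> List[Request]:
    """The sequence described in the thread: N actions sent with the stale token,
    then the token refresh lands and the next request carries a valid token."""
    stale = [Request(ip, EXPIRED) for _ in range(actions_before_refresh)]
    return stale + [Request(ip, VALID)]


def replay(tracker: BanTracker, requests: List[Request]) -> List[int]:
    return [tracker.handle(r) for r in requests]


if __name__ == "__main__":
    # Same client, same stale token, thresholds 3 and 5: only the lower one locks itself out.
    for threshold in (3, 5):
        tracker = BanTracker(threshold=threshold)
        print(threshold, replay(tracker, reconnecting_client("192.168.1.20", 3)), sorted(tracker.banned))
```

Running the block shows the asymmetry people are hitting: no wrong password is ever typed, the address is banned purely by its own burst of stale-token requests, and a threshold of 3 leaves no headroom for that burst. The `count_credential_less` switch is there to test bdraco's reading; with it off, three bare requests from an address produce three 401 challenges but no ban.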

ttaidapos commented 3 years ago

Since version .115, as mentioned before, it has gotten better, and even better as of recent (116.4 with Python 3.8), but it's still there. If you don't respond quickly enough to dismiss it from the UI notifications, BOOM, you're whacked and need to SSH in to clear IP bans.

DeviousPenguin commented 3 years ago

I have a NodeRED flow that is able to remove the IP ban and restart HA, but this is only a workaround

steinmaerivoet commented 3 years ago

Experiencing the same issue. I have an Android wall-mounted tablet with the Home Assistant app, and from time to time I get several bad authentications in a row until the ban threshold is reached. Quite annoying: the white-label 403 page shows up and the house is uncontrollable for the non-techies here.

github-actions[bot] commented 3 years ago

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

DeviousPenguin commented 3 years ago

I think this issue may be related to the camera component. I've tried removing the camera component for testing and I'm no longer getting this issue, but when I add the camera back in, the issue returns.

nitobuendia commented 3 years ago

I never had the Camera component and this still happened to me.

It hasn't happened in a while, but last time I checked I did manage to see Network calls being unauthorized. For me, this is just the system using an expired credential, hitting endpoints and being blocked for wrong password when what should have happened is that the system should have prompted you to login instead.

ttaidapos commented 3 years ago

For what it's worth, I have a mounted tablet always on with hass. Typically a browser tab on as well. All on the same internal network.

AussiSG commented 2 years ago

I still have this problem and it just started recently.

And I have/get it through the use of the Android app....

dbrgn commented 7 months ago

One of my two Android devices (with the HASS app installed) gets banned regularly. The other doesn't. I don't have a clue what causes this, but I suspect a bug in the Android app?

It would be nice if this issue could get re-opened. It was marked as stale, even though a lot of people reported issues.

shkm commented 7 months ago

Same issue here. In my case it just seems to be iOS devices with the companion app — an iPad and Mac both get IP banned regularly; no problems with androids or web logins.