fail2ban


This is a quick guide on how to set up fail2ban for Home Assistant. It contains extracts from "Is there a log file for invalid logins? (Blocking hackers)".

Installing fail2ban

Debian/Ubuntu:

$ sudo apt-get install fail2ban

CentOS/RHEL:

$ sudo yum install epel-release
$ sudo yum install -y fail2ban

Fedora:

$ sudo dnf install -y fail2ban

For other package managers use the appropriate commands.

Enable Home Assistant Logging

First, enable http.ban logging in the configuration.yaml file for your Home Assistant instance:

logger:
  default: critical
  logs:
    homeassistant.components.http.ban: warning

Restart Home Assistant to activate the changes:

$ sudo systemctl restart home-assistant

Tail the Home Assistant log, then log out of the Home Assistant web interface and attempt to log in with an incorrect password. Look for a line like Login attempt or request with invalid authentication from xxx.xxx.xxx.xxx:

$ tail -f /home/homeassistant/.homeassistant/home-assistant.log | grep WARNING
2018-08-29 14:28:15 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from xxx.xxx.xxx.xxx

Configure fail2ban

Next we will create a filter and jail file for fail2ban:

  • /etc/fail2ban/filter.d/ha.conf
  • /etc/fail2ban/jail.d/ha.conf

Contents of /etc/fail2ban/filter.d/ha.conf:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
ignoreregex =

Contents of /etc/fail2ban/jail.d/ha.conf. Note that you'll need to change the logpath to match your log file, which will be different from the path listed:

[DEFAULT]
# Email config
sender = email@address.com
destemail = email@address.com

# Action "%(action_mwl)s" will ban the IP and send an email notification including whois data and log entries.
action = %(action_mwl)s

[ha]
enabled = true
filter = ha
logpath = /home/homeassistant/.homeassistant/home-assistant.log

# 3600 seconds = 1 hour
bantime = 3600
# During testing it is useful to have a short ban interval; comment out the following line later
bantime = 30

# Maximum number of login attempts before IP is blocked
maxretry = 3

Restart fail2ban:

$ sudo systemctl restart fail2ban

Confirm fail2ban is running:

$ sudo systemctl status fail2ban

Check that the ha jail is active:

$ sudo fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	ha

Testing fail2ban

Tail the fail2ban log file, then log out of the Home Assistant web interface and attempt to log in again with an incorrect password.

$ sudo tail -f -n 20 /var/log/fail2ban.log
2018-08-29 13:25:37,907 fail2ban.server         [10208]: INFO    Starting Fail2ban v0.10.3.fix1
2018-08-29 13:25:37,916 fail2ban.database       [10208]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-08-29 13:25:37,918 fail2ban.jail           [10208]: INFO    Creating new jail 'ha'
2018-08-29 13:25:37,922 fail2ban.jail           [10208]: INFO    Jail 'ha' uses poller {}
2018-08-29 13:25:37,922 fail2ban.jail           [10208]: INFO    Initiated 'polling' backend
2018-08-29 13:25:37,932 fail2ban.filter         [10208]: INFO    Added logfile: '/home/homeassistant/.homeassistant/home-assistant.log' (pos = 5873, hash = 02ec3aefc005465a6cd8db91eff2d5e57c45757e)
2018-08-29 13:25:37,932 fail2ban.filter         [10208]: INFO      encoding: UTF-8
2018-08-29 13:25:37,933 fail2ban.filter         [10208]: INFO      maxRetry: 3
2018-08-29 13:25:37,934 fail2ban.filter         [10208]: INFO      findtime: 600
2018-08-29 13:25:37,934 fail2ban.actions        [10208]: INFO      banTime: 30
2018-08-29 13:25:37,938 fail2ban.jail           [10208]: INFO    Jail 'ha' started
2018-08-29 13:27:49,125 fail2ban.filter         [10208]: INFO    [ha] Found xxx.xxx.xxx.xxx - 2018-08-29 13:27:48
2018-08-29 13:27:51,330 fail2ban.filter         [10208]: INFO    [ha] Found xxx.xxx.xxx.xxx - 2018-08-29 13:27:51
2018-08-29 13:27:52,533 fail2ban.filter         [10208]: INFO    [ha] Found xxx.xxx.xxx.xxx - 2018-08-29 13:27:52
2018-08-29 13:27:52,678 fail2ban.actions        [10208]: NOTICE  [ha] Ban xxx.xxx.xxx.xxx
2018-08-29 13:28:23,941 fail2ban.actions        [10208]: NOTICE  [ha] Unban xxx.xxx.xxx.xxx
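
The ban decision seen in this log, reproduced offline as an added example (not part of the original guide and not fail2ban's own code): three matches for one address inside findtime trigger a ban, while the same number of failures spread over a longer period does not. The regex is a simplified stand-in for the filter above (it approximates <HOST> with an IPv4 pattern and skips %(__prefix_line)s), and the log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the page's failregex. fail2ban itself strips the
# timestamp and expands %(__prefix_line)s and <HOST>; here <HOST> is
# approximated by an IPv4 pattern (assumption made for this example).
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*"
    r"Login attempt or request with invalid authentication from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\b"
)

MAXRETRY = 3    # maxretry from the jail file
FINDTIME = 600  # seconds; the findtime value reported in fail2ban.log

# Constructed sample log using documentation-range addresses.
SAMPLE_LOG = """\
2018-08-29 14:00:00 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.5
2018-08-29 14:08:00 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.5
2018-08-29 14:16:00 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.5
2018-08-29 14:28:15 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.0.2.10
2018-08-29 14:28:17 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.0.2.10
2018-08-29 14:28:18 WARNING (MainThread) [example.component] Unrelated warning mentioning 192.0.2.10
2018-08-29 14:28:20 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.0.2.10
"""

def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: timestamp of the failure that would trigger the ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # lines the filter does not match are ignored
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > window:  # drop failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry and host not in bans:
            bans[host] = ts
    return bans

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when}")
```

On the host itself, fail2ban-regex /home/homeassistant/.homeassistant/home-assistant.log /etc/fail2ban/filter.d/ha.conf runs the real filter against the real log and reports how many lines matched.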

Now that fail2ban is working, it can be enabled for startup at boot time. Also raise the bantime from 30 seconds to whatever you would like; 8 hours is 28800 seconds.

$ sudo sed -i 's/bantime = 30/bantime = 28800/g' /etc/fail2ban/jail.d/ha.conf
$ sudo systemctl enable fail2ban
$ sudo systemctl restart fail2ban

A final note: if you need to unban an IP, it can be done with fail2ban-client:

$ sudo fail2ban-client set JAILNAME unbanip IPADDRESS

e.g.:

$ sudo fail2ban-client set ha unbanip xxx.xxx.xxx.xxx

Fail2ban should now be configured and running. If an IP address is banned, you will receive an email with WHOIS details about the IP address that attempted to connect; if you do not, you will need to configure Postfix or another MTA (Mail Transport Agent).

If you want to read more about fail2ban, some links are below: