If you use Home Assistant, you are probably familiar with the integrated IP ban function, which automatically blocks IP addresses that repeatedly try to log in with incorrect credentials. This function ensures that potential attackers remain locked out. However, Home Assistant may also mistakenly block IP addresses that you always need, such as the internal IP of your router or other important devices in the network.
This is where the IP-Ban-Allowlist comes into play! With this extension, you define IP addresses or IP ranges (subnets) that should never be banned, even if several incorrect login attempts occur. The allowlist gives you back control and helps you to avoid unpleasant surprises.
For detailed instructions and an explanation of all configuration options, I recommend the YouTube video linked below. In this video, every single setting is explained in detail so that you receive comprehensive instructions for the exact setup. You can find any code from the video in this article so that you can use it directly without having to type it in.
What is the IP ban whitelist/allowlist?
With the IP-Ban-Allowlist you control which devices or IP addresses Home Assistant never bans. This means that your own devices (e.g. your smartphone or laptop) can always connect to your system, while unwanted access attempts from all other addresses are still blocked. This integration is based on a GitHub project developed by the community, which you can find at https://github.com/palfrey/ban_allowlist.
This function is particularly useful if you want to keep the ban function active against unauthorized devices, such as the IP address of an attacker, without locking out your own devices. With a well-configured IP ban allowlist, you can increase the security of your smart home installation and ensure a reassuring level of privacy.
IP ban allowlist in Home Assistant: How to protect important devices from accidental blocking
Why use an IP ban allowlist?
The IP ban allowlist reliably protects important devices that need to access Home Assistant, even if they have failed login attempts. This can be particularly useful for systems that access Home Assistant automatically and regularly - such as your automation servers or backup services, which may "make a mistake" from time to time.
Here are the biggest advantages:
- Protection against accidental locking: You no longer have to worry about your own devices being accidentally locked out.
- More control over the locking behavior: You specifically define the IPs that Home Assistant should not block, regardless of failed attempts.
- Trouble-free operation: Devices that you need for your smart home always remain accessible, which saves you valuable time when troubleshooting.
Installation of HACS and integration of IP-Ban-Allowlist in Home Assistant
Step 1: Installing HACS in Home Assistant
Home Assistant Community Store (HACS) is a custom add-on for Home Assistant that provides access to a variety of custom integrations and plugins developed by the community. How to install HACS:
- Check requirements: Make sure that your Home Assistant is up to date.
- Download and execute the script: Open a terminal for the Docker container version or the Core version.
  - Docker: Enter the container with the following command (or similar):
    docker exec -it homeassistant bash
  - Core: Switch to the user who is running Home Assistant.
  - Execute the following command for both variants:
    wget -O - https://get.hacs.xyz | bash -
- Restart Home Assistant: After the files have been copied, restart Home Assistant.
- Integrate HACS into Home Assistant: Go to "Configuration" > "Integrations" > "Add" in the Home Assistant interface and search for HACS. Add it and enter your GitHub token if prompted.
For the supervised version, please refer to the HACS documentation for the installation steps.
Step 2: Add IP Ban Allowlist integration via HACS
Once HACS is installed, you can simply add IP-Ban-Allowlist:
- Open HACS: Go to HACS in the Home Assistant interface.
- Open the advanced menu: Click on the three dots at the top right and then on "Custom repositories".
- Add repository: Enter the URL of the GitHub repository under "Repository" (https://github.com/palfrey/ban_allowlist) and select "Integration" as the type from the drop-down menu.
- Search for integration: Click on "Integrations" and use the search function to search for "IP-Ban-Allowlist". This confirms that everything has worked.
- Install IP-Ban-Allowlist: Find IP-Ban-Allowlist in the list and click on "Install". This will add the integration to your Home Assistant.
- Configure IP ban allowlist: Now edit your configuration.yaml, as the integration cannot be configured via the Home Assistant UI. Insert something like the following there:
  ban_allowlist:
    ip_addresses: ["my.ip.address", "another.network.address/24"]
- Restart Home Assistant: Restart Home Assistant to apply the changes.
Conclusion
With these steps, you have successfully installed HACS in your Home Assistant and added the IP Ban Allowlist integration. This powerful combination opens up a world of additional features and customizations that have been and are being developed by the Home Assistant community. More blog posts and videos on useful integrations to follow. If you don't want to miss out, subscribe to my YouTube channel!
Warning
If you use Home Assistant without direct Internet access and only include internal IP addresses in the Allowlist, you can use the IP ban Allowlist without any problems and without taking a security risk. For external access, we recommend using a VPN to access your system safely and securely.
However, great caution is required if you add external IP addresses to the allowlist and your Home Assistant instance can also be reached directly from the Internet, whether via an open port or services such as Nabu Casa. An incorrect configuration could mean that unauthorized login attempts are not blocked and that an attacker could potentially gain access to your smart home system.
Functionality & examples
The IP ban/allowlist integration for Home Assistant technically uses a less conventional method to circumvent the lack of a native allowlist function in the system. Home Assistant offers an IP banning function by default, which blocks IP addresses after several failed login attempts - handy if you want to secure a publicly accessible instance. However, it becomes problematic if this function also accidentally bans internal IP addresses, e.g. if an internal device addresses your Home Assistant via the external address.
As the Home Assistant developers do not see this as a bug in the system and reject a native allowlist function, the community had to get creative. The IP Ban Allowlist integration solves the problem with a "hack" by intervening directly in the HTTP handler of Home Assistant. It wraps the banning logic in a "wrapper" function that checks whether an IP address is on the allowlist before it is banned. This bypasses the internal banning, albeit in a technically risky way, as the code interferes deeply with Home Assistant's functionality and changes the HTTP mechanisms.
While this approach is backed up with an extensive test suite and regularly tested against all newer Home Assistant versions, it remains a "hack" without official support. It is important to use this solution with caution as future updates of Home Assistant could potentially cause incompatibilities.
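To make the wrapper idea described above concrete, here is a small sketch added for this article. It is not the integration's code and not Home Assistant's: ToyBanManager, install_allowlist, the threshold of 3 failures and the sample addresses are all assumptions made up for the illustration.

```python
import ipaddress
from collections import defaultdict

MAX_FAILED_LOGINS = 3  # assumed threshold for this sketch


class ToyBanManager:
    """Hypothetical stand-in for a login-ban component (not Home Assistant code)."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.banned = set()

    def record_failed_login(self, remote_ip):
        self.failures[remote_ip] += 1
        if self.failures[remote_ip] >= MAX_FAILED_LOGINS:
            self.banned.add(remote_ip)


def parse_allowlist(entries):
    """Turn single IPs and CIDR ranges into networks; invalid entries raise ValueError."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def install_allowlist(manager, entries):
    """Replace manager.record_failed_login with a wrapper that skips allowlisted IPs."""
    networks = parse_allowlist(entries)
    original = manager.record_failed_login

    def wrapper(remote_ip):
        address = ipaddress.ip_address(remote_ip)
        if any(address in network for network in networks):
            return  # allowlisted: the ban logic is never reached for this address
        original(remote_ip)

    manager.record_failed_login = wrapper


def simulate(entries, attempts):
    """Feed failed logins through a wrapped manager and return the banned IPs."""
    manager = ToyBanManager()
    install_allowlist(manager, entries)
    for ip in attempts:
        manager.record_failed_login(ip)
    return manager.banned


# Constructed sample: 5 failures from the router, 3 from an outside address, 2 from another LAN.
SAMPLE_ATTEMPTS = ["192.168.1.1"] * 5 + ["203.0.113.7"] * 3 + ["192.168.2.9"] * 2
```

Calling simulate(["192.168.1.0/24"], SAMPLE_ATTEMPTS) bans only 203.0.113.7, while the same attempts with an empty allowlist also ban the router.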
An example configuration could look like this:
ban_allowlist:
  ip_addresses:
    - 192.168.1.1 # Example IP address of your router
    - 192.168.1.2 # Additional IP address
    - 192.168.1.0/24 # Example for an entire subnet
Tips for using the IP ban allowlist
- Select subnets carefully: If you configure an entire subnet (e.g. 192.168.1.0/24), none of the devices in this network range will be blocked. Think carefully about how large the range should be so as not to jeopardize your security.
- Regular checks: Check your allowlist regularly to make sure that only the devices that should really be excluded from blocks are listed.
- Maintain safety precautions: Even with the Allowlist, each device should use a secure password to further protect your system.
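The regular check suggested in these tips, together with the warning about external addresses, can be automated. The following script is an added example, not part of the integration; the definition of "internal" ranges, the review threshold of 256 addresses and the sample entries are assumptions of this sketch.

```python
import ipaddress

# Assumption of this sketch: "internal" means RFC 1918, loopback or IPv6 unique-local space.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7")]
MAX_EXEMPT_ADDRESSES = 256  # assumed review threshold: flag anything wider than a /24


def audit_entry(entry):
    """Return (exempt_address_count, findings) for one allowlist entry."""
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return 0, ["invalid: not an IP address or CIDR range"]
    findings = []
    internal = any(network.version == r.version and network.subnet_of(r)
                   for r in INTERNAL_RANGES)
    if not internal:
        findings.append("external: never banned, even if the instance is reachable from the Internet")
    if network.num_addresses > MAX_EXEMPT_ADDRESSES:
        findings.append("wide: %d addresses are never banned" % network.num_addresses)
    if network.prefixlen < network.max_prefixlen and \
            str(network.network_address) != entry.split("/")[0]:
        findings.append("host bits: entry covers all of %s" % network)
    return network.num_addresses, findings


def audit_allowlist(entries):
    """Audit every entry of the ip_addresses list from configuration.yaml."""
    return {entry: audit_entry(entry) for entry in entries}


# Constructed sample entries; 203.0.113.7 is a documentation address standing in for an external IP.
SAMPLE_ALLOWLIST = ["192.168.1.1", "192.168.1.0/24", "192.168.0.0/16",
                    "203.0.113.7", "another.network.address/24"]

if __name__ == "__main__":
    for entry, (count, findings) in audit_allowlist(SAMPLE_ALLOWLIST).items():
        print(entry, count, findings or "ok")
```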
What to do in case of problems?
If Home Assistant nevertheless bans an important IP address that you have not entered in the allowlist, you can remove this block manually:
- Check logs: Check the Home Assistant logs to see if and why a specific IP has been blocked.
- Customize allowlist: Add the affected IP to the allowlist to prevent future blocks.
- Delete IP ban file: If access is still blocked, you can delete the file .storage/ip_bans.yaml and restart Home Assistant. This will remove all IP bans.
Conclusion
The IP ban allowlist gives you control over which IP addresses Home Assistant is guaranteed not to block. This protects important internal devices and prevents your smart home system from being disrupted by false alarms.