Originally created by palfrey as ban_allowlist. This fork builds on that work with a live Home Assistant IP ban and allowlist manager UI.
Warning
THIS IS A HACK. USE AT YOUR OWN RISK. Home Assistant does not provide a public integration API for changing the HTTP IP ban manager at runtime, so this integration uses a small internal hook around Home Assistant's built-in ban manager.
IP Ban Manager gives Home Assistant's built-in IP filtering and banning the management UI it has always needed: trusted networks, live ban review and removal, automatic-ban controls, diagnostics, services, and a proper integration icon.
IP Ban Manager turns the original YAML-only allowlist wrapper into a practical management panel for Home Assistant IP banning. Exact IP bans stay in Home Assistant's native live ban manager and ip_bans.yaml workflow; IP Ban Manager adds the UI, allowlist, managed network blocks, safety checks, diagnostics, and services around it.
| Release | Highlights |
|---|---|
| v1.1.2 | README and HACS display polish, including a more reliable license badge. |
| v1.1.1 | Repository brand assets so HACS and Home Assistant can discover the integration icon where supported. |
| v1.1.0 | Managed Blocked networks for CIDR ranges and IPv4 wildcard shorthand, allowlist precedence over blocked networks, automatic-ban notification control, and blocked-network diagnostics. |
| v1.0.0 | First public IP Ban Manager release with config-flow setup, YAML import, live Allowed IPs and Banned IPs editing, automatic-ban controls, services, diagnostics, and safer file handling. |
Core management features include:
- Setup: UI setup with automatic-ban controls,
127.0.0.1safe default, optional detected local subnet, and YAML import for existingban_allowlistusers. - Allowed IPs: live editable trusted IPs, CIDR networks, and IPv4 wildcard networks like
192.168.1.*. - Banned IPs: live exact-IP ban review, add, remove, and clear actions without restarting Home Assistant. Existing ban timestamps are shown as readable local times and preserved when unchanged.
- Blocked networks: managed CIDR or wildcard network blocks, enforced behind Home Assistant's native ban lookup without pretending
ip_bans.yamlsupports ranges. - Ordering and persistence:
ip_bans.yamlrewrites stay oldest-first so new exact bans appear at the bottom, matching Home Assistant's normal file behavior. - Notifications: matching stale Home Assistant ban/login notifications are dismissed when a ban is removed, and automatic-ban notifications can be disabled from the UI.
- Safety checks: malformed entries, all-Internet allowlist or block entries, exactly banned IPs that are also allowed, risky typo removals, and unconfirmed clear-all service calls are rejected before anything is written.
- Automation: services for adding, removing, and clearing exact bans plus adding and removing allowlist entries.
- Diagnostics: sensors for active bans, allowlisted networks, managed blocked networks, and failed-login sources.
|
|
|
This is a HACK because Home Assistant does not provide a public integration API for changing the HTTP IP ban manager at runtime. IP Ban Manager wraps Home Assistant's internal HTTP ban manager and failed-login handling so Home Assistant's built-in ban middleware still does the actual blocking, while this integration adds allowlists and live management on top.
That internal hook is intentionally small and covered by tests, but it is still internal Home Assistant behavior. Check release notes and test after Home Assistant updates, especially major releases.
Home Assistant has a very useful IP banning feature, which is nice for a private but externally facing instance. The missing feature is IP allowlists. Without an allowlist, your own home IP can get banned when something inside the house uses your external hostname. The position of the core devs appears to be "this is a bug with something else that we shouldn't workaround", but this integration keeps that workaround available and manageable.
If the button does not work, add Wheemer/ip-ban-manager to HACS manually as a custom integration repository.
After installing, restart Home Assistant once so the custom integration is loaded. Then add the integration from Settings > Devices & services > Add integration. Setup starts with the important controls only: automatic bans, the login-attempt threshold, and allowlist safe defaults for 127.0.0.1 plus, when detected, Home Assistant's local subnet. 127.0.0.1 is selected by default; the detected local subnet is available but not selected by default. Add or remove trusted LAN and remote IPs from Configure after setup.
Existing YAML configuration is imported automatically:
ban_allowlist:
ip_addresses: ["my.ip.address", "192.168.1.0/24", "192.168.2.*"]
Home Assistant's built-in HTTP banning must still be enabled:
http:
ip_ban_enabled: true
login_attempts_threshold: 5
If IP banning is not enabled, IP Ban Manager creates a Home Assistant repair warning with the required YAML and a link to the official HTTP documentation. It does not edit configuration.yaml automatically; that keeps existing http: settings, includes, comments, proxy configuration, and package layouts safe.
The options UI is the main workspace. Allowlist, ban list, and automatic-ban setting changes apply immediately; Home Assistant does not need to restart. The integration stores automatic-ban settings in its config entry and reapplies them when Home Assistant starts.
Open Settings > Devices & services > IP Ban Manager > Configure to:
- add safe defaults with checkboxes inside Allowed IPs
- edit Allowed IPs, one IP address, CIDR network, or IPv4 wildcard network per line
- enable or disable new automatic bans, automatic ban notifications, and the login-attempt threshold under Banned IPs
- edit Banned entries, one exact IP address per line
- edit Blocked networks, one CIDR network or IPv4 wildcard network per line
- view existing ban timestamps as readable local times in Banned IPs
- clear exact bans or managed blocked networks by emptying the matching field and submitting
Wildcard blocked-network entries such as 192.168.1.* are saved as 192.168.1.0/24. Exact banned IPs stay in Home Assistant's native live ban manager and ip_bans.yaml; CIDR and wildcard blocked networks are stored by IP Ban Manager and enforced behind the same native ban lookup. Allowed entries win over managed blocked networks, so you can block a subnet while keeping a trusted address allowed.
This gives you the practical behavior people expect from subnet banning without pretending Home Assistant's native ip_bans.yaml supports ranges. Exact IPs remain ordinary Home Assistant bans; managed networks are a small runtime layer that checks the same request path and still respects the allowlist first.
Existing exact banned IP rows are shown as IP - local ban time, oldest first. You can leave those timestamps in place when submitting; IP Ban Manager preserves the original ban date for unchanged bans. New exact banned IP rows can be entered as just the IP address, and Home Assistant records the current ban time when they are submitted. When the ban file is rewritten, entries are written oldest first so new exact bans appear at the bottom in both the UI and ip_bans.yaml.
The options UI validates edits before changing Home Assistant. It rejects all-Internet allowlist or blocked-network entries, IPs that are both allowed and exactly banned, and malformed entries. Service calls use the same safety posture for risky operations, including typo removals, allowlist networks that contain active exact bans, and clear-all ban requests without confirm: true.
The live hooks are installed at setup even if the initial allowlist is empty, so adding your first allowed IP later works immediately. If the integration is unloaded, those hooks are restored so Home Assistant is left in its normal state.
The integration also adds services for automations and scripts:
ban_allowlist.add_ip_banban_allowlist.remove_ip_banban_allowlist.remove_all_ip_bansban_allowlist.add_allowlist_networkban_allowlist.remove_allowlist_network
Adding an IP ban updates Home Assistant's live ban manager and persists to ip_bans.yaml. Removing a ban updates the live ban manager, clears any failed-login counter for that IP, and rewrites ip_bans.yaml. Clearing every ban requires confirm: true.
IP Ban Manager adds diagnostic sensors with count states and detailed attributes:
sensor.ip_ban_manager_active_banssensor.ip_ban_manager_allowlisted_networkssensor.ip_ban_manager_blocked_networkssensor.ip_ban_manager_failed_login_sources