The settings are on the Web Server tab. Setup > WebServer tab

Right. But where is the explanation of these settings?

I'm not sure these need any more explanition that is provided on the page.
- Enable turns it on
- Time to block is how much time to block
- etc

But what do they block? Under what circumstances? Is IP hack blocking responsible for this line in my log?

If so, why does it block it? There are no log entries preceding it indicating any unauthorized login attempts from that IP address (see fuller log excerpt in post above).

These settings look like they're obvious, but something unobvious is going on, so the first step to understanding that would seem to be understanding how IP hack blocking works...

Thanks!

By design it is supposed to block an IP when a certain amount of bad logon/password combos are submitted.

Shouldn't those bad logon/password combos be recorded in the log? I'm trying to work out why HS is blocking an IP address, when no unauthorized login attempts have first been recorded in the log. On the contrary, the log shows successful, authorized logins from the IP in question, before it's blocked without explanation...

The log excerpt is above, and I'm trying to work out what's going on. I find it particualrly frustrating that this feature seems to be totally undocumented, not just in HomeSeer, but in the entire googlesphere.

It is poorly documented because it is another case of us adding a feature quickly to answer calls from our users to do something about the hackers from China trying to gain access to computers so they can surf the Internet. We have not even decided if we are going to keep the feature since a lot of people just disable it.

It works by tracking how often an IP address hits the server and gains access without authentication.

It can be flawed because when your browser is retrieving certain types of files, it does so without authentication being required, and so those get chalked up to a hit of an unauthenticated access. However, this flaw is why the parameters can be configured.

When you first access a web page, the browser is retrieving graphic files and other objects before or while it is doing the authentication. The page won't render without authentication, but these objects increase the hit count before the authentication is done. When the authentication is done, your browser remembers your credentials until you close the browser, and so you do not get prompted again. However, one web page with only a few objects on it can actually cause 20 or more "GET" requests to the server because of all of the discrete objects on the page. People do not realize it, but your browser is sending authentication data MANY times for a single web page.

If we changed the logging to log each object rather than on the main page itself, then your log file would fill your hard drive in a VERY short time, and then we'd be getting calls from users telling us to stop filling their log files with useless junk.

Hope that helps - if it is failing on an authenticated access, then there are probably a lot of objects on the page being retrieved - try increasing the threshold levels and it should help.

Thanks Tink, that's a big help. I'll experiment with the number of invalid access hits parameter to see what works. My app needs to be reliable, but I'd still like some extra protection.

In fact, I too ended up turning it off - and lo and behold, there was the documentation! If you turn this feature off (it's on by default), then hit Save, the following explanation is seen on the Web Server Setup screen:

I never thought to turn a feature off to find documentation, but there it is.

Thanks again,

-jim.