I wanted to share my fail2ban configuration for people that want to protect against a brute force attack. Fail2ban is a piece of software that will monitor log files for authentication failures, then ban the source IP address after so many attempts to protect against a brute force attack. I searched around for a tutorial or how-to on how to implement this for emby and came up short, so I decided to give it a try and got it to work without much trouble at all. I wouldn't consider myself an expert and this is my first how-to I have ever written, so if I made a mistake or I'm wrong let me know, and use my instructions at your own risk.

USE AT YOUR OWN RISK

THIS PROBABLY WILL NOT WORK IF YOU ARE USING EMBY CONNECT

I'm not using emby connect because I think it has some security problems listed here: https://emby.media/community/index.php?/topic/80497-log-out-security-hole/

You need to install fail2ban. For my setup with ubuntu 18.10 I used (should be the same for debian but I haven't tested):

    sudo apt install fail2ban

To get fail2ban working with emby there are two parts, filter and jail; they both have their directories (jail.d) (filter.d) in /etc/fail2ban/

    cpeng@g5500:~$ cd /etc/fail2ban/
    cpeng@g5500:/etc/fail2ban$ ls
    action.d fail2ban.conf fail2ban.d filter.d jail.conf jail.d paths-arch.conf paths-common.conf paths-debian.conf paths-opensuse.conf

The jail controls what happens with an authentication error and the filter tells how to read the log to find the error.

Create a filter:

    cpeng@g5500:/etc/fail2ban$ sudo nano filter.d/emby.conf

/etc/fail2ban/filter.d/emby.conf

    # Fail2Ban for emby
    #
    #
    [Definition]
    failregex = AUTH-ERROR: <HOST> - Invalid user or password entered
    ignoreregex =

EDIT: New failregex proposed (below) by @nayr to catch 401 errors and attempts to find valid user names

    [Definition]
    failregex = AUTH-ERROR: <HOST> - Invalid user
                HTTP Response 401 to <HOST>.

The failregex tells what the log line will have in it that designates a fail, and "<HOST>" designates the actual IP address. That error looked like this:

    2019-12-24 11:12:00.326 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered.

So I assumed that AUTH-ERROR will be unique to login errors, which is why I started the filter with that.

Next you have to create the jail in:

    cpeng@g5500:/etc/fail2ban$ sudo nano jail.d/emby.local

/etc/fail2ban/jail.d/emby.local

    [emby]
    enabled = true
    filter = emby
    logpath = /var/lib/emby/logs/embyserver.txt
    port = 80,443

I use a reverse proxy that uses ports 80,443, but if you aren't doing that then you want to block the default ports 8096,8920.

The logpath may vary by distribution; you can find yours in your dashboard under paths. There are other options that you can add. My default ban time was 10 minutes and max number of retries was 5, which is default, which seemed fine to me.

The last thing you need to do is reload fail2ban so it re-reads the files.

    sudo systemctl reload fail2ban

Then test by entering the wrong password into emby and confirm that it blocks you. Check out the fail2ban.log at /var/log/fail2ban.log

    tail /var/log/fail2ban.log

For testing this command might also come in handy:

    sudo fail2ban-client unban --all

Hope this is helpful.

P.S. I recently switched from plex to emby for the dvr service and so far I have been very impressed and happy with how it works. I got tired of all the bugs with plex, that would never get fixed, instead we got new "features" and new interfaces. The icing on the cake is how responsive the developers are on these forums.
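
To check the two failregex patterns from the EDIT before relying on them, this added example (not part of the original post, and not fail2ban's own code) matches them against constructed log lines and applies the max retries of 5 the post mentions. The IPv4-only `<HOST>` expansion, the 10-minute `findtime`, the layout of the 401 line and every log line except the one quoted in the post are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption; the
# real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The two failregex lines from the EDIT in the post, with <HOST> expanded.
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"AUTH-ERROR: <HOST> - Invalid user",
    r"HTTP Response 401 to <HOST>.",
)]
# Constructed sample log: only the first line is quoted in the post; the
# 401/200 line layout, addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
2019-12-24 11:12:00.326 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered.
2019-12-24 11:12:04.010 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered.
2019-12-24 11:12:09.500 Info HttpServer: HTTP Response 401 to 10.9.162.31.
2019-12-24 11:12:15.000 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered.
2019-12-24 11:12:20.750 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered.
2019-12-24 11:13:00.000 Info HttpServer: HTTP Response 200 to 10.9.162.40.
2019-12-24 11:14:00.000 Warn HttpServer: AUTH-ERROR: 10.9.162.40 - Invalid user or password entered.
"""

def parse(line):
    """Return (timestamp, host) if the line matches a failregex, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            ts = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S.%f")
            return ts, m.group("host")
    return None

def hosts_to_ban(log, maxretry=5, findtime=timedelta(minutes=10)):
    """Hosts that reach maxretry matching lines within one findtime window."""
    seen = defaultdict(list)   # host -> failure timestamps still in the window
    banned = []
    for line in log.splitlines():
        hit = parse(line)
        if hit is None:
            continue
        ts, host = hit
        # Drop failures older than findtime, then record this one.
        seen[host] = [t for t in seen[host] if ts - t <= findtime] + [ts]
        if len(seen[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

On a host with fail2ban installed, `fail2ban-regex /var/lib/emby/logs/embyserver.txt /etc/fail2ban/filter.d/emby.conf` runs the real matcher over the actual log and reports how many lines each failregex hit.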