Hello all, I'm using the Emby built-in SSL for external announcement and I'm trying to write a fail2ban filter for direct Emby log support. In reviewing the logs I was only able to find a log line with the connecting IP in the HTTP 401 response. Initially I was just going to regex that; however, on further review I'm seeing non-auth fail 401 messages returned. That leaves me having to try to mangle together some multiline regex nightmare, trying to match first the authentication failure line and then the 401 for the <HOST> IP. I've been working on this all day, and I'm not even sure it's possible. I know many people use a reverse proxy and fail2ban on the Apache logs, but I'd prefer to use the Emby native SSL since it's there. Has anyone figured out the regex for this?

_______________________________________________________________________________________________________________________________
2016-02-14 15:55:43.8718 Info UserManager: Authentication request for <username> has been denied.
2016-02-14 15:55:43.8820 Error DtoUtils: ServiceBase<TRequest>::Service Exception
	*** Error Report ***
	Version: 3.0.5821.0
	Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh
	Operating system: Unix 3.19.0.25
	Processor count: 8
	64-Bit OS: True
	64-Bit Process: True
	Program data path: /var/lib/emby-server
	Mono: 4.2.1 (Stable 4.2.1.102/6dd2d0d Thu Dec 3 04:04:55 UTC 2015)
	Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe
	Invalid user or password entered.
	MediaBrowser.Controller.Net.SecurityException
	at MediaBrowser.Server.Implementations.Session.SessionManager+<AuthenticateNewSession>c__asyncC.MoveNext () <0x41c76b00 + 0x0080b> in <filename unknown>:0
	--- End of stack trace from previous location where exception was thrown ---
	at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () <0x7fa7314f36d0 + 0x00029> in <filename unknown>:0
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) <0x7fa7314f16b0 + 0x000a7> in <filename unknown>:0
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) <0x7fa7314f1630 + 0x0006b> in <filename unknown>:0
	at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) <0x7fa7314f15e0 + 0x0003a> in <filename unknown>:0
	at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () <0x7fa7314f1d10 + 0x00017> in <filename unknown>:0
	at MediaBrowser.Api.UserService+<Post>c__async1.MoveNext () <0x41c75ea0 + 0x00680> in <filename unknown>:0
2016-02-14 15:55:43.8849 Error HttpServer: Error processing request for /emby/Users/authenticatebyname
	*** Error Report ***
	Version: 3.0.5821.0
	Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh
	Operating system: Unix 3.19.0.25
	Processor count: 8
	64-Bit OS: True
	64-Bit Process: True
	Program data path: /var/lib/emby-server
	Mono: 4.2.1 (Stable 4.2.1.102/6dd2d0d Thu Dec 3 04:04:55 UTC 2015)
	Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe
	Invalid user or password entered.
	ServiceStack.HttpError
	No Stack Trace Available
2016-02-14 15:55:43.8913 Info HttpServer: HTTP Response 401 to <Offending IP>. Time: 32ms.
https://<server address>:8920/emby/Users/authenticatebyname
____________________________________________________________________________________________________________________________________

It would be nice if the Emby logs included the offending IP in the authentication failure line. That regex would be straightforward.

2016-02-14 15:55:43.8718 Info UserManager: Authentication request for <username> has been denied from <Offending IP>

Thanks ahead of time

-everydayevil
- 51 replies
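The correlation the post describes can be done statefully instead of with one multiline regex. The following is an added example, not code from the original post, Emby or fail2ban: it pairs each "has been denied" line with the next 401 response for the authenticatebyname URL and ignores other 401s. The names `failed_logins` and `WINDOW`, the two-second window, and the sample log lines (constructed, with documentation-range IPs) are assumptions; it also assumes the URL appears on the 401 line or the line after it, as in the excerpt above.

```python
import re
from datetime import datetime, timedelta

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
DENIED = re.compile(TS + r" Info UserManager: Authentication request for (?P<user>.+) has been denied\.")
RESP401 = re.compile(TS + r" Info HttpServer: HTTP Response 401 to (?P<ip>[0-9A-Fa-f:.]+)\. Time:")
AUTH_URL = re.compile(r"/Users/authenticatebyname\b", re.I)
WINDOW = timedelta(seconds=2)  # assumed maximum gap between a denial and its 401

SAMPLE = """\
2016-02-14 15:55:43.8718 Info UserManager: Authentication request for alice has been denied.
2016-02-14 15:55:43.8820 Error DtoUtils: ServiceBase<TRequest>::Service Exception
    Invalid user or password entered.
2016-02-14 15:55:43.8849 Error HttpServer: Error processing request for /emby/Users/authenticatebyname
2016-02-14 15:55:43.8913 Info HttpServer: HTTP Response 401 to 203.0.113.7. Time: 32ms.
https://emby.example.test:8920/emby/Users/authenticatebyname
2016-02-14 15:56:10.1200 Info HttpServer: HTTP Response 401 to 198.51.100.9. Time: 3ms.
https://emby.example.test:8920/emby/Items/123
""".splitlines()  # constructed sample, modelled on the excerpt in the post

def parse_ts(s):
    # The log uses four fractional digits; pad to microseconds.
    head, frac = s.split(".")
    return datetime.strptime(head, "%Y-%m-%d %H:%M:%S") + timedelta(microseconds=int(frac.ljust(6, "0")[:6]))

def failed_logins(lines):
    """Return (401 timestamp, user, ip) for each denial followed by a 401 on the auth URL."""
    lines = list(lines)
    hits, pending = [], None  # pending = (time, user) of the last unmatched denial
    for i, line in enumerate(lines):
        m = DENIED.match(line)
        if m:
            pending = (parse_ts(m["ts"]), m["user"])
            continue
        m = RESP401.match(line)
        if not m or pending is None:
            continue  # not a 401, or a 401 with no preceding denial
        # The URL is on the 401 line itself or on the continuation line after it.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if re.match(TS, nxt):
            nxt = ""  # next line is a new log entry, not a continuation
        when = parse_ts(m["ts"])
        if AUTH_URL.search(line + " " + nxt) and when - pending[0] <= WINDOW:
            hits.append((m["ts"], pending[1], m["ip"]))
            pending = None
    return hits

if __name__ == "__main__":
    print(failed_logins(SAMPLE))
```

A single pending slot means interleaved failures from several clients can be attributed to the wrong address, so the window should stay short.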