Showing results for tags 'fail2ban'.
-
Hi everyone, I'm trying to get fail2ban working for Emby / Docker. Currently running in Ubuntu Mint Ubuntu 24.04 and have docker set to map the /config/logs directory to a local folder on the host. As far as I can tell I've got everything set up right but the filter is not matching anything it seems and it never logs failed logins to the jail. Also I don't recall where I noted them but I did see some weird characters in some kind of fail2ban logs for Emby. They were non-printable or invisible characters but I don't know that those would affect the regex especially since the manual regex test is passing. Does anyone have any ideas or see something overly obvious that I'm missing? Also worth noting I manually tested the regex pattern and it matches.

Docker Compose to map logs to local directory

version: "2.3"
services:
  emby:
    image: emby/embyserver:beta
    container_name: embyserver
    runtime: nvidia # Expose NVIDIA GPUs
    network_mode: host # Enable DLNA and Wake-on-Lan
    environment:
      - UID=1000 # The UID to run emby as (default: 2)
      - GID=1000 # The GID to run emby as (default 2)
      - GIDLIST=1000 # A comma-separated list of additional GIDs to run emby as (default: 2) #44,992
      - NVIDIA_VISIBLE_DEVICES=all
      - NVIDIA_DRIVER_CAPABILITIES=compute,utility,video
    volumes:
      - /home/r3al/Desktop/Docker/Emby/programdata/:/config # Configuration directory
      - /media/r3al/New Volume/TT/TV/:/mnt/tv # Media directory
      - /media/r3al/New Volume/TT/Movies/:/mnt/movies # Media directory
      - /media/r3al/New Volume/TT/Live TV Recordings/:/mnt/mixed # Media directory
      - "/home/r3al/Desktop/Docker/Emby/logs/:/config/logs"
    ports:
      - 8096:8096 # HTTP port
    devices:
      # - /dev/nvidia-uvm:/dev/nvidia-uvm # Added nvidia devices here
      # - /dev/nvidia-uvm-tools:/dev/nvidia-uvm-tools # Added nvidia devices here
      # - /dev/nvidia-modeset:/dev/nvidia-modeset # Added nvidia devices here
      # - /dev/nvidiactl:/dev/nvidiactl # Added nvidia devices here
      # - /dev/nvidia0:/dev/nvidia0 # Added nvidia devices here
      - /dev/dri:/dev/dri # VAAPI/NVDEC/NVENC render nodes
      - /dev/dri/renderD128:/dev/dri/renderD128
    restart: on-failure

/etc/fail2ban/filter.d/emby.conf

[Definition]
failregex = "http/1.1 Response 401 to <HOST>"

/etc/fail2ban/jail.d/emby.local

[emby]
enabled = true
port = 8096
filter = emby
logpath = /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
maxretry = 3
findtime = 600
bantime = 43200

Working manual regex test

sudo fail2ban-regex /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt "http/1.1 Response 401 to <HOST>"

Manual Regex test returns

Running tests
=============

Use   failregex line : http/1.1 Response 401 to <HOST>
Use         log file : /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
Use         encoding : UTF-8

Results
=======

Failregex: 14 total
|-  #) [# of hits] regular expression
|   1) [14] http/1.1 Response 401 to <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [339] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 474 lines, 0 ignored, 14 matched, 460 missed
[processed in 0.23 sec]

Other troubleshooting things

sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Sat 2024-08-24 21:14:29 EDT; 16min ago
       Docs: man:fail2ban(1)
   Main PID: 51845 (fail2ban-server)
      Tasks: 7 (limit: 18710)
     Memory: 20.0M (peak: 21.5M)
        CPU: 5.311s
     CGroup: /system.slice/fail2ban.service
             └─51845 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

sudo fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:   emby, sshd

sudo tail -f /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt

2024-08-25 01:30:00.040 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired.
2024-08-25 01:30:00.040 Error Server: Access token is invalid or expired.
2024-08-25 01:30:00.040 Info Server: http/1.1 Response 401 to 192.168.15.202. Time: 3ms.
GET http://192.168.15.201:8096/Users/4ab54b48711e48a7af67df8da7a587db/Items/Latest?Limit=12&ParentId=4
2024-08-25 01:35:00.122 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired.
2024-08-25 01:35:00.122 Error Server: Access token is invalid or expired.
2024-08-25 01:35:00.122 Info Server: http/1.1 Response 401 to 192.168.15.202. Time: 2ms.
GET http://192.168.15.201:8096/Users/4ab54b48711e48a7af67df8da7a587db/Items/Latest?Limit=12&ParentId=4
2024-08-25 01:36:59.424 Info HttpClient: GET https://www.mb3admin.com/admin/service/EmbyPackages.json
2024-08-25 01:40:00.076 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired.
2024-08-25 01:40:00.076 Error Server: Access token is invalid or expired.
2024-08-25 01:40:00.076 Info Server: http/1.1 Response 401 to 192.168.15.202. Time: 3ms.
GET http://192.168.15.201:8096/Users/4ab54b48711e48a7af67df8da7a587db/Items/Latest?Limit=12&ParentId=4
2024-08-25 01:43:48.212 Info Server: http/1.1 POST http://media.eternaltek.xyz/emby/Users/authenticatebyname?X-Emby-Client=Emby Web&X-Emby-Device-Name=Safari iOS&X-Emby-Device-Id=cdf1ca5b-4fe1-453d-a08b-22539010875d&X-Emby-Client-Version=4.9.0.29&X-Emby-Language=en-us.
Source Ip: 172.58.127.8, Accept=application/json, Connection=close, Host=media.eternaltek.xyz, User-Agent=Mozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1, Accept-Encoding=gzip, deflate, br, Accept-Language=en-US,en;q=0.9, Content-Type=application/x-www-form-urlencoded; charset=UTF-8, Origin=https://media.eternaltek.xyz:23606, Referer=https://media.eternaltek.xyz:23606/web/index.html, Content-Length=12, X-TLS-Cipher=TLS_AES_128_GCM_SHA256, X-TLS-Protocol=TLSv1.3, X-TLS-SNI-Host=media.eternaltek.xyz, X-Real-IP=172.58.127.8, X-Forwarded-For=172.58.127.8, X-Forwarded-Proto=https, X-Forwarded-Port=23606, X-Forwarded-Host=media.eternaltek.xyz, X-TLS-Client-Intercepted=Unknown, sec-fetch-site=same-origin, sec-fetch-mode=cors, sec-fetch-dest=empty, priority=u=3, i
2024-08-25 01:43:48.212 Error DefaultAuthenticationProvider: Invalid username or password. No user named Dfv exists
2024-08-25 01:43:48.213 Error UserManager: Error authenticating with provider Default
	*** Error Report ***
	Version: 4.9.0.29
	Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
	Operating system: Linux version 6.8.0-41-generic (buildd@lcy02-amd64-100) (x86_64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.
	OS/Process: x64/x64
	Framework: .NET 8.0.6
	Runtime: system/System.Private.CoreLib.dll
	Processor count: 10
	Data path: /config
	Application path: /system
	System.Exception: System.Exception: Invalid username or password.
	   at Emby.Server.Implementations.Library.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
	   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser, CancellationToken cancellationToken)
	Source: Emby.Server.Implementations
	TargetSite: System.Threading.Tasks.Task`1[MediaBrowser.Controller.Authentication.ProviderAuthenticationResult] Authenticate(System.String, System.String, MediaBrowser.Controller.Entities.User)
2024-08-25 01:43:48.213 Info UserManager: Authentication request for Dfv has been denied.
2024-08-25 01:43:48.214 Warn Server: AUTH-ERROR: 172.58.127.8 - Invalid username or password entered.
2024-08-25 01:43:48.214 Error Server: Invalid username or password entered.
2024-08-25 01:43:48.214 Info Server: http/1.1 Response 401 to 172.58.127.8. Time: 3ms.
POST http://media.eternaltek.xyz/emby/Users/authenticatebyname?X-Emby-Client=Emby Web&X-Emby-Device-Name=Safari iOS&X-Emby-Device-Id=cdf1ca5b-4fe1-453d-a08b-22539010875d&X-Emby-Client-Version=4.9.0.29&X-Emby-Language=en-us
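One check worth making on a filter that passes fail2ban-regex on the command line but never fires in the jail: the failregex value is read from the filter file by a ConfigParser-style reader, which keeps any quote characters as part of the value (fail2ban's own config reader is built on ConfigParser and behaves the same way), whereas the shell strips the quotes before fail2ban-regex ever sees the inline pattern. The added example below, which is not code from the post or from fail2ban, loads the posted filter both as written and without the quotes and runs it over lines constructed from the post's log excerpt; HOST_RE is a simplified IPv4-only stand-in for fail2ban's <HOST> tag.

```python
"""Added example: how an INI reader returns a quoted failregex, and what
that does to matching. Sample log lines are constructed after the post."""
import configparser
import re

# The filter exactly as posted (quotes around the pattern) and the same filter without them.
QUOTED_FILTER = '[Definition]\nfailregex = "http/1.1 Response 401 to <HOST>"\n'
PLAIN_FILTER = '[Definition]\nfailregex = http/1.1 Response 401 to <HOST>\n'

# Constructed lines modelled on the post's embyserver.txt excerpt.
SAMPLE_LOG = """\
2024-08-25 01:30:00.040 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired.
2024-08-25 01:30:00.040 Info Server: http/1.1 Response 401 to 192.168.15.202. Time: 3ms.
2024-08-25 01:36:59.424 Info HttpClient: GET https://www.mb3admin.com/admin/service/EmbyPackages.json
2024-08-25 01:43:48.214 Info Server: http/1.1 Response 401 to 172.58.127.8. Time: 3ms.
"""

# Simplified stand-in for fail2ban's <HOST> tag: dotted IPv4 only (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def load_failregex(filter_text: str) -> str:
    """Read failregex the way an INI reader does: quotes are kept, not stripped."""
    cp = configparser.RawConfigParser()  # Raw: no %-interpolation of the value
    cp.read_string(filter_text)
    return cp.get("Definition", "failregex")


def matching_hosts(filter_text: str, log_text: str) -> list:
    """Return the host captured from every log line the filter's failregex matches."""
    pattern = re.compile(load_failregex(filter_text).replace("<HOST>", HOST_RE))
    return [m.group("host") for line in log_text.splitlines() if (m := pattern.search(line))]


if __name__ == "__main__":
    # The quoted form needs literal double quotes in the log line, so it matches nothing.
    print("quoted:", matching_hosts(QUOTED_FILTER, SAMPLE_LOG))
    print("plain: ", matching_hosts(PLAIN_FILTER, SAMPLE_LOG))
```

fail2ban-regex also accepts the filter file path in place of an inline pattern (fail2ban-regex <logfile> /etc/fail2ban/filter.d/emby.conf), which tests the value the server will actually load rather than what the shell hands over.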
-
I wanted to share my fail2ban configuration for people that want to protect against a brute force attack. Fail2ban is a piece of software that will monitor log files for authentication failures then ban the source ip address after so many attempts to protect against a brute force attack. I searched around for a tutorial or how-to on how to implement this for emby and came up short, so I decided to give it a try and got it to work without much trouble at all. I wouldn't consider myself an expert and this is the first how-to I have ever written so if I made a mistake or I'm wrong let me know, and use my instructions at your own risk.

USE AT YOUR OWN RISK

THIS PROBABLY WILL NOT WORK IF YOU ARE USING EMBY CONNECT

I'm not using emby connect because I think it has some security problems listed here https://emby.media/community/index.php?/topic/80497-log-out-security-hole/

You need to install fail2ban. For my setup with ubuntu 18.10 I used (should be the same for debian but I haven't tested):

sudo apt install fail2ban

To get fail2ban working with emby there are two parts, filter and jail; they both have their directories (jail.d) (filter.d) in /etc/fail2ban/

cpeng@g5500:~$ cd /etc/fail2ban/
cpeng@g5500:/etc/fail2ban$ ls
action.d  fail2ban.conf  fail2ban.d  filter.d  jail.conf  jail.d  paths-arch.conf  paths-common.conf  paths-debian.conf  paths-opensuse.conf

The jail controls what happens with an authentication error and the filter tells how to read the log to find the error.

Create a filter:

cpeng@g5500:/etc/fail2ban$ sudo nano filter.d/emby.conf

/etc/fail2ban/filter.d/emby.conf

# Fail2Ban for emby
#
#
[Definition]
failregex = AUTH-ERROR: <HOST> - Invalid user or password entered
ignoreregex =

EDIT: New failregex proposed (below) by @nayr to catch 401 errors and attempts to find valid user names

[Definition]
failregex = AUTH-ERROR: <HOST> - Invalid user
            HTTP Response 401 to <HOST>.

The failregex tells what the log line will have in it that designates a fail and "<HOST>" designates the actual ip address. That error looked like this:

2019-12-24 11:12:00.326 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered.

So I assumed that AUTH-ERROR will be unique to login errors which is why I started the filter with that.

Next you have to create the jail in

cpeng@g5500:/etc/fail2ban$ sudo nano jail.d/emby.local

/etc/fail2ban/jail.d/emby.local

[emby]
enabled = true
filter = emby
logpath = /var/lib/emby/logs/embyserver.txt
port = 80,443

I use a reverse proxy that uses ports 80,443, but if you aren't doing that then you want to block the default ports 8096,8920. The logpath may vary by distribution; you can find yours in your dashboard under paths. There are other options that you can add; my default ban time was 10 minutes and max number of retries was 5, which is the default and seemed fine to me.

The last thing you need to do is reload fail2ban so it re-reads the files.

sudo systemctl reload fail2ban

Then test by entering the wrong password into emby and confirm that it blocks you. Check out the fail2ban.log at /var/log/fail2ban.log

tail /var/log/fail2ban.log

For testing this command might also come in handy:

sudo fail2ban-client unban --all

Hope this is helpful.

P.S. I recently switched from plex to emby for the dvr service and so far I have been very impressed and happy with how it works. I got tired of all the bugs with plex, that would never get fixed, instead we got new "features" and new interfaces. The icing on the cake is how responsive the developers are on these forums.
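Added example, not code from the post or from fail2ban: it replays constructed lines in the 2019 log format above through the two-pattern failregex and applies the jail settings the post relies on (maxretry 5, with fail2ban's default findtime of 10 minutes) to show which hosts would be banned. One rejected login writes both an AUTH-ERROR line and a 401 line, so both patterns fire for every attempt and the effective retry budget is about half the configured maxretry; HOST_RE is a simplified IPv4-only stand-in for <HOST>.

```python
"""Added example: sliding-window failure counting over constructed Emby log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # simplified IPv4-only stand-in for <HOST>
FAILREGEX = [r"AUTH-ERROR: <HOST> - Invalid user", r"HTTP Response 401 to <HOST>\."]
PATTERNS = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
MAXRETRY, FINDTIME = 5, timedelta(minutes=10)   # maxretry from the post, findtime default


def failed_login_lines(host, when):
    """The two lines one rejected login produces (constructed after the post's sample)."""
    stamp = f"{when:%Y-%m-%d %H:%M:%S}"
    return [f"{stamp}.326 Warn HttpServer: AUTH-ERROR: {host} - Invalid user or password entered.",
            f"{stamp}.330 Info HttpServer: HTTP Response 401 to {host}. Time: 5ms."]


def failures(lines):
    """Yield (timestamp, host) once per line that any failregex matches."""
    for line in lines:
        for pat in PATTERNS:
            if m := pat.search(line):
                stamp = datetime.strptime(TS_RE.match(line).group(1), "%Y-%m-%d %H:%M:%S")
                yield stamp, m.group("host")
                break


def banned_hosts(lines):
    """A host is banned once it has MAXRETRY failures inside a sliding FINDTIME window."""
    recent, banned = defaultdict(list), set()
    for stamp, host in failures(lines):
        recent[host] = [t for t in recent[host] if stamp - t <= FINDTIME] + [stamp]
        if len(recent[host]) >= MAXRETRY:
            banned.add(host)
    return banned


def sample_log():
    """Constructed log: three hosts with different failure patterns."""
    base, lines = datetime(2019, 12, 24, 11, 12, 0), []
    for i in range(3):   # three bad logins in three minutes -> 6 matches, banned
        lines += failed_login_lines("10.9.162.31", base + timedelta(minutes=i))
    for i in range(2):   # two bad logins -> 4 matches, not banned
        lines += failed_login_lines("10.9.162.40", base + timedelta(minutes=i))
    for i in range(3):   # three bad logins an hour apart -> never 5 in one window
        lines += failed_login_lines("10.9.162.50", base + timedelta(hours=i))
    return lines


if __name__ == "__main__":
    print(sorted(banned_hosts(sample_log())))
```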
-
Hello all, I'm using the emby built-in ssl for external announcement and I'm trying to write a fail2ban filter for direct emby log support. In reviewing the logs I was only able to find a log line with the connecting IP in the HTTP 401 response. Initially I was just going to regex that, however on further review I'm seeing non-auth-fail 401 messages returned. That leaves me having to try to mangle together some multiline regex nightmare trying to match first the authentication failure line then the 401 for the <HOST> ip. I've been working on this all day, I'm not even sure it's possible. I know many people use reverse proxy and fail2ban on the apache logs but I'd prefer to use the emby native ssl since it's there. Has anyone figured out the regex for this?

_______________________________________________________________________________________________________________________________

2016-02-14 15:55:43.8718 Info UserManager: Authentication request for <username> has been denied.
2016-02-14 15:55:43.8820 Error DtoUtils: ServiceBase<TRequest>::Service Exception
	*** Error Report ***
	Version: 3.0.5821.0
	Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh
	Operating system: Unix 3.19.0.25
	Processor count: 8
	64-Bit OS: True
	64-Bit Process: True
	Program data path: /var/lib/emby-server
	Mono: 4.2.1 (Stable 4.2.1.102/6dd2d0d Thu Dec 3 04:04:55 UTC 2015)
	Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe
	Invalid user or password entered.
	MediaBrowser.Controller.Net.SecurityException
	  at MediaBrowser.Server.Implementations.Session.SessionManager+<AuthenticateNewSession>c__asyncC.MoveNext () <0x41c76b00 + 0x0080b> in <filename unknown>:0
	--- End of stack trace from previous location where exception was thrown ---
	  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () <0x7fa7314f36d0 + 0x00029> in <filename unknown>:0
	  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) <0x7fa7314f16b0 + 0x000a7> in <filename unknown>:0
	  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) <0x7fa7314f1630 + 0x0006b> in <filename unknown>:0
	  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) <0x7fa7314f15e0 + 0x0003a> in <filename unknown>:0
	  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () <0x7fa7314f1d10 + 0x00017> in <filename unknown>:0
	  at MediaBrowser.Api.UserService+<Post>c__async1.MoveNext () <0x41c75ea0 + 0x00680> in <filename unknown>:0
2016-02-14 15:55:43.8849 Error HttpServer: Error processing request for /emby/Users/authenticatebyname
	*** Error Report ***
	Version: 3.0.5821.0
	Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh
	Operating system: Unix 3.19.0.25
	Processor count: 8
	64-Bit OS: True
	64-Bit Process: True
	Program data path: /var/lib/emby-server
	Mono: 4.2.1 (Stable 4.2.1.102/6dd2d0d Thu Dec 3 04:04:55 UTC 2015)
	Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe
	Invalid user or password entered.
	ServiceStack.HttpError
	No Stack Trace Available
2016-02-14 15:55:43.8913 Info HttpServer: HTTP Response 401 to <Offending IP>. Time: 32ms.
https://<server address>:8920/emby/Users/authenticatebyname

____________________________________________________________________________________________________________________________________

It would be nice if the emby logs included the offending IP in the authentication failure line. That regex would be straightforward.

2016-02-14 15:55:43.8718 Info UserManager: Authentication request for <username> has been denied from <Offending IP>

Thanks ahead of time
-everydayevil
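Added example, not the poster's code and not a fail2ban filter: a small two-line correlator for the case described above, which counts an HTTP 401 as a login failure only when a "has been denied" line preceded it within a short window, so 401s returned for other reasons are ignored. The sample lines are constructed after the post's excerpt, with made-up usernames and documentation IP addresses in place of the <username> and <Offending IP> placeholders; the two-second window is an assumption.

```python
"""Added example: attribute an IP-less 'denied' line to the 401 that follows it."""
import re
from datetime import datetime, timedelta

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+"
DENIED_RE = re.compile(TS + r" Info UserManager: Authentication request for \S+ has been denied\.")
RESP401_RE = re.compile(TS + r" Info HttpServer: HTTP Response 401 to (?P<host>\d{1,3}(?:\.\d{1,3}){3})\.")
WINDOW = timedelta(seconds=2)   # assumption: the 401 lands within 2 s of the denial


def _ts(m):
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")


def login_failures(lines) -> list:
    """Return the host of every 401 that closely follows a denied login."""
    pending, hits = None, []
    for line in lines:
        if m := DENIED_RE.match(line):
            pending = _ts(m)               # remember the denial; its host is still unknown
        elif m := RESP401_RE.match(line):
            if pending is not None and _ts(m) - pending <= WINDOW:
                hits.append(m.group("host"))
            pending = None                 # each denial is consumed by one 401 at most
    return hits


# Constructed sample: a real login failure, a 401 with no preceding denial
# (e.g. an expired token), and a denial whose 401 arrives too late to pair.
SAMPLE = """\
2016-02-14 15:55:43.8718 Info UserManager: Authentication request for alice has been denied.
2016-02-14 15:55:43.8820 Error DtoUtils: ServiceBase<TRequest>::Service Exception
2016-02-14 15:55:43.8913 Info HttpServer: HTTP Response 401 to 203.0.113.9. Time: 32ms.
https://emby.example.net:8920/emby/Users/authenticatebyname
2016-02-14 15:57:01.1000 Info HttpServer: HTTP Response 401 to 198.51.100.7. Time: 3ms.
https://emby.example.net:8920/emby/Items/Latest
2016-02-14 15:58:10.2000 Info UserManager: Authentication request for bob has been denied.
2016-02-14 15:58:30.3000 Info HttpServer: HTTP Response 401 to 192.0.2.5. Time: 4ms.
""".splitlines()

if __name__ == "__main__":
    print(login_failures(SAMPLE))   # only the 401 paired with a denial
```

Inside fail2ban itself the same pairing can be expressed in a filter with the maxlines setting and the <SKIPLINES> tag, which the single-line failregex in the other posts does not need.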
- 51 replies