Search the Community
Showing results for tags 'fail2ban'.
I wanted to share my fail2ban configuration for people that want to protect against a brute force attack. Fail2ban is a piece of software that will monitor log files for a authentication failures then ban the source ip address after so many attempts to protect against a brute force attack. I searched around for an tutorial or how to on how to implement this for emby and came up short, so I decided to give it a try and got it to work without much trouble at all. I wouldn't consider myself an expert and this is my first how to I have every written so if I made a mistake or I'm wrong let me know, and use my instructions at your own risk. USE AT YOUR OWN RISK THIS PROBABLY WILL NOT WORK IF YOU ARE USING EMBY CONNECT I'm not using emby connect because I think it has some security problems listed here https://emby.media/community/index.php?/topic/80497-log-out-security-hole/ You need to install fail2ban For my setup with ubuntu 18.10 I used, (should be the same for debian but I haven't tested) sudo apt install fail2ban To get fail2ban working with emby there are two parts, filter and jail, they both have their directories (jail.d) (filter.d) in /etc/fail2ban/ cpeng@g5500:~$ cd /etc/fail2ban/ cpeng@g5500:/etc/fail2ban$ ls action.d fail2ban.conf fail2ban.d filter.d jail.conf jail.d paths-arch.conf paths-common.conf paths-debian.conf paths-opensuse.conf The jail controls what happens with an authentication error and the filter tells how to read the log to find the error. Create a filter: cpeng@g5500:/etc/fail2ban$ sudo nano filter.d/emby.conf /etc/fail2ban/filter.d/emby.conf # Fail2Ban for emby # # [Definition] failregex = AUTH-ERROR: <HOST> - Invalid user or password entered ignoreregex = EDIT: New failregex proposed (below) by @@nayr to catch 401 errors and attempts to find valid user names [Definition] failregex = AUTH-ERROR: <HOST> - Invalid user HTTP Response 401 to <HOST>. The failregex tells what the log line will have in it that designates a fail and "<HOST>" designated the actual ip address. That error looked like this: 2019-12-24 11:12:00.326 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered. So I assumed that AUTH-ERROR will be unique to login errors which is why I started the filter with that. Next you have to create the jail in cpeng@g5500:/etc/fail2ban$ sudo nano jail.d/emby.local /etc/fail2ban/jail.d/emby.local [emby] enabled = true filter = emby logpath = /var/lib/emby/logs/embyserver.txt port = 80,443 I use a reverse proxy that uses ports 80,443, but if you aren't doing that then you want to block the default ports 8096,8920 The logpath may vary from distribution, you can find yours in your dashboard under paths. There are other options that you can add, my default ban time was 10 minutes and max number of retries was 5 which is default which seemed fine to me. The last thing you need to do is reload fail2ban so it re reads the files. sudo systemctl reload fail2ban Then test by entering the wrong password into emby and confirm that it blocks you. Check out the fail2ban.log at /var/log/fail2ban.log tail /var/log/fail2ban.log For testing this command might also come in handy: sudo fail2ban-client unban --all Hope this is helpful. P.S. I recently switched from plex to emby for the dvr service and so far I have been very impressed and happy with how it works. I got tired of all the bugs with plex, that would never get fixed, instead we got new "features" and new interfaces. The icing on the cake is how responsiveness the developers are on these forums.
Hello all, I'm using the emby built in ssl for external announcement and i'm trying to write a fail2ban filter for direct emby log support. In reviewing the logs i was only able to find a log line with the connecting IP in the HTTP 401 response. Initially I was just going to regex that however on further review I'm seeing non-auth fail 401 messages returned. That leaves me having to try to mangle together some multiline regex nightmare trying to match first the authentication failure line then the 401 for the <HOST> ip. I've been working on this all day, I'm not even sure it's possible. I know many people use reverse proxy and fail2ban on the apache logs but i'd prefer to use the emby native ssl since it's there. Has anyone figured out the regex for this? _______________________________________________________________________________________________________________________________ 2016-02-14 15:55:43.8718 Info UserManager: Authentication request for <username> has been denied. 2016-02-14 15:55:43.8820 Error DtoUtils: ServiceBase<TRequest>::Service Exception *** Error Report *** Version: 3.0.5821.0 Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh Operating system: Unix 22.214.171.124 Processor count: 8 64-Bit OS: True 64-Bit Process: True Program data path: /var/lib/emby-server Mono: 4.2.1 (Stable 126.96.36.199/6dd2d0d Thu Dec 3 04:04:55 UTC 2015) Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe Invalid user or password entered. MediaBrowser.Controller.Net.SecurityException at MediaBrowser.Server.Implementations.Session.SessionManager+<AuthenticateNewSession>c__asyncC.MoveNext () <0x41c76b00 + 0x0080b> in <filename unknown>:0 --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () <0x7fa7314f36d0 + 0x00029> in <filename unknown>:0 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) <0x7fa7314f16b0 + 0x000a7> in <filename unknown>:0 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) <0x7fa7314f1630 + 0x0006b> in <filename unknown>:0 at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) <0x7fa7314f15e0 + 0x0003a> in <filename unknown>:0 at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () <0x7fa7314f1d10 + 0x00017> in <filename unknown>:0 at MediaBrowser.Api.UserService+<Post>c__async1.MoveNext () <0x41c75ea0 + 0x00680> in <filename unknown>:0 2016-02-14 15:55:43.8849 Error HttpServer: Error processing request for /emby/Users/authenticatebyname *** Error Report *** Version: 3.0.5821.0 Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh Operating system: Unix 188.8.131.52 Processor count: 8 64-Bit OS: True 64-Bit Process: True Program data path: /var/lib/emby-server Mono: 4.2.1 (Stable 184.108.40.206/6dd2d0d Thu Dec 3 04:04:55 UTC 2015) Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe Invalid user or password entered. ServiceStack.HttpError No Stack Trace Available 2016-02-14 15:55:43.8913 Info HttpServer: HTTP Response 401 to <Offending IP>. Time: 32ms. https://<server address>:8920/emby/Users/authenticatebyname ____________________________________________________________________________________________________________________________________ It would be nice it the emby logs included the offending IP in the authentication failure line. That regex would be straight forward. 2016-02-14 15:55:43.8718 Info UserManager: Authentication request for <username> has been denied from <Offending IP> Thanks ahead of time -everydayevil