Stryk3rr3al, Posted August 25

Hi everyone, I'm trying to get fail2ban working for Emby / Docker. Currently running in Ubuntu Mint Ubuntu 24.04 and have docker set to map the /config/logs directory to a local folder on the host. As far as I can tell I've got everything set up right, but the filter is not matching anything, it seems, and it never logs failed logins to the jail. Also, I don't recall where I noted them, but I did see some weird characters in some kind of fail2ban logs for Emby. They were non-printable or invisible characters, but I don't know that those would affect the regex, especially since the manual regex test is passing. Does anyone have any ideas or see something overly obvious that I'm missing? Also worth noting: I manually tested the regex pattern and it matches.

Docker Compose to map logs to local directory:

```yaml
version: "2.3"
services:
  emby:
    image: emby/embyserver:beta
    container_name: embyserver
    runtime: nvidia # Expose NVIDIA GPUs
    network_mode: host # Enable DLNA and Wake-on-Lan
    environment:
      - UID=1000 # The UID to run emby as (default: 2)
      - GID=1000 # The GID to run emby as (default 2)
      - GIDLIST=1000 # A comma-separated list of additional GIDs to run emby as (default: 2) #44,992
      - NVIDIA_VISIBLE_DEVICES=all
      - NVIDIA_DRIVER_CAPABILITIES=compute,utility,video
    volumes:
      - /home/r3al/Desktop/Docker/Emby/programdata/:/config # Configuration directory
      - /media/r3al/New Volume/TT/TV/:/mnt/tv # Media directory
      - /media/r3al/New Volume/TT/Movies/:/mnt/movies # Media directory
      - /media/r3al/New Volume/TT/Live TV Recordings/:/mnt/mixed # Media directory
      - "/home/r3al/Desktop/Docker/Emby/logs/:/config/logs"
    ports:
      - 8096:8096 # HTTP port
    devices:
      # - /dev/nvidia-uvm:/dev/nvidia-uvm # Added nvidia devices here
      # - /dev/nvidia-uvm-tools:/dev/nvidia-uvm-tools # Added nvidia devices here
      # - /dev/nvidia-modeset:/dev/nvidia-modeset # Added nvidia devices here
      # - /dev/nvidiactl:/dev/nvidiactl # Added nvidia devices here
      # - /dev/nvidia0:/dev/nvidia0 # Added nvidia devices here
      - /dev/dri:/dev/dri # VAAPI/NVDEC/NVENC render nodes
      - /dev/dri/renderD128:/dev/dri/renderD128
    restart: on-failure
```

/etc/fail2ban/filter.d/emby.conf:

```ini
[Definition]
failregex = "http/1.1 Response 401 to <HOST>"
```

/etc/fail2ban/jail.d/emby.local:

```ini
[emby]
enabled = true
port = 8096
filter = emby
logpath = /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
maxretry = 3
findtime = 600
bantime = 43200
```

Working manual regex test:

```
sudo fail2ban-regex /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt "http/1.1 Response 401 to <HOST>"
```

Manual regex test returns:

```
Running tests
=============

Use   failregex line : http/1.1 Response 401 to <HOST>
Use         log file : /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
Use         encoding : UTF-8

Results
=======

Failregex: 14 total
|-  #) [# of hits] regular expression
|   1) [14] http/1.1 Response 401 to <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [339] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 474 lines, 0 ignored, 14 matched, 460 missed
[processed in 0.23 sec]
```

Other troubleshooting things:

```
sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Sat 2024-08-24 21:14:29 EDT; 16min ago
       Docs: man:fail2ban(1)
   Main PID: 51845 (fail2ban-server)
      Tasks: 7 (limit: 18710)
     Memory: 20.0M (peak: 21.5M)
        CPU: 5.311s
     CGroup: /system.slice/fail2ban.service
             └─51845 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
```

```
sudo fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:   emby, sshd
```

```
sudo tail -f /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
2024-08-25 01:30:00.040 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired.
2024-08-25 01:30:00.040 Error Server: Access token is invalid or expired.
2024-08-25 01:30:00.040 Info Server: http/1.1 Response 401 to 192.168.15.202. Time: 3ms. GET http://192.168.15.201:8096/Users/4ab54b48711e48a7af67df8da7a587db/Items/Latest?Limit=12&ParentId=4
2024-08-25 01:35:00.122 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired.
2024-08-25 01:35:00.122 Error Server: Access token is invalid or expired.
2024-08-25 01:35:00.122 Info Server: http/1.1 Response 401 to 192.168.15.202. Time: 2ms. GET http://192.168.15.201:8096/Users/4ab54b48711e48a7af67df8da7a587db/Items/Latest?Limit=12&ParentId=4
2024-08-25 01:36:59.424 Info HttpClient: GET https://www.mb3admin.com/admin/service/EmbyPackages.json
2024-08-25 01:40:00.076 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired.
2024-08-25 01:40:00.076 Error Server: Access token is invalid or expired.
2024-08-25 01:40:00.076 Info Server: http/1.1 Response 401 to 192.168.15.202. Time: 3ms. GET http://192.168.15.201:8096/Users/4ab54b48711e48a7af67df8da7a587db/Items/Latest?Limit=12&ParentId=4
2024-08-25 01:43:48.212 Info Server: http/1.1 POST http://media.eternaltek.xyz/emby/Users/authenticatebyname?X-Emby-Client=Emby Web&X-Emby-Device-Name=Safari iOS&X-Emby-Device-Id=cdf1ca5b-4fe1-453d-a08b-22539010875d&X-Emby-Client-Version=4.9.0.29&X-Emby-Language=en-us. Source Ip: 172.58.127.8, Accept=application/json, Connection=close, Host=media.eternaltek.xyz, User-Agent=Mozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1, Accept-Encoding=gzip, deflate, br, Accept-Language=en-US,en;q=0.9, Content-Type=application/x-www-form-urlencoded; charset=UTF-8, Origin=https://media.eternaltek.xyz:23606, Referer=https://media.eternaltek.xyz:23606/web/index.html, Content-Length=12, X-TLS-Cipher=TLS_AES_128_GCM_SHA256, X-TLS-Protocol=TLSv1.3, X-TLS-SNI-Host=media.eternaltek.xyz, X-Real-IP=172.58.127.8, X-Forwarded-For=172.58.127.8, X-Forwarded-Proto=https, X-Forwarded-Port=23606, X-Forwarded-Host=media.eternaltek.xyz, X-TLS-Client-Intercepted=Unknown, sec-fetch-site=same-origin, sec-fetch-mode=cors, sec-fetch-dest=empty, priority=u=3, i
2024-08-25 01:43:48.212 Error DefaultAuthenticationProvider: Invalid username or password. No user named Dfv exists
2024-08-25 01:43:48.213 Error UserManager: Error authenticating with provider Default
	*** Error Report ***
	Version: 4.9.0.29
	Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
	Operating system: Linux version 6.8.0-41-generic (buildd@lcy02-amd64-100) (x86_64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.
	OS/Process: x64/x64
	Framework: .NET 8.0.6
	Runtime: system/System.Private.CoreLib.dll
	Processor count: 10
	Data path: /config
	Application path: /system
	System.Exception: System.Exception: Invalid username or password.
	   at Emby.Server.Implementations.Library.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
	   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser, CancellationToken cancellationToken)
	Source: Emby.Server.Implementations
	TargetSite: System.Threading.Tasks.Task`1[MediaBrowser.Controller.Authentication.ProviderAuthenticationResult] Authenticate(System.String, System.String, MediaBrowser.Controller.Entities.User)
2024-08-25 01:43:48.213 Info UserManager: Authentication request for Dfv has been denied.
2024-08-25 01:43:48.214 Warn Server: AUTH-ERROR: 172.58.127.8 - Invalid username or password entered.
2024-08-25 01:43:48.214 Error Server: Invalid username or password entered.
2024-08-25 01:43:48.214 Info Server: http/1.1 Response 401 to 172.58.127.8. Time: 3ms. POST http://media.eternaltek.xyz/emby/Users/authenticatebyname?X-Emby-Client=Emby Web&X-Emby-Device-Name=Safari iOS&X-Emby-Device-Id=cdf1ca5b-4fe1-453d-a08b-22539010875d&X-Emby-Client-Version=4.9.0.29&X-Emby-Language=en-us
```
Solution

Stryk3rr3al (Author), Posted August 25 (edited)

And here's the problem:

```
sudo tail -f /var/log/fail2ban.log
2024-08-25 08:31:44,263 fail2ban.filtersystemd [55063]: NOTICE [emby] Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
```

It's searching the system journal entries instead of the log I specified. Editing the jail file to set the backend to auto seems to have fixed the issue.

```ini
[emby]
enabled = true
port = 8096
filter = emby
logpath = /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
maxretry = 5
findtime = 900
bantime = 43200
backend = auto
```

The fix has been validated in the logs.

```
sudo tail -f /var/log/fail2ban.log
2024-08-25 08:44:56,318 fail2ban.jail           [55948]: INFO    Jail 'sshd' started
2024-08-25 08:44:56,319 fail2ban.jail           [55948]: DEBUG   Starting jail 'emby'
2024-08-25 08:44:56,320 fail2ban.filterpyinotify[55948]: DEBUG   [emby] filter started (pyinotifier)
2024-08-25 08:44:56,323 fail2ban.filterpyinotify[55948]: MSG     Log presence detected for file /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
2024-08-25 08:44:56,324 fail2ban.jail           [55948]: INFO    Jail 'emby' started
2024-08-25 08:44:56,325 fail2ban.filtersystemd  [55948]: INFO    [sshd] Jail is in operation now (process new journal entries)
2024-08-25 08:44:56,327 fail2ban.transmitter    [55948]: DEBUG   Status: ready
2024-08-25 08:44:56,328 fail2ban.filter         [55948]: DEBUG   Seek to find time 1693053896.3279676 (2023-08-26 08:44:56), file size 196864
2024-08-25 08:44:56,334 fail2ban.filter         [55948]: DEBUG   Position 0 from 196864, found time 1724567849.0 (2024-08-25 02:37:29) within 1 seeks
2024-08-25 08:44:56,340 fail2ban.filtersystemd  [55948]: DEBUG   [sshd] Invalidate signaled, take a little break (rotation ends)
2024-08-25 08:45:00,110 fail2ban.filterpyinotify[55948]: DEBUG   Event queue size: 16
2024-08-25 08:45:00,127 fail2ban.filterpyinotify[55948]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2024-08-25 08:45:00,128 fail2ban.filter         [55948]: WARNING [emby] Detected a log entry 4h after the current time in operation mode. This looks like a timezone problem. Treating such entries as if they just happened.
2024-08-25 08:45:00,129 fail2ban.filter         [55948]: WARNING [emby] Please check a jail for a timing issue. Line with odd timestamp: 2024-08-25 12:45:00.109 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired
```

```
Status for the jail: emby
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
```

Also, I did adjust the filter because I don't think I need the "" marks:

```ini
[Definition]
failregex = http/1.1 Response 401 to <HOST>
```

Edited August 25 by Stryk3rr3al
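To see what the filter and jail settings from this thread actually do to Emby's log, here is an added, stand-alone example (not code from the thread or from fail2ban) that expands `<HOST>` the way fail2ban's jail.conf manual documents it, applies the failregex to dated lines only, and counts failures per host over a findtime window. The sample log is constructed from trimmed copies of the thread's 401 lines plus a burst from a TEST-NET address, and `compile_failregex`, `parse_failures` and `hosts_to_ban` are names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail settings from the thread's fixed emby.local; FAILREGEX is the filter line verbatim.
FAILREGEX = "http/1.1 Response 401 to <HOST>"
MAXRETRY, FINDTIME = 5, timedelta(seconds=900)
# fail2ban's expansion of the <HOST> tag as documented in its jail.conf manual (assumption).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Emby's "YYYY-MM-DD HH:MM:SS.mmm" prefix; fail2ban strips the date before applying failregex.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")

# Constructed sample: trimmed copies of the thread's 401 lines plus a burst from a TEST-NET address.
SAMPLE_LOG = [
    "2024-08-25 01:30:00.040 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired.",
    "2024-08-25 01:30:00.040 Info Server: http/1.1 Response 401 to 192.168.15.202. Time: 3ms. GET /Items/Latest",
    "2024-08-25 01:35:00.122 Info Server: http/1.1 Response 401 to 192.168.15.202. Time: 2ms. GET /Items/Latest",
    "2024-08-25 01:40:00.076 Info Server: http/1.1 Response 401 to 192.168.15.202. Time: 3ms. GET /Items/Latest",
    "   at Emby.Server.Implementations.Library.DefaultAuthenticationProvider.Authenticate(...)",
    "2024-08-25 01:43:48.214 Info Server: http/1.1 Response 401 to 172.58.127.8. Time: 3ms. POST /emby/Users/authenticatebyname",
] + [f"2024-08-25 02:00:{s:02d}.000 Info Server: http/1.1 Response 401 to 203.0.113.7. Time: 1ms. POST /emby/Users/authenticatebyname"
     for s in range(5)]

def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result (applied with search, as fail2ban does)."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))

def parse_failures(lines, failregex=FAILREGEX):
    """Return (timestamp, host) for every line that the filter would count as a failure."""
    pat, hits = compile_failregex(failregex), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # stack-trace and header continuation lines carry no date and are ignored
            continue
        found = pat.search(m.group(2))
        if found:
            hits.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), found.group("host")))
    return hits

def hosts_to_ban(failures, maxretry=MAXRETRY, findtime=FINDTIME):
    """Per-host sliding window: a host is banned once maxretry failures fall within findtime."""
    recent, banned = defaultdict(list), set()
    for ts, host in sorted(failures):
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```

Passing the thread's original quoted filter line to `parse_failures` yields no hits at all, because the quotes become literal characters the log never contains; the unquoted line matches every 401.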