Jump to content

Can't Get Fail2Ban Working for Emby in Docker


Go to solution Solved by Stryk3rr3al,

Recommended Posts

Stryk3rr3al
Posted

Hi everyone, 

I'm trying to get fail2ban working for Emby / Docker. Currently running in Ubuntu Mint Ubuntu 24.04 and have docker set to map the /config/logs directory to a local folder on the host. 
As far as I can tell I've got everything setup right but the filter is not matching anything it seems and it never logs failed logins to the jail. Also I don't recall where I noted them but I did see some weird charters in some kind of fail2ban logs for  Emby. They were  non-printable or invisible characters but I don't know that those would affect the regex especially since the manual regex test is passing. Does anyone have any ideas or see something overly obvious that I'm missing? Also worth nothing I manually tested the regex pattern and it matches. 

Docker Compose to map logs to local directory

version: "2.3"
services:
  emby:
    image: emby/embyserver:beta
    container_name: embyserver
    runtime: nvidia # Expose NVIDIA GPUs
    network_mode: host # Enable DLNA and Wake-on-Lan
    environment:
      - UID=1000 # The UID to run emby as (default: 2)
      - GID=1000 # The GID to run emby as (default 2)
      - GIDLIST=1000 # A comma-separated list of additional GIDs to run emby as (default: 2)
#44,992
      - NVIDIA_VISIBLE_DEVICES=all
      - NVIDIA_DRIVER_CAPABILITIES=compute,utility,video
    volumes:
      - /home/r3al/Desktop/Docker/Emby/programdata/:/config # Configuration directory
      - /media/r3al/New Volume/TT/TV/:/mnt/tv # Media directory
      - /media/r3al/New Volume/TT/Movies/:/mnt/movies # Media directory
      - /media/r3al/New Volume/TT/Live TV Recordings/:/mnt/mixed # Media directory
      - "/home/r3al/Desktop/Docker/Emby/logs/:/config/logs"
    ports:
      - 8096:8096 # HTTP port
    devices:
#      - /dev/nvidia-uvm:/dev/nvidia-uvm # Added nvidia devices here
#      - /dev/nvidia-uvm-tools:/dev/nvidia-uvm-tools # Added nvidia devices here
#      - /dev/nvidia-modeset:/dev/nvidia-modeset # Added nvidia devices here
#      - /dev/nvidiactl:/dev/nvidiactl # Added nvidia devices here
#      - /dev/nvidia0:/dev/nvidia0 # Added nvidia devices here
      - /dev/dri:/dev/dri # VAAPI/NVDEC/NVENC render nodes
      - /dev/dri/renderD128:/dev/dri/renderD128
    restart: on-failure



/etc/fail2ban/filter.d/emby.conf

[Definition]
failregex = "http/1.1 Response 401 to ‌‍‍<HOST>"

/etc/fail2ban/jail.d/emby.local

[emby]
enabled = true
port = 8096
filter = emby
logpath = /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
maxretry = 3
findtime = 600
bantime = 43200


Working manual regex test

sudo fail2ban-regex /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt "http/1.1 Response 401 to ‌‍‍<HOST>"

Manual Regex test returns


Running tests
=============

Use   failregex line : http/1.1 Response 401 to ‌‍‍<HOST>
Use         log file : /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
Use         encoding : UTF-8


Results
=======

Failregex: 14 total
|-  #) [# of hits] regular expression
|   1) [14] http/1.1 Response 401 to ‌‍‍<HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [339] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 474 lines, 0 ignored, 14 matched, 460 missed
[processed in 0.23 sec]

 

Other troubleshooting things

sudo systemctl status fail2ban

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Sat 2024-08-24 21:14:29 EDT; 16min ago
       Docs: man:fail2ban(1)
   Main PID: 51845 (fail2ban-server)
      Tasks: 7 (limit: 18710)
     Memory: 20.0M (peak: 21.5M)
        CPU: 5.311s
     CGroup: /system.slice/fail2ban.service
             └─51845 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Sudo fail2ban-client status

Status
|- Number of jail:      2
`- Jail list:   emby, sshd

 

sudo tail -f /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt


2024-08-25 01:30:00.040 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired.
2024-08-25 01:30:00.040 Error Server: Access token is invalid or expired.
2024-08-25 01:30:00.040 Info Server: http/1.1 Response 401 to ‌‍‍192.168.15.202‌. Time: 3ms. GET http://‌‍‍192.168.15.201‌:8096/Users/4ab54b48711e48a7af67df8da7a587db/Items/Latest?Limit=12&ParentId=4
2024-08-25 01:35:00.122 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired.
2024-08-25 01:35:00.122 Error Server: Access token is invalid or expired.
2024-08-25 01:35:00.122 Info Server: http/1.1 Response 401 to ‌‍‍192.168.15.202‌. Time: 2ms. GET http://‌‍‍192.168.15.201‌:8096/Users/4ab54b48711e48a7af67df8da7a587db/Items/Latest?Limit=12&ParentId=4
2024-08-25 01:36:59.424 Info HttpClient: GET https://www.mb3admin.com/admin/service/EmbyPackages.json
2024-08-25 01:40:00.076 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired.
2024-08-25 01:40:00.076 Error Server: Access token is invalid or expired.
2024-08-25 01:40:00.076 Info Server: http/1.1 Response 401 to ‌‍‍192.168.15.202‌. Time: 3ms. GET http://‌‍‍192.168.15.201‌:8096/Users/4ab54b48711e48a7af67df8da7a587db/Items/Latest?Limit=12&ParentId=4
2024-08-25 01:43:48.212 Info Server: http/1.1 POST http://‌‍‍media.eternaltek.xyz‌/emby/Users/authenticatebyname?X-Emby-Client=Emby Web&X-Emby-Device-Name=Safari iOS&X-Emby-Device-Id=cdf1ca5b-4fe1-453d-a08b-22539010875d&X-Emby-Client-Version=4.9.0.29&X-Emby-Language=en-us. Source Ip: ‌‍‍172.58.127.8‌, Accept=application/json, Connection=close, Host=‌‍‍media.eternaltek.xyz‌, User-Agent=Mozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1, Accept-Encoding=gzip, deflate, br, Accept-Language=en-US,en;q=0.9, Content-Type=application/x-www-form-urlencoded; charset=UTF-8, Origin=‌‍‍https://media.eternaltek.xyz:23606‌, Referer=‌‍‍https://media.eternaltek.xyz:23606/web/index.html‌, Content-Length=12, X-TLS-Cipher=TLS_AES_128_GCM_SHA256, X-TLS-Protocol=TLSv1.3, X-TLS-SNI-Host=media.eternaltek.xyz, X-Real-IP=‌‍‍172.58.127.8‌, X-Forwarded-For=‌‍‍172.58.127.8‌, X-Forwarded-Proto=https, X-Forwarded-Port=23606, X-Forwarded-Host=‌‍‍media.eternaltek.xyz‌, X-TLS-Client-Intercepted=Unknown, sec-fetch-site=same-origin, sec-fetch-mode=cors, sec-fetch-dest=empty, priority=u=3, i
2024-08-25 01:43:48.212 Error DefaultAuthenticationProvider: Invalid username or password. No user named Dfv exists
2024-08-25 01:43:48.213 Error UserManager: Error authenticating with provider Default
        *** Error Report ***
        Version: 4.9.0.29
        Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
        Operating system: Linux version 6.8.0-41-generic (buildd@lcy02-amd64-100) (x86_64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.
        OS/Process: x64/x64
        Framework: .NET 8.0.6
        Runtime: system/System.Private.CoreLib.dll
        Processor count: 10
        Data path: /config
        Application path: /system
        System.Exception: System.Exception: Invalid username or password.
           at Emby.Server.Implementations.Library.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
           at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser, CancellationToken cancellationToken)
        Source: Emby.Server.Implementations
        TargetSite: System.Threading.Tasks.Task`1[MediaBrowser.Controller.Authentication.ProviderAuthenticationResult] Authenticate(System.String, System.String, MediaBrowser.Controller.Entities.User)

2024-08-25 01:43:48.213 Info UserManager: Authentication request for Dfv has been denied.
2024-08-25 01:43:48.214 Warn Server: AUTH-ERROR: 172.58.127.8 - Invalid username or password entered.
2024-08-25 01:43:48.214 Error Server: Invalid username or password entered.
2024-08-25 01:43:48.214 Info Server: http/1.1 Response 401 to ‌‍‍172.58.127.8‌. Time: 3ms. POST http://‌‍‍media.eternaltek.xyz‌/emby/Users/authenticatebyname?X-Emby-Client=Emby Web&X-Emby-Device-Name=Safari iOS&X-Emby-Device-Id=cdf1ca5b-4fe1-453d-a08b-22539010875d&X-Emby-Client-Version=4.9.0.29&X-Emby-Language=en-us

 

  • Solution
Stryk3rr3al
Posted (edited)

And here's the problem 
 

sudo tail -f /var/log/fail2ban.log 

2024-08-25 08:31:44,263 fail2ban.filtersystemd  [55063]: NOTICE  [emby] Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.

 

It's searching the system journal entries instead of the log I specified. Editing the jail file to set the backend to auto seems to have fixed the issue. 

[emby]
enabled = true
port = 8096
filter = emby
logpath = /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
maxretry = 5
findtime = 900
bantime = 43200
backend = auto

 

The fix has been validated in the logs. 

sudo tail -f /var/log/fail2ban.log

2024-08-25 08:44:56,318 fail2ban.jail           [55948]: INFO    Jail 'sshd' started
2024-08-25 08:44:56,319 fail2ban.jail           [55948]: DEBUG   Starting jail 'emby'
2024-08-25 08:44:56,320 fail2ban.filterpyinotify[55948]: DEBUG   [emby] filter started (pyinotifier)
2024-08-25 08:44:56,323 fail2ban.filterpyinotify[55948]: MSG     Log presence detected for file /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
2024-08-25 08:44:56,324 fail2ban.jail           [55948]: INFO    Jail 'emby' started
2024-08-25 08:44:56,325 fail2ban.filtersystemd  [55948]: INFO    [sshd] Jail is in operation now (process new journal entries)
2024-08-25 08:44:56,327 fail2ban.transmitter    [55948]: DEBUG   Status: ready
2024-08-25 08:44:56,328 fail2ban.filter         [55948]: DEBUG   Seek to find time 1693053896.3279676 (2023-08-26 08:44:56), file size 196864
2024-08-25 08:44:56,334 fail2ban.filter         [55948]: DEBUG   Position 0 from 196864, found time 1724567849.0 (2024-08-25 02:37:29) within 1 seeks
2024-08-25 08:44:56,340 fail2ban.filtersystemd  [55948]: DEBUG   [sshd] Invalidate signaled, take a little break (rotation ends)
2024-08-25 08:45:00,110 fail2ban.filterpyinotify[55948]: DEBUG   Event queue size: 16
2024-08-25 08:45:00,127 fail2ban.filterpyinotify[55948]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2024-08-25 08:45:00,128 fail2ban.filter         [55948]: WARNING [emby] Detected a log entry 4h after the current time in operation mode. This looks like a timezone problem. Treating such entries as if they just happened.
2024-08-25 08:45:00,129 fail2ban.filter         [55948]: WARNING [emby] Please check a jail for a timing issue. Line with odd timestamp: 2024-08-25 12:45:00.109 Warn Server: AUTH-ERROR: 192.168.15.202 - Access token is invalid or expired



Status for the jail: emby
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /home/r3al/Desktop/Docker/Emby/logs/embyserver.txt
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:


Also I did adjust the filter because I don't think I need the "" marks

[Definition]
failregex = http/1.1 Response 401 to ‌‍‍<HOST>

 

Edited by Stryk3rr3al
  • Like 1
  • Thanks 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...