everydayevil (posted February 15, 2016)

Hello all,

I'm using the emby built in ssl for external announcement and I'm trying to write a fail2ban filter for direct emby log support.

In reviewing the logs I was only able to find a log line with the connecting IP in the HTTP 401 response. Initially I was just going to regex that, however on further review I'm seeing non-auth fail 401 messages returned. That leaves me having to try to mangle together some multiline regex nightmare trying to match first the authentication failure line then the 401 for the <HOST> ip. I've been working on this all day, I'm not even sure it's possible.

I know many people use reverse proxy and fail2ban on the apache logs but I'd prefer to use the emby native ssl since it's there.

Has anyone figured out the regex for this?

____________________________________________________________

2016-02-14 15:55:43.8718 Info UserManager: Authentication request for <username> has been denied.
2016-02-14 15:55:43.8820 Error DtoUtils: ServiceBase<TRequest>::Service Exception
    *** Error Report ***
    Version: 3.0.5821.0
    Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh
    Operating system: Unix 3.19.0.25
    Processor count: 8
    64-Bit OS: True
    64-Bit Process: True
    Program data path: /var/lib/emby-server
    Mono: 4.2.1 (Stable 4.2.1.102/6dd2d0d Thu Dec 3 04:04:55 UTC 2015)
    Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe
    Invalid user or password entered.
    MediaBrowser.Controller.Net.SecurityException
      at MediaBrowser.Server.Implementations.Session.SessionManager+<AuthenticateNewSession>c__asyncC.MoveNext () <0x41c76b00 + 0x0080b> in <filename unknown>:0
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () <0x7fa7314f36d0 + 0x00029> in <filename unknown>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) <0x7fa7314f16b0 + 0x000a7> in <filename unknown>:0
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) <0x7fa7314f1630 + 0x0006b> in <filename unknown>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) <0x7fa7314f15e0 + 0x0003a> in <filename unknown>:0
      at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () <0x7fa7314f1d10 + 0x00017> in <filename unknown>:0
      at MediaBrowser.Api.UserService+<Post>c__async1.MoveNext () <0x41c75ea0 + 0x00680> in <filename unknown>:0
2016-02-14 15:55:43.8849 Error HttpServer: Error processing request for /emby/Users/authenticatebyname
    *** Error Report ***
    Version: 3.0.5821.0
    Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh
    Operating system: Unix 3.19.0.25
    Processor count: 8
    64-Bit OS: True
    64-Bit Process: True
    Program data path: /var/lib/emby-server
    Mono: 4.2.1 (Stable 4.2.1.102/6dd2d0d Thu Dec 3 04:04:55 UTC 2015)
    Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe
    Invalid user or password entered.
    ServiceStack.HttpError
    No Stack Trace Available
2016-02-14 15:55:43.8913 Info HttpServer: HTTP Response 401 to <Offending IP>. Time: 32ms. https://<server address>:8920/emby/Users/authenticatebyname

____________________________________________________________

It would be nice if the emby logs included the offending IP in the authentication failure line. That regex would be straightforward.

2016-02-14 15:55:43.8718 Info UserManager: Authentication request for <username> has been denied from <Offending IP>

Thanks ahead of time

-everydayevil

everydayevil (Author, posted February 16, 2016)

For those interested... I haven't gotten fail2ban working yet but I did just get a regex string to match what I'm looking for on regex101.

https://regex101.com/r/xW8dB4/2

The trick is using a positive lookbehind. (I learned something new today!)

Once I get this working in fail2ban I'll post the config for others.

everydayevil (Author, posted February 17, 2016)

A bug has been opened with fail2ban to support the NLog {$longdate} date/time format.

https://github.com/fail2ban/fail2ban/issues/1325

Solution: everydayevil (Author, posted February 20, 2016)

OK folks.... I got this working.

I ended up overthinking it. Turns out that the multiline regex wasn't needed as I previously thought (also: I could not get it to work no matter what I tried). 401 messages on failed logins always reference authenticatebyname in the URL. I was able to match on the 401 and then the authenticatebyname on the same line. Also the time format is supported in both fail2ban versions listed below and I've closed the bug requesting support inclusion for it.

For those interested in setting this up here is the overview.......

This is for Ubuntu 14.04 with fail2ban 0.8.11 (also confirmed with latest fail2ban 0.9.3)

You will need to create two files.

/etc/fail2ban/jail.local - this allows you to customize the jail.conf without worrying about it getting overwritten by upgrades.
/etc/fail2ban/filter.d/emby.conf - configuration file for emby-server log regex matching.

No other changes are needed.

Copy and paste the info below the ----- lines for each listed file, save, restart fail2ban.

Customize your port and any IP/s you want to exclude from monitoring for bans in jail.local

You can also set custom fail actions but I left the default of blocking the IP on all ports.

I'll be watching my logs for other failure types and update any new ones I notice. Please do the same if you find any logs that need to be included in the regex.

**EDIT** updated config for the new logfile naming convention. Simply commented out the old logfile line in case anyone needs to refer back to the old config for some reason. Thanks again to Luke for making the change to the log file naming convention!

_____________________________________________________
jail.local
-----------------------------------------------------
[DEFAULT]
ignoreip = 127.0.0.0/8 <LAN Range> <trusted public IP if any>

[emby]
enabled = true
port = 8920
filter = emby
#logpath = /var/lib/emby-server/logs/server-*.txt
logpath = /var/lib/emby/logs/embyserver.txt
maxretry = 5
findtime = 600
bantime = 600

_____________________________________________________
emby.conf
-----------------------------------------------------
# Fail2Ban filter for emby
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = emby-server

failregex = Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname
            Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None

ignoreregex =

# DEV Notes:
#
# Matching on http 401 with a trailing url including 'authenticatebyname' to catch incorrect passwords
# Matching on http 500 with a trailing url including 'mediabrowser/Users/None' to catch incorrect usernames
#
# Author: everydayevil@everydayevil.com
_____________________________________________________

-everydayevil

Edited May 14, 2018 by everydayevil

jant90 (posted February 20, 2016)

Very nice. Have you seen any break-in attempts yet?

Oh, and it should be perfectly safe to edit it to "port = 8096,8920" right? As to monitor both http and https.

Edited February 20, 2016 by jant90

everydayevil (Author, posted February 20, 2016)

Jant90,

Technically I think you can even not include that section. Fail2ban monitors the log file for regex matches, not the port traffic. I believe the port is included as a variable in certain ban action scripts. However since the default action is to ban on all ports it should not be needed. I just included it in mine for possible future use and because all the others had it. I'll have to do some checking in the fail2ban documentation to see if/how to set multiple ports.

**UPDATE** I have confirmed that the correct format for multiple ports is as you showed. "port = 8096,8920" Again this is only needed if you plan on writing a custom ban action to only block those ports. **END UPDATE**

I have not seen any break-in attempts on my installation yet (only had it port forwarded for a few days). A work buddy of mine gets attempts all the time. However as he runs on windows this is of no benefit to him. (8^(

-everydayevil

Edited February 20, 2016 by everydayevil

runtimesandbox (posted February 24, 2016)

Fantastic work! This should definitely go in the wiki somewhere

Edited February 24, 2016 by spudy12

Bonfi (posted March 12, 2016)

Thanks, I was looking exactly for this. I'll try it as soon as possible.

Ciiss0u (posted March 16, 2016)

Got it working for emby on Debian 7 Wheezy and fail2ban 0.8.6-3wheezy3:

my /etc/fail2ban/filter.d/emby-server.conf:

[Definition]
failregex = .* Info HttpServer: HTTP Response 401 to <HOST>?\. .*authenticatebyname
            .* Info HttpServer: HTTP Response 500 to <HOST>?\. .*mediabrowser/Users/None
ignoreregex =

Edited March 16, 2016 by Ciiss0u

everydayevil (Author, posted March 16, 2016)

Ciiss0u,

Glad you got it working. A couple of thoughts on your regex for the sake of clean, succinct code.

Your leading .* should not be needed as the date/time stamp is matched separately in the fail2ban code. Also your optional match of literal '.' after <HOST> is redundant to the following '.*'

If I've missed something (would not be the first time) let me know.

-everydayevil

techworld (posted August 22, 2016)

Hi,

I tried this on OMV, but it didn't work. By the way, I'm using HTTPS.

log path: /media/54bf67db-da31-4c50-bb3c-27140944b223/emby/logs/server-*.txt

Status for the jail: emby
|- filter
|  |- File list:
|  |     /media/54bf67db-da31-4c50-bb3c-27140944b223/emby/logs/server-63607312743.txt
|  |     /media/54bf67db-da31-4c50-bb3c-27140944b223/emby/logs/server-63607372239.txt
|  |     /media/54bf67db-da31-4c50-bb3c-27140944b223/emby/logs/server-63607217634.txt
|  |     /media/54bf67db-da31-4c50-bb3c-27140944b223/emby/logs/server-63607459613.txt
|  |     /media/54bf67db-da31-4c50-bb3c-27140944b223/emby/logs/server-63607284033.txt
|  |     /media/54bf67db-da31-4c50-bb3c-27140944b223/emby/logs/server-63607489383.txt
|  |     /media/54bf67db-da31-4c50-bb3c-27140944b223/emby/logs/server-63607331595.txt
|  |     /media/54bf67db-da31-4c50-bb3c-27140944b223/emby/logs/server-63607307568.txt
|  |     /media/54bf67db-da31-4c50-bb3c-27140944b223/emby/logs/server-63607387642.txt
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned: 0

Edited August 23, 2016 by techworld

everydayevil (Author, posted August 23, 2016)

Techworld,

I've never used OMV but it seems to be based on Debian Wheezy, which was confirmed to be working with this by another user. You only posted the jail and not the conf so I can only assume that it's correct. The log path looks odd, but I'm going to again assume that is specific to OMV.

Subject to change by wifely whim, I'll try to set up a VM of OMV tonight and see if I can make it work.

more to come.....

-Everydayevil

Edited August 23, 2016 by everydayevil

techworld (posted August 23, 2016)

I've set up several fail2ban filters, but don't know why the emby filter isn't working for me. My log path is correct b/c that's where Emby's plugin is installed. Not sure if this matters, but I tested on my own URL, not through Emby Connect.

/etc/fail2ban/filter.d/emby.conf

# Fail2Ban filter for emby
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = emby-server

failregex = Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname
            Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None

ignoreregex =

# DEV Notes:
#
# Matching on http 401 with a trailing url including 'authenticatebyname' to catch incorrect passwords
# Matching on http 500 with a trailing url including 'mediabrowser/Users/None' to catch incorrect usernames
#

Edited August 23, 2016 by techworld

everydayevil (Author, posted August 24, 2016)

Techworld,

Sorry for the delay, I was unable to set up the VM on Monday night. I did however set it up this evening and found the issue.

This was my setup running in KVM.

OMV 2.2.6 Stone Burner (current stable)
openmediavault-omvextrasorg 2.13.2
- enabled mono
- openmediavault-fail2ban 1.1.5
- openmediavault-emby 2.7

The log directory in your jail.local should be /var/lib/emby/logs/server-*.txt
Everything else is exactly the same.

At this point I was able to confirm that fail2ban was parsing the emby logs. There is an issue however... in the fail2ban.log I kept getting this

'2016-08-23 21:59:49,775 fail2ban.filter : WARNING Unable to find a corresponding IP address for 192.168.1.3.'

After a bunch of digging I found a few things out. The issue seems to be a parsing issue of the built in fail2ban regex helper '<host>': it is matching on the trailing '.' on the IP in the emby log. I've compared the log files between my install and the OMV install and they both have the trailing '.' in the log file.

The version of fail2ban that installs is v0.8.6. What I have found is that there was an enhancement in 0.8.11 which enforces an alphanumeric end to the '<host>' match.

From the release notes for fail2ban 0.8.11:
* <HOST> is now enforced to end with an alphanumeric

I took a few tries at updating the failregex.py to match the regex pattern from my install but when I did that it just broke completely. Not sure if that was a typo on my part or something to do with the precompiled .pyc files or something else entirely.

You may be able to upgrade the fail2ban version in Wheezy or DL direct from fail2ban.org. I would assume the omv fail2ban.js files would continue working with a newer version as it just seems to point to the standard fail2ban directories.

I wish you luck!

-everydayevil

Edited August 24, 2016 by everydayevil
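
The trailing-dot behaviour discussed in the post above can be reproduced outside fail2ban. This is an added example, not code from the thread or from fail2ban: the two <HOST> expansions are simplified stand-ins (an assumption modelled on the 0.8.11 release note quoted above), and the log lines, IP addresses and emby.example.test are constructed.

```python
import ipaddress
import re

# Simplified stand-ins for the <HOST> expansion (assumption, not fail2ban source).
HOST_LOOSE = r"(?P<host>[\w\-.^_]+)"     # may end on '.', as seen with 0.8.6
HOST_STRICT = r"(?P<host>[\w\-.^_]*\w)"  # must end on an alphanumeric (0.8.11 note)

# failregex lines from the thread's emby.conf.
EMBY_FAILREGEX = [
    r"Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname",
    r"Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None",
]
# Variant posted for fail2ban 0.8.6, with a literal '\.' after <HOST>.
DOT_FAILREGEX = [
    r".* Info HttpServer: HTTP Response 401 to <HOST>?\. .*authenticatebyname",
    r".* Info HttpServer: HTTP Response 500 to <HOST>?\. .*mediabrowser/Users/None",
]

# Constructed sample log in the format shown in the first post.
SAMPLE_LOG = """\
2016-02-14 15:55:43.8718 Info UserManager: Authentication request for alice has been denied.
2016-02-14 15:55:43.8913 Info HttpServer: HTTP Response 401 to 203.0.113.7. Time: 32ms. https://emby.example.test:8920/emby/Users/authenticatebyname
2016-02-14 15:56:02.1004 Info HttpServer: HTTP Response 401 to 198.51.100.9. Time: 3ms. https://emby.example.test:8920/emby/System/Info
2016-02-14 15:56:10.4410 Info HttpServer: HTTP Response 500 to 203.0.113.7. Time: 12ms. https://emby.example.test:8920/mediabrowser/Users/None
2016-02-14 15:56:30.0001 Info HttpServer: HTTP Response 200 to 192.0.2.44. Time: 5ms. https://emby.example.test:8920/emby/Users/authenticatebyname
"""

# The date/time stamp is handled separately from the failregex, so strip it first.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+")


def compile_filter(failregex, host_pattern):
    """Substitute the <HOST> placeholder and compile each failregex line."""
    return [re.compile(rx.replace("<HOST>", host_pattern)) for rx in failregex]


def find_host(line, compiled):
    """Return the captured host for the first failregex that matches, else None."""
    body = TIMESTAMP.sub("", line, count=1)
    for rx in compiled:
        m = rx.search(body)
        if m and m.group("host"):
            return m.group("host")
    return None


def is_ip(text):
    """True when the captured text is a literal IP address (no DNS lookup needed)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def scan(log_text, failregex, host_pattern):
    """List (host, is_literal_ip) for every log line the filter flags."""
    compiled = compile_filter(failregex, host_pattern)
    hits = []
    for line in log_text.splitlines():
        host = find_host(line, compiled)
        if host is not None:
            hits.append((host, is_ip(host)))
    return hits


if __name__ == "__main__":
    for name, rx, host in [
        ("emby.conf, strict <HOST>", EMBY_FAILREGEX, HOST_STRICT),
        ("emby.conf, loose <HOST>", EMBY_FAILREGEX, HOST_LOOSE),
        ("dot variant, loose <HOST>", DOT_FAILREGEX, HOST_LOOSE),
    ]:
        print(name, scan(SAMPLE_LOG, rx, host))
```

On a real host, fail2ban-regex <logfile> /etc/fail2ban/filter.d/emby.conf runs the installed filter against the actual log using that version's own <HOST> handling.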

techworld (posted November 20, 2016)

Hi,

Just want to let you guys know that I recently installed OMV3, and the new version of Fail2ban is working with the above code.

Thanks.

techworld (posted December 14, 2016)

Hi,

I've recently been getting many fail2ban log errors. The filter can't find the logs b/c they no longer exist.

2016-12-13 18:21:31,089 fail2ban.server [1820]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
2016-12-13 18:21:31,118 fail2ban.filter [1820]: INFO Set maxRetry = 3
2016-12-13 18:21:31,119 fail2ban.filter [1820]: INFO Set findtime = 600
2016-12-13 18:21:31,120 fail2ban.actions[1820]: INFO Set banTime = 900
2016-12-13 18:21:31,127 fail2ban.jail [1820]: INFO Creating new jail 'emby'
2016-12-13 18:21:31,128 fail2ban.jail [1820]: INFO Jail 'emby' uses poller
2016-12-13 18:21:31,128 fail2ban.jail [1820]: INFO Initiated 'polling' backend
2016-12-13 18:21:31,129 fail2ban.filter [1820]: INFO Added logfile = /var/lib/emby-server/logs/server-63616969832.txt
2016-12-13 18:21:31,130 fail2ban.filter [1820]: INFO Added logfile = /var/lib/emby-server/logs/server-63616914796.txt
2016-12-13 18:21:31,132 fail2ban.filter [1820]: INFO Added logfile = /var/lib/emby-server/logs/server-63617164812.txt
2016-12-13 18:21:31,133 fail2ban.filter [1820]: INFO Added logfile = /var/lib/emby-server/logs/server-63616905619.txt
2016-12-13 18:21:31,135 fail2ban.filter [1820]: INFO Added logfile = /var/lib/emby-server/logs/server-63617056237.txt
2016-12-13 18:21:31,137 fail2ban.filter [1820]: INFO Added logfile = /var/lib/emby-server/logs/server-63616915344.txt
2016-12-13 18:21:31,139 fail2ban.filter [1820]: INFO Added logfile = /var/lib/emby-server/logs/server-63616914947.txt
2016-12-13 18:21:31,141 fail2ban.filter [1820]: INFO Added logfile = /var/lib/emby-server/logs/server-63616809673.txt
2016-12-13 18:21:31,143 fail2ban.filter [1820]: INFO Added logfile = /var/lib/emby-server/logs/server-63616914900.txt
2016-12-13 18:21:31,151 fail2ban.filter [1820]: INFO Added logfile = /var/lib/emby-server/logs/server-63617169291.txt
2016-12-13 18:21:31,151 fail2ban.filter [1820]: INFO Set maxRetry = 5
2016-12-13 18:21:31,152 fail2ban.filter [1820]: INFO Set findtime = 600
2016-12-13 18:21:31,152 fail2ban.actions[1820]: INFO Set banTime = 900
2016-12-13 18:21:31,166 fail2ban.jail [1820]: INFO Jail 'nextcloud' started
2016-12-13 18:21:31,167 fail2ban.jail [1820]: INFO Jail 'emby' started
2016-12-13 18:22:37,168 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616914796.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616914796.txt'
2016-12-13 18:22:37,168 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616905619.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616905619.txt'
2016-12-13 18:22:37,168 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616915344.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616915344.txt'
2016-12-13 18:22:37,168 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616914947.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616914947.txt'
2016-12-13 18:22:37,168 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616809673.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616809673.txt'
2016-12-13 18:22:37,168 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616914900.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616914900.txt'
2016-12-13 18:22:38,169 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616914796.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616914796.txt'
2016-12-13 18:22:38,169 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616905619.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616905619.txt'
2016-12-13 18:22:38,169 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616915344.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616915344.txt'
2016-12-13 18:22:38,169 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616914947.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616914947.txt'
2016-12-13 18:22:38,169 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616809673.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616809673.txt'
2016-12-13 18:22:38,169 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616914900.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616914900.txt'
2016-12-13 18:22:39,169 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616914796.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616914796.txt'
2016-12-13 18:22:39,170 fail2ban.filter [1820]: WARNING Too many errors. Setting the jail idle
2016-12-13 18:22:39,170 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616905619.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616905619.txt'
2016-12-13 18:22:39,170 fail2ban.filter [1820]: WARNING Too many errors. Setting the jail idle
2016-12-13 18:22:39,170 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616915344.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616915344.txt'
2016-12-13 18:22:39,170 fail2ban.filter [1820]: WARNING Too many errors. Setting the jail idle
2016-12-13 18:22:39,170 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616914947.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616914947.txt'
2016-12-13 18:22:39,170 fail2ban.filter [1820]: WARNING Too many errors. Setting the jail idle
2016-12-13 18:22:39,170 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616809673.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616809673.txt'
2016-12-13 18:22:39,170 fail2ban.filter [1820]: WARNING Too many errors. Setting the jail idle
2016-12-13 18:22:39,170 fail2ban.filter [1820]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63616914900.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63616914900.txt'
2016-12-13 18:22:39,170 fail2ban.filter [1820]: WARNING Too many errors. Setting the jail idle

These are my current logs as I'm posting:

/var/lib/emby-server/logs$ ls -la
total 1140
drwxr-xr-x 2 emby emby 4096 Dec 13 18:22 .
drwxr-xr-x 14 emby emby 4096 Nov 26 12:29 ..
-rw-r--r-- 1 emby emby 853217 Dec 11 12:30 server-63616969832.txt
-rw-r--r-- 1 emby emby 93486 Dec 12 18:40 server-63617056237.txt
-rw-r--r-- 1 emby emby 31150 Dec 12 19:52 server-63617164812.txt
-rw-r--r-- 1 emby emby 96755 Dec 13 17:55 server-63617169291.txt
-rw-r--r-- 1 emby emby 53339 Dec 13 19:55 server-63617250091.txt

In addition, Emby is showing my failed login attempts from WAN, but my fail2ban filter didn't log at all.

Edited December 14, 2016 by techworld

kcprophecy (posted February 20, 2017)

Just set this up myself and everything is working good, thanks man!

techworld (posted March 12, 2017)

Hi all,

My syslog keeps getting these errors every day. Please help me fix this.

Emby Version 3.2.7.0

Fail2ban version:
ii fail2ban 0.8.13-1 all ban hosts that cause multiple authentication errors
ii openmediavault-fail2ban 1.3.1 all OpenMediaVault Fail2ban plugin

errors:

2017-03-11 15:31:53,981 fail2ban.filter [1731]: INFO Set maxRetry = 3
2017-03-11 15:31:53,983 fail2ban.filter [1731]: INFO Set findtime = 600
2017-03-11 15:31:53,983 fail2ban.actions[1731]: INFO Set banTime = 900
2017-03-11 15:31:53,994 fail2ban.jail [1731]: INFO Creating new jail 'emby'
2017-03-11 15:31:53,994 fail2ban.jail [1731]: INFO Jail 'emby' uses poller
2017-03-11 15:31:53,995 fail2ban.jail [1731]: INFO Initiated 'polling' backend
2017-03-11 15:31:53,996 fail2ban.filter [1731]: INFO Added logfile = /var/lib/emby-server/logs/server-63624343707.txt
2017-03-11 15:31:53,998 fail2ban.filter [1731]: INFO Added logfile = /var/lib/emby-server/logs/server-63624423623.txt
2017-03-11 15:31:54,000 fail2ban.filter [1731]: INFO Added logfile = /var/lib/emby-server/logs/server-63624515031.txt
2017-03-11 15:31:54,001 fail2ban.filter [1731]: INFO Added logfile = /var/lib/emby-server/logs/server-63624430206.txt
2017-03-11 15:31:54,003 fail2ban.filter [1731]: INFO Added logfile = /var/lib/emby-server/logs/server-63624682825.txt
2017-03-11 15:31:54,004 fail2ban.filter [1731]: INFO Added logfile = /var/lib/emby-server/logs/server-63624593811.txt
2017-03-11 15:31:54,005 fail2ban.filter [1731]: INFO Added logfile = /var/lib/emby-server/logs/server-63624593578.txt
2017-03-11 15:31:54,006 fail2ban.filter [1731]: INFO Added logfile = /var/lib/emby-server/logs/server-63624510022.txt
2017-03-11 15:31:54,009 fail2ban.filter [1731]: INFO Added logfile = /var/lib/emby-server/logs/server-63624769223.txt
2017-03-11 15:31:54,010 fail2ban.filter [1731]: INFO Added logfile = /var/lib/emby-server/logs/server-63624832247.txt
2017-03-11 15:31:54,010 fail2ban.filter [1731]: INFO Set maxRetry = 5
2017-03-11 15:31:54,013 fail2ban.filter [1731]: INFO Set findtime = 600
2017-03-11 15:31:54,013 fail2ban.actions[1731]: INFO Set banTime = 900
2017-03-11 15:31:54,028 fail2ban.jail [1731]: INFO Jail 'nextcloud' started
2017-03-11 15:31:54,055 fail2ban.jail [1731]: INFO Jail 'emby' started
2017-03-11 15:33:02,516 fail2ban.filter [1731]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63624343707.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63624343707.txt'
2017-03-11 15:33:02,516 fail2ban.filter [1731]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63624423623.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63624423623.txt'
2017-03-11 15:33:02,516 fail2ban.filter [1731]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63624430206.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63624430206.txt'
2017-03-11 15:33:02,516 fail2ban.filter [1731]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63624510022.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63624510022.txt'
2017-03-11 15:33:03,518 fail2ban.filter [1731]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63624343707.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63624343707.txt'
2017-03-11 15:33:03,518 fail2ban.filter [1731]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63624423623.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63624423623.txt'
2017-03-11 15:33:03,518 fail2ban.filter [1731]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63624430206.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63624430206.txt'
2017-03-11 15:33:03,518 fail2ban.filter [1731]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63624510022.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63624510022.txt'
2017-03-11 15:33:04,519 fail2ban.filter [1731]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63624343707.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63624343707.txt'
2017-03-11 15:33:04,520 fail2ban.filter [1731]: WARNING Too many errors. Setting the jail idle
2017-03-11 15:33:04,520 fail2ban.filter [1731]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63624423623.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63624423623.txt'
2017-03-11 15:33:04,520 fail2ban.filter [1731]: WARNING Too many errors. Setting the jail idle
2017-03-11 15:33:04,520 fail2ban.filter [1731]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63624430206.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63624430206.txt'
2017-03-11 15:33:04,520 fail2ban.filter [1731]: WARNING Too many errors. Setting the jail idle
2017-03-11 15:33:04,520 fail2ban.filter [1731]: ERROR Unable to get stat on /var/lib/emby-server/logs/server-63624510022.txt because of: [Errno 2] No such file or directory: '/var/lib/emby-server/logs/server-63624510022.txt'

Edited March 12, 2017 by techworld

bncbnc83 (posted November 1, 2017)

Thank you for this. It's working fine. But if I restart emby it stops working until I restart fail2ban. Does someone have a solution?

bncbnc83 (posted November 7, 2017)

Hi Luke

Sorry for my bad explanation... Fail2ban does not see the new log file when emby restarts.

Edited November 7, 2017 by bncbnc83

mastrmind11 (posted November 12, 2017)

Have you tested this? The regex is just a wildcard for any emby server log, so when the log file rolls, the regex picks up the new one generated. I see the fail2ban error when the old log is removed after it rolls out, but fail2ban picks up the new one. It's not ideal, but I'm too lazy to figure out a better method, and my server isn't active enough for me to care. Another method might be to monitor your server's access logs instead of emby's, much like fail2ban's sshd implementation.