Fail2ban blocks iOS photo viewer


altramarine
Posted
  • Emby 3.0.8500.0
  • CentOS 7.3.1611
  • nginx server in reverse proxy (with SSL cert) that forwards emby destined traffic to a different local server running emby

I am trying to isolate an issue and would appreciate any guidance I can get.

 

Today I tried accessing my emby server using emby app on iPhone6 (iOS10.1.1).

While I was able to play videos and browse content, attempting to view photos resulted in an icon of a square instead of a photo.

 

Nginx access log shows the following when I first connect to emby server via https :

[14/Dec/2016:01:59:35 -0700] "GET /emby/system/info/public HTTP/1.1" 200 154 "http://localhost:12344/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100"
[14/Dec/2016:01:59:35 -0700] "GET /emby/system/info/public HTTP/1.1" 200 154 "http://localhost:12344/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100"
[14/Dec/2016:01:59:35 -0700] "GET /emby/users/public HTTP/1.1" 200 4 "http://localhost:12344/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100"
[14/Dec/2016:01:59:36 -0700] "OPTIONS /emby/Branding/Configuration HTTP/1.1" 200 0 "http://localhost:12344/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100"
[14/Dec/2016:01:59:36 -0700] "GET /emby/Branding/Configuration HTTP/1.1" 200 36 "http://localhost:12344/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100"

and the following when I attempt to view a photo:

[14/Dec/2016:01:51:46 -0700] "OPTIONS /emby/Users/260d5779fde8465591853f596758c2c4/Items/61f2a22a9cad3b242c5d98cd6d88c043 HTTP/1.1" 200 0 "http://localhost:12344/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100"
[14/Dec/2016:01:51:46 -0700] "GET /emby/Users/260d5779fde8465591853f596758c2c4/Items/61f2a22a9cad3b242c5d98cd6d88c043 HTTP/1.1" 200 761 "http://localhost:12344/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100"
[14/Dec/2016:01:51:46 -0700] "OPTIONS /emby/Users/260d5779fde8465591853f596758c2c4/Items?MediaTypes=Photo&Filters=IsNotFolder&ParentId=31204eb0e8186def5dbf69b73dce1986&SortBy=SortName HTTP/1.1" 200 0 "http://localhost:12344/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100"
[14/Dec/2016:01:51:46 -0700] "GET /emby/Users/260d5779fde8465591853f596758c2c4/Items?MediaTypes=Photo&Filters=IsNotFolder&ParentId=31204eb0e8186def5dbf69b73dce1986&SortBy=SortName HTTP/1.1" 200 63351 "http://localhost:12344/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100"

However, when I open firefox browser on the same iPhone and access emby that way, it displays photos fine and I get the following in the nginx access log:

[14/Dec/2016:01:58:08 -0700] "GET /web/index.html HTTP/1.1" 200 767 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) FxiOS/5.3 Mobile/14B100 Safari/602.2.14"
[14/Dec/2016:01:58:09 -0700] "GET /emby/Branding/Css.css?v=3.0.8500.0 HTTP/1.1" 200 0 "https://mydomainame.com/web/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) FxiOS/5.3 Mobile/14B100 Safari/602.2.14"
[14/Dec/2016:01:58:09 -0700] "GET /web/bower_components/emby-webcomponents/strings/en-US.json?v=1481705889011 HTTP/1.1" 200 16192 "https://mydomainame.com/web/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) FxiOS/5.3 Mobile/14B100 Safari/602.2.14"
[14/Dec/2016:01:58:09 -0700] "GET /web/strings/en-US.json?v=1481705889011 HTTP/1.1" 200 128133 "https://mydomainame.com/web/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) FxiOS/5.3 Mobile/14B100 Safari/602.2.14"
[14/Dec/2016:01:58:09 -0700] "GET /emby/Plugins/SecurityInfo HTTP/1.1" 200 67 "https://mydomainame.com/web/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) FxiOS/5.3 Mobile/14B100 Safari/602.2.14"
[14/Dec/2016:01:58:09 -0700] "GET /web/bower_components/emby-webcomponents/fonts/material-icons/2fcrYFNaTjcS6g4U3t-Y5ZjZjT5FdEJ140U2DJYC3mY.woff2 HTTP/1.1" 200 45648 "https://mydomainame.com/web/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) FxiOS/5.3 Mobile/14B100 Safari/602.2.14"
[14/Dec/2016:01:58:09 -0700] "GET /emby/system/info/public HTTP/1.1" 200 154 "https://mydomainame.com/web/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) FxiOS/5.3 Mobile/14B100 Safari/602.2.14"
[14/Dec/2016:01:58:09 -0700] "GET /emby/users/public HTTP/1.1" 200 4 "https://mydomainame.com/web/index.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) FxiOS/5.3 Mobile/14B100 Safari/602.2.14"
[14/Dec/2016:01:58:09 -0700] "GET /emby/users/public HTTP/1.1" 200 4 "https://mydomainame.com/web/login.html?serverid=f3d883f7b33446e89838c99d0415d8bc" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) FxiOS/5.3 Mobile/14B100 Safari/602.2.14"
[14/Dec/2016:01:58:09 -0700] "GET /emby/Branding/Configuration HTTP/1.1" 200 36 "https://mydomainame.com/web/login.html?serverid=f3d883f7b33446e89838c99d0415d8bc" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) FxiOS/5.3 Mobile/14B100 Safari/602.2.14"

and this when I view the same photo:

[14/Dec/2016:01:51:03 -0700] "GET /emby/Users/260d5779fde8465591853f596758c2c4/Items/61f2a22a9cad3b242c5d98cd6d88c043 HTTP/1.1" 200 761 "https://mydomainame.com/web/itemlist.html?parentId=31204eb0e8186def5dbf69b73dce1986" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) FxiOS/5.3 Mobile/14B100 Safari/602.2.14"
[14/Dec/2016:01:51:03 -0700] "GET /emby/Users/260d5779fde8465591853f596758c2c4/Items?MediaTypes=Photo&Filters=IsNotFolder&ParentId=31204eb0e8186def5dbf69b73dce1986&SortBy=SortName HTTP/1.1" 200 63351 "https://mtdomainame.com/web/itemlist.html?parentId=31204eb0e8186def5dbf69b73dce1986" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) FxiOS/5.3 Mobile/14B100 Safari/602.2.14"

What is this http://localhost:12344 that the emby iOS app is looking for? I do not have anything of the sort in my network.

I know for a fact emby app was working fine before.

The 2 major changes that may have affected it are:

  • servers running emby and nginx were updated from CentOS7.3.1511 to 7.3.1611
  • I re-installed emby server a week ago, but everything else is working fine. (Kodi, Chrome/Firefox browser)

Any ideas?

Many thanks!

 

 

Posted

Hi, can you please attach the complete emby server log? Thanks.

 

The localhost:12344 is an HTTP server mounted inside the iOS app.

altramarine
Posted

Thanks for the info about the address.

I stopped and restarted the emby server and replicated the issue, then grabbed the log.

Here is the log file:

 

http://dpaste.com/3SAE8ZQ

 

I hope that has sufficient info.

pir8radio
Posted

This is confirmed by me as well.. on beta iphone app.  Images show when bypassing reverse proxy though.  Not sure the cause yet. Also seems to affect the users logo in the top right (second image). Only full sized images when clicked on have an issue for me, thumbnails show up fine. 

 

585354dab0b39_IMG_0729.png

 

585354e954e8f_IMG_0730.png

pir8radio
Posted (edited)

Looks like when using HTTPS ONLY...   I would venture to say when using HTTPS via the IOS app this happens regardless of nginx.

Edited by pir8radio
  • 3 weeks later...
altramarine
Posted

hey @pir8radio,

 

were you able to bypass this issue?

 

I just added emby app on my ipad using http/internal IP and images show fine to reinforce that this behavior is https specific.

pir8radio
Posted

hey @pir8radio,

 

were you able to bypass this issue?

 

I just added emby app on my ipad using http/internal IP and images show fine to reinforce that this behavior is https specific.

 

No, I think this is an app issue that they will have to fix..

  • 1 year later...
CloseTurkey
Posted

I'm also having this issue in a reverse proxy environment. Is this being actively investigated? I can see this post is over a year old ☹️

pir8radio
Posted (edited)

@pir8radio is this still an issue for you?

 

No, I have not had this issue for a long time.  I'm not sure when it got fixed.

Edited by pir8radio
Posted

thanks for the feedback.

  • 2 months later...
Harbinger1080
Posted (edited)

I just experienced this myself tonight... I have fail2ban ban IPs after 5 403 responses in 10 minutes, and this issue tripped it.  This device was remote from my network.

 

just a quick sample from the nginx access log:

 

XX.XXX.XXX.XXX - - [16/May/2018:18:01:55 -0400] "GET /system/info/public HTTP/1.1" 403 162 "http://localhost:12344/index.html""Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E302"
XX.XXX.XXX.XXX - - [16/May/2018:18:05:00 -0400] "GET /system/info/public HTTP/1.1" 403 162 "http://localhost:12344/index.html""Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E302"
XX.XXX.XXX.XXX - - [16/May/2018:18:12:22 -0400] "GET /system/info/public HTTP/1.1" 403 162 "http://localhost:12344/index.html""Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E302"
XX.XXX.XXX.XXX - - [16/May/2018:18:14:27 -0400] "GET /system/info/public HTTP/1.1" 403 162 "http://localhost:12344/index.html""Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E302"
XX.XXX.XXX.XXX - - [16/May/2018:18:14:27 -0400] "GET /system/info/public HTTP/1.1" 403 162 "http://localhost:12344/index.html""Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E302"
XX.XXX.XXX.XXX - - [16/May/2018:18:14:27 -0400] "GET /system/info/public HTTP/1.1" 403 162 "http://localhost:12344/index.html""Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E302"
Edited by Harbinger1080
Posted

Did you resolve it?

Harbinger1080
Posted

Did you resolve it?

 

I did not-- I'm not sure what the fix is?  I unblocked the IP in fail2ban, but I don't really understand the root cause.  Is it an outdated/bad version of the IOS app?

Posted

Have you tried disabling fail2ban altogether?

Harbinger1080
Posted

Yes, if I disable fail2ban it doesn't block the IP address and the device can connect.  However, I do want to block IPs that repeatedly hit 403 responses, as those are frequently bots probing my IP.

 

I'm more interested in why so many hits like that come through to my server?

Posted

So many hits like what exactly?

Posted

Those 403 URLs you posted above are just the app trying to connect with previously saved credentials that may no longer be valid. I wouldn't block those with fail2ban.

Harbinger1080
Posted

Those 403 URLs you posted above are just the app trying to connect with previously saved credentials that may no longer be valid. I wouldn't block those with fail2ban.

 

Ah, maybe that's it then-- the device may not have been used for a while and credentials were old.  I'll double check-- thanks!
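
An added example (not part of any post above, and not fail2ban's own code) that replays the quoted 403 pattern through a 5-failures-in-10-minutes rule and shows a narrowly scoped exclusion for the app's reconnect probe. The IP addresses, the scanner lines and the function names are constructed for illustration; the jail and filter actually used in the thread are not shown on the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in nginx "combined" format, modelled on the 403 lines quoted
# in the thread; 203.0.113.7 is a documentation address, not from the thread.
UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) Mobile/15E302"
TIMES = ["18:01:55", "18:05:00", "18:12:22", "18:14:27", "18:14:27", "18:14:27"]
APP_LINES = [
    f'203.0.113.7 - - [16/May/2018:{t} -0400] "GET /system/info/public HTTP/1.1" '
    f'403 162 "http://localhost:12344/index.html" "{UA}"' for t in TIMES
]
# Constructed scanner traffic: same (spoofed) Referer, but other paths.
BOT_LINES = [
    f'198.51.100.9 - - [16/May/2018:18:20:0{i} -0400] "GET /nonexistent-{i} HTTP/1.1" '
    '403 162 "http://localhost:12344/index.html" "-"' for i in range(5)
]

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
                  r'"(?P<referer>[^"]*)"')

def is_app_reconnect(m):
    """Emby iOS app probing the public info endpoint from its embedded web view."""
    return (m["method"] == "GET" and m["path"] == "/system/info/public"
            and m["referer"].startswith("http://localhost:12344/"))

def banned_ips(lines, maxretry=5, findtime=600, ignore_app=False):
    """Return {ip: ban time} for IPs reaching maxretry 403s within findtime seconds."""
    hits, bans = defaultdict(deque), {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["status"] != "403" or (ignore_app and is_app_reconnect(m)):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = hits[m["ip"]]
        window.append(ts)
        # Drop failures that have aged out of the findtime window.
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry and m["ip"] not in bans:
            bans[m["ip"]] = ts
    return bans
```

Because the Referer header is client-supplied, the exclusion is pinned to the single `/system/info/public` request rather than to the header alone; in fail2ban the equivalent pattern would go in the filter's `ignoreregex`.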
