
Fail2Ban Questions



Jdiesel

I was curious about setting up fail2ban on my server as an added layer of protection but have a few questions.

 

Do I need to run a reverse proxy with apache to use it?

 

Can I also use it to monitor ssh attempts?


mastrmind11

I was curious about setting up fail2ban on my server as an added layer of protection but have a few questions.

 

Do I need to run a reverse proxy with apache to use it?

 

Can I also use it to monitor ssh attempts?

You need a proxy, whether apache or nginx.  It monitors the access log of the web server to determine what to ban.  

Yes, it works with sshd.  And once it's set up, you'll be shocked at the amount of activity on that port.  I'm banning constantly.


  • 4 months later...
all4dom

So if I understand this correctly, fail2ban will tell me if there are attempts to log into my system by anyone or anything?


dcrdev

So if I understand this correctly, fail2ban will tell me if there are attempts to log into my system by anyone or anything?

 

Not only that - it will actively block them.

 

@ OP - I'd post my config, but I'm using Apache and not nginx.


dcrdev

Will this work with Caddy?

 

If it produces log files and you're handy with regular expressions then yes!


CBers

So "wail2ban" is the Windows equivalent.

 

How does it know legitimate connections from bad ones?


dcrdev

So "wail2ban" is the Windows equivalent.

 

How does it know legitimate connections from bad ones?

 

It looks for patterns from certain ip addresses based on the requests and also in some cases the response code delivered from the server i.e. unauthorised responses. 


CBers

It looks for patterns from certain ip addresses based on the requests and also in some cases the response code delivered from the server i.e. unauthorised responses.

So is it fully automatic?

 

Can you whitelist IP addresses?


Jdiesel

So is it fully automatic?

 

Can you whitelist IP addresses?

 

For some services like SSH it is pretty much good to go out of the box. For services like Emby you would need to create your own jail so it knows what to look for in the logfiles. As of right now it takes a fair amount of setup. Once running it is automated. For example on my server after 3 failed SSH login attempts a temporary rule is added to my firewall to block that IP address for 60 minutes. After 60 minutes the rule is removed.

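Added example, not part of the thread and not fail2ban's own code: a Python model of the behaviour described in the posts above (a pattern matched per source IP, an allow-list, 3 failures leading to a 60-minute block). The parameter names mirror fail2ban's `maxretry`, `findtime`, `bantime` and `ignoreip` jail options; the log lines, the regex and the 600-second `findtime` are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed nginx-style access log lines (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 12
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /login HTTP/1.1" 401 12
192.168.1.20 - - [12/Mar/2024:10:00:06 +0000] "POST /login HTTP/1.1" 401 12
192.168.1.20 - - [12/Mar/2024:10:00:07 +0000] "POST /login HTTP/1.1" 401 12
192.168.1.20 - - [12/Mar/2024:10:00:08 +0000] "POST /login HTTP/1.1" 401 12
198.51.100.9 - - [12/Mar/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:10 +0000] "POST /login HTTP/1.1" 401 12
203.0.113.7 - - [12/Mar/2024:10:30:00 +0000] "POST /login HTTP/1.1" 401 12
"""

# Plays the role of a filter's failregex: source address plus a 401 response.
FAIL_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" 401 ')

def find_bans(log_text, maxretry=3, findtime=600, bantime=3600, ignoreip=()):
    """Return (ip, ban_start, ban_end) for each ban the log would trigger."""
    allow = [ipaddress.ip_network(n) for n in ignoreip]
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}               # ip -> time the temporary rule is lifted
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                # not a failed-auth line
        ip = m.group("host")
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if any(ipaddress.ip_address(ip) in net for net in allow):
            continue                # whitelisted source is never counted
        if ip in banned_until and when < banned_until[ip]:
            continue                # already blocked at the firewall
        window = failures[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()        # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = when + timedelta(seconds=bantime)
            bans.append((ip, when, banned_until[ip]))
            window.clear()
    return bans

BANS = find_bans(SAMPLE_LOG, ignoreip=["192.168.1.0/24"])
```

With the LAN range on the allow-list only 203.0.113.7 is banned; calling `find_bans(SAMPLE_LOG)` without `ignoreip` also bans 192.168.1.20, which is why a trusted address that mistypes a password a few times should be listed there.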

Guest asrequested

If I ever get the Unifi app server, I'd like to try running that on it. Can it run as standalone, or does it need to be integrated with a proxy?


Jdiesel

If I ever get the Unifi app server, I'd like to try running that on it. Can it run as standalone, or does it need to be integrated with a proxy?

 

I don't believe it needs to be run with a proxy but it would likely make things much easier as you aren't starting from scratch. As far as I know you can point it at any log file granted you have configured the jail to parse the logfile correctly.


Guest asrequested

So it sounds like I can use it with the Unifi controller logs? I really want to get that app server. So that'll be something I'll look at.


CBers

I don't believe it needs to be run with a proxy but it would likely make things much easier as you aren't starting from scratch. As far as I know you can point it at any log file granted you have configured the jail to parse the logfile correctly.

So just point it at the nginx log?


Guest asrequested

The Unifi app server is run on Ubuntu. That's why I'm interested in this. Having said that, the Unifi controller now has the IPS, which should be pretty much the same thing. So by the time I get it, fail2ban may be redundant.


  • 2 weeks later...
  • 9 months later...
PrincessClevage

Would anyone be able to point me to a guide to set up wail2ban on win10 please? I have the out of the box running but that only monitors for failed attempts to rdp and sql sessions. Do I modify the config file to look at the emby log directory and a line for auth failed attempts?


rbjtech

Would anyone be able to point me to a guide to set up wail2ban on win10 please? I have the out of the box running but that only monitors for failed attempts to rdp and sql sessions. Do I modify the config file to look at the emby log directory and a line for auth failed attempts?

 

From my limited powershell script skills - I believe wail2ban.ps1 is only setup to read from the Windows Event Log entries - I see no ps script for reading external log files such as embyserver.txt - thus without modification, I don't think wail2ban will work with emby.

 

Ideally I would like Emby to log system events to the Windows Event log - but I think that is a big undertaking for the Emby team and probably not a priority for them ..  :(


mastrmind11

I can't see how logging to the event log is a big undertaking. If C# is anything like any other non-.net programming language, you choose your logger based on the environment.


  • 1 month later...
silver_2000

Ok I found it, just add this to jail.local:

[emby]
enabled = true
port = 8920,8096
logpath = /var/packages/EmbyServer/target/var/logs/embyserver.txt

This is VERY cool, thanks to the community for putting this together. 