Approved Log failed login attempts to emby

[PrincessClevage 174]

Hi there, I am attempting to setup wail2ban for multiple failed attempts to log into emby server. Wail2ban looks for failed attempts in Windows security log, is it possible to configure emby server to log failed attempts in a similar manner?

[Luke 39654]

The upcoming 3.6 release logs failed attempts in a manner that is compliant with fail2ban. @@softworkz can provide more insight. thanks.

[softworkz 4493]

We've had a request here: https://github.com/MediaBrowser/Emby/issues/3452

 

We couldn't make it a separate log file, but you can let fail2ban observe the main Emby logfile and watch out for entries like this:

AUTH-ERROR: {0} - {1}

where {0} is the source IP address and {1} is the error message.

 

For example:

2018-12-28 00:00:00.007 Error AUTH-ERROR: 1.1.1.1 - Invalid username or password entered.

[PrincessClevage 174]

We've had a request here: https://github.com/MediaBrowser/Emby/issues/3452

 

We couldn't make it a separate log file, but you can let fail2ban observe the main Emby logfile and watch out for entries like this:

AUTH-ERROR: {0} - {1}

where {0} is the source IP address and {1} is the error message.

 

For example:

2018-12-28 00:00:00.007 Error AUTH-ERROR: 1.1.1.1 - Invalid username or password entered.

Sorry I’m pretty new to fail2ban and have just found it. Might you be able to help where in fail2ban do we direct it to look at emby log directory and do we just place

AUTH-ERROR:

In the fail2ban config file some where so it flag any AUTH-ERROR: as a 1failed attempt?

[Happy2Play 9355]

Sorry I’m pretty new to fail2ban and have just found it. Might you be able to help where in fail2ban do we direct it to look at emby log directory and do we just place

AUTH-ERROR:

In the fail2ban config file some where so it flag any AUTH-ERROR: as a 1failed attempt?

 

 

Might be better to ask here.

 

https://emby.media/community/index.php?/topic/52675-fail2ban-questions

[Luke 39654]

To be honest I'm not a fail2ban expert, we simply adjusted our logging based on best practices. Thanks.

[Soggybottoms 3]

I'm not quite sure if wail2ban will work with Emby, as it generates its firewall rules by monitoring events written to the 'Windows Event Viewer'. 

 

I don't think that Emby server for Windows writes anything to the Windows Event Viewer (sorry I'm running Emby on Linux), so you would need something that could monitor the 'embyserver.txt' log file, pick out the statements you're looking for, and add them to a custom event viewer log with a custom event id, so that wail2ban can pick those statements out and generate the firewall rules as necessary..

 

 

In regards to setting up fail2ban.. That would be pretty easy to do.. Once installed - 

 

Step 1 - Edit the jail.conf file to set the maxretry (how many failed attempts before fail2ban adds a firewalld/iptable rule), and bantime (length of ban before rule is removed) settings.

 

Step 2 - Create a jail.local file where your jail.conf file is located and edit it as follows (ignoring everything after the <---):

 

[emby-server] <--- This is the name of the jail you want to create

enabled  = true <--- (enables the jail)

port     = 8096 <--- (sets the port the service is listening on)

logpath  = /path/to/emby/logfile/embyserver.txt

backend  = polling <--- (method for gathering this info)

journalmatch =

 

Step 3 - Configure a filter for the jail you created to catch any failed auth attempts..

Sorry I'm not very good with REGEX expressions, but you could try something simplistic like this and see if it works:

 

failregex = AUTH-ERROR: <HOST> - Invalid username or password entered.

 

Check your jail status using the command: fail2ban-client status <jailname> (ex: fail2ban-client status emby-server)