
Log failed login attempts to emby


PrincessClevage

Hi there, I am attempting to set up wail2ban for multiple failed attempts to log into Emby server. Wail2ban looks for failed attempts in the Windows security log. Is it possible to configure Emby server to log failed attempts in a similar manner?

softworkz

We've had a request here: https://github.com/MediaBrowser/Emby/issues/3452

 

We couldn't make it a separate log file, but you can let fail2ban observe the main Emby logfile and watch out for entries like this:

AUTH-ERROR: {0} - {1}

where {0} is the source IP address and {1} is the error message.

 

For example:

2018-12-28 00:00:00.007 Error AUTH-ERROR: 1.1.1.1 - Invalid username or password entered.
PrincessClevage

Sorry, I'm pretty new to fail2ban and have just found it. Might you be able to help with where in fail2ban we direct it to look at the Emby log directory, and do we just place AUTH-ERROR: in the fail2ban config file somewhere so it flags any AUTH-ERROR: as 1 failed attempt?

Happy2Play

Might be better to ask here.

 

https://emby.media/community/index.php?/topic/52675-fail2ban-questions

Soggybottoms
I'm not quite sure if wail2ban will work with Emby, as it generates its firewall rules by monitoring events written to the 'Windows Event Viewer'. 

 

I don't think that Emby server for Windows writes anything to the Windows Event Viewer (sorry, I'm running Emby on Linux), so you would need something that could monitor the 'embyserver.txt' log file, pick out the statements you're looking for, and add them to a custom event viewer log with a custom event id, so that wail2ban can pick those statements out and generate the firewall rules as necessary.

 

 

In regards to setting up fail2ban, that would be pretty easy to do. Once installed:

 

Step 1 - Edit the jail.conf file to set the maxretry (how many failed attempts before fail2ban adds a firewalld/iptable rule), and bantime (length of ban before rule is removed) settings.

 

Step 2 - Create a jail.local file where your jail.conf file is located and edit it as follows (ignoring everything after the <---):

 

[emby-server] <--- This is the name of the jail you want to create
enabled  = true <--- (enables the jail)
port     = 8096 <--- (sets the port the service is listening on)
logpath  = /path/to/emby/logfile/embyserver.txt
backend  = polling <--- (method for gathering this info)
journalmatch =

 


Step 3 - Configure a filter for the jail you created to catch any failed auth attempts..

Sorry I'm not very good with REGEX expressions, but you could try something simplistic like this and see if it works:

 

failregex = AUTH-ERROR: <HOST> - Invalid username or password entered.

 

Check your jail status using the command: fail2ban-client status <jailname> (ex: fail2ban-client status emby-server)

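Added example (not from any post in this thread, and not Emby or fail2ban code): Python that applies an anchored form of the failregex above to constructed log lines and counts failures per source IP the way a maxretry/findtime jail does, so the pattern can be checked before it goes into a filter. The IPv4-only host pattern, the name hosts_to_ban and the threshold values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored Python equivalent of the thread's failregex. fail2ban expands <HOST>
# itself; the IPv4-only group below is a simplified stand-in (assumption).
AUTH_ERROR = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) Error AUTH-ERROR: "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) - Invalid username or password entered\.$"
)

def hosts_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return hosts with at least maxretry failures inside a sliding findtime window."""
    recent = defaultdict(deque)  # host -> failure timestamps still inside the window
    banned = []
    for line in lines:
        m = AUTH_ERROR.match(line.strip())
        if not m:
            continue  # not an auth failure, or the marker is not where Emby writes it
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        window = recent[m["host"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])
    return banned

# Constructed sample lines in the format shown in the thread (documentation IPs).
# The last line carries the marker mid-line and must not be counted.
SAMPLE_LOG = """\
2018-12-28 00:00:00.007 Error AUTH-ERROR: 203.0.113.7 - Invalid username or password entered.
2018-12-28 00:00:05.120 Info HttpServer: HTTP GET http://emby.example/web/index.html
2018-12-28 00:00:09.431 Error AUTH-ERROR: 203.0.113.7 - Invalid username or password entered.
2018-12-28 00:00:12.002 Error AUTH-ERROR: 198.51.100.4 - Invalid username or password entered.
2018-12-28 00:00:15.870 Error AUTH-ERROR: 203.0.113.7 - Invalid username or password entered.
2018-12-28 00:30:00.000 Error AUTH-ERROR: 198.51.100.4 - Invalid username or password entered.
2018-12-28 00:45:00.000 Error AUTH-ERROR: 198.51.100.4 - Invalid username or password entered.
2018-12-28 00:46:00.000 Info App: note AUTH-ERROR: 192.0.2.9 - Invalid username or password entered.
""".splitlines()

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

Once the pattern behaves as expected here, fail2ban's own fail2ban-regex tool can test the real filter against the real embyserver.txt.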
