XSR 11 Posted January 31, 2019 Share Posted January 31, 2019 I have found program called IPBan that will automatically block IP address after too many failed login attempts occur in emby. Download IPBan from: https://github.com/DigitalRuby/IPBan Edit "Custom log entries, Windows" in IPBan.dll.config: PathAndMask and Regex <Source>IPBanCustom</Source> <PathAndMask>C:/IPBanCustomLogs/*.log</PathAndMask> <Recursive>true</Recursive> <Regex> <![CDATA[ ^\s*ipban\sfailed\slogin\sip\saddress:\s(?<ipaddress>.+?),\ssource:\s(?<source>.+?),\suser:\s(?<username>.+?)\s*,? ]]> </Regex> <PlatformRegex>Windows</PlatformRegex> <PingInterval>10000</PingInterval> <MaxFileSize>16777216</MaxFileSize> to (example) <Source>Emby</Source> <PathAndMask>C:/Users/Test/AppData/Roaming/Emby-Server/programdata/logs/embyserver.txt</PathAndMask> <Recursive>true</Recursive> <Regex> <![CDATA[ Warn\sHttpServer:\sAUTH-ERROR:\s(?<ipaddress>.+?)?\s-\sInvalid\suser\sor\spassword\sentered. ]]> </Regex> <PlatformRegex>Windows</PlatformRegex> <PingInterval>10000</PingInterval> <MaxFileSize>16777216</MaxFileSize> There are many more good settings to explore in IPBan.dll.config I have tested and that really works.. All credits goto the program creator! 4 Link to comment Share on other sites More sharing options...
Happy2Play 8282 Posted January 31, 2019 Share Posted January 31, 2019 Looks like a fail2ban option for Windows. Link to comment Share on other sites More sharing options...
Luke 37065 Posted January 31, 2019 Share Posted January 31, 2019 Cool, thanks ! Link to comment Share on other sites More sharing options...
rbjtech 4265 Posted August 21, 2019 Share Posted August 21, 2019 (edited) Thanks - just had a play with this and it looks as if some of the XML has changed as I could not get it to work with the example given above. My example below works on Beta 4.3.0.5 <LogFile> <Source>Emby</Source> <PathAndMask>C:\Users\USER\AppData\Roaming\Emby-Server\programdata\logs\embyserver.txt</PathAndMask> <Recursive>true</Recursive> <FailedLoginRegex> <![CDATA[ Warn\sHttpServer:\sAUTH-ERROR:\s(?<ipaddress>.+?)?\s-\sInvalid* ]]> </FailedLoginRegex> <PlatformRegex>Windows</PlatformRegex> <PingInterval>10000</PingInterval> <MaxFileSize>16777216</MaxFileSize> </LogFile> So in my setup, it pools embyserver.txt every 10 seconds and if it logs an AUTH-ERROR more than 5 times for the same IP address, then that IP gets banned for 60 minutes, then 24 hours, then 1 week etc. Devs - If you could possibly incorporate the 'username' into the same line somewhere, then it would be even more useful and log this in IPBan. Currently, emby logs this as two lines. 2019-08-22 00:02:06.446 Info UserManager: Authentication request for <username> has been denied.2019-08-22 00:02:06.447 Warn HttpServer: AUTH-ERROR: 1.1.1.1 - Invalid user or password entered. Could it possibly log something like this instead ? 2019-08-22 00:02:06.447 Warn HttpServer: AUTH-ERROR: 1.1.1.1 - <username> - Invalid user or password entered. Again - Thanks to the OP and DigitalRuby for IPBan Edited August 22, 2019 by rbjtech 3 Link to comment Share on other sites More sharing options...
MikeB111 48 Posted January 24, 2020 Share Posted January 24, 2020 Hey, thanks for the great info! I've been trying to understand how this works and I have a question. As best I can tell, when an IP address gets identified by IPBan as needing to be blocked, it creates a new Windows firewall rule. Is that correct? So here's my question. I'm running Symantec Endpoint Protection as my firewall/antivirus on my Windows 10 computer that is running my Emby server. Symantec seems to take control of the Windows Firewall and disable it. So will IPBan work with this setup, or will it be creating rules that never get used? Thanks in advance for any guidance! Link to comment Share on other sites More sharing options...
chef 3745 Posted January 24, 2020 Share Posted January 24, 2020 (edited) I have read through the ipban GitHub, you can see here: https://github.com/DigitalRuby/IPBan/blob/master/IPBanCore/Windows/IPBanWindowsFirewall.cs That in windows it create new forward policy. I'm new to how windows firewall works, but if your firewall application reads these policies from those registry entries to create it's own protection then it it should work. Just a guess. Ipban has some kind of pro version, which might be how you use third party fire wall programs. You'd have to read their site to be sure. Edited January 24, 2020 by chef 1 Link to comment Share on other sites More sharing options...
rbjtech 4265 Posted January 24, 2020 Share Posted January 24, 2020 (edited) Hey, thanks for the great info! I've been trying to understand how this works and I have a question. As best I can tell, when an IP address gets identified by IPBan as needing to be blocked, it creates a new Windows firewall rule. Is that correct? So here's my question. I'm running Symantec Endpoint Protection as my firewall/antivirus on my Windows 10 computer that is running my Emby server. Symantec seems to take control of the Windows Firewall and disable it. So will IPBan work with this setup, or will it be creating rules that never get used? Thanks in advance for any guidance! I am almost certain your 3rd party firewall is going to adhere to standard windows firewall requests - or any program that adds rules during an installation for example (such as Emby ..) will not work with your 3rd party firewall. Therefore I see no reason why IPBan will not work just fine. Edited January 24, 2020 by rbjtech Link to comment Share on other sites More sharing options...
XSR 11 Posted January 20, 2021 Author Share Posted January 20, 2021 (edited) It's a long time since I had something to usefull to post regarding of IPBan. This regex is still working with IPBan 1.5.9 like that rbjtech has posted before: Warn\sServer:\sAUTH-ERROR:\s(?<ipaddress>.+?)?\s-\sInvalid* Now for Cloudflare user's it's possible to ban IP directly by using cloudflares api and IPBan together!! IPBan uses Windows Firewall to block fraffic but Cloudflare users benefits if Cloudflare Firewall does to the job before traffic goes to directly into origin server where emby is running. From ipban.config edit: <add key="ProcessToRunOnBan" value="C:\Program Files\IPBan\IPBan.exe|###IPADDRESS###"/> <add key="ProcessToRunOnUnban" value="C:\Program Files\IPBan\IPUnBan.exe|###IPADDRESS###"/> File called IPBan.exe will Ban blocked IP at using Cloudflares Firewall and IPUnBan.exe deletes the record. Source for IPBan.exe # ScriptPath if ($MyInvocation.MyCommand.CommandType -eq "ExternalScript") { $ScriptPath = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition } else { $ScriptPath = Split-Path -Parent -Path ([Environment]::GetCommandLineArgs()[0]) } $IPBlock = "$args".TrimStart('|') Write-Host "Blocking: $IPBlock" "C:\Program Files\PHP\7.4\php.exe" "$ScriptPath\blockip.php" $IPBlock Source for IPUnBan.exe # ScriptPath if ($MyInvocation.MyCommand.CommandType -eq "ExternalScript") { $ScriptPath = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition } else { $ScriptPath = Split-Path -Parent -Path ([Environment]::GetCommandLineArgs()[0]) } $IPBlock = "$args".TrimStart('|') Write-Host "UnBlocking: $IPBlock" "C:\Program Files\PHP\7.4\php.exe" "$ScriptPath\unblockip.php" $IPBlock I Used Win-PS2EXE.exe to create (compile) these files. Also you will need php.exe to be located in dir "C:\Program Files\PHP\7.4\" And for php blocking code I have used API using php script. In attachments I have source code for this php files. There you need to (only) edit from both files (get details from Cloudflare): $authemail = "--mail--"; $authkey = "--authkey--"; Put these php files in the same directory as IPBan (like C:\Program Files\IPBan). Now if ewerything is ok -> when IPBan blocks IP, then Cloudflare Firewall block same IP also! Less traffick that passes to your origin! php.zip Edited January 20, 2021 by XSR 2 Link to comment Share on other sites More sharing options...
XSR 11 Posted January 20, 2021 Author Share Posted January 20, 2021 I know that last post from mine is difficult to understand, but it's true and mine config is working.. I always say to my friends "That is high Teck, if you get it running" Link to comment Share on other sites More sharing options...
rbjtech 4265 Posted January 20, 2021 Share Posted January 20, 2021 Very cool ! You can never have too many firewalls ! It's interesting that Cloudflare must effectively have a virtual firewall for every 'user' in order to be able to do this - as clearly you would have no authority banning any IP globally. Link to comment Share on other sites More sharing options...
rbjtech 4265 Posted February 2, 2021 Share Posted February 2, 2021 Slight update to the Regex now actually as I noticed that this was no longer capturing failed remote login attempts. It appears the log format has changed slightly - it was 'Warn HttpServer:' but has now been changed to 'Warn Server:' (no Http) So the config file is now - <LogFile> <Source>Emby</Source> <PathAndMask>C:\Users\USER\AppData\Roaming\Emby-Server\programdata\logs\embyserver.txt</PathAndMask> <Recursive>true</Recursive> <FailedLoginRegex> <![CDATA[ Warn\sServer:\sAUTH-ERROR:\s(?<ipaddress>.+?)?\s-\sInvalid* ]]> </FailedLoginRegex> <PlatformRegex>Windows</PlatformRegex> <PingInterval>10000</PingInterval> <MaxFileSize>16777216</MaxFileSize> </LogFile> example - from my embyserver.txt file - Warn Server: AUTH-ERROR: 85.255.237.217 - Invalid username or password entered After 5 tries - IPBan now blocks that remote IP on the Windows firewall until I restart IPBan. 2021-02-02 18:43:25.4747|WARN|DigitalRuby.IPBan.IPBanLog|Login failure: 85.255.237.217, , Emby, 2 2021-02-02 18:43:55.6663|WARN|DigitalRuby.IPBan.IPBanLog|Login failure: 85.255.237.217, , Emby, 4 2021-02-02 18:44:10.7715|WARN|DigitalRuby.IPBan.IPBanLog|Login failure: 85.255.237.217, , Emby, 5 2021-02-02 18:44:10.7878|WARN|DigitalRuby.IPBan.IPBanLog|Banning ip address: 85.255.237.217, user name: , config black listed: False, count: 5, extra info: 2021-02-02 18:44:10.8565|WARN|DigitalRuby.IPBan.IPBanLog|Updating firewall with 1 entries... 2021-02-02 18:44:25.9790|WARN|DigitalRuby.IPBan.IPBanLog|Login failure: 85.255.237.217, , Emby, 5 2021-02-02 18:44:25.9885|WARN|DigitalRuby.IPBan.IPBanLog|IP 85.255.237.217, , Emby ban pending. Now working again. 1 Link to comment Share on other sites More sharing options...
mdoliver 0 Posted July 1, 2021 Share Posted July 1, 2021 A regex used to detect IPs generated from invalid login and forbidden login attempts. Forbidden entries are created in embyserver.txt where usernames have their "Allow remote connections" option unchecked or denied. Kudos go to AS who I don't believe is on this forum. Valid for Emby v4.6.3.0 <LogFile> <Source>Emby</Source> <PathAndMask>C:\Users\USER\AppData\Roaming\Emby-Server\programdata\logs\embyserver.txt</PathAndMask> <Recursive>true</Recursive> <FailedLoginRegex> <![CDATA[ Warn\sServer:\sAUTH-ERROR:\s(?<ipaddress>.+?)?\s-\s(Invalid|Forbidden).* ]]> </FailedLoginRegex> <PlatformRegex>Windows</PlatformRegex> <PingInterval>10000</PingInterval> <MaxFileSize>16777216</MaxFileSize> </LogFile> Example extracts from embyserver.txt. Warn Server: AUTH-ERROR: <ipaddress> - Forbidden. Warn Server: AUTH-ERROR: <ipaddress> - Invalid username or password entered. Link to comment Share on other sites More sharing options...
crusher11 851 Posted July 16, 2021 Share Posted July 16, 2021 Is it possible to run this, or something similar, on a Synology setup? Link to comment Share on other sites More sharing options...
rbjtech 4265 Posted July 16, 2021 Share Posted July 16, 2021 (edited) 6 hours ago, crusher11 said: Is it possible to run this, or something similar, on a Synology setup? fail2ban is the unix version of IPBan - not sure if it has a synology version but I believe it's OS is unix based so worth a look. I would also investigate if it's something your reverse proxy can do as banning/blocking would be better done on the perimeter of the network anyway, rather than using the synology firewall. https://github.com/fail2ban/fail2ban/releases Edited July 16, 2021 by rbjtech Link to comment Share on other sites More sharing options...
crusher11 851 Posted July 16, 2021 Share Posted July 16, 2021 Well one thought I did have, if there is no Synology option, is I could run the Windows version with the CloudFlare code @XSR posted and that would theoretically work, if I pointed it to the right location for the log, right? Which achieves that. Requires my computer to be on, but that's true more often than not anyway. Although obviously running something on the Synology would be a better option. Link to comment Share on other sites More sharing options...
XSR 11 Posted July 17, 2021 Author Share Posted July 17, 2021 17 hours ago, crusher11 said: Well one thought I did have, if there is no Synology option, is I could run the Windows version with the CloudFlare code @XSR posted and that would theoretically work, if I pointed it to the right location for the log, right? Which achieves that. Requires my computer to be on, but that's true more often than not anyway. Although obviously running something on the Synology would be a better option. Use SMB to mount emby log folder (with letter) from Synology into your computer and edit IPBan's "PathAndMask" to point that mounted letter and emby log file. Then Cloudflare's IP banning works in realtime when your computer is on and emby traffick is routed trough Cloudflare. Link to comment Share on other sites More sharing options...
Turbofiero 4 Posted April 25, 2022 Share Posted April 25, 2022 (edited) Heres a better way to push bans to Cloudflare... no need for php, no need for converting to exe, purely done via powershell $ip=$args[0] $email="YOUREMAILADDRESS" $apikey="APIKEY" if($ip -like '*:*') { Write-Host 'IPv6 Address! Cancelling operation' exit } $BODY = @{'mode' = 'block' 'configuration' = @{ 'target' = "ip" 'value' = "$ip" } 'notes' = 'IPBan' } $Jsonbody = $Body | ConvertTo-Json Invoke-WebRequest -Uri "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" -Method 'POST' -Body $JSONBODY -ContentType "application/json" -Headers @{'Accept'='application/json';'X-Auth-Email'="$email";'X-Auth-Key'="$apikey"} Still working on a clean way to unban Edit; threw this together,, might not be the cleanest way to get the job done, but it works fine $ip=$args[0] $email="EMAILADDRESS" $apikey="APPIKEY" if($ip -like '*:*') { Write-Host 'IPv6 Address! Cancelling operation' exit } $content=Invoke-WebRequest -Uri "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?page=1&per_page=1&mode=block&configuration.target=ip&configuration.value=$ip&match=all&order=mode&direction=desc" -Method 'GET' -ContentType "application/json" -Headers @{'Accept'='application/json';'X-Auth-Email'="$email";'X-Auth-Key'="$apikey"} $id=$content.tostring() -split "[`r`n]" | select-string "id" | Select-Object -First 1 | % {$_-replace ('"id": "')} | % {$_-replace ('",')} | % {$_-replace (" ")} Invoke-WebRequest -Uri "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules/$id" -Method 'DELETE' -ContentType "application/json" -Headers @{'Accept'='application/json';'X-Auth-Email'="$email";'X-Auth-Key'="$apikey"} And this is how I call these scripts within IPBan C:\Program Files\PowerShell\7\pwsh.exe|C:\path\to\script.PS1 ###IPADDRESS### Edited April 25, 2022 by Turbofiero 1 Link to comment Share on other sites More sharing options...
Turbofiero 4 Posted April 27, 2022 Share Posted April 27, 2022 (edited) Ok so the documentation on cloudflares API is a little misleading, it does actually support both IPv4 and IPv6, so heres scripts that will also ban IPv6 addresses, along with logging added Block.ps1 # Cloudflare block IP $ip=$args[0] $date=Get-Date $logdate=Get-Date -format yyyy-MM-dd $logfile="$PSScriptRoot\Cloudflare-$logdate.log" # Replace API key & Email address $email="EMAILADDR" $apikey="APIKEY" Write-Output "$date Ban task started" >> $logfile # Check for IP arg if (!$args[0]) { Write-Output "$date Missing IP, Quitting..." >> $logfile exit } Write-Output "$date Attempting to block $ip" >> $logfile # Check if IP is IPv4 or IPv6 if($ip -like '*:*') { $ipv="ip6" } else { $ipv="ip" } $BODY = @{ 'configuration' = @{ 'target' = "$ipv" 'value' = "$ip" } 'mode' = 'block' 'notes' = "IPBan $date" } $Jsonbody = $Body | ConvertTo-Json # Actual ban operation Try { (Invoke-WebRequest -Uri "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" -Method 'POST' -Body $JSONBODY -ContentType "application/json" -Headers @{'Accept'='application/json';'X-Auth-Email'="$email";'X-Auth-Key'="$apikey"}) } catch { $message = $_ Write-Output "$date $message" >> $logfile Write-Output "$date Cloudflare API ERROR, Quitting..." >> $logfile exit } Write-Output "$date Task Finished Blocked $ipv $ip" >> $logfile Unblock.ps1 # Cloudflare unblock.ps1 $ip=$args[0] $date=Get-Date $logdate=get-date -format yyyy-MM-dd $logfile="$PSScriptRoot\Cloudflare-$logdate.log" # Replace API keys, Email address (AbuseIPDB API key not required) $email="EMAILADDR" $cfapikey="CFAPIKEY" $abuseipdbapikey="ABUSEIPDBAPIKEY" $score = 40 Write-Output "$date Unblock task started..." >> $logfile # Check for IP arg if (!$args[0]) { Write-Output "$date Missing IP, Quitting..." >> $logfile exit } Write-Output "$date Starting unblock of $ip" >> $logfile # Check against AbuseIPDB, Helpful so as not to unban known abusive IPs, Remove "<#" and "#>" to use this <# Try { $confidence=Invoke-WebRequest -Uri "https://api.abuseipdb.com/api/v2/check?ipAddress=$ip&maxAgeInDays=90" -Method 'GET' -ContentType "application/json" -Headers @{'Accept'='application/json';'Key'="$abuseipdbapikey"} | Select-Object -Expand Content| % {$_-replace ('.*abuseConfidenceScore":|,"country.*')} } Catch { $message = $_ Write-Output "$date $message" >> $logfile Write-Output "$date AbuseIPDB API ERROR" >> $logfile } Write-Output "$date Confidence score: $confidence" >> $logfile If ($score –lt $confidence) { Write-Output "$date Score above threshold, will not remove ban" >> $logfile exit } #> # Get ID of Cloudflare block rule Try { $content=Invoke-WebRequest -Uri "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?page=1&per_page=20&mode=block&configuration.target=ip&configuration.value=$ip&match=all&order=mode&direction=desc" -Method 'GET' -Headers @{'Accept'='application/json';'X-Auth-Email'="$email";'X-Auth-Key'="$cfapikey"} } catch { $message = $_ Write-Output "$date $message" >> $logfile Write-Output "$date Cloudflare API ERROR, unable to get ID of IP, Quitting..." >> $logfile exit } $id=$content.tostring() -split "[`r`n]" | select-string "id" | Select-Object -First 1 | % {$_-replace ('"id": "|",| ')} Write-Output "$date Got ID of block rule: $id..." >> $logfile # Remove ban Try { Invoke-WebRequest -Uri "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules/$id" -Method 'DELETE' -ContentType "application/json" -Headers @{'Accept'='application/json';'X-Auth-Email'="$email";'X-Auth-Key'="$cfapikey"} } catch { $message = $_ Write-Output "$date $message" >> $logfile Write-Output "$date Cloudflare API ERROR, Quitting..." >> $logfile exit } Write-Output "$date Task Finished Unbanned $ip" >> $logfile I have submitted pull requests to add this to IPBan/Recipes/Windows/Integrations on github, but I just wanted to update this here, for anyone that come across it Edited April 27, 2022 by Turbofiero Link to comment Share on other sites More sharing options...
Canaletto 2 Posted February 19 Share Posted February 19 On 7/2/2021 at 1:26 AM, mdoliver said: A regex used to detect IPs generated from invalid login and forbidden login attempts. Forbidden entries are created in embyserver.txt where usernames have their "Allow remote connections" option unchecked or denied. Hi, I'm in the process of configuring it. Do you have an idea for a regex to log successful connections, but also unsuccessful ones in order to extract the username? Merci Link to comment Share on other sites More sharing options...
Soundpool 2 Posted Monday at 02:44 PM Share Posted Monday at 02:44 PM I know I'm replying to a very old thread, but I was wondering if there's an updated Regex expression for ipban (preferably 4.8.5.0). Seemed more appropriately to reply here than create a new thread. I know Emby has a built-in anti-brute force now, but it doesn't actually ban IP's, just temporarily. Rather have repeat-offender completely blocked out. As I already run Ipban (RDP), it seems like a nice addition to have it monitor Emby logins as well. Now it seems the logging has changed over the years, making the templates above not work anymore. Since my skills with Regex expressions are pretty crap, I was hoping someone else had (or is able to) updated it. Link to comment Share on other sites More sharing options...
jaycedk 381 Posted Monday at 03:09 PM Share Posted Monday at 03:09 PM (edited) Not sure if this helps in any way, but have a look. The last post, has a new way of doing it. Edited Monday at 03:10 PM by jaycedk Link to comment Share on other sites More sharing options...
Soundpool 2 Posted Tuesday at 05:21 PM Share Posted Tuesday at 05:21 PM Thanks for the suggestion, but doesn't seem to help much. That whole thread is regarding fail2ban and Linux, I'm trying to get Ipban working on Windows. Now a Regex string may work regardless, but his does not work for me. Link to comment Share on other sites More sharing options...
visproduction 122 Posted yesterday at 02:02 PM Share Posted yesterday at 02:02 PM SP, You can manually update the host file as admin in Windows with the IP address followed by 127.0.0.1. It is also possible to large block IP's or entire countries this way. https://duckduckgo.com/?q=windows+host+IP+block+blacklist+countries&ia=web A large black list does affect the server start up time. Hope that helps. Link to comment Share on other sites More sharing options...
rbjtech 4265 Posted yesterday at 04:21 PM Share Posted yesterday at 04:21 PM On 23/04/2024 at 18:21, Soundpool said: Thanks for the suggestion, but doesn't seem to help much. That whole thread is regarding fail2ban and Linux, I'm trying to get Ipban working on Windows. Now a Regex string may work regardless, but his does not work for me. Yep - it now appears the logs are not using the previously method.. Infact - it appears they are not formulating a decent error log at all for failed auth .. All they appear to be logging is via the UserManager - the IP info is now in a different http response message, unrelated to the failure .. oh dear. Luckily I use Scripter-X to send alerts via 'On Auth failure' so that continues to work just fine (I got a pushover alert with this test) but if you are using fail2ban or ipban at the server level (and not upstream on a reverse proxy) then this is now going to require some more work. 2024-04-25 16:51:53.652 Error DefaultAuthenticationProvider: Invalid username or password. No user named Baduser exists 2024-04-25 16:51:53.653 Info UserManager: Authentication request for Baduser has been denied. 2024-04-25 16:51:53.661 Debug Notifications: Sending notification: Failed Login Attempt from Baduser on <server> 2024-04-25 16:51:53.661 Error Server: Invalid username or password entered. 2024-04-25 16:51:53.661 Info Server: http/1.1 Response 403 to 1.2.3.4. Time: 10ms. POST http:/<server>/emby/Users/authenticatebyname?... 2024-04-25 16:51:53.716 Info HttpClient: POST https://api.pushover.net/1/messages.json @Luke- Hi - Any reason why the previous log entry for failed Auth was changed ? Link to comment Share on other sites More sharing options...
Soundpool 2 Posted yesterday at 06:07 PM Share Posted yesterday at 06:07 PM 3 hours ago, visproduction said: SP, You can manually update the host file as admin in Windows with the IP address followed by 127.0.0.1. It is also possible to large block IP's or entire countries this way. https://duckduckgo.com/?q=windows+host+IP+block+blacklist+countries&ia=web A large black list does affect the server start up time. Hope that helps. Thanks for the input, it may not be a bad idea to geoblock the most risk-prone countries to possibly avoid some malicious attemps. However as a brute-force mitigator this alone seems not sufficient. 1 hour ago, rbjtech said: Yep - it now appears the logs are not using the previously method.. Infact - it appears they are not formulating a decent error log at all for failed auth .. All they appear to be logging is via the UserManager - the IP info is now in a different http response message, unrelated to the failure .. oh dear. Luckily I use Scripter-X to send alerts via 'On Auth failure' so that continues to work just fine (I got a pushover alert with this test) but if you are using fail2ban or ipban at the server level (and not upstream on a reverse proxy) then this is now going to require some more work. 2024-04-25 16:51:53.652 Error DefaultAuthenticationProvider: Invalid username or password. No user named Baduser exists 2024-04-25 16:51:53.653 Info UserManager: Authentication request for Baduser has been denied. 2024-04-25 16:51:53.661 Debug Notifications: Sending notification: Failed Login Attempt from Baduser on <server> 2024-04-25 16:51:53.661 Error Server: Invalid username or password entered. 2024-04-25 16:51:53.661 Info Server: http/1.1 Response 403 to 1.2.3.4. Time: 10ms. POST http:/<server>/emby/Users/authenticatebyname?... 2024-04-25 16:51:53.716 Info HttpClient: POST https://api.pushover.net/1/messages.json @Luke- Hi - Any reason why the previous log entry for failed Auth was changed ? Thanks for the input and validating I'm not actually crazy I'm indeed running ipban on my (Windows) host machine, so too bad to hear it may not be possible, or at the very least: difficult. I am running NPM in a docker container however, if it's possible and not to difficult (I'm not an expert) to setup fail2ban or ipban here., I wouldn't object to this. In fact that might even be better, as it may also provide brute-force security for my other apps this way? (like Ombi for instance) Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now