HOW TO: Fail2ban configuration using linux


cpeng

Zander3768

I was re-configuring my setup & thought I'd add to this thread...

On Debian (I'm using Fedora Server) I had to add a line in jail.d/emby.local, otherwise you will get the error: "Failed during configuration: Have not found any log file for emby jail"

backend=systemd

so it looks like this on my machine:

[emby]
enabled = true
filter = emby
logpath = /var/lib/emby/logs/embyserver.txt
port = 80,443
backend=systemd

I just wanted to share this in case it helps anyone else out in the future. 🙂


  • 4 weeks later...
Zander3768

::Fail2ban with SELinux + Cloudflare Proxy::

Hey everyone, just a follow-up: disregard my previous post. (@Luke, can you please kill that one? I don't want to share misinformation, as I found a proper way.)

I followed the OP steps but I noticed I was getting the following error on my Fedora-Server which I did not get on Ubuntu in the past:

sudo systemctl status fail2ban 
....
...fail2ban   [13521]: ERROR   Failed during configuration: Have not found any log file for emby jail....


Using Fedora Server (SELinux), I wasn't able to read the Emby log file, but I figured it all out and it works now. Here is what I did for anyone else that runs into the same issue. I hope this makes sense. I tried to explain myself the best I can - keep in mind I only have a little over a year of running Linux as my daily driver (and I love it btw).

 

I was able to get fail2ban working properly using what the OP says along with adding the following steps.

The issue came down to SELinux.

I noticed rather than running the typical sudo systemctl start fail2ban, if I ran:

sudo fail2ban-client start

fail2ban started up fine.

I then stopped it so I could figure out why.

sudo fail2ban-client stop

I noticed someone mentioned SELinux not playing nice with some logs, so I disabled it temporarily with the command:

sudo setenforce 0

I then ran the command

sudo systemctl start fail2ban

It worked! But I had to figure out how and why.

So I stopped it again by running:

sudo systemctl stop fail2ban

turned SELinux back on:

sudo setenforce 1

(this is where my friend with way more Linux experience helped me make it work)

I ran the command :

sudo audit2allow -w -a

It spit out a lot of data, which explains some of the issues.

I then ran the command:

sudo audit2allow -a -M mycertwatch

followed by:

sudo semodule -i mycertwatch.pp

(give it a minute).

Then I ran the command

sudo systemctl start fail2ban

and it worked, which I verified by checking its status:

sudo systemctl status fail2ban

Everything seems to be working now. fail2ban locally bans the IP as it should.

-------------------------------------------------

Now this works fine but I also run a cloudflare proxy with my server so I did a few more steps.

Of course, I went into my cloudflare.conf file:

sudo nano /etc/fail2ban/action.d/cloudflare.conf

scrolled down and filled in the two main blanks:

cftoken = xxxx (cloudflare.com/profile/api-tokens)

cfuser = xxx@xxx.xxx  (cloudflare email)

then I went into my emby jail (/etc/fail2ban/jail.d/emby.local) and added one line:

action = cloudflare

saved it then reloaded fail2ban

sudo systemctl restart fail2ban

but when I got myself banned (I tested using a VPN IP), I wasn't really banned and could still access the page.

It turned out this was due to SELinux again not letting fail2ban talk with Cloudflare, which I discovered by looking at the fail2ban log file:

sudo tail -f /var/log/fail2ban.log

((the -f lets you view the log file in real time. Just hit Ctrl + C to exit))

So I ran the command again:

sudo audit2allow -w -a

yep, there it is:

So then I did:

sudo audit2allow -a -M mycertwatch

followed by this again

sudo semodule -i mycertwatch.pp

then I restarted fail2ban

sudo systemctl restart fail2ban

and checked the status

sudo systemctl status fail2ban

Looks good. So I watched the log:

sudo tail -f /var/log/fail2ban.log

fired up a VPN, got myself banned and it worked. It did take a couple of seconds longer than I expected though, but I assume this is just because of the process between fail2ban, my server, firewalld, Cloudflare & the DNS proxy (a lot happens in a short time frame).

I was able to verify this on the cloudflare website under Security > WAF > Tools and it listed the banned IP in the Value.

I was then able to successfully remove my banned IP as well

sudo fail2ban-client unban --all

and so it seems to be working now.

 

I just wanted to share my findings here since it doesn't seem that well documented anywhere else, and there doesn't seem to be a whole lot of conversation about using fail2ban aside from this and a couple of other posts. I HIGHLY recommend using fail2ban with Emby. It's a great resource once you get it all figured out. Also, make sure you find the [sshd] jail in the main jail file and put an enabled = true on there as well, to protect yourself there too.

I hope this saves somebody a lot of time & headache.

Thanks. :)
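As an added illustration (not part of this post or of fail2ban), here is a small Python triage helper that reads raw audit.log AVC records, keeps only the denials coming from the fail2ban SELinux domain, and renders them in the allow-rule form audit2allow prints, so the rules can be read before a module is built. The audit records are constructed, and the type names (fail2ban_t, var_lib_t, http_port_t) are assumed from the stock Fedora policy.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not real captures). The first three imitate what the
# post describes: fail2ban (domain fail2ban_t, name assumed from the stock Fedora
# policy) denied reading the Emby log, then denied an outbound HTTPS connection for
# the Cloudflare action; the last one is an unrelated httpd denial that a blanket
# "audit2allow -a -M ..." over the whole audit log would also turn into an allow rule.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1713600000.101:201): avc:  denied  { read } for  pid=13521 comm="fail2ban-server" name="embyserver.txt" dev="dm-0" ino=4242 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1713600000.102:202): avc:  denied  { open } for  pid=13521 comm="fail2ban-server" path="/var/lib/emby/logs/embyserver.txt" dev="dm-0" ino=4242 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1713600500.300:310): avc:  denied  { name_connect } for  pid=13588 comm="curl" dest=443 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1713600600.400:420): avc:  denied  { write } for  pid=900 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Yield one dict per AVC denial; sdomain/ttype are the type field of each context."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = set(rec["perms"].split())
            rec["sdomain"] = rec["scontext"].split(":")[2]
            rec["ttype"] = rec["tcontext"].split(":")[2]
            yield rec

def denials_for_domain(text, domain="fail2ban_t"):
    """Group denials from one source domain as (target type, class) -> permissions."""
    grouped = defaultdict(set)
    for rec in parse_avc(text):
        if rec["sdomain"] == domain:
            grouped[(rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(grouped)

def allow_rules(grouped, domain="fail2ban_t"):
    """Render the grouped denials in the allow-rule form audit2allow prints."""
    return [f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
            for (ttype, tclass), perms in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in allow_rules(denials_for_domain(SAMPLE_AUDIT)):
        print(rule)
```

On a real box the equivalent narrowing is `ausearch -c fail2ban-server --raw | audit2allow -M <module name>`, which only feeds that process's denials into the module.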


  • 1 month later...
PaulE123

Does fail2ban work correctly if using Emby Connect? I'm a Connect user and am wondering if I should set up fail2ban to harden defenses as it were... 


6 hours ago, PaulE123 said:

Does fail2ban work correctly if using Emby Connect? I'm a Connect user and am wondering if I should set up fail2ban to harden defenses as it were... 

Hi, work in what way?


PaulE123
5 hours ago, Luke said:

HI, work in what way?

Hi Luke,

It's my understanding that fail2ban will cordon off/ban particular IP addresses after multiple failed logins. Is this model compatible with Emby Connect that is run on a Reverse Proxy setup? My understanding of the model is a bit limited beyond this basic understanding, but the opening post of this thread suggests Emby Connect may not work properly with fail2ban configured...

Perhaps using Emby Connect, then fail2ban isn't necessary? Would appreciate any help/info, cheers


On 3/25/2024 at 3:53 AM, PaulE123 said:

Hi Luke,

It's my understanding that fail2ban will cordon off/ban particular IP addresses after multiple failed logins. Is this model compatible with Emby Connect that is run on a Reverse Proxy setup? My understanding of the model is a bit limited beyond this basic understanding, but the opening post of this thread suggests Emby Connect may not work properly with fail2ban configured...

Perhaps using Emby Connect, then fail2ban isn't necessary? Would appreciate any help/info, cheers

With Emby Connect you're logging into our servers, so it's not really necessary.


  • 4 weeks later...

I was going to start a new thread, but wanted to let people be aware of a change to the fail2ban config required based on my setup.

The logs now don't look identical to the 2019 view that was originally at the start of this thread, which means that the regex created does not work any longer. 

The second bit, and this could be one of two reasons: 1) I am running Emby via the linuxserver Docker image, and 2) it is running in Docker; either way, on my setup the logs have some strange characters (half-width characters).

After some playing around and trying to get myself banned (mobile into my own network) I have found the following reports the correct host in my case:

 

[INCLUDES]

before = common.conf

[Definition]

failregex = ^.* Info Server\: http\/1\.1 Response 403 to \u200c\u200d\u200d<HOST>\u200c\..*$

Note the \u200c\u200d 

\u200c means : ZERO WIDTH NON-JOINER

\u200d means : ZERO WIDTH JOINER

These characters appear to break <HOST> in fail2ban, but luckily are set as visible (\u200c is not in the log file, but is parsed in fail2ban).

 

Hope this helps someone else.

 

Cheers
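As an added example (not the poster's code and not fail2ban's), here is a Python check that expands <HOST> the way fail2ban does and runs three filters against a constructed Emby log line: a plain one written for the undecorated log format, the one from the post with the zero-width characters spelled out, and a generalised one that tolerates any run of zero-width characters around the address. The simplified <HOST> definition is an assumption that keeps the shape of fail2ban's classic one.

```python
import re

# fail2ban's classic expansion of the <HOST> tag (simplified from fail2ban's own
# definition; current releases use a richer <ADDR> alternation, but the shape is the same).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def expand(failregex):
    """Substitute <HOST> the way fail2ban does before compiling a filter line."""
    return failregex.replace("<HOST>", HOST_TAG)

def match_host(failregex, line):
    """Return the captured <HOST> for one log line, or None when the filter misses."""
    m = re.search(expand(failregex), line)
    return m.group("host") if m else None

# Constructed log line (not a real capture) in the shape the post describes: the address
# is wrapped in U+200C / U+200D zero-width characters that are invisible when printed.
ZW_LINE = ("2024-04-20 10:00:00.123 Info Server: http/1.1 Response 403 to "
           "\u200c\u200d\u200d203.0.113.5\u200c. Time: 2ms. http://example.test/emby/Users/AuthenticateByName")
# The same line as an undecorated log would carry it.
PLAIN_LINE = ZW_LINE.replace("\u200c", "").replace("\u200d", "")

# A filter written for the undecorated form: <HOST> has to begin right after "to ".
PLAIN_RE = r"^.* Info Server\: http\/1\.1 Response 403 to <HOST>\..*$"
# The filter from the post, with the zero-width characters spelled out.
POSTED_RE = r"^.* Info Server\: http\/1\.1 Response 403 to \u200c\u200d\u200d<HOST>\u200c\..*$"
# Generalisation (my addition, not from the post): accept any run of zero-width
# characters on either side of the address, so one filter matches both log styles.
ZW_ANY = r"[\u200b-\u200d\ufeff]*"
TOLERANT_RE = rf"^.* Info Server\: http\/1\.1 Response 403 to {ZW_ANY}<HOST>{ZW_ANY}\..*$"

if __name__ == "__main__":
    for name, rx in (("plain", PLAIN_RE), ("posted", POSTED_RE), ("tolerant", TOLERANT_RE)):
        print(name, match_host(rx, ZW_LINE), match_host(rx, PLAIN_LINE))
```

Against the real log, fail2ban's own `fail2ban-regex /var/lib/emby/logs/embyserver.txt /etc/fail2ban/filter.d/emby.conf` reports the same hit/miss counts per line.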
