Zander3768 Posted January 16

I was re-configuring my setup & thought I'd add to this thread... On Debian (I'm using Fedora Server) I had to add a line in the jail.d/emby.local, otherwise you will get the error:

    "Failed during configuration: Have not found any log file for emby jail"

    backend=systemd

so it looks like this on my machine:

    [emby]
    enabled = true
    filter = emby
    logpath = /var/lib/emby/logs/embyserver.txt
    port = 80,443
    backend=systemd

I just wanted to share this in case it helps anyone else out in the future.

Zander3768 Posted February 9

::Fail2ban with SELinux + Cloudflare Proxy::

Hey everyone,

Just a followup to disregard my previous post. (@Luke can you plz kill that one, I don't want to share misinformation as I found a proper way)

I followed the OP steps but I noticed I was getting the following error on my Fedora-Server which I did not get on Ubuntu in the past:

    sudo systemctl status fail2ban
    ....
    ...fail2ban [13521]: ERROR Failed during configuration: Have not found any log file for emby jail....

Using fedora-server (SELinux), I wasn't able to read the emby logfile but I figured it all out and it works now. Here is what I did for anyone else that runs into the same issue. I hope this makes sense. I tried to explain myself the best I can - keep in mind I only have a little over a year of running Linux as my daily driver (and I love it btw).

I was able to get fail2ban working properly using what the OP says along with adding the following steps. The issue came down to SELinux.

I noticed rather than running the typical sudo systemctl start fail2ban, if I ran:

    sudo fail2ban-client start

fail2ban started up fine. I then stopped it so I could figure out why.

    sudo fail2ban-client stop

I noticed someone mentioned SELinux not playing nice with some logs so I disabled it temporarily with the command:

    sudo setenforce 0

I then ran the command

    sudo systemctl start fail2ban

it worked! But I had to figure out how and why. So I stopped it again by running:

    sudo systemctl stop fail2ban

turned SELinux back on:

    sudo setenforce 1

(this is where my friend with way more Linux experience helped me make it work)

I ran the command:

    sudo audit2allow -w -a

it spit out a lot of data which explains some of the issues. I then ran the command:

    sudo audit2allow -a -M mycertwatch

followed by:

    sudo semodule -i mycertwatch.pp

(give it a minute).

Then I ran the command

    sudo systemctl start fail2ban

and it worked, which I verified by checking its status

    sudo systemctl status fail2ban

Everything seems to be working now. fail2ban locally bans the IP as it should.

-------------------------------------------------

Now this works fine but I also run a cloudflare proxy with my server so I did a few more steps.

Of course I went into my cloudflare.conf file

    sudo nano /etc/fail2ban/action.d/cloudflare.conf

scrolled down and filled in the two main blanks:

    cftoken = xxxx (cloudflare.com/profile/api-tokens)
    cfuser = xxx@xxx.xxx (cloudflare email)

then I went into my emby jail (/etc/fail2ban/jail.d/emby.local) and added one line

    action = cloudflare

saved it then reloaded fail2ban

    sudo systemctl restart fail2ban

but when I got myself banned (I tested using a VPN IP), I wasn't really banned and could still access the page. It turned out this was due to SELinux again not letting fail2ban talk with cloudflare, which I discovered by looking at the fail2ban logfile:

    sudo tail -f /var/log/fail2ban.log

((the -f lets u view the log file in real-time. just hit ctrl + c to exit))

So I ran the command again:

    sudo audit2allow -w -a

yep, there it is:

So then I did:

    sudo audit2allow -a -M mycertwatch

followed by this again

    sudo semodule -i mycertwatch.pp

then I restarted fail2ban

    sudo systemctl restart fail2ban

and checked the status

    sudo systemctl status fail2ban

looks good. So I watched the log

    sudo tail -f /var/log/fail2ban.log

fired up a VPN, got myself banned and it worked. It did take a couple of extra seconds longer than I expected though, but I assume this is just because of the process between fail2ban, my server, firewalld, cloudflare & the DNS Proxy (a lot happens in a short time-frame).

I was able to verify this on the cloudflare website under Security > WAF > Tools and it listed the banned IP in the Value.

I was then able to successfully remove my banned IP as well

    sudo fail2ban-client unban --all

and so it seems to be working now.

I just wanted to share my findings here since it doesn't seem that well documented anywhere else and there doesn't seem to be a whole lot of conversation about using fail2ban aside from this and a couple other posts. I HIGHLY recommend using fail2ban with emby. It's a great resource once you get it all figured out. Also, make sure you find the [sshd] jail in the main jail and throw an enabled = true on there as well to protect yourself on there as well.

I hope this saves somebody a lot of time & headache. Thanks.
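
Added example, not part of the post above: `audit2allow -a` builds its module from every denial in the audit log, so this sketch groups AVC records by the blocked SELinux domain to show what a module such as mycertwatch would permit besides fail2ban's own accesses. The audit records are constructed for illustration, and the type names in them (fail2ban_t, var_lib_t, http_port_t, httpd_t, user_home_t) are assumptions about a typical Fedora policy.

```python
import re
from collections import defaultdict

# Constructed audit.log records (assumed typical AVC layout), not from the poster's system.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1707480000.101:410): avc:  denied  { read } for  pid=13521 comm="fail2ban-server" name="embyserver.txt" dev="dm-0" ino=262201 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1707480300.220:431): avc:  denied  { name_connect } for  pid=13602 comm="curl" dest=443 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1707480420.007:440): avc:  denied  { write } for  pid=2210 comm="httpd" name="upload" dev="dm-0" ino=131999 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
'''

# Pull the permission list, command name, source/target types and object class.
AVC = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)'
    r'.*?\btcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+).*?\btclass=(?P<cls>\w+)')


def denials_by_domain(audit_text):
    """Group denied accesses by the SELinux domain (source type) that was blocked."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC.search(line)
        if m:
            for perm in m["perms"].split():
                grouped[m["src"]].add((m["comm"], m["tgt"], m["cls"], perm))
    return dict(grouped)


def outside_domain(audit_text, wanted="fail2ban_t"):
    """Domains other than `wanted` whose denials a module built with -a would also allow."""
    return sorted(d for d in denials_by_domain(audit_text) if d != wanted)


if __name__ == "__main__":
    for domain, rules in sorted(denials_by_domain(SAMPLE_AUDIT).items()):
        print(domain, sorted(rules))
    print("unrelated domains swept in:", outside_domain(SAMPLE_AUDIT))
```

The .te file that `audit2allow -M` writes next to the .pp lists the same rules in source form and can be read before `semodule -i` loads the module.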

PaulE123 Posted March 24

Does fail2ban work correctly if using Emby Connect? I'm a Connect user and am wondering if I should set up fail2ban to harden defenses as it were...

Luke Posted March 25

6 hours ago, PaulE123 said:
    Does fail2ban work correctly if using Emby Connect? I'm a Connect user and am wondering if I should set up fail2ban to harden defenses as it were...

Hi, work in what way?

PaulE123 Posted March 25

5 hours ago, Luke said:
    HI, work in what way?

Hi Luke,

It's my understanding that fail2ban will cordon off/ban particular IP addresses after multiple failed logins. Is this model compatible with Emby Connect that is run on a Reverse Proxy setup?

My understanding of the model is a bit limited beyond this basic understanding, but the opening post of this thread suggests Emby Connect may not work properly with fail2ban configured... Perhaps using Emby Connect, then fail2ban isn't necessary?

Would appreciate any help/info, cheers

Luke Posted March 26

On 3/25/2024 at 3:53 AM, PaulE123 said:
    Hi Luke, It's my understanding that fail2ban will cordon off/ban particular IP addresses after multiple failed logins. Is this model compatible with Emby Connect that is run on a Reverse Proxy setup? My understanding of the model is a bit limited beyond this basic understanding, but the opening post of this thread suggests Emby Connect may not work properly with fail2ban configured... Perhaps using Emby Connect, then fail2ban isn't necessary? Would appreciate any help/info, cheers

With Emby Connect you're logging into our servers, so it's not really necessary.

pbathuk Posted Sunday at 09:16 PM

I was going to start a new thread, but wanted to let people be aware of a change to the fail2ban config required based on my setup.

The logs now don't look identical to the 2019 view that was originally at the start of this thread, which means that the regex created does not work any longer.

The second bit, and this could be 1 of 2 reasons: 1) I am running emby, via the linuxserver docker and 2) running in docker, either way on my setup the logs have some strange characters (half width characters).

After some playing around and trying to get myself banned (mobile into my own network) I have found the following reports the correct host in my case:

    [INCLUDES]
    before = common.conf

    [Definition]
    failregex = ^.* Info Server\: http\/1\.1 Response 403 to \u200c\u200d\u200d<HOST>\u200c\..*$

Note the \u200c\u200d

    \u200c means : ZERO WIDTH NON-JOINER
    \u200d means : ZERO WIDTH JOINER

These characters appear to break <HOST> in fail2ban, but luckily are set as visible (\u200c is not in the log file, but is parsed in fail2ban)

Hope this helps someone else.

Cheers
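
Added example, not part of the post above: a check of the posted failregex against a log line that carries the zero-width characters, next to the same expression without them, plus a helper that lists invisible format characters in a line so a non-matching filter can be diagnosed. It goes beyond the post by adding a variant that tolerates any run of zero-width characters around the address. Assumptions: the log lines are constructed, and `HOST` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag.

```python
import re
import unicodedata

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# real expansion also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex from the post above, with the invisible characters spelled out.
POSTED = r"^.* Info Server\: http\/1\.1 Response 403 to \u200c\u200d\u200d<HOST>\u200c\..*$"
# The same expression without them, for comparison.
PLAIN = r"^.* Info Server\: http\/1\.1 Response 403 to <HOST>\..*$"
# Generalization (not from the thread): accept any run of zero-width characters.
ZW = r"[\u200b-\u200d\ufeff]*"
TOLERANT = r"^.* Info Server\: http\/1\.1 Response 403 to " + ZW + "<HOST>" + ZW + r"\..*$"

# Constructed log lines using a documentation address, not from a real server.
LINE_ZW = ("2024-05-05 21:10:03.123 Info Server: http/1.1 Response 403 to "
           "\u200c\u200d\u200d203.0.113.7\u200c. Time: 12ms.")
LINE_CLEAN = "2024-05-05 21:10:04.456 Info Server: http/1.1 Response 403 to 203.0.113.7. Time: 9ms."


def find_host(failregex, line):
    """Return the address a failregex would hand to the jail, or None."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None


def invisible_chars(line):
    """List (offset, code point, Unicode name) for every format (Cf) character."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
            for i, c in enumerate(line) if unicodedata.category(c) == "Cf"]


if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("plain", PLAIN), ("tolerant", TOLERANT)):
        print(name, find_host(rx, LINE_ZW), find_host(rx, LINE_CLEAN))
    for hit in invisible_chars(LINE_ZW):
        print(hit)
```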