
Firewall IP blocking plugin w/ ipstack reverse lookup


chef
Posted (edited)

I have written a plugin which will ban IP addresses at a system level if customizable conditions are met for faulty logins in Emby.



There are a couple of caveats to this plugin:

1. The Emby server application must be started with Administrator rights (Windows) or as root (Linux)

2. Windows is fully tested, Linux needs some testing. It would be great to speak with a Linux server admin about iptables specifically.

3. This plugin will use the ipstack.com API to reverse lookup the address which gets blocked and will give you location data in the UI (yes...yes... I know about VPNs masking actual location data)

4. The GitHub repository can be found here: https://github.com/chefbennyj1/Emby.Blacklist

I would love to get some feedback about the code from any Linux distro user, and it should be read over prior to any Linux user installing and running this plugin. It instantiates IPTABLES, which I cannot test properly.

DOWNLOAD: Blacklist.zip
Edited by chef
  • Like 3

maegibbons

Hi

 

I am generally a big believer in emby doing what it does best and leaving stuff outside of media to other tools.

 

HOWEVER, a plugin based upon failed logins injecting block rules into Windows firewall sounds interesting.

 

So please have a look at.

 

Krs

 

Mark

 

Sent from my SM-N976B using Tapatalk

chef
Posted (edited)

Cool it works!  I've been testing using the Emby log to simulate the actions involved!

 

The ban would have happened on the third attempt in 30 seconds! Just like a brute force attack.

2020-03-18 19:29:31.748 Info HttpServer: HTTP POST http://localhost:8096/emby/Users/authenticatebyname. UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
2020-03-18 19:29:31.753 Error UserManager: Error authenticating with provider Default
	*** Error Report ***
	Version: 4.3.1.0
	Command line: C:\Users\MediaServer\AppData\Roaming\Emby-Server\system\EmbyServer.dll -noautorunwebapp
	Operating system: Microsoft Windows NT 6.1.7601 Service Pack 1
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Runtime: file:///C:/Users/MediaServer/AppData/Roaming/Emby-Server/system/System.Private.CoreLib.dll
	Processor count: 8
	Program data path: C:\Users\MediaServer\AppData\Roaming\Emby-Server\programdata
	Application directory: C:\Users\MediaServer\AppData\Roaming\Emby-Server\system
	System.Exception: System.Exception: Invalid username or password
	   at Emby.Server.Implementations.Library.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
	   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser, CancellationToken cancellationToken)
	Source: Emby.Server.Implementations
	TargetSite: System.Threading.Tasks.Task`1[MediaBrowser.Controller.Authentication.ProviderAuthenticationResult] Authenticate(System.String, System.String, MediaBrowser.Controller.Entities.User)
	
2020-03-18 19:29:31.754 Info HttpClient: POST https://connect.emby.media/service/user/authenticate
2020-03-18 19:29:31.807 Info UserManager: Authentication request for Elliot has been denied.
2020-03-18 19:29:31.812 Info Firewall Ban: TESTING IP BAN: ::1
Edited by chef
  • Like 3

maegibbons

Cool....

 

Sent from my SM-N976B using Tapatalk

chef

I have done it! 

 

Only caveat: EmbyServer.exe has to be started with Admin privileges, but I have successfully created a plugin which will ban the IPs of bad login attempts.

 

It took a while to get it working, but it works.

 

I can see some issues, like making sure emby is elevated when it is run. 

  • Like 1

chef
Posted (edited)

5e7563e9886f9_firewallBanexample.png

 

A whole day of testing and things are working very well in Windows. Once the IP is blocked the Emby page becomes unresponsive. Perfect!

 

1. I'm going to add a time out feature where the IP address will become active after a specific time.

2. Linux is next. I've got to do some research to figure out the best way to add rules to a Linux firewall.

Edited by chef
  • Like 1
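
The rule described in this thread (a ban on the third failed login within 30 seconds, plus the planned timeout that lifts the ban again) can be sketched as a sliding-window counter. This is an added example, not code from the Emby.Blacklist plugin; `FailedLoginTracker`, the one-hour ban length, the LAN exemption list and the sample events are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
FMT = "%Y-%m-%d %H:%M:%S.%f"  # timestamp layout of the Emby log lines
# Assumption: LAN ranges that must never be banned (loopback is checked too).
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class FailedLoginTracker:
    def __init__(self, max_failures=3, window_s=30, ban_s=3600):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_s)
        self.ban_for = timedelta(seconds=ban_s)  # hypothetical ban length
        self.failures = defaultdict(deque)       # ip -> recent failure times
        self.banned = {}                         # ip -> time the ban expires

    def expire(self, now):  # lift bans that have run out, return released IPs
        released = [ip for ip, until in self.banned.items() if until <= now]
        for ip in released:
            del self.banned[ip]
        return released

    def record_failure(self, stamp, raw_ip):
        """Return True when this failed login should trigger a new ban."""
        now = datetime.strptime(stamp, FMT)
        ip = ipaddress.ip_address(raw_ip)        # ValueError on malformed input
        self.expire(now)
        key = str(ip)
        # Banning loopback/LAN sources locks the admin out; skip active bans too.
        if ip.is_loopback or any(ip in net for net in LAN) or key in self.banned:
            return False
        recent = self.failures[key]
        recent.append(now)
        while now - recent[0] > self.window:     # forget failures outside the window
            recent.popleft()
        if len(recent) < self.max_failures:
            return False
        self.banned[key] = now + self.ban_for
        del self.failures[key]
        return True

def replay(events, **settings):
    tracker = FailedLoginTracker(**settings)
    return [(ts, ip) for ts, ip in events if tracker.record_failure(ts, ip)]
# Constructed events: repeated ::1 failures plus documentation-range addresses.
SAMPLE = [("2020-03-18 19:29:31.807", "::1")] * 3 + [
    ("2020-03-18 19:30:00.000", "203.0.113.7"), ("2020-03-18 19:30:00.500", "198.51.100.9"),
    ("2020-03-18 19:30:10.000", "203.0.113.7"), ("2020-03-18 19:30:20.000", "198.51.100.9"),
    ("2020-03-18 19:30:25.000", "203.0.113.7"), ("2020-03-18 19:30:45.000", "198.51.100.9"),
]
```

A firewall rule would be added where `record_failure` returns True and removed for each address `expire` returns; parsing the address with `ipaddress` first keeps malformed input out of any firewall command.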

PrincessClevage

Nice Dish Chef,

Where can I find the plugin?

chef

I'm going to do another day of testing. Make sure that the removal of firewall rules is flawless. Then I'll post it on GitHub, and here in this thread.

 

Do you know if, when Emby restarts from an elevated process (it has been run as administrator), the restarted process version is also run as administrator?

chef
Posted (edited)

I've updated the main thread here with a video and download link.

 

This is very beta. If anyone is worried about what is happening at the system level, I would take a moment and read the GitHub repo so they can see the uses of iptables in Linux and netsh.exe in Windows.

 

Thanks!

Edited by chef
  • Like 2

PrincessClevage
Posted (edited)

Once this is stabilised this should be considered to be added as part of core emby build imo

Edited by PrincessClevage
  • Like 1

chef

I've added a new feature.

 

The configuration keeps track of successful login IPs, device and users.

 

To combat DDoS attacks and brute force, the server will create a Boolean value called "IsRegistered" and compare failed attempts' device type, users and IPs to attempt to block access sooner if things aren't adding up.

  • Like 2

PrincessClevage

Can be a slippery (for the masses) slope adding in additional logic. Appreciate the work Chef!

neik

@chef, do you plan on publishing this to the official PlugIn catalogue?

chef
Posted (edited)
Edited by chef
  • Like 1

maegibbons

I think the Emby developers have a similar thing being worked out for the core emby code.

 

Not sure if it will involve the firewall, but I believe Emby will have a lockout system implemented in the near future.

 


If it is coming after the Live TV upgrade and Channel Management that could still be 5 years or more away.

 

Can we not use your plug-in in the meantime?

 

Krs

 

Mark

 

Sent from my SM-N976B using Tapatalk

  • Like 2

neik

If it is coming after the Live TV upgrade and Channel Management that could still be 5 years or more away.

 

Can we not use your plug-in in the meantime?

 

Krs

 

Mark

 

Sent from my SM-N976B using Tapatalk

 

Agree!

Once it gets into the Emby core this plugin would probably be obsolete but until then it would be a nice feature to use.

 

@Luke, @ebr, can this be included in the catalogue? Or any statement regarding what chef said?

PrincessClevage

You can use it now: just download the zip file and place the dll into the plugin directory, then restart Emby server, then check the plugin section under Emby server management.

chef

I've updated the download link on the first post.

mrjurek

I keep my fingers crossed.

Please add the *.dll file to the download.

chef

chef

I've come back to this plugin recently after I noticed that someone was hitting my domain repeatedly, trying to get past different user accounts.

I reinstalled this plugin back on my machine, and it worked!

They are blocked. Unless they change their IP and try hitting it again, they will stay blocked, and to be honest, this plugin will just ban them after three missed tries anyway.

This seems to be a working updated version of Blacklist plugin.

 

The image below shows the interface, but I removed the attacker's IP because I'm pretty sure that the community consists of much better hackers than that person, and I didn't want to cause them any real issues. LOL.

blacklist-new.thumb.png.478e1e97ab3618c8c4c4d39a16415f18.png

 

Blacklist.zip

Edited by chef
  • Like 1
