
[Plugin] Firewall IP blocking with reverse lookup - Reworked


chef

I have completely reworked this plugin, and it now uses a great service which will find out a whole lot of information about the brute force attacker.

It will figure out if it is happening from a Proxy source, give ISP/Device/Location and Date information, while banning the IP from contacting the Server.


DOWNLOAD: 

Blacklist.zip

 


maegibbons

Hi

 

I am generally a big believer in emby doing what it does best and leaving stuff outside of media to other tools.

 

HOWEVER, a plugin based upon failed logins injecting block rules into Windows firewall sounds interesting.

 

So please have a look at.

 

Krs

 

Mark

 


chef

Cool it works!  I've been testing using the Emby log to simulate the actions involved!

 

The Ban would have happened on the third attempt in 30 seconds! Just like a Brute force attack. 

2020-03-18 19:29:31.748 Info HttpServer: HTTP POST http://localhost:8096/emby/Users/authenticatebyname. UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
2020-03-18 19:29:31.753 Error UserManager: Error authenticating with provider Default
	*** Error Report ***
	Version: 4.3.1.0
	Command line: C:\Users\MediaServer\AppData\Roaming\Emby-Server\system\EmbyServer.dll -noautorunwebapp
	Operating system: Microsoft Windows NT 6.1.7601 Service Pack 1
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Runtime: file:///C:/Users/MediaServer/AppData/Roaming/Emby-Server/system/System.Private.CoreLib.dll
	Processor count: 8
	Program data path: C:\Users\MediaServer\AppData\Roaming\Emby-Server\programdata
	Application directory: C:\Users\MediaServer\AppData\Roaming\Emby-Server\system
	System.Exception: System.Exception: Invalid username or password
	   at Emby.Server.Implementations.Library.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
	   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser, CancellationToken cancellationToken)
	Source: Emby.Server.Implementations
	TargetSite: System.Threading.Tasks.Task`1[MediaBrowser.Controller.Authentication.ProviderAuthenticationResult] Authenticate(System.String, System.String, MediaBrowser.Controller.Entities.User)
	
2020-03-18 19:29:31.754 Info HttpClient: POST https://connect.emby.media/service/user/authenticate
2020-03-18 19:29:31.807 Info UserManager: Authentication request for Elliot has been denied.
2020-03-18 19:29:31.812 Info Firewall Ban: TESTING IP BAN: ::1
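The rule described in the post above (a ban on the third failed login within 30 seconds), run over log lines in Python. This is an added example, not the plugin's code: the "(IP: ...)" suffix on the denied line, the `NEVER_BAN` range, the `EmbyBan-` rule name and the function names are assumptions; netsh is the Windows tool the thread says the plugin uses.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; the "(IP: ...)" suffix is an assumed format not shown in the thread.
SAMPLE_LOG = """\
2020-03-18 19:29:31.807 Info UserManager: Authentication request for Elliot has been denied (IP: 203.0.113.7).
2020-03-18 19:29:40.120 Info UserManager: Authentication request for admin has been denied (IP: 203.0.113.7).
2020-03-18 19:29:41.002 Info UserManager: Authentication request for Elliot has been denied (IP: 198.51.100.9).
2020-03-18 19:29:55.310 Info UserManager: Authentication request for root has been denied (IP: 203.0.113.7).
2020-03-18 19:30:02.000 Info UserManager: Authentication request for a has been denied (IP: ::1).
2020-03-18 19:30:03.000 Info UserManager: Authentication request for b has been denied (IP: ::1).
2020-03-18 19:30:04.000 Info UserManager: Authentication request for c has been denied (IP: ::1).
2020-03-18 19:31:30.000 Info UserManager: Authentication request for Elliot has been denied (IP: 198.51.100.9).
2020-03-18 19:31:31.000 Info UserManager: Authentication request for Elliot has been denied (IP: 198.51.100.9).
"""

# Anchored at end of line and greedy on the user name, so the address is taken
# from the server-written suffix rather than from text inside the name field.
DENIED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) Info UserManager: "
                    r"Authentication request for .* has been denied \(IP: ([^)\s]+)\)\.$")
NEVER_BAN = [ipaddress.ip_network("192.168.0.0/16")]  # assumed LAN range

def find_bans(log_text, threshold=3, window=timedelta(seconds=30)):
    """Return addresses that reach `threshold` denials within `window`."""
    recent, banned = defaultdict(deque), []
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))  # only literal addresses pass
        except ValueError:
            continue
        if ip.is_loopback or ip in banned or any(ip in n for n in NEVER_BAN):
            continue  # never lock out the host itself or the LAN
        hits = recent[ip]
        hits.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"))
        while hits[-1] - hits[0] > window:  # drop attempts older than the window
            hits.popleft()
        if len(hits) >= threshold:
            banned.append(ip)
    return banned

def block_command(ip):
    """netsh argv list (run without a shell); the rule name is hypothetical."""
    return ["netsh", "advfirewall", "firewall", "add", "rule",
            f"name=EmbyBan-{ip}", "dir=in", "action=block", f"remoteip={ip}"]
```

Only 203.0.113.7 is banned here: 198.51.100.9 fails three times but not inside one 30-second window, and the loopback address from the test run in the post is skipped so the server cannot ban itself.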

chef

I have done it! 

 

Only caveat: EmbyServer.exe has to be started with Admin privileges, but I have successfully created a plugin which will ban the IPs of bad login attempts.

 

It took a while to get it working, but it works.

 

I can see some issues, like making sure emby is elevated when it is run. 


chef


 

A whole day of testing and things are working very well in Windows. Once the IP is blocked the emby page becomes unresponsive. Perfect!

1. I'm going to add a timeout feature where the IP address will become active after a specific time.

2. Linux is next. I've got to do some research to figure out the best way to add rules to a Linux firewall.


chef

I'm going to do another day of testing. Make sure that the removal of firewall rules is flawless. Then I'll post it on GitHub, and here in this thread.

 

Do you know if, when Emby restarts from an elevated process (it has been run as administrator), the restarted process is also run as administrator?


chef

I've updated the main thread here with a video and download link.

 

This is very beta. If anyone is worried about what is happening at the system level, I would take a moment and read the GitHub repo so they can see the uses of iptables in Linux and netsh.exe in Windows.

 

Thanks!


PrincessClevage

Once this is stabilised this should be considered to be added as part of core emby build imo


chef

I've added a new feature.

 

The configuration keeps track of successful login IPs, device and users.

 

To combat DDoS attacks and brute force, the server will create a Boolean value called "IsRegistered" and compare failed attempts' device type, users and IPs to attempt to block access sooner if things aren't adding up.


PrincessClevage

Can be a slippery (for the masses) slope adding in additional logic. Appreciate the work Chef!


maegibbons

I think the Emby developers have a similar thing being worked out for the core emby code.

 

Not sure if it will involve the firewall, but I believe emby will have a lockout system implemented in the near future.

 


If it is coming after the Live TV upgrade and Channel Management that could still be 5 years or more away.

 

Can we not use your plug-in in the meantime?

 

Krs

 

Mark

 


neik

If it is coming after the Live TV upgrade and Channel Management that could still be 5 years or more away.

 

Can we not use your plug-in in the meantime?

 

Krs

 

Mark

 


 

Agree!

Once it gets into the Emby core this plugin would probably be obsolete but until then it would be a nice feature to use.

 

@Luke, @ebr, can this be included in the catalogue? Or any statement regarding what chef said?


PrincessClevage

You can use it now: just download the zip file and place the dll into the plugin directory, then restart emby server, then check the plugin section under emby server management.


I've come back to this plugin recently after I noticed that someone was hitting my domain repeatedly, trying to get past different user accounts.

I reinstalled this plugin back on my machine, and it worked!

They are blocked. Unless they change their IP and try hitting it again, they will stay blocked, and to be honest, this plugin will just ban them after three missed tries anyway.

This seems to be a working updated version of Blacklist plugin.

 

The image below shows the interface, but I removed the attacker's IP because I'm pretty sure that the community consists of much better hackers than that person, and I didn't want to cause them any real issues. LOL.

 

 


I've changed the first post with an update. I have figured out how to get a whole lot of hacker information in this plugin. If someone brute forces your server, this plugin will stop that from happening.


PrincessClevage
1 hour ago, chef said:

I've changed the first post with an update. I have figured out how to get a whole lot of hacker information in this plugin. If someone brute forces your server, this plugin will stop that from happening.

Any notifications of when blocks occur possible?


9 hours ago, PrincessClevage said:

Any notifications of when blocks occur possible?

Absolutely. Would you like to see it in the activity list on the dashboard, or a popup message sent out to logged in Admin users?
