Carlo 4561 Posted October 8, 2018

In looking at the server log today it was discovered IPs coming from China trying to discover vulnerabilities in Emby. In this case it was trying to run PHP files but this doesn't really matter. In each case Emby logged a "HTTP Response 404" to the log.

What I would request as a FEATURE is an AUTO BAN of IPs (blacklist) for a given period of time. So for example if x.x.x.x IP tried to access Emby and generated 5, 10 (insert #) of 404 errors it would get AUTO BANNED for Y amount of time which could be 15 minutes to an hour.

With the right settings for number of 404 errors and ban time this would quickly shut down these "port scans" and protect our Emby servers.

Carlo

Jdiesel 1431 Posted October 8, 2018

Lots of folks are using Fail2Ban for this

Carlo 4561 Posted October 8, 2018 Author

> Lots of folks are using Fail2Ban for this

There are several solutions that could be set up via some type of firewall. That is more of a power user type feature and not for your typical user. So I was just thinking that since Luke has already added blacklisting to the server this would be an extension of that and it would surely help protect systems that aren't sitting behind an IP blocked firewall.

CBers 7450 Posted October 8, 2018

@cayars

Use a reverse proxy (nginx) and put Emby behind it, and set it up to check against a list of blacklisted IP addresses.

You can also run a script to search the nginx logs for failed attempts and auto-add them to the blacklisted IP address list.

@Swynol wrote a good guide for setting up nginx.

@PenkethBoy wrote a PowerShell script to extract and update the blacklisted IP address list.

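The rule requested in the first post (N 404 responses from one IP, then a timed ban), applied to reverse-proxy logs as suggested above. This is an added example, not part of the thread and not the PowerShell script mentioned in it. It assumes nginx's default "combined" access-log format; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: ip - user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def find_bans(lines, max_404=5, window=timedelta(minutes=10),
              ban_time=timedelta(minutes=30)):
    """Return [(ip, ban_start, ban_end)] for clients that produce
    max_404 responses with status 404 inside one sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
    banned_until = {}             # ip -> end of the current ban
    bans = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip malformed or truncated lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue              # still banned: do not count or re-ban
        if m["status"] != "404":
            continue              # normal traffic never counts toward a ban
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()        # forget 404s older than the window
        if len(hits) >= max_404:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            hits.clear()          # start counting afresh after the ban
    return bans

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE = [
    f'203.0.113.7 - - [08/Oct/2018:10:00:0{i} +0000] '
    f'"GET /probe{i}.php HTTP/1.1" 404 162 "-" "-"'
    for i in range(6)
] + [
    '198.51.100.4 - - [08/Oct/2018:10:00:01 +0000] "GET /web/index.html HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [08/Oct/2018:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "-"',
    'garbage line without the expected fields',
]
```

The returned tuples are what a scheduled job would write into the proxy's deny list and remove again once `ban_end` has passed. A single missing favicon or artwork request does not trigger a ban because only repeated 404s inside the window count.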
Carlo 4561 Posted October 8, 2018 Author

I had started down that road previously but it's not an easy setup for a lay person to do. More of a power user setup. I was just thinking of the normal admin who installs Emby and how to help protect their systems.

pir8radio 1312 Posted October 9, 2018

> In looking at the server log today it was discovered IPs coming from China trying to discover vulnerability in emby. In this case it was trying to run PHP files but this doesn't really matter. In each case Emby logged a "HTTP Response 404" to the log.
>
> What I would request as a FEATURE is an AUTO BAN of IPs (blacklist) for a given period of time. So for example if x.x.x.x ip tried to access Emby and generated 5, 10 (insert #) of 404 errors it would get AUTO BANNED for Y amount of time which could be 15 minutes to an hour.
>
> With the right settings for number of 404 errors and ban time this would quickly shut down these "port scans" and protect our Emby servers.
>
> Carlo

It's pretty common and harmless if your server is secure. They are not necessarily trying to find Emby holes. They are looking for common misconfigured servers, and holes people leave in their setups. Below are the top 13 or so from one of my servers, and the results look the same across all of my web servers. Most of them look for default PHP setups. And China is the main bad guy.

Edited October 9, 2018 by pir8radio

Thuzad 50 Posted October 15, 2018

@pir8radio What software are you using to get this?

K-O-K 7 Posted October 17, 2018

> @pir8radio What software are you using for get this ?

Yes! It would be really good to know what software is providing those stats! @pir8radio

Jdiesel 1431 Posted October 17, 2018

It is an nginx log analysis tool. There are many options out there but @pir8radio appears to be using Weblog Expert.

pir8radio 1312 Posted October 17, 2018

Oh, yeah, it's for nginx, Apache, and IIS logs... you need to be running a reverse proxy for this to work... But Jdiesel is correct, they were all created using Weblog Expert. Here is a post that shows some other stats you can get: https://emby.media/community/index.php?/topic/35555-any-interest-in-a-tutorial-for-statsreverse-proxy/?p=335338

Edited October 17, 2018 by pir8radio