BAlGaInTl 288 Posted February 7, 2019 (edited)

So with the recent updates to Emby logging with the new server version, I thought I would try my hand at fail2ban. My server is running the most recent stable OpenMediaVault (OMV) with the fail2ban plugin, with Emby running in Docker.

I struggled with it for a while and just couldn't get it to work. I delved deeper and determined it did seem to be working, but not as I expected. I've determined that:

- The failregex statement is working
- The emby jail is identifying the failed login
- IPTables rule is being created

But I can just keep putting in wrong user/pass combinations, and I'm never actually blocked. I set rules that only allowed 2 attempts, and only blocked for 500 seconds for testing.

So, here is some of what I have done:

OMV fail2ban settings for emby jail:

    Name: emby
    Port: 8096
    Max Retry: 2
    Ban Time: 500
    Filter: emby
    Log path: /pathto/embyserver.txt

I created a custom emby.conf file with the following:

    # Fail2Ban configuration file for Emby 4.x.x.x
    #
    # Author: BAlGaInTl
    #
    #

    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    [Definition]

    failregex = .AUTH-ERROR: <HOST> - Invalid username or password entered.

    ignoreregex =

Then I hammered the server login and monitored "fail2ban-client status emby":

    Status for the jail: emby
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     2
    |  `- File list:        /pathto/embyserver.txt
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   192.168.86.226

Everything looks good. So I checked the iptables using "iptables -L -n -v" and found the following entry:

    Chain f2b-emby (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       192.168.86.226       0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

So am I missing something? Why can I continue to log in after failed login attempts?

If I manually create a rule using "iptables -I INPUT -s 192.168.86.226 -j DROP" it immediately blocks the same computer.

I admit this is my first time playing around with anything other than the defaults for fail2ban and iptables, and I've never tried to track down an issue in this way. Any help or insight is appreciated. I feel like I've gotten "almost" there on my own... just don't know what I'm missing.

Edited February 11, 2019 by BAlGaInTl
sfatula 207 Posted February 7, 2019

Can you post the complete output of iptables -L, once you have triggered the rule. I.e., not just the rule you posted, all iptables rules.
BAlGaInTl 288 Posted February 8, 2019 (Author)

> Can you post the complete output of iptables -L, once you have triggered the rule. I.e., not just the rule you posted, all iptables rules.

I triggered it again and did an iptables -L:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    f2b-emby   tcp  --  anywhere             anywhere             multiport dports 8096

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DOCKER-USER  all  --  anywhere             anywhere
    DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    DOCKER     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain DOCKER (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:8096

    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    target     prot opt source               destination
    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain DOCKER-ISOLATION-STAGE-2 (1 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain DOCKER-USER (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-emby (1 references)
    target     prot opt source               destination
    REJECT     all  --  desktop-bei15gu.lan  anywhere             reject-with icmp-port-unreachable
    RETURN     all  --  anywhere             anywhere
BAlGaInTl 288 Posted February 8, 2019 (Author)

And this is iptables -L -n -v:

    Chain INPUT (policy ACCEPT 2351 packets, 456K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 f2b-emby   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 8096

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    45690   53M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    45690   53M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    26803   45M ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       87  4577 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    18800 7594K ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 2396 packets, 1691K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain DOCKER (1 references)
     pkts bytes target     prot opt in     out     source               destination
       81  4265 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8096

    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
     pkts bytes target     prot opt in     out     source               destination
    18800 7594K DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    45690   53M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain DOCKER-ISOLATION-STAGE-2 (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    18800 7594K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain DOCKER-USER (1 references)
     pkts bytes target     prot opt in     out     source               destination
    1012K 1244M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain f2b-emby (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       192.168.86.226       0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
sfatula 207 Posted February 9, 2019

What does it show on your server dashboard, specifically the section for the server connection details for in home (LAN) and WAN access?
BAlGaInTl 288 Posted February 10, 2019 (Author, edited)

    LAN: http://172.17.0.2:8096/
    WAN: https://mydomain.com:port/

I do notice now that the LAN address is actually 192.168.86.x. I'm guessing that IP is a docker thing?

Edited February 10, 2019 by BAlGaInTl
Soggybottoms 3 Posted February 10, 2019

Hi, I don't know much about OMV, but I am assuming that iptables/fail2ban is being run by the host (and not inside the docker container). If so, check out this blog post: http://blog.amigapallo.org/2016/04/14/configuring-fail2ban-and-iptables-to-get-along-with-docker/

As stated in the blog post, it sounds like you'll need to modify the action statement to add rules to point to the FORWARD chain, and not INPUT as your output shows above. The link I found shows a ban action configuration file that you can modify (his example is: fail2ban-postfix-action.conf) for the emby jail you created and test out to see if that will fix your issue. Make sure to update your emby jail configuration file to reflect the new action configuration (as per his example: banaction = fail2ban-postfix-action).

Good luck
sfatula 207 Posted February 11, 2019

That sounds right since fail2ban runs on input only by default. There is clearly forwarding going on here. I just don't know docker.
BAlGaInTl 288 Posted February 11, 2019 (Author)

> Hi, I don't know much about OMV, but I am assuming that iptables/fail2ban is being run by the host (and not inside the docker container). If so, check out this blog post: http://blog.amigapallo.org/2016/04/14/configuring-fail2ban-and-iptables-to-get-along-with-docker/
>
> As stated in the blog post, it sounds like you'll need to modify the action statement to add rules to point to the FORWARD chain, and not INPUT as your output shows above. The link I found shows a ban action configuration file that you can modify (his example is: fail2ban-postfix-action.conf) for the emby jail you created and test out to see if that will fix your issue. Make sure to update your emby jail configuration file to reflect the new action configuration (as per his example: banaction = fail2ban-postfix-action).
>
> Good luck

> That sounds right since fail2ban runs on input only by default. There is clearly forwarding going on here. I just don't know docker.

Thanks for the insight. I was actually able to get it working by creating a custom action for the Emby docker based on the link above, as well as this article I found that gave a good explanation: https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/

It's working now. So I had to:

- Create a custom jail reference
- Create a custom action and reference it in the jail
- Create a custom filter

Now that I know how to do it, I could apply it to any other docker I think.

Thank you all for the assistance.
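As an added worked example (not code from this thread, from fail2ban, or from the linked articles), the following Python script walks through the two technical points the thread turns on. First, the failregex from the emby.conf above, with fail2ban's `<HOST>` placeholder expanded, is run over constructed Emby-style log lines and evaluated against a maxretry/findtime window to decide which source address would be banned; this is the part the original poster had already confirmed was working. Second, it lists the iptables commands a Docker-aware ban action issues, hooking the f2b-emby chain off DOCKER-USER rather than INPUT. The zero packet count on the f2b-emby jump in the INPUT chain of the `iptables -L -n -v` output is the symptom: packets for a published container port are forwarded, so a rule in INPUT never sees them. The sample log lines, their timestamp layout, and the HOST_PATTERN approximation of fail2ban's placeholder expansion are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The failregex from the thread's emby.conf. The leading "." is a one-character
# wildcard; fail2ban strips the timestamp before matching, so the pattern only has
# to cover the message part of the line.
FAILREGEX = r".AUTH-ERROR: <HOST> - Invalid username or password entered."

# Assumption: an approximation of the pattern fail2ban substitutes for <HOST>
# (IPv4 addresses and hostnames; the real one also handles IPv6 forms).
HOST_PATTERN = r"(?P<host>[\w\-.^_]*\w)"

# Constructed sample lines in an Emby-like layout (not real server output).
SAMPLE_LOG = """\
2019-02-07 21:10:01.100 Info HttpServer: AUTH-ERROR: 192.168.86.226 - Invalid username or password entered.
2019-02-07 21:10:05.200 Info HttpServer: AUTH-ERROR: 192.168.86.226 - Invalid username or password entered.
2019-02-07 21:10:09.300 Info HttpServer: Authenticated user admin from 192.168.86.50
2019-02-07 21:10:12.400 Info HttpServer: AUTH-ERROR: 192.168.86.50 - Invalid username or password entered.
2019-02-07 21:30:00.000 Info HttpServer: AUTH-ERROR: 192.168.86.50 - Invalid username or password entered.
"""


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <HOST> placeholder the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_failures(log_text: str, failregex: str = FAILREGEX):
    """Yield (timestamp, host) for every line the failregex matches."""
    rx = compile_failregex(failregex)
    for line in log_text.splitlines():
        match = rx.search(line)
        if match is None:
            continue
        # First 23 characters are the constructed "YYYY-MM-DD HH:MM:SS.mmm" stamp.
        stamp = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S.%f")
        yield stamp, match.group("host")


def hosts_to_ban(log_text: str, maxretry: int = 2, findtime: int = 600,
                 failregex: str = FAILREGEX) -> list:
    """Return hosts that reach maxretry failures inside a sliding findtime window,
    in the order they crossed the threshold (fail2ban's ban decision)."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = []
    for stamp, host in parse_failures(log_text, failregex):
        window = recent[host]
        window.append(stamp)
        while window and (stamp - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def docker_ban_commands(ip: str, port: int = 8096, chain: str = "f2b-emby") -> list:
    """iptables commands a Docker-aware action runs for one ban.

    The stock action in the thread jumped to f2b-emby from INPUT, but packets for
    a published container port are forwarded, so INPUT never sees them (its jump
    showed 0 packets). Hooking the chain off DOCKER-USER, which Docker consults
    first in FORWARD, puts the REJECT on the path the traffic actually takes.
    """
    return [
        f"iptables -N {chain}",
        f"iptables -A {chain} -j RETURN",
        f"iptables -I DOCKER-USER -p tcp -m multiport --dports {port} -j {chain}",
        f"iptables -I {chain} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable",
    ]


if __name__ == "__main__":
    for stamp, host in parse_failures(SAMPLE_LOG):
        print(f"failure {stamp} from {host}")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
    print("\n".join(docker_ban_commands("192.168.86.226")))
```

With the sample data, 192.168.86.226 fails twice within a few seconds and crosses Max Retry 2, while 192.168.86.50's two failures are twenty minutes apart and fall outside the default findtime, so only the first address is banned. The regex check here is a stand-in for running fail2ban's own tester against the real log, `fail2ban-regex /pathto/embyserver.txt /etc/fail2ban/filter.d/emby.conf`, which is the quickest way to confirm a filter before touching the action side. The chain choice is the actual fix from the thread: after banning, `iptables -L DOCKER-USER -n -v` should show the jump to f2b-emby with a rising packet count, which the INPUT-chain jump never did.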
Ratatouille 14 Posted July 11, 2019

> Thanks for the insight. I was actually able to get it working by creating a custom action for the Emby docker based on the link above, as well as this article I found that gave a good explanation: https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/
>
> It's working now. So I had to:
>
> - Create a custom jail reference
> - Create a custom action and reference it in the jail
> - Create a custom filter
>
> Now that I know how to do it, I could apply it to any other docker I think.
>
> Thank you all for the assistance.

Would you mind posting in detail the 3 steps above, in order to achieve it, since I am running OMV and Emby and Let's Encrypt/fail2ban dockers?