fail2ban does not work in time

happyreacer · 25. Januar 2017

I have a crazy problem with fail2ban.
I have two jails. nginx-404 and a self maked for emby.
for emby:
I have test it over the web and i can test more then 3 (it is my option) and i have no ban effect. some minutes later i can see in the protokols the fould login an the baned IP. Does the flashmemory plugin make the problem?
for nginx-404:
i test it over the web, too. But no effect. no ban no foulds. I dont no wy. I use the default plugin jail. and when i test it with

Code

fail2ban-regex .....

and it works. I dont know what is wrong?!?!

happyreacer · 27. Januar 2017

wrong filter...

raulfg3 · 27. Januar 2017

can you post the correct one to share this info ? ....

happyreacer · 27. Januar 2017

the options for the findtime was to hight
and the nginx-404 was not the right jail and filter for my seach. I have found the solution here: https://github.com/OpenMediaVa…diavault-fail2ban/pull/16 an make a jail and a filter for the omv-webgui.

tinh_x7 · 30. Januar 2017

My Emby's fail2ban filter isn't working either.
Do you guys have a working one?

happyreacer · 30. Januar 2017

do you have install emby direcly from the emby-debian repro?

tinh_x7 · 31. Januar 2017

Yes.

Do you have the same emby.conf like mine?

Code

ii  fail2ban                                                         0.8.13-1                          all          ban hosts that cause multiple authentication errors
ii  openmediavault-fail2ban                                          1.3.1                             all

log path: /var/lib/emby-server/logs/server-*.txt

Code

# Fail2Ban filter for emby
#


[INCLUDES]


# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf




[Definition]


_daemon = emby-server


failregex = Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname
            Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None


ignoreregex =


# DEV Notes:
#
#       Matching on http 401 with a trailing url including 'authenticatebyname' to catch incorrect passwords
#       Matching on http 500 with a trailing url including 'mediabrowser/Users/None' to catch incorrect usernames
#

Alles anzeigen

happyreacer · 31. Januar 2017

i had the same problem, but i delete many things from the filter and i think it looks like thees:

Code

[Definition]


_daemon = emby-server


failregex = Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname
            Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None


ignoreregex =

Alles anzeigen

But to know for sure I have to check this evening

tinh_x7 · 31. Januar 2017

That's the same filter as mine.

What's your fail2ban version?

fail2ban 0.8.13-1

happyreacer · 31. Januar 2017

the same version,... i will look my options this evening

happyreacer · 31. Januar 2017

okay @tinh_x7 here are my settings:

emby installed from the emby-debian-repro.

my /etc/fail2ban/filter.d/emby.conf

Code

# Fail2Ban filter for emby
#


[INCLUDES]


# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf




[Definition]


_daemon = emby-server


failregex = Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname
            Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None


ignoreregex =


# DEV Notes:
#
#       Matching on http 401 with a trailing url including 'authenticatebyname' to catch incorrect passwords
#       Matching on http 500 with a trailing url including 'mediabrowser/Users/None' to catch incorrect usernames
#

Alles anzeigen

an my jail:

Name: emby
Port: 8920,8096
Max Rety: (for example) 3
Ban Time: (for example) 36000
Filter. emby
logpath: /var/lib/emby-server/logs/server-*.txt

And now it is very important: look at your fail2ban Options: Findtime: 0

tinh_x7 · 31. Januar 2017

So your Emby's filter is currently working for you?

happyreacer · 31. Januar 2017

Zitat von tinh_x7

So your Emby's filter is currently working for you?

yes

post your output from

Code

fail2ban-client status emby

tinh_x7 · 1. Februar 2017

Why you set findtime = 0?
I'm setting findtime & bantime = 900.

fail2ban-client status emby

Code

Status for the jail: emby
|- filter
|  |- File list:        /var/lib/emby-server/logs/server-63621141359.txt /var/lib/emby-server/logs/server-63621141259.txt /var/lib/emby-server/logs/server-63621141097.txt /var/lib/emby-server/logs/server-63621209438.txt /var/lib/emby-server/logs/server-63621198404.txt /var/lib/emby-server/logs/server-63621482518.txt /var/lib/emby-server/logs/server-63621138144.txt /var/lib/emby-server/logs/server-63621396091.txt /var/lib/emby-server/logs/server-63621146447.txt /var/lib/emby-server/logs/server-63621482331.txt /var/lib/emby-server/logs/server-63621141252.txt /var/lib/emby-server/logs/server-63621284597.txt /var/lib/emby-server/logs/server-63621141194.txt /var/lib/emby-server/logs/server-63621141153.txt /var/lib/emby-server/logs/server-63621141512.txt /var/lib/emby-server/logs/server-63621141386.txt /var/lib/emby-server/logs/server-63621141001.txt /var/lib/emby-server/logs/server-63621482563.txt /var/lib/emby-server/logs/server-63621229024.txt
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

happyreacer · 1. Februar 2017

your fail2ban-client status emby looks okay.
findtime:0 i see in time my testing resultat. i test wrong login and can see it in fail2ban-client status emby

Jetzt mitmachen!