How can I properly setup Fail2Ban with Plex?
What are you trying to do with it? You're kinda mixing apples and oranges here since it's designed for Apache
I am trying to prevent from brute force attacks against the login section for Plex.
@ChuckPa said:
What are you trying to do with it? You're kinda mixing apples and oranges here since it's designed for Apache
fail2ban isn't limited to just protecting Apache. Just about any service that writes to a logfile when an authentication attempt fails can be protected.
Thanks to you both for that. It's hard to stay current on so much.
I think the real protection effort against brute force should probably be directed to the plex.tv (web) guys team (which I'm willing to do) since it also handles the authentication for anyone getting into your PMS server. That said, let's sort it out here and then let them take a look when all finalized. Sound good?
From a problem/solution definition position, is it fair to say:
a. someone knows your Plex username
or
b. has port scanned your WAN and found your entry point
Either having been found and Plex having responded with the expected "handshake" to identify itself, the infiltrator proceeds to attempt access.
What you're wanting to do is stop them as soon as they do get through, presuming they do, or do you want something else?
If you want to stop them once they gain access, the use of fail2ban makes more sense because the IP and sign-on name used will be in the log file.
What you're hoping to do is:
- define a basic configuration of either allowed or known not-allowed domains/zones/addresses
- run in the background, monitoring for connections recorded in the log files which are identified in the configuration and take appropriate (tbd) action.
- define a default action to take when something unknown has gotten access to the PMS server
Am I in sync so far?
I am presuming that a scan was done and point was discovered where Plex responds. I want the system to ban the IP address attempting to login but fails after X amount of times and the ban is set for Y amount of time.
For example, Fail2Ban is currently implemented to protect SSH port, where someone attempts to connect, they have 5 attempts and if they fail on all 5 attempts their IP address is banned for 500 hours or whatever.
So I am trying to set something like that up for Plex that I have for Plex, someone tries to connect and fails 5 times and then they are banned for 500 hours.
It all depends on whether Plex logs failed attempts to a place and in a format fail2ban can access and understand.
Try reading the fail2ban documentation.
The standard lock out/ban, which requires a manual reset at Plex.tv (for a plex account) is 5 attempts. After that, it's your decision how to handle it when they contact you.
There is, at present, no limit on brute force PIN attempts. However, given there are 10,000 combinations, it will a) take time b) the offender will already have a valid username/IP you're aware of (your login credentials) so that makes it a lot tougher to start. It's the "neighborhood kids" that are the problem… hahaha
When a home user (PIN) does come through, it's logged just like any other login and then subject to being logged by PlexPy.
PlexPy (a plug-in) will tell you everything about who's logging in and from where. It looks like, from the perspective of the PlexPy author himself (we all had a chat about it with shared vs managed users), it will have what you need about extracting info.
The "trick" which is what would take action on Plex's part is how to cause an action to be generated when a trigger is detected. That having been said, if PlexPy is giving you the info and feeding Fail2Ban, can you not take the appropriate action(s) at the router/firewall level?
I apologize if this is fragmented. There was a lot of discussion. I hope I was able to convey what's currently in place / viable and how things currently work?
The input to fail2ban is a standard system log file containing failed login attempts to a service by IP address.
The output of fail2ban is an iptables rule that blocks future attempts to connect from the IP address that failed login to the port the service is running on.
Well I am looking for the login attempts to stop completely after a set amount of times and then the IP to be banned.
Basically do what is being described in this article: http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/
I don't really want it where if someone attempts a brute force and as a safety measure Plex freezes up. I am looking for this to be an automated process where I do not have to watch the logs and then take action on the firewall level.
fail2ban configuration for Plex Media Server (PMS)
This was created using Fail2Ban v0.9.3 on Ubuntu
/etc/fail2ban/filter.d/plexmediaserver.conf
# Fail2Ban filter for plexmediaserver
#
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
failregex = ^ \[.*\] VERBOSE - We didn't receive any data from <HOST>:\d+ in time, dropping connection\.$
ignoreregex =
[Init]
# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10
datepattern = %%b %%d, %%Y %%H:%%M:%%S.%%f
# Author: dthomson
/etc/fail2ban/jail.conf
[plexmediaserver]
enabled = true
logpath = /var/log/plexmediaserver/Plex_Media_Server.log
maxretry = 1
bantime = 172800
I had to create a symlink for the "Plex Media Server.log" as fail2ban seems to error when files/folders have spaces in their names.
mkdir /var/log/plexmediaserver/
ln -f "/home/dthomson/Library/Application Support/Plex Media Server/Logs/Plex Media Server.log" "/var/log/plexmediaserver/Plex_Media_Server.log"
I had to add an ExecStartPost to the systemd service on Ubuntu to get the symlink to update when Plex Media Server restarts so that fail2ban can read the log file I have described in the jail.conf.
/etc/systemd/system/plexmediaserver.service
ExecStartPost=/bin/ln -f "/home/dthomson/Library/Application Support/Plex Media Server/Logs/Plex Media Server.log" "/var/log/plexmediaserver/Plex_Media_Server.log"
Start fail2ban
fail2ban-client start
If you want to see the list of IPs that are being banned.
iptables -L f2b-plexmediaserver -n
NOTE fail2ban doesn't like soft symlinks. It won't detect them changing if/when you restart PMS.
There might be other log events that I haven't found yet, but this seemed to be the most prominent in terms of attacking. Happy Banning!
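An added example, not part of the original post and not fail2ban's own code: a small Python replay of the filter above over constructed log lines, showing which addresses the jail would ban at `maxretry = 1` versus a higher threshold. Assumptions: the `<HOST>` expansion is a simplified IPv4-only stand-in, `findtime` is taken as 600 seconds because the post does not set it, and the sample lines are made up to fit the `datepattern` and `failregex`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex and date format copied from the filter in the post above
FAILREGEX = (r"^ \[.*\] VERBOSE - We didn't receive any data from "
             r"<HOST>:\d+ in time, dropping connection\.$")
DATE_FMT = "%b %d, %Y %H:%M:%S.%f"   # datepattern with the %% escapes undone
DATE_RE = re.compile(r"^[A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{1,6}")
# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption)
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines shaped to fit the filter; not real Plex output
SAMPLE_LOG = [
    "Jan 05, 2017 21:14:03.120 [0x7f3a5c7fe700] VERBOSE - We didn't receive any data from 203.0.113.7:51234 in time, dropping connection.",
    "Jan 05, 2017 21:14:09.480 [0x7f3a5c7fe700] DEBUG - some other event mentioning 192.0.2.10:40022",
    "Jan 05, 2017 21:20:41.002 [0x7f3a5bffd700] VERBOSE - We didn't receive any data from 198.51.100.23:60100 in time, dropping connection.",
    "Jan 05, 2017 21:21:02.771 [0x7f3a5bffd700] VERBOSE - We didn't receive any data from 198.51.100.23:60112 in time, dropping connection.",
]

def find_bans(lines, maxretry=1, findtime=600):
    """Return {ip: time of ban} for a jail with these settings."""
    rx = re.compile(FAILREGEX.replace("<HOST>", HOST))
    window = timedelta(seconds=findtime)
    hits, banned = defaultdict(list), {}
    for line in lines:
        stamp = DATE_RE.match(line)
        if not stamp:
            continue
        when = datetime.strptime(stamp.group(0), DATE_FMT)
        # fail2ban cuts the matched date out before applying failregex,
        # which is why the regex starts with a single space
        hit = rx.match(line[stamp.end():])
        if not hit:
            continue
        ip = hit.group("host")
        hits[ip] = [t for t in hits[ip] if when - t <= window] + [when]
        if len(hits[ip]) >= maxretry:
            banned.setdefault(ip, when)
    return banned

if __name__ == "__main__":
    for retry in (1, 2):
        print(retry, sorted(find_bans(SAMPLE_LOG, maxretry=retry)))
```

On a host with fail2ban installed, `fail2ban-regex <logfile> /etc/fail2ban/filter.d/plexmediaserver.conf` performs the same match check against the real log.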