seems ipban not working.

[ivantao8]

hi,
i insert this Jellyfin Recipe into LogFilesToParse entry in ipban.override.config.
tried wrong user/password,ipban didnt ban me.

already checked:
1.my jellyfin default log path:C:/ProgramData/Jellyfin/Server/log/log_{year-local}{month-local}{day-local}.log
2.jellyfin's log looks ok,same pattern as recipe's.checked by regex101.com.
3.ipban.config: didnt change any setting.

log:
2021-04-27 17:57:06.2108|WARN|DigitalRuby.IPBanCore.Logger|Initializing service 2021-04-27 17:57:06.3261|WARN|DigitalRuby.IPBanCore.Logger|Detecting os version... 2021-04-27 17:57:06.4720|WARN|DigitalRuby.IPBanCore.Logger|OS version detected: Name: Windows, Version: 10.0.19042, Friendly Name: Microsoft Windows 10 Pro, Description: Microsoft Windows 10.0.19042, app version: 1.6.0 2021-04-27 17:57:06.5304|WARN|DigitalRuby.IPBanCore.Logger|Running as a Windows service 2021-04-27 17:57:06.7003|WARN|DigitalRuby.IPBanCore.Logger|Preparing to run service 2021-04-27 17:57:06.7351|WARN|DigitalRuby.IPBanCore.Logger|Starting service 2021-04-27 17:57:06.7351|WARN|DigitalRuby.IPBanCore.Logger|Running service 2021-04-27 17:57:07.6131|WARN|DigitalRuby.IPBanCore.Logger|IPBan is free software created and refined over many years. 2021-04-27 17:57:07.6131|WARN|DigitalRuby.IPBanCore.Logger|Please consider upgrading to the pro version for more advanced functions, shared ban lists and much more. 2021-04-27 17:57:07.6131|WARN|DigitalRuby.IPBanCore.Logger|Learn more at https://ipban.com 2021-04-27 17:57:07.6131|INFO|DigitalRuby.IPBanCore.Logger|Initializing IPBan database at Data Source=C:\Program Files\IPBan\ipban.sqlite 2021-04-27 17:57:08.2670|WARN|DigitalRuby.IPBanCore.Logger|IPBan service started and initialized 2021-04-27 17:57:08.2670|WARN|DigitalRuby.IPBanCore.Logger|Log levels: True,True,True,True,False,False 2021-04-27 17:57:10.0276|INFO|DigitalRuby.IPBanCore.Logger|Adding log file to parse: C:/Program Files/Microsoft/Exchange Server/*/TransportRoles/Logs/FrontEnd/ProtocolLog/**.log 2021-04-27 17:57:10.0276|INFO|DigitalRuby.IPBanCore.Logger|Adding log file to parse: C:/Program Files/Smarter Tools/Smarter Mail/**/*.log 2021-04-27 17:57:10.0276|INFO|DigitalRuby.IPBanCore.Logger|Adding log file to parse: C:/Program Files (x86)/Smarter Tools/Smarter Mail/**/*.log 2021-04-27 17:57:10.0276|INFO|DigitalRuby.IPBanCore.Logger|Adding log file to parse: C:/SmarterMail/logs/**/*.log 2021-04-27 17:57:10.0276|INFO|DigitalRuby.IPBanCore.Logger|Adding log file to parse: C:/Smarter Mail/logs/**/*.log 2021-04-27 17:57:10.0276|INFO|DigitalRuby.IPBanCore.Logger|Adding log file to parse: C:/Program Files (x86)/Mail Enable/Logging/SMTP/SMTP-Activity-*.log 2021-04-27 17:57:10.0276|INFO|DigitalRuby.IPBanCore.Logger|Adding log file to parse: C:/Program Files/Mail Enable/Logging/SMTP/SMTP-Activity-*.log 2021-04-27 17:57:10.0276|INFO|DigitalRuby.IPBanCore.Logger|Adding log file to parse: C:/Program Files/Tomcat/logs/**/*access_log*.txt 2021-04-27 17:57:10.0434|INFO|DigitalRuby.IPBanCore.Logger|Adding log file to parse: C:/IPBanCustomLogs/**/*.log 2021-04-27 17:57:10.1555|WARN|DigitalRuby.IPBanCore.Logger|Loaded firewall type DigitalRuby.IPBanCore.IPBanWindowsFirewall 2021-04-27 17:57:10.1930|WARN|DigitalRuby.IPBanCore.Logger|Syncing firewall and ipban.sqlite database... 2021-04-27 17:57:10.3805|WARN|DigitalRuby.IPBanCore.Logger|0 total ip addresses in the ipban.sqlite database 2021-04-27 17:57:10.4203|WARN|DigitalRuby.IPBanCore.Logger|Initialized event viewer with query string: <QueryList><Query Id='1' Path='Security'><Select Path='Security'>*[System[(band(Keywords,9227875636482146304))]]</Select></Query><Query Id='2' Path='Security'><Select Path='Security'>*[System[(band(Keywords,9227875636482146304))]]</Select></Query><Query Id='3' Path='Application'><Select Path='Application'>*[System[(band(Keywords,36028797018963968))]]</Select></Query><Query Id='4' Path='Application'><Select Path='Application'>*[System[(band(Keywords,40532396646334464))]]</Select></Query><Query Id='5' Path='Application'><Select Path='Application'>*[System[(band(Keywords,36028797018963968))]]</Select></Query><Query Id='6' Path='Application'><Select Path='Application'>*[System[(band(Keywords,36028797018963968))]]</Select></Query><Query Id='7' Path='System'><Select Path='System'>*[System[(band(Keywords,36028797018963968))]]</Select></Query><Query Id='8' Path='Application'><Select Path='Application'>*[System[(band(Keywords,36028797018963968))]]</Select></Query><Query Id='9' Path='OpenSSH/Operational'><Select Path='OpenSSH/Operational'>*[System[(band(Keywords,4611686018427387904))]]</Select></Query><Query Id='10' Path='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'><Select Path='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'>*[System[(band(Keywords,4611686018427387904))]]</Select></Query><Query Id='11' Path='Application'><Select Path='Application'>*[System[(band(Keywords,36028797018963968))]]</Select></Query><Query Id='12' Path='System'><Select Path='System'>*[System[(band(Keywords,36028797018963968))]]</Select></Query></QueryList> 2021-04-27 17:57:10.4203|WARN|DigitalRuby.IPBanCore.Logger|Ignoring event viewer paths: VisualSVNServer 2021-04-27 17:57:10.5283|INFO|DigitalRuby.IPBanCore.Logger|Config file changed 2021-04-27 17:57:10.5510|INFO|DigitalRuby.IPBanCore.Logger|Local ip address: 10.10.10.8 2021-04-27 17:57:12.0465|INFO|DigitalRuby.IPBanCore.Logger|Remote ip address: 184.249.23.206 2021-04-27 17:57:18.3674|WARN|DigitalRuby.IPBanCore.Logger|Updating firewall with 0 entries... 2021-04-27 17:57:18.3703|INFO|DigitalRuby.IPBanCore.Logger|Firewall entries updated:

[jjxtra]

If you could post a section of your log file with some failed logins here that would be helpful.

[ivantao8]

thanks for replying.
partial jellyfin log:
[2021-05-01 09:45:11.698 +08:00] [INF] [146] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "uuu" has been denied (IP: "120.244.220.157").
[2021-05-01 09:45:14.709 +08:00] [INF] [61] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "iii" has been denied (IP: "120.244.220.157").
[2021-05-01 09:45:18.489 +08:00] [INF] [61] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "ooo" has been denied (IP: "120.244.220.157").

ipban didnt output anyting since i had restarted the service several times which already pasted above.
ipban service is running:

PS C:\Users\ivan> get-service ipban

Status   Name               DisplayName
------   ----               -----------
Running  IPBAN              ipban

date

PS C:\Users\ivan> date

2021年5月1日 10:57:07

ipban didnt output anyting

PS C:\Users\ivan> ls 'C:\Program Files\IPBan\logfile.txt'


    目录: C:\Program Files\IPBan


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2021/4/27     17:57          21494 logfile.txt

[smdhome]

Did you ever get this issue resolved? I seem to have the same problem. Nothing logged from IPBAN for successful or failed logins to Jellyfin. The log file path was checked and the regex expressions checked out OK on regex101.com.

Please let me know if you know anything more. Thank you.

[DeVermoeideRaaf]

Hello,

I have a similar problem.
OS is W10x64 Enterprise 22H2 build 19045.4355.

I'm running nginx and want to filter by referrer via ipban.
I installed ipban via powershell as shown in the readme.
Then I defined a new logfile definition in ipban.config file.

Here it is:

<LogFile>
<Source>Nginx_referrer_lock</Source>
<PathAndMask>c:/nginx/logs/access.log</PathAndMask>
<FailedLoginRegex>
<![CDATA[
^(?<ipaddress>[^\s]+)\s-\s.*\s\[.*\]\s"".*""\s2[0-9][0-9]\s[0-9]*\s""-""\s"".*""\s"".*""[^\n]*$
]]>
</FailedLoginRegex>
<FailedLoginRegexTimestampFormat></FailedLoginRegexTimestampFormat>
<SuccessfulLoginRegex></SuccessfulLoginRegex>
<SuccessfulLoginRegexTimestampFormat></SuccessfulLoginRegexTimestampFormat>
<PlatformRegex>Windows</PlatformRegex>
<PingInterval>10000</PingInterval>
<MaxFileSize>0</MaxFileSize>
<FailedLoginThreshold>0</FailedLoginThreshold>
</LogFile>

The regex should mask if we have a successful http status (2xx) and referrer is "-".

Here a log snippet from nginx access.log:

123.456.789.01 - - [29/Apr/2024:08:44:37 +0200] "GET /folder1/file HTTP/1.1" 200 368 "-" "python-requests/2.25.1" "-"
123.456.789.01 - - [29/Apr/2024:09:47:34 +0200] "GET /folder1/file HTTP/1.1" 200 312 "https://www.came-from-here.abcd/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" "-"
123.456.789.01 - SillyUserName [28/Apr/2024:13:18:12 +0200] "GET /folder2/Start.html HTTP/1.1" 200 10269 "https://www.came-from-there.abcd/folder2/start.html" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" "-"

The first should not be allowed to access, so the regex should fit to that.
Second and third are OK, regex should not fit.

The nginx log format is standard one:

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

Tested with the recommended regex101 - works as expected.
See https://regex101.com/r/56XJDP/1

Debug is switched on in ipban nlog.config.
Now the snippet from the ipban logfile.txt:

2024-04-29 00:18:34.3316|DEBUG|IPBan|Parsing log file text 
123.456.789.01 - - [29/Apr/2024:00:18:25 +0200] "GET /folder1/file HTTP/1.1" 200 368 "-" "python-requests/2.25.1" "-"
123.456.789.01 - - [29/Apr/2024:00:18:26 +0200] "GET /folder1/file HTTP/1.1" 200 312 "https://www.came-from-here.abcd/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" "-"
123.456.789.01 - SillyUserName [29/Apr/2024:00:18:28 +0200] "GET /folder2/Start.html HTTP/1.1" 200 10269 "https://www.came-from-there.abcd/folder2/start.html" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" "-"
...
2024-04-29 00:18:42.2155|DEBUG|IPBan|No delegate to update

The whitelist ip rule does exist it the firewall, the logfile states "Updating global whitelist with 1 ip addressess".
So I guess that ipban has write access to Windows Defender Firewall.

What could be the problem?
What did I do wrong?

Thanks!

[jjxtra]

I don't understand what the problem is. Are you having a problem whitelisting ip addresses? Or are you having a problem detecting failed login attempts in your nginx log?

[DeVermoeideRaaf]

The problem is the detection of failed login attempts.