DLNA Errors; jellyfin's documentation for fail2ban is false and not working

[Tone]

I noticed my logs are getting huge (~90MB per day), so my fail2ban isn't working anymore because of the size.

I noticed the problem comes from the DLNA plugin:

Code:

  at Rssdp.Infrastructure.SsdpCommunicationsServer.SendFromSocket(Socket socket, Byte[] messageData, IPEndPoint destination, CancellationToken cancellationToken)                                                  │
│[2025-10-23 14:17:08.828 +00:00] [ERR] [140] Rssdp.Infrastructure.SsdpCommunicationsServer: Error sending socket message from "172.16.17.1" to "239.255.255.250:1900"                                              │
│System.Net.Sockets.SocketException (101): Network is unreachable                                                                                                                                                    │
│  at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.CreateException(SocketError error, Boolean forAsyncThrow)                                                                                            │
│  at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.SendToAsync(Socket socket, CancellationToken cancellationToken)                                                                                      │
│  at Rssdp.Infrastructure.SsdpCommunicationsServer.SendFromSocket(Socket socket, Byte[] messageData, IPEndPoint destination, CancellationToken cancellationToken)                                                  │
│  at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)                                                                                                      │
│  at Rssdp.Infrastructure.SsdpCommunicationsServer.SendFromSocket(Socket socket, Byte[] messageData, IPEndPoint destination, CancellationToken cancellationToken)                                                  │
│  at System.Threading.Tasks.Task.WhenAll(IEnumerable`1 tasks)                                                                                                                                                      │
│  at Rssdp.Infrastructure.SsdpCommunicationsServer.SendMulticastMessage(String message, Int32 sendCount, IPAddress fromLocalIPAddress, CancellationToken cancellationToken)                                        │
│  at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)                                                                                      │
│  at System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1.MoveNext(Thread threadPoolThread)                                                                                            │
│  at System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction(IAsyncStateMachineBox box, Boolean allowInlining)                                                                                            │
│  at System.Threading.Tasks.Task.RunContinuations(Object continuationObject)                                                                                                                                      │
│  at System.Threading.Tasks.Task.DelayPromise.CompleteTimedOut()                                                                                                                                                  │
│  at System.Threading.TimerQueueTimer.Fire(Boolean isThreadPool)                                                                                                                                                  │
│  at System.Threading.ThreadPoolWorkQueue.Dispatch()                                                                                                                                                              │
│  at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()                                                                                                                                          │
│--- End of stack trace from previous location ---                                                                                                             

I've installed jellyfin with docker (official repo) and used it first in normal nat-mode.
However, I got problems with my reverse proxy in combination with the webos client, so I had to directly connect my tv with jellyfin.
So I set network_mode to host.
This was many months (if not years) ago.

But if I read the log correctly the dlna-plugin still uses the docker-nat-ip  172.16.17.1, which I guess is causing the problem.

I havn't found this IP anywhere in the configuration, so I don't know, why it uses this IP anymore.

Anyone has a idea how I can fix it?

[Tone]

Ok, I checked with tcpdump.
Looks like it uses the normal host ip.
Don‘t know where the log gets the old ip.

But then the question is what else is the issue.

[Tone]

Looks like I could solve it with adding this to my docker file:

Code:

cap_add:
      - NET_BROADCAST

BUT
I noticed my original problem is still there (fail2ban doesn't work).
I know this is a jellyfin forum and not fail2ban, but the offical jellyfin documention provides a fail2ban filter and this is painfully slow (at least on my system).

This is my filter:

Code:

│$ cat /etc/fail2ban/filter.d/jellyfin.conf

[Definition]
failregex = ^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.

And thats how long f2b need for 600 lines:

Code:

fail2ban-regex /var/lib/jellyfin/config/log/log_20251024.log "/etc/fail2ban/filter.d/jellyfin.conf" --print-all-matched


Running tests
=============

Use  failregex filter file : jellyfin, basedir: /etc/fail2ban
Use        log file : /var/lib/jellyfin/config/log/log_20251024.log
Use        encoding : UTF-8


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|  1) [1] ^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [317] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [1] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 604 lines, 0 ignored, 1 matched, 603 missed
[processed in 79.86 sec]

|- Matched line(s):
|  [2025-10-24 07:59:19.118 +00:00] [INF] [56] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "erg" has been denied (IP: "192.168.10.146").
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 603 lines

80 seconds!!

in comparison I tested the apache-auth filter:

Code:

fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf --print-all-matched


Running tests
=============

Use  failregex filter file : apache-auth, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use        log file : /var/log/apache2/error.log
Use        encoding : UTF-8


Results
=======

Prefregex: 101 total
|  ^\[\]\s\[(:?error|(?!evasive)\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))(:\d{1,5})?\] (?:AH\d+: )?(?P<content>.+)$
`-

Failregex: 79 total
|-  #) [# of hits] regular expression
|  1) [79] ^client (?:denied by server configuration|used wrong authentication scheme)\b
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [107] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 107 lines, 0 ignored, 79 matched, 28 missed
[processed in 0.01 sec]

Ok, just 100 line and not 600, but 0.01s vs 80s!

Looks like something is wrong here.



EDIT:
I completly removed my old logs and now it works fine. But my fail2ban-problem is still there.

But I think I finally found the reason, but still investigating how to fix it.

Code:

fail2ban-client status jellyfin

Status for the jail: jellyfin
|- Filter
|  |- Currently failed: 0
|  |- Total failed:    21
|  `- File list:        /var/lib/jellyfin/config/log/log_20251019.log /var/lib/jellyfin/config/log/log_20251018.log /var/lib/jellyfin/config/log/log_20251020.log
`- Actions
  |- Currently banned: 0
  |- Total banned:    1
  `- Banned IP list:

f2b does not update the file list. See, last file is log_20251020.log. but in reality my last log is log_20251024.log

[Tone]

Ok, last update:

It's a fail2ban limitation.
It just reads the files at start and jellyfin always has a different names for the current log (date), so f2b will always work just a day if you're not restarting it daily.

So the offical documenation (https://jellyfin.org/docs/general/post-i...d/fail2ban) doesn't really work, which is very dangerous, because people test it and it will work, but after a day, it's all over.

PLEASE make at least a warning in the documentaion for now, so that people do not lull themselves into a false sense of security.

In the meantime, I created this feature request:
https://features.jellyfin.org/posts/3541...an-support

As a workaround, you probably can fiddle around with the logging.json as described here
https://github.com/jellyfin/jellyfin/iss...2089208548