SOLVED: Fail2Ban Installation & Docker Logs Ubuntu

[LittleFluffyCloud]

I have had jellyfin installed for ages using the docker image in portainer (because youtube said!) on a raspberry pi running ubuntu server 22.04 (and I love it ofcourse! ).

Today I have installed caddyserver to reverse proxy it to a no ip domain. To make it safer I'd like to run fail2ban, I was trying to follow the instructions here https://jellyfin.org/docs/general/networking/fail2ban.

I am stuck with the requirements of what to put in for my log location, the instructions suggest it would be at /config/log/ for a docker install, but this is not a location on my machine. I suspect this is a bit of a noob misunderstanding of docker, but where can I find this and what exactly should I put in the config?

Thanks!

[TheDreadPirate]

You need to provide the path you configured in portainer where /config is mounted. Then add the log path.

An example. You mounted /config at /docker/jellyfin/config. You'd provide this path to fail2ban.

/docker/jellyfin/config/log

[LittleFluffyCloud]

So I guess for me it is this location as per portainer 

   

which when I navigate to has this folder location for jellyfin logs

/portainer/Files/AppData/Config/Jellyfin/log

which means my config should have this path

logpath = /portainer/Files/AppData/Config/Jellyfin/log/jellyfin*.log

[LittleFluffyCloud]

The service failed to start, I am gessing some error in my configs?

Code:

[jellyfin]

backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = jellyfin
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /portainer/Files/AppData/Config/Jellyfin/log/jellyfin*.log
action = iptables-allports[name=jellyfin, chain=DOCKER-USER]

Code:

[Definition]
failregex = ^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.

[LittleFluffyCloud]

So the issue was there weren't any logs that matched the specified regex at the log path. I created a file and fail2ban loaded. But when I ran the test regex it didn't work. Then I entered different regex for the logs that appear in the folder already

   

then failed to log in 5 times on a test account and ran the test regex and got this result which I think means it didn't work

Running tests
=============

Use  failregex filter file : jellyfin, basedir: /etc/fail2ban
Use      single line : /path_to_logs/*.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.06 sec]

|- Missed line(s):
|  /path_to_logs/*.log
`-

[TheDreadPirate]

Remove the port and protocol lines. They aren't necessary for jails that read logs.

Also, I think the fail2ban docs need to be updated. Jellyfin USED to write the current day's logs to jellyfin.log, but now it is log_YYYYMMDD.log.

I recall working through this earlier this year. I ended up setting up a cronjob that runs at midnight that creates a symlink called jellyfin.log that symlinks to the log for the current day.

Code:

chris@rat-trap:/var/log/jellyfin$ cat /etc/fail2ban/jail.d/jellyfin.local
[jellyfin]

backend = auto
enabled = true
filter = jellyfin
maxretry = 5
bantime = 86400
findtime = 43200
logpath = /var/log/jellyfin/jellyfin.log
banaction = iptables-allports

[jellyfin-testing]

backend = auto
enabled = true
filter = jellyfin
maxretry = 5
bantime = 86400
findtime = 43200
logpath = /docker/containers/jellyfin-stable-data/config/log/jellyfin.log
banaction = iptables-allports

Code:

chris@rat-trap:/var/log/jellyfin$ ls -lrt
total 7160
lrwxrwxrwx 1 root     root         34 Sep 28 00:01 jellyfin.log -> /var/log/jellyfin/log_20240928.log
-rw-r--r-- 1 jellyfin jellyfin 826505 Sep 28 19:46 log_20240928.log

Code:

chris@rat-trap:/docker/containers/jellyfin-stable-data/config/log$ ll
total 1608
lrwxrwxrwx 1 root     root         67 Sep 28 00:01 jellyfin.log -> /docker/containers/jellyfin-stable-data/config/log/log_20240928.log
-rw-r--r-- 1 jellyfin jellyfin 413124 Sep 28 18:46 log_20240928.log

My cronjob runs this script at a minute past midnight.

Code:

#!/bin/bash

rm /var/log/jellyfin/jellyfin.log
NEWFILE=$(ls -lrt /var/log/jellyfin/* | egrep -v "FFmpeg|record|upload" | tail -1 | awk '{print $NF}')
ln -s $NEWFILE /var/log/jellyfin/jellyfin.log

rm /docker/containers/jellyfin-stable-data/config/log/jellyfin.log
NEWFILE=$(ls -lrt /docker/containers/jellyfin-stable-data/config/log/* | egrep -v "FFmpeg|record|upload" | tail -1 | awk '{print $NF}')
ln -s $NEWFILE /docker/containers/jellyfin-stable-data/config/log/jellyfin.log

Root's crontab.

Code:

# m h  dom mon dow   command
1 0 * * * rotateJellyfinLog

[LittleFluffyCloud]

I made the changes that you suggested, removing the port and protocol lines. I also noticed the docs say add this to .local

action = iptables-allports[name=jellyfin, chain=DOCKER-USER]

but you had just

banaction = iptables-allports

so updated that as well and restarted fail2ban and I am now blocked from vpn and cell service so all working thanks!

it's probably worth noting that fail2ban was not running from docker, not sure if that makes a difference!