How can I stop Fail2ban from banning my external IP when attempting to access my Plex server?

[glassman81]

I have a fairly simple setup using fail2ban with NGINX Proxy Manager. In this setup, I have Plex exposed to the outside and routed internally using my reverse proxy, and that works fine without fail2ban. The problem is when I try to use fail2ban, my external IP immediately gets banned when attempting to access my Plex server. If I check my proxy host access logs, I'm getting successive 401 errors that seem to match the regex filter in fail2ban's filter.d directory. Here is my regex filter:

[INCLUDES]

[Definition]

failregex = ^.* (405|404|403|401|\-) (405|404|403|401) - .* \[Client <HOST>\] \[Length .*\] .* \[Sent-to <F-CONTAINER>.*</F-CONTAINER>\] <F-USERAGENT>".*"</F-USERAGENT> .*$
ignoreregex = ^.* (404|\-) (404) - .*".*(\.png|\.txt|\.jpg|\.ico|\.js|\.css)(/)*?" \[Client <HOST>\] \[Length .*\] ".*" .*$

In my jail.d config, I have 'maxretry' set to 4, and the 'logpath' specifically includes all the nginx proxy manager's proxy host access and error logs. Here is that config:

[npm]
enabled = true
ignoreip = 127.0.0.1/8 10.10.10.0/24 10.10.0.0/24
action = cloudflare-apiv4
         %(action_mwl)s
chain = INPUT
logpath = /log/npm/default-host_access.log
          /log/npm/proxy-host-*_access.log
          /log/npm/proxy-host-*_error.log
maxretry = 4
bantime  = -1
findtime = 86400
destemail = <My email address>
sender = fail2ban@notification
sendername = fail2ban

And as referenced in the first paragraph, If I look at the the plex proxy host access log, I can find four 401 errors when I attempted to access my plex server at the time it was banned from a mobile client with an outside IP:

[09/Jun/2023:19:24:58 -0700] - 200 200 - GET https <redacted url> "/?X-Plex-Language=en-US&X-Plex-Device-Name=iPhone" [Client <redacted ipv6>] [Length 4266] [Gzip -] [Sent-to 10.10.10.4] "PlexMobile/8.20 (iPhone; iOS 16.5; Scale/3.00)" "-"
[09/Jun/2023:19:24:58 -0700] - 401 401 - GET https <redacted url> "/media/subscriptions/scheduled?X-Plex-Language=en-US&X-Plex-Device-Name=iPhone" [Client <redacted ipv6>] [Length 82] [Gzip -] [Sent-to 10.10.10.4] "PlexMobile/8.20 (iPhone; iOS 16.5; Scale/3.00)" "-"
[09/Jun/2023:19:24:58 -0700] - 200 200 - GET https <redacted url> "/media/providers" [Client <redacted ipv6>] [Length 4849] [Gzip -] [Sent-to 10.10.10.4] "PlexMediaServer/1.29.0.6244-819d3678c" "-"
[09/Jun/2023:19:24:58 -0700] - 200 200 - GET https <redacted url> "/media/providers?includePreferences=1&X-Plex-Language=en-US&X-Plex-Device-Name=iPhone" [Client <redacted ipv6>] [Length 8849] [Gzip -] [Sent-to 10.10.10.4] "PlexMobile/8.20 (iPhone; iOS 16.5; Scale/3.00)" "-"
[09/Jun/2023:19:24:58 -0700] - 401 401 - GET https <redacted url> "/activities?X-Plex-Language=en-US&X-Plex-Device-Name=iPhone" [Client <redacted ipv6>] [Length 82] [Gzip -] [Sent-to 10.10.10.4] "PlexMobile/8.20 (iPhone; iOS 16.5; Scale/3.00)" "-"
[09/Jun/2023:19:24:58 -0700] - 401 401 - GET https <redacted url> "/media/subscriptions?includeGrabs=1&X-Plex-Language=en-US&X-Plex-Device-Name=iPhone" [Client <redacted ipv6>] [Length 82] [Gzip -] [Sent-to 10.10.10.4] "PlexMobile/8.20 (iPhone; iOS 16.5; Scale/3.00)" "-"
[09/Jun/2023:19:24:58 -0700] - 200 200 - GET https <redacted url> "/clients?X-Plex-Language=en-US&X-Plex-Device-Name=iPhone" [Client <redacted ipv6>] [Length 90] [Gzip -] [Sent-to 10.10.10.4] "PlexMobile/8.20 (iPhone; iOS 16.5; Scale/3.00)" "-"
[09/Jun/2023:19:24:58 -0700] - 401 401 - GET https <redacted url> "/activities?X-Plex-Language=en-US&X-Plex-Device-Name=iPhone" [Client <redacted ipv6>] [Length 82] [Gzip -] [Sent-to 10.10.10.4] "PlexMobile/8.20 (iPhone; iOS 16.5; Scale/3.00)" "-"
[09/Jun/2023:19:24:58 -0700] - 200 200 - GET https <redacted url> "/media/providers?includePreferences=1&X-Plex-Language=en-US&X-Plex-Device-Name=iPhone" [Client <redacted ipv6>] [Length 8849] [Gzip -] [Sent-to 10.10.10.4] "PlexMobile/8.20 (iPhone; iOS 16.5; Scale/3.00)" "-"

I've only modified the above log to remove the public IP and URL. My question is, since the 401's here aren't really affecting my access as I'm still being authenticated, is there a way to change my regex filter to get Fail2ban to ignore these particular entries (I admit that I don't know much about regex), or is it better to change some specific part of my configuration in the NGINX proxy manager, and if so, what would that be?

[sebres]

Please provide the log excerpt for successful as well as for failed attempts (that must be banned), so both type of messages.
The issue is - the failregex needs to be adjusted to match 401 failures but at the same time to ignore 401 for handshake, access attempt without authorization etc.
And please don't redact the log with <redacted ...>, just replace it how it is with some different URI, IP, etc (for IP one uses typically 192.0.2.1 or 2001:db8::1).

If you'd not see the difference between real failures and your false positive attempts, it'd be impossible to write proper failregex (see #2514 (comment) for detailed description of similar problem).
The only way would be then to increase maxretry and/or decrease findtime, just... it's ugly.
So correct way is to find better log (if it is logged also in PAM or elsewhere), to force the server to log a real authorization attempts etc.

[glassman81]

Thanks for the reply. Interestingly, I attempted to get rid of the 401 errors by including this line in my plex proxy host entry (the advanced tab):

proxy_set_header X-Plex-Token $http_x_plex_token;

I saw in some article that my 401 errors could be related to the plex token, so I tried that. It didn't work, but when I modified the line to instead use my actual token, like below, it did work and the 401 errors disappeared:

proxy_set_header X-Plex-Token 9ZQmvC4hJ8qkLMZEqhdf;

As for the regex pattern, I really wish I knew more about that in general, because like you said, this does seem to be a false positive scenario, and as of now, writing a good regex filter is beyond my understanding.

[sebres]

To rewrite failregex in order to avoid false positive, the log messages must contain something that uniquely identify a failure or expected 401... Show both types of messages (as requested above) and I can help by writing of good failregex.

Although if all the 401th messages (expected and real failures) are the same - it will be impossible to construct a proper regex.