How can I stop Fail2ban from banning my external IP when attempting to access my Plex server? #3524
I have a fairly simple setup using fail2ban with NGINX Proxy Manager. In this setup, I have Plex exposed to the outside and routed internally using my reverse proxy, and that works fine without fail2ban. The problem is when I try to use fail2ban, my external IP immediately gets banned when attempting to access my Plex server. If I check my proxy host access logs, I'm getting successive 401 errors that seem to match the regex filter in fail2ban's filter.d directory. Here is my regex filter:
In my jail.d config, I have 'maxretry' set to 4, and the 'logpath' specifically includes all the nginx proxy manager's proxy host access and error logs. Here is that config:
And as referenced in the first paragraph, if I look at the Plex proxy host access log, I can find four 401 errors when I attempted to access my Plex server at the time it was banned from a mobile client with an outside IP:
I've only modified the above log to remove the public IP and URL. My question is, since the 401's here aren't really affecting my access as I'm still being authenticated, is there a way to change my regex filter to get Fail2ban to ignore these particular entries (I admit that I don't know much about regex), or is it better to change some specific part of my configuration in the NGINX proxy manager, and if so, what would that be?
Replies: 1 comment 2 replies
Please provide the log excerpt for successful as well as for failed attempts (that must be banned), so both type of messages. If you'd not see the difference between real failures and your false positive attempts, it'd be impossible to write proper failregex (see #2514 (comment) for detailed description of similar problem).
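The check this comment asks for can be scripted: collect lines that must be banned and lines that must be ignored, then see which hosts a candidate failregex would ban at the jail's maxretry of 4. This is an added example, not part of the original discussion or of fail2ban itself; the log lines are constructed in the style of an NGINX Proxy Manager access log, the request paths are hypothetical, and `<HOST>` is replaced by a simplified pattern.

```python
import re
from collections import Counter

MAXRETRY = 4  # value the question states for its jail (findtime is not modelled here)

# Simplified stand-in for fail2ban's <HOST> tag; the real expansion is broader.
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

# Constructed lines. The paths are hypothetical: real excerpts of both kinds
# are needed to learn which field actually separates the two sets.
MUST_IGNORE = [
    f'[26/May/2023:10:00:0{i} +0000] - 401 401 - GET https plex.example.com '
    f'"/hypothetical/handshake" [Client 192.0.2.1] [Length 0] [Gzip -] '
    f'[Sent-to 10.0.0.5] "ExampleClient/1.0" "-"'
    for i in range(4)
]
MUST_BAN = [
    f'[26/May/2023:11:00:0{i} +0000] - 401 401 - POST https plex.example.com '
    f'"/hypothetical/login" [Client 2001:db8::1] [Length 0] [Gzip -] '
    f'[Sent-to 10.0.0.5] "ExampleClient/1.0" "-"'
    for i in range(4)
]

def compile_failregex(failregex):
    """Expand the <HOST> tag the way this example assumes, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST))

def hosts_banned(failregex, lines, maxretry=MAXRETRY):
    """Return the hosts whose match count reaches maxretry."""
    rx = compile_failregex(failregex)
    hits = Counter(m.group("host") for m in map(rx.search, lines) if m)
    return {h for h, n in hits.items() if n >= maxretry}

def evaluate(failregex):
    """Report hosts banned by mistake and hosts that escaped a ban."""
    return {
        "false_positives": hosts_banned(failregex, MUST_IGNORE),
        "missed": {"2001:db8::1"} - hosts_banned(failregex, MUST_BAN),
    }

# Candidate 1 counts every 401; candidate 2 counts only the hypothetical login path.
BROAD = r'^\[[^\]]+\] - 401 401 - \S+ \S+ \S+ "[^"]*" \[Client <HOST>\]'
NARROW = r'^\[[^\]]+\] - 401 401 - POST \S+ \S+ "/hypothetical/login" \[Client <HOST>\]'

if __name__ == "__main__":
    for name, rx in (("broad", BROAD), ("narrow", NARROW)):
        print(name, evaluate(rx))
```

On a host with fail2ban installed, `fail2ban-regex` performs the authoritative version of this test against the real log file and filter.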
Please provide the log excerpt for successful as well as for failed attempts (that must be banned), so both type of messages.
The issue is - the failregex needs to be adjusted to match 401 failures but at the same time to ignore 401 for handshake, access attempt without authorization etc.
And please don't redact the log with <redacted ...>, just replace it how it is with some different URI, IP, etc (for IP one uses typically 192.0.2.1 or 2001:db8::1).
If you'd not see the difference between real failures and your false positive attempts, it'd be impossible to write proper failregex (see #2514 (comment) for detailed description of similar problem).
The only way would be then to increase
ma…