Showing results for tags 'Security'.
Today I found on the Dashboard of my QNAP server, version 4.8.8.0, four failed login attempts from three different IP addresses, which iplocation.net placed in Singapore and listed the ISP as "Amazon Data Services Singapore". This is what one of the entries looks like: Failed Login Attempt from admin'-- on QNAP-NAS 54.151.223.193 8/5/2024, 1:09:25 PM. Since I don't have a user called admin, it looks to me like this was an attempt to get into my Emby Server. Since there are no entries in the log of the QNAP NAS listing these IP addresses, it looks like this was just an attempt on the Emby server. There are a few questions that I have. Have I drawn the right conclusion that this was just an attempt on the Emby server, since there is nothing in the QNAP security logs? Furthermore, is there anything that I can or need to do to protect myself from these attempts to gain entry into my Emby server? I have 5 users that I have allowed access to the Emby server, but 4 have not logged in for several months. Only one user has successfully authenticated on 8/5/2024, about 20 minutes before and again 2 minutes after the failed login attempts. Thanks for any suggestions on how to handle these failed login attempts.
This was brought to my attention by a post on Reddit in r/selfhosted just a few hours ago. It seems images are available by the itemid even when unauthenticated. The OP claims to have attempted to contact the Emby team regarding this and a few other issues with no response. I'm making this post to raise awareness, as not everyone who frequents these forums will have seen the post on Reddit, and as it is posted publicly elsewhere it definitely deserves attention on the main forum. This is very troubling as it means that content that's available on the server can be determined without being logged in. Even more troubling if you're using Emby for family pictures and videos, as the pictures themselves can be viewed, and the thumbnail for videos can be viewed as well. I have tested this myself and can verify that it is a major problem. I could see cover art for movies, as well as pictures from my family photos library, without being logged in. It seems that itemids are incremental, so it's arbitrary to just guess a value until you get a valid hit. Leaking what movies and shows are on a server is definitely not great, but leaking actual personal content is just unacceptable in my opinion. Until something is done to address this I would not recommend using Emby for personal/sensitive content if your server is publicly exposed. Steps to reproduce below. Replace <itemid> with the numerical value of a library item to test it while not logged in. https://<hostname:port>/emby/Items/<itemId>/Images/Primary
As the subject says, because I'd like to disable TLSv1.2 in my reverse proxy for security reasons. I remember reading a post quite a while back that there were some clients that don't, but I can't find that post at the moment. If not, is there a list of clients that don't yet support 1.3? All main browsers have done so for a while now. TLS1.3 caniuse.com
I searched but couldn't find a similar request. If one exists, with or without all of the options below, then please lock this one and point me in that direction. Now that all users are required to log in with username and password at least once on each app/device, it would be nice to have the option to use a one-time password (OTP) for the initial login on any device, but mainly TV apps and streaming devices where it's difficult to enter long strings. It doesn't need to be limited to initial login but should at least allow that.
1. Allow any user who is already logged in to an app or browser to generate a one-time 4-6 character OTP for themselves to enter on a new app/device in order to log in on said app. This would only log them into their account using the single OTP.
2. Allow an admin account to generate an OTP for any specified user to log in. This would be useful for Emby admins to help remote users, particularly those who have difficulty with apps and on-screen keyboard/remote combinations, or to help household users while away from home.
3. The generated OTP would be associated with the corresponding user, either self or assigned by admin. No need to enter or select a name on the app login screen; the OTP would suffice.
4. The OTP should be created with a short time to live, either fixed or configurable.
I don't know enough about Emby Connect to suggest how it should/could work for those users. EDIT: Evidently Jellyfin has a similar feature called Quick Connect, but I don't know if it also has the ability for admins to generate codes.
https://www.bleepingcomputer.com/news/security/qnap-takes-down-server-behind-widespread-brute-force-attacks/ FYI - Not directly related to emby, but useful info for QNAP owners.
FYI, there's a flaw in the specification for HTTP/2 that is actively being exploited (specifically, for DoS attacks). MS has released updates that mitigate it in implementations such as .NET (Kestrel), though note that I believe the current mitigation disables HTTP/2. The long-term fix will be some sort of rate limiter: https://www.cve.org/CVERecord?id=CVE-2023-44487 Details of the fix and the two new AppContext properties can be found here: https://github.com/dotnet/announcements/issues/277
Stop resetting Auto Update to True after each Beta Update
rbjtech posted a topic in Feature Requests
Hi, please can Emby stop resetting the EnableAutoUpdate flag in system.xml to True every time an update is applied? I know you want people to test new releases, but it is a security concern to automatically apply updates. <EnableAutoUpdate>false</EnableAutoUpdate> I use a Windows service, so this does not directly apply - but for updates I need to stop the service and run the app as a standard task, and then it will automatically install the new update without any confirmation. Once run, I then have to remember to edit the system.xml file back to false again each time. Thanks.
Advisory: https://emby.media/support/articles/advisory-23-05.html A Full Report on the Incident is Available Now:
CONFIG UI
How it works: Click the Add New Camera button. You set up an IP camera by giving it a friendly name and the URL to make it work (there is a link in the config UI that will take you to a website to help you), select the protocol and then decide if you want it to be saved to an m3u8 file. Click Save. Repeat for the number of cams you wish to add. Run the Refresh Internet Channels scheduled task.
Advantages of saving to an m3u8 file: Now..... saving to an m3u8 file has a massive advantage. You can now import this into Live TV as a tuner and set up recording schedules for each of your cameras that are in the list. You will need to install the M3U TV Tuner plugin. In Live TV setup select m3u, then just select the m3u8 file that the channel creates on the channel refresh and hit save. After you hit save you'll see all your cameras. Boom, now you can create a recording or watch from your TV guide hehhehe. PS it is a Channel, so it can be watched live and direct through the channel created on your home page.
GOOD SOURCE TO FIND YOUR CAMERA AND MODEL TO GET THE PROTOCOL: Connecting to IP Cameras (ispyconnect.com)
RELEASE VERSION 1.0.0.0 - Initial Release to Catalogue
Today I got an email from admin@emby.media saying I need to change my password for security reasons. My email app tells me this message might be a scam. Does anyone know whether this is genuine or not? Neither on the Emby website nor in the forum could I find information on this issue.
Server: 4.7.11.0 OS: WIN. I mentioned this about a year ago, but normal users are still able to modify playlists or delete whole playlists, and yes, the playlist gets deleted in the file system; this is not just a menu entry where clicking results in a permission error, it actually works. Also, they can see the exact storage location in the deletion dialog. Could this please get fixed in a very near update? Thanks
Hi, I believe I have found something allowing users with a restricted account to a server to see all content on a server. I don't want to post how to recreate it publicly as then people might take advantage of it so preferably I would want to take this privately. But if not then I am more than happy to post about it here. Since the exploit is still working on the newest version available I am going to assume it has not been discovered before.
Holding Back button from login will launch home screen of last user
Digitoxin1 posted a topic in Android TV / Fire TV
I'm running Android TV 2.0.77g. From the login screen, if you hold the back button, it will take you to the home screen of the last logged-in user, bypassing any required login credentials. You can reproduce this by doing the following:
1. Log in to any user on the login screen or using manual login.
2. Navigate to the user menu at the top and choose log off, which will also exit the app.
3. Launch the app, which will take you back to the login screen.
4. Hold the back button on the remote until it gives you the message that it is taking you home.
5. You will now be on the home screen of the last logged-in user.
Hi, I have a problem with regard to security: if a staff member bookmarks a page that she has already had access to, she can still access that page normally even though she doesn't have access anymore. This problem also occurs with the IPTV plugin. Sorry if this is not the right problem area or suggestions forum.
Non-admin users can visit the admin dashboard by typing in the URL. They can see paths and active devices and send messages to other users.
Hi everyone. I have found an issue (and this needs enhancing) because I have a friend who downloaded a whole TV show to my mobile, since both of us have the same phone name, and it looks like Emby allows everyone to see all devices connected to Emby through the "download to device" option. Let me explain in other words: how am I supposed to know which iPhone is mine and which other 2 are my friend's? As you can see, there are 3 iPhones in the list because the devs have not isolated it. On my mom's TV with her account it is the same thing (all devices are listed). As you can see in the above picture, I am allowed to download my movies to any device from other users; it should have an isolated device list per user, like my computer and my smartphone etc. (my own devices only), not showing me the devices from others like my mom's devices. It should be isolated between accounts (my user can download to my own device; my mom can download to her device). I really don't understand why the devs have not isolated the list by user, like I have described above. Hopefully this will be fixed soon, because it is a security issue: users should not be able to view devices from other users. Summary of what to do: isolation between device and account, so that users cannot download by mistake to a device from other users, the device is isolated by account, and the returned list contains only the devices from that user and not from the others. Kind Regards. Enjoy? VOTE WITH LIKE NOT WITH +1 COMMENT
Hello everyone. I have the following problem. My Emby server is supposed to be reachable via HTTPS (over port 443) with a certificate created by Certify the Web. I exported the certificate from IIS and entered it in the Emby settings (with the correct password as well). I also tried it with the default port and opened that on my router, but without success. Unfortunately I can't make anything of the error message in the log file (attached). Many thanks in advance for your help. Regards, Fabian embyserver.txt
Password Protected User Can Log In Without Password (Docker)
a1pilot posted a topic in General/Windows
Morning, I have three users set up on my Emby server (Debian). Two are humans who need to log in or they cannot gain access. The third is a ghost account to allow DLNA access on my LAN. My problem is that although I've set up the DLNA user with a password, if I use a mobile connection to my server web interface to simulate WAN access, I can enter only the username and log in without a password. This is potentially a major security hole. I've checked the settings against the human users and they are identical, plus I've restarted the server just in case something didn't take. To troubleshoot, I created a fourth user identical to one of the humans, but without a password. As expected, a remote connection can log in with just the username. I then set a password and you can still log in without a password. It's as if the password is ignored. Any ideas? Thanks
I have an Emby server (4.4.2.0) running on macOS Catalina. I have several users defined in the server. The server is accessible within my home network (via HTTP) and over the Internet (via HTTPS). Most of my users have passwords defined, but I have one, the 'family' user, which is intended only for use within our home and so has no password defined. For this user I have unticked the box that says 'Allow remote connection to this server', but when I access the server remotely a) the user still shows on the login screen and b) clicking the user logs it in. This seems like quite a big security hole? Am I misunderstanding what the 'Allow remote connections to this server' option is supposed to do? How can I have a user that shows up on the login screen when accessed locally but does not show up and cannot log in when accessed remotely? Thanks, Chris
Assign network drives including access data for security reasons possible?
Siutsch posted a topic in General/Windows
A fundamental question about security, especially because of the current problems caused by the so-called Emotet Trojan: I use the Emby server under Windows 10 on the same PC where my Kodi client is installed. The data is stored on a Synology NAS. Under Windows I did not set up network drives directly on this PC, but use the UNC paths for the libraries, e.g. \\IP\Share\folder\... Since Emby does not allow you to specify credentials, the logged-in Windows user must have access to these shares on the NAS. In case of a Trojan infestation of the PC, Emotet in particular should have no problem encrypting the complete data on the NAS with these read/write rights, even if the network drives have not been assigned directly under Windows. It would be much safer if the access were not done with the logged-in Windows user, but with another user whose credentials are stored in Emby. According to my understanding, a Trojan infestation of the PC should then no longer be able to access the data directly from the operating system and possibly compromise it. So is it possible to store access data for network drives as well? Thanks a lot.
I wanted to share my fail2ban configuration for people that want to protect against a brute force attack. Fail2ban is a piece of software that will monitor log files for authentication failures and then ban the source IP address after so many attempts, to protect against a brute force attack. I searched around for a tutorial or how-to on how to implement this for Emby and came up short, so I decided to give it a try and got it to work without much trouble at all. I wouldn't consider myself an expert and this is the first how-to I have ever written, so if I made a mistake or I'm wrong let me know, and use my instructions at your own risk. USE AT YOUR OWN RISK. THIS PROBABLY WILL NOT WORK IF YOU ARE USING EMBY CONNECT. I'm not using Emby Connect because I think it has some security problems, listed here: https://emby.media/community/index.php?/topic/80497-log-out-security-hole/

You need to install fail2ban. For my setup with Ubuntu 18.10 I used (should be the same for Debian but I haven't tested):

    sudo apt install fail2ban

To get fail2ban working with Emby there are two parts, filter and jail; they both have their directories (jail.d) (filter.d) in /etc/fail2ban/:

    cpeng@g5500:~$ cd /etc/fail2ban/
    cpeng@g5500:/etc/fail2ban$ ls
    action.d  fail2ban.conf  fail2ban.d  filter.d  jail.conf  jail.d  paths-arch.conf  paths-common.conf  paths-debian.conf  paths-opensuse.conf

The jail controls what happens with an authentication error and the filter tells how to read the log to find the error. Create a filter:

    cpeng@g5500:/etc/fail2ban$ sudo nano filter.d/emby.conf

/etc/fail2ban/filter.d/emby.conf:

    # Fail2Ban filter for emby
    #
    [Definition]
    failregex = AUTH-ERROR: <HOST> - Invalid user or password entered
    ignoreregex =

EDIT: New failregex proposed (below) by @nayr to catch 401 errors and attempts to find valid user names:

    [Definition]
    failregex = AUTH-ERROR: <HOST> - Invalid user
                HTTP Response 401 to <HOST>.

The failregex tells what the log line will have in it that designates a fail, and "<HOST>" designates the actual IP address. That error looked like this:

    2019-12-24 11:12:00.326 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered.

So I assumed that AUTH-ERROR will be unique to login errors, which is why I started the filter with that. Next you have to create the jail:

    cpeng@g5500:/etc/fail2ban$ sudo nano jail.d/emby.local

/etc/fail2ban/jail.d/emby.local:

    [emby]
    enabled = true
    filter = emby
    logpath = /var/lib/emby/logs/embyserver.txt
    port = 80,443

I use a reverse proxy that uses ports 80,443, but if you aren't doing that then you want to block the default ports 8096,8920. The logpath may vary by distribution; you can find yours in your dashboard under paths. There are other options that you can add; my default ban time was 10 minutes and the max number of retries was 5, which is the default and seemed fine to me. The last thing you need to do is reload fail2ban so it re-reads the files:

    sudo systemctl reload fail2ban

Then test by entering the wrong password into Emby and confirm that it blocks you. Check out the fail2ban log at /var/log/fail2ban.log:

    tail /var/log/fail2ban.log

For testing this command might also come in handy:

    sudo fail2ban-client unban --all

Hope this is helpful. P.S. I recently switched from Plex to Emby for the DVR service and so far I have been very impressed and happy with how it works. I got tired of all the bugs with Plex that would never get fixed; instead we got new "features" and new interfaces. The icing on the cake is how responsive the developers are on these forums.
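An added emulation (Python, not part of the post above and not fail2ban itself) of how that filter and jail behave: it substitutes an IP pattern for fail2ban's <HOST> placeholder, applies both failregex lines to constructed Emby log lines, and bans a source once it has 5 matches inside the 10-minute findtime, mirroring the defaults the post mentions. The sample log lines and the HOST_PATTERN approximation are assumptions made for this example.

```python
# Added illustration (not fail2ban): emulate the emby filter and jail from the post.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two failregex lines from the proposed filter.d/emby.conf.
FAILREGEX = [r"AUTH-ERROR: <HOST> - Invalid user", r"HTTP Response 401 to <HOST>\."]
# Rough stand-in (assumption) for what fail2ban substitutes for <HOST>: an IPv4 or IPv6 literal.
HOST_PATTERN = (r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}"
                r"|(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4})")
COMPILED = [re.compile(rx.replace("<HOST>", HOST_PATTERN)) for rx in FAILREGEX]
# Emby log lines begin with "YYYY-MM-DD HH:MM:SS.mmm".
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
# Jail defaults cited in the post: 5 retries, 10-minute findtime and bantime.
MAXRETRY, FINDTIME, BANTIME = 5, timedelta(minutes=10), timedelta(minutes=10)

# Constructed sample log (not from a real server). 10.9.162.31 fails five times within
# seconds (four AUTH-ERROR lines plus one 401); 203.0.113.7 fails three times spread out.
SAMPLE_LOG = """\
2019-12-24 11:12:00.326 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered.
2019-12-24 11:12:01.001 Info HttpServer: HTTP Response 401 to 10.9.162.31. Time: 2ms. http://emby.example/emby/Users/AuthenticateByName
2019-12-24 11:12:02.450 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered.
2019-12-24 11:12:04.120 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered.
2019-12-24 11:12:06.800 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered.
2019-12-24 11:15:10.000 Warn HttpServer: AUTH-ERROR: 203.0.113.7 - Invalid user or password entered.
2019-12-24 11:15:12.000 Info HttpServer: HTTP Response 200 to 203.0.113.7. Time: 5ms. http://emby.example/emby/System/Info/Public
2019-12-24 11:16:30.000 Warn HttpServer: AUTH-ERROR: 203.0.113.7 - Invalid user or password entered.
2019-12-24 11:40:00.000 Warn HttpServer: AUTH-ERROR: 203.0.113.7 - Invalid user or password entered.
"""


def parse_failure(line):
    """Return (timestamp, host) when a line matches a failregex, otherwise None."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    for rx in COMPILED:
        hit = rx.search(m.group(2))  # fail2ban matches the message after the date
        if hit:
            return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), hit.group("host")
    return None


def bans_for(lines):
    """Ban a host once it has MAXRETRY matches within FINDTIME; return host -> ban time."""
    recent, banned = defaultdict(list), {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned and ts < banned[host] + BANTIME:
            continue  # traffic from a banned host would have been dropped by the firewall
        recent[host] = [t for t in recent[host] if ts - t <= FINDTIME] + [ts]
        if len(recent[host]) >= MAXRETRY:
            banned[host], recent[host] = ts, []
    return banned


def sample_bans():
    return bans_for(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for host, when in sample_bans().items():
        print(f"ban {host} at {when}")
```

The spread-out failures from 203.0.113.7 never accumulate five matches inside one findtime window, so only 10.9.162.31 is banned.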
Clicking "SIGN IN" on https://emby.media takes me to http://app.emby.media/#!/startup/welcome.html. This should be https as a basic requirement for all modern apps/websites.
So I found a pretty big issue today while signing into Emby. I changed my Emby password yesterday, but when I went to sign on today I accidentally used my old password and my old password STILL WORKED! I am able to sign in with both my old AND new password. I feel like this is a pretty big security flaw. While writing this, I'm starting to question whether or not this is a bug. My old Emby user password was the same as my Connect password, so are you able to sign into your Emby user account on the web dashboard (this one, specifically: https://memester.cf/u/rrqj90.png) using your Connect password?
A bit like this topic https://emby.media/community/index.php?/topic/73224-emby-shows-unknown-users/ and this topic https://emby.media/community/index.php?/topic/71982-server-security-compromised/ I have also found my Emby setup to have been compromised. In my case, like some of these users, I found a user called "computerguyiptv" on my system (showing as a cloud user). Having just spent the better part of a couple of hours digging into this, I am pretty happy to say that while you guys are clearly working on the security, it sounds like long-standing defaults are making a right mess of this. In my case I did not have an admin password set and remote access was turned on. As far as I can tell those two were both defaults when I installed Emby as a package on my Synology NAS a couple of years ago. I actually wasn't aware Emby was using uPnP to add a port forward, and it turns out my router kindly does not show uPnP-added entries alongside user-added ones, so from my point of view there was no remote access, hence my lack of caring about an admin password. It sounds like you guys have changed some defaults now and also changed it to not allow remote access without a password. That sounds great, but can I check that these are retrospective changes applying to running systems, not just newly installed ones? My guess is not, as I was up to date and I still got caught. Having since pulled my activity log from the database, I actually feel a little sick going through it and finding events that were not me. I can see remote users accessing my content, and they have been for the last month. People even connecting their smart TVs to it. This has left me feeling really uneasy about my Emby install, which at this point I am considering deleting to be certain they have not placed a malicious file in the system for a later date. That said, I am not seeing a sane/easy way to back up current settings, so that may be slightly more annoying.
What scares me the most about all of this is that I work in the IT industry, I am a developer by trade, and I had not noticed this nor prevented it. That tells me your average user is really going to struggle with this. I had not gone hunting through all the advanced settings looking for defaults like remote access. Feeling really unimpressed, especially since I pay for the premium service. Would appreciate your thoughts and some reassurance that this is being taken seriously as an issue. Thanks, Craig