Showing results for tags 'Security'.

  1. Guest

    New password needed?

    Today I got an email from admin@emby.media saying I need to change my password for security reasons. My email app tells me this message might be a scam. Does anyone know whether this is genuine or not? I could not find any information on this issue on either the Emby website or the forum.
  2. Server: OS: WIN. I mentioned this about a year ago, but normal users are still able to modify playlists or delete whole playlists, and yes, the playlist gets deleted in the file system; this is not just a menu entry where clicking results in a permission error, it actually works. Also, they can see the exact storage location in the deletion dialog. Could this please get fixed in a very near update? Thanks
  3. Hi, I believe I have found something allowing users with a restricted account to a server to see all content on a server. I don't want to post how to recreate it publicly as then people might take advantage of it so preferably I would want to take this privately. But if not then I am more than happy to post about it here. Since the exploit is still working on the newest version available I am going to assume it has not been discovered before.
  4. HSEmbyBox

    Emby security hardening

    Is there any good Emby security hardening guide somewhere? Please share URL if any. What are the IoC (indicator of compromise) in case a box is vulnerable or compromised? @cayars
  5. I'm running AndroidTV 2.0.77g. From the login screen, if you hold the back button, it will take you to the home screen of the last logged-in user, bypassing any required login credentials. You can reproduce this by doing the following:
    1. Log in to any user on the login screen or using manual login.
    2. Navigate to the user menu at the top and choose log off, which will also exit the app.
    3. Launch the app, which will take you back to the login screen.
    4. Hold the back button on the remote until it gives you the message that it is taking you home.
    5. You will now be on the home screen of the last logged-in user.
  6. Hello, I would like to know whether it is possible with Emby to be seen on smart TVs. I tried, but apart from the server being visible, when I want to watch live TV I only see a black screen. Thanks
  7. CURRENT STATUS:
    SSO: Not yet planned
    LDAP: Development COMPLETED - BETA AVAILABLE
    >180 direct endorsements
    >30 MONTHS (>2.5 years)
    >12,000 views

    PLEASE BUMP - - - - - PLEASE LIKE - - - - - PLEASE BUMP - - - - - PLEASE LIKE - - - - - PLEASE BUMP

    This would greatly expand Emby's usage, and possibly more enterprise level adoption, user templating, user groups, SSO, etc. There are also users who have completely abandoned Emby and ended subscriptions due to the lack of this necessary basic functionality.

    Note: SAML2 is also part of this request. (Header auth is also acceptable, at a minimum.)

    Context: I am trying to use something like Openfire as an instant messaging solution, which already supports LDAP and SAML2. So this would allow the current user of Emby to seamlessly use a web-based instant messenger with the same username and password as Emby without the need to enter them into a form. This would also allow universal login to be shared with my home PCs, Spiceworks, Ombi, Organizr, etc. The multitude of possible flexible functionality this could add is truly incredible. THIS NEEDS TO BE DONE; myself and others cannot manage a userbase with proprietary passwords for a single service (with no self-service password reset/recovery), when things that have only months of development implement it within days, easily.

    Status: LDAP - Development Completed - BETA AVAILABLE!

    Common LDAP solutions to test against:
    OpenLDAP (Open Source) [use this]
    ApacheDS
    OpenDJ
    389 Directory Server
    Microsoft Active Directory

    SSL is NOT actually needed, but the Emby team insisted on it anyways: simply offering a toggle option for auth to send plaintext or encrypted passwords would work just fine. It is ironic to claim the need to be overly security conscious of user passwords, while lagging behind on basic SSL. If SAML is implemented, a SAML request/response can just be signed by an x509 and it is just as secure as TLS using SSL. SSL does not need to be natively supported, as it is perfectly possible to run it through an SSL reverse proxy tunnel and have the same effect.

    SSL Feature Request: https://emby.media/community/index.php?/topic/33983-ssl-integrationsupport/&do=findComment&comment=322526

    As of now username and password are encrypted client-side as security, as SSL is not natively implemented. The Emby team has said this impedes the adoption of both SSO and LDAP. Please see our SSL request topic; like, comment, and endorse it to show how many people would enjoy/gain from this basic security.

    Ways to satisfy this FR:
    Direct LDAP connector
    SAML2 connector
    General SSO functionality (SSO Header, etc)
    Allowing user header auth
    NGINX auth support
    RADIUS Authentication

    Other features that are inherently possible if this is implemented:
    Self service passwords
    Ability for users to invite users/guests
    Expiring Accounts (after duration/trigger)
    Unified credentials for many services
    Corporate level authentication security
    User groups
    Mass User management

    Update 1: I encourage others to work on this, but I am currently seeing what I can do to develop a solution to this myself. If you have experience in LDAP/SSO/SAML2/SSL/.NET, contact myself, @Luke, @ebr or the Emby team to let them know; any help is greatly appreciated! By everyone!

    Update 2: I know there is always the question of "well, how many users actually want/will use this", so I compiled a list of some of the other threads/sites where people request this (to apparently no effectiveness in motivating the team).

    Update 3 (18 MONTH UPDATE): This request has now hit 18 months in age, NO progress made thus far whatsoever.

    Update 4: This FR is now the 4th most liked post ON THE ENTIRE FORUM and the 3rd most liked FR ON THE ENTIRE FORUM (ever), the 1st most liked active FR ON THE ENTIRE FORUM, and has over 4000 views. Counting endorsements besides those on this thread shows over 115 direct requests/endorsements for this basic functionality. Let's get this moving guys, this is getting to be a bit much. Almost 2 years waiting on this now. Source

    Update 5 (9/20/2017): This feature request is now the MOST DESIRED REQUEST EVER MADE TO EMBY; sadly, that has not merited any progress at all. The staff has been working on things they believe Emby users want or may want, but it is clear what people want. We can only hope now that our wishes are respected instead of being told what we want and having our requests dismissed. Source

    Update 6 [2 year update] (10/17/2017): Two years and not a single bit of progress has been made. TWO YEARS!!! To say this is disappointing is an understatement. The entire reason I went from Plex to Emby was because of local user management. THIS IS THE ONLY REASON, so naturally I wanted to have complete control over my users, but after TWO YEARS, still nothing.

    Update 7 (3/6/2018): DEVELOPMENT HAS STARTED!!! Check Luke's recent comments; if you want to test it out, download the latest beta and install/configure the LDAP plugin to test and give feedback!!!

    Update 8 (4/6/2018): Development on the LDAP connector has completed from what I gather, not sure if this is only a beta or a primary release; SSO is still a plan for the future but has not been touched.

    Progress made by other users (looks to be nearly, if not fully, complete):
    https://github.com/MediaBrowser/Emby/pull/1885
    https://github.com/MediaBrowser/Emby/pull/2139

    Exploits shown by other users against Emby (emphasizing the need for a centralized authentication solution):
    https://emby.media/community/index.php?/topic/12335-unauthenticated-access-over-the-internet-to-logs-folder/
    https://emby.media/community/index.php?/topic/20376-all-folders-visible-to-all-users-after-upgrade/

    Related FR that could be helpful:
    https://emby.media/community/index.php?/topic/46635-support-for-logging-users-in-though-url-scheme/?hl=user

    Any of these could be interesting to have compatibility with:
    http://lemonldap-ng.org/welcome/
    https://github.com/Jasig/cas
    http://passportjs.org/
    https://www.nginx.com/resources/admin-guide/restricting-access-auth-request/

    LDAP/SSO/SAML Requests (~180 endorsements) [>12,000 views]
    > 95 endorsements on this post
    ~ 30 endorsements: https://github.com/MediaBrowser/Emby/issues/1146
    > 35 endorsements: https://www.bountysource.com/issues/24943821-authenticate-users-using-ldap
    > 14 endorsements: https://feathub.com/tidusjar/Ombi/+122
    > 4 endorsements: https://www.reddit.com/r/emby/comments/5o44wd/creating_deleting_updating_users_with_the_api/

    Interview; in the article comments a user said lack of LDAP STOPPED him from using Emby (Emby is actually losing customers due to the lack of this NECESSARY basic functionality):
    https://www.linux.com/news/software/multimedia/856128-exclusive-interview-emby-founder-luke-pulverenti

    Duplicate; user had no progress on first 2 posts (no one from Emby actually tracked this or even replied to him):
    http://emby.media/community/index.php?/topic/861-mb3-and-active-directory/
    http://emby.media/community/index.php?/topic/867-mb3-and-active-directory/

    Auth announcement; user 'Drashna' in comments requested LDAP/AD:
    http://emby.media/community/index.php?/blog/1/entry-177-manage-your-home-with-emby-users/

    Various similar requests:
    https://github.com/MediaBrowser/Emby/issues/2494
    https://github.com/MediaBrowser/Emby/issues/2493
    https://forum.yunohost.org/t/integration-emby/912
    http://emby.media/community/index.php?/topic/13081-active-directory-integration/
    http://emby.media/community/index.php?/topic/11200-media-browser-3-server-ldap-active-directory/

    External SQL auth requests:
    http://emby.media/community/index.php?/topic/27986-emby-and-shared-mysql-database/
    http://emby.media/community/index.php?/topic/23509-authenticate-users-via-external-mysql-database/
    http://emby.media/community/index.php?/topic/12001-external-login-to-mysql/

    #ADFS #SSO #LDAP #ActiveDirectory #MSAD #SAML #SAML2.0 #SAML1.1 #PingFederate #OKTA #LemonLDAP #JASIG #authentication #auth #TLS #SSL #Usergroup #usertemplate #header #authheader #headerauth #security #hardening #authhardening #authenticationheader #externalauth #centralauth #centralizedauth #centralizeddb #exploit #authexploit #security #loginhardening #authenticationhardening #accesscontrol #.NET #SelfService #RADIUS
  8. FoxBlackeagle

    EMBY über HTTPS

    Hello everyone. I have the following problem. My Emby server should be reachable via HTTPS (over port 443) with a certificate that was created by Certify the Web. I exported the certificate from IIS and entered it in the Emby settings (with the correct password, too). I also tried it with the standard port and opened that port on my router, but without success. Unfortunately I can't make anything of the error message in the log file (attached). Many thanks in advance for your help. Regards, Fabian embyserver.txt
  9. I wanted to share my fail2ban configuration for people that want to protect against a brute force attack. Fail2ban is a piece of software that will monitor log files for authentication failures and then ban the source IP address after so many attempts, to protect against a brute force attack. I searched around for a tutorial or how-to on how to implement this for Emby and came up short, so I decided to give it a try and got it to work without much trouble at all. I wouldn't consider myself an expert and this is the first how-to I have ever written, so if I made a mistake or I'm wrong let me know, and use my instructions at your own risk.

    USE AT YOUR OWN RISK

    THIS PROBABLY WILL NOT WORK IF YOU ARE USING EMBY CONNECT. I'm not using Emby Connect because I think it has some security problems, listed here: https://emby.media/community/index.php?/topic/80497-log-out-security-hole/

    You need to install fail2ban. For my setup with Ubuntu 18.10 I used (should be the same for Debian but I haven't tested):

        sudo apt install fail2ban

    To get fail2ban working with Emby there are two parts, filter and jail; they both have their directories (jail.d) (filter.d) in /etc/fail2ban/

        cpeng@g5500:~$ cd /etc/fail2ban/
        cpeng@g5500:/etc/fail2ban$ ls
        action.d  fail2ban.conf  fail2ban.d  filter.d  jail.conf  jail.d  paths-arch.conf  paths-common.conf  paths-debian.conf  paths-opensuse.conf

    The jail controls what happens with an authentication error and the filter tells how to read the log to find the error.

    Create a filter:

        cpeng@g5500:/etc/fail2ban$ sudo nano filter.d/emby.conf

    /etc/fail2ban/filter.d/emby.conf

        # Fail2Ban for emby
        #
        #
        [Definition]
        failregex = AUTH-ERROR: <HOST> - Invalid user or password entered
        ignoreregex =

    EDIT: New failregex proposed (below) by @nayr to catch 401 errors and attempts to find valid user names:

        [Definition]
        failregex = AUTH-ERROR: <HOST> - Invalid user
                    HTTP Response 401 to <HOST>.

    The failregex tells what the log line will have in it that designates a fail, and "<HOST>" designates the actual IP address. That error looked like this:

        2019-12-24 11:12:00.326 Warn HttpServer: AUTH-ERROR: - Invalid user or password entered.

    So I assumed that AUTH-ERROR will be unique to login errors, which is why I started the filter with that.

    Next you have to create the jail in

        cpeng@g5500:/etc/fail2ban$ sudo nano jail.d/emby.local

    /etc/fail2ban/jail.d/emby.local

        [emby]
        enabled = true
        filter = emby
        logpath = /var/lib/emby/logs/embyserver.txt
        port = 80,443

    I use a reverse proxy that uses ports 80,443, but if you aren't doing that then you want to block the default ports 8096,8920. The logpath may vary by distribution; you can find yours in your dashboard under paths. There are other options that you can add; my default ban time was 10 minutes and the max number of retries was 5, which is the default and seemed fine to me.

    The last thing you need to do is reload fail2ban so it re-reads the files:

        sudo systemctl reload fail2ban

    Then test by entering the wrong password into Emby and confirm that it blocks you. Check out the fail2ban.log at /var/log/fail2ban.log:

        tail /var/log/fail2ban.log

    For testing this command might also come in handy:

        sudo fail2ban-client unban --all

    Hope this is helpful.

    P.S. I recently switched from Plex to Emby for the DVR service and so far I have been very impressed and happy with how it works. I got tired of all the bugs with Plex that would never get fixed; instead we got new "features" and new interfaces. The icing on the cake is how responsive the developers are on these forums.
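    A filter like the one in the post above is easiest to check offline, before pointing fail2ban at a live log. The Python below is an added example written for this page; it is not code from the post or from the fail2ban project. It expands the two failregex lines (the original AUTH-ERROR line and the proposed 401 line) over a handful of constructed embyserver.txt lines and applies the jail's maxretry=5 rule with a 10-minute window. Assumptions: the `<HOST>` tag is approximated by an IPv4/IPv6 literal (real fail2ban also matches hostnames), the 10-minute findtime is fail2ban's default rather than something the post states, and the shape of the 401 log line and the addresses (RFC 5737 test ranges) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> tag: an IPv4 or IPv6 literal.
# Assumption: real fail2ban's expansion also matches hostnames; omitted here.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]+:[0-9A-Fa-f:]*)"

# The two failregex lines from the post's filter (original + the proposed 401 line).
FAILREGEX = [
    r"AUTH-ERROR: <HOST> - Invalid user",
    r"HTTP Response 401 to <HOST>\.",
]

# Constructed sample of embyserver.txt lines. The AUTH-ERROR lines follow the
# shape quoted in the post; the 401 line's shape is an assumption.
SAMPLE_LOG = """\
2019-12-24 11:12:00.326 Warn HttpServer: AUTH-ERROR: 203.0.113.5 - Invalid user or password entered.
2019-12-24 11:12:03.101 Warn HttpServer: AUTH-ERROR: 203.0.113.5 - Invalid user or password entered.
2019-12-24 11:12:05.550 Info HttpServer: HTTP GET http://emby.example/emby/System/Info. UserAgent: test
2019-12-24 11:12:07.900 Warn HttpServer: AUTH-ERROR: 203.0.113.5 - Invalid user or password entered.
2019-12-24 11:12:10.212 Warn HttpServer: AUTH-ERROR: 198.51.100.7 - Invalid user or password entered.
2019-12-24 11:12:12.040 Warn HttpServer: HTTP Response 401 to 203.0.113.5. Time: 3ms. http://emby.example/emby/Users/AuthenticateByName
2019-12-24 11:12:15.777 Warn HttpServer: AUTH-ERROR: 203.0.113.5 - Invalid user or password entered.
2019-12-24 11:40:00.000 Warn HttpServer: AUTH-ERROR: 198.51.100.7 - Invalid user or password entered.
"""


def compile_failregex(patterns):
    """Expand <HOST> in each fail2ban-style pattern and compile it."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def parse_timestamp(line):
    """embyserver.txt lines begin with 'YYYY-MM-DD HH:MM:SS.fff'."""
    return datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S.%f")


def find_failures(lines, compiled):
    """Return (timestamp, host) for every line that some failregex matches."""
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append((parse_timestamp(line), m.group("host")))
                break  # one failure per line, as fail2ban counts it
    return hits


def hosts_to_ban(failures, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {host: time_of_ban} for hosts reaching maxretry failures inside findtime.

    maxretry=5 is the default the post relies on; findtime=10 minutes is
    fail2ban's default window (assumption: the post does not mention it).
    """
    by_host = defaultdict(list)
    for ts, host in failures:
        by_host[host].append(ts)
    banned = {}
    for host, times in by_host.items():
        window = []
        for ts in sorted(times):
            window.append(ts)
            # Sliding window: keep only failures no older than findtime.
            window = [t for t in window if ts - t <= findtime]
            if len(window) >= maxretry:
                banned[host] = ts
                break
    return banned


def analyse(log_text, maxretry=5):
    """Run the filter over a log and return the hosts the jail would ban."""
    failures = find_failures(log_text.splitlines(), compile_failregex(FAILREGEX))
    return hosts_to_ban(failures, maxretry=maxretry)


if __name__ == "__main__":
    for host, when in analyse(SAMPLE_LOG).items():
        print(f"would ban {host} at {when}")
```

    In the constructed sample, 203.0.113.5 accumulates five matches within sixteen seconds (four AUTH-ERROR lines plus the 401 line) and is banned at the fifth; 198.51.100.7 has two failures 28 minutes apart, which never overlap in one window. Lowering maxretry to 2 still bans only the first host, because the window rule, not just the raw count, decides.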
  10. I have an Emby server ( running on macOS Catalina. I have several users defined in the server. The server is accessible within my home network (via HTTP) and over the Internet (via HTTPS). Most of my users have passwords defined, but I have one, the 'family' user, which is intended only for use within our home and so has no password defined. For this user I have unticked the box that says 'Allow remote connection to this server', but when I access the server remotely: a) the user still shows on the login screen; b) clicking the user logs it in. This seems like quite a big security hole? Am I misunderstanding what the 'Allow remote connections to this server' option is supposed to do? How can I have a user that shows up on the login screen when accessed locally but does not show up and cannot log in when accessed remotely? Thanks, Chris
  11. mathiasaulo

    Error of Security

    Hi, I have a problem with regard to security: if a staff member bookmarks a page that she has already had access to, she can still access that page normally even though she doesn't have access anymore. This problem occurs with the IPTV plugin. Sorry if this isn't the right problem area or the right suggestions.
  12. Hi everyone. I have found an issue (and this needs enhancing), because I have a friend who has downloaded a whole TV show to my mobile: both of us have the same phone name, and it looks like Emby lets everyone see all devices connected to Emby through the "download to device" list. Let me explain in other words: how am I supposed to know which iPhone is mine and which other 2 are my friend's? As you can see there are 3 iPhones in the list because the devs haven't isolated it. On my mom's TV with her account, same thing (all devices are listed). As you can see in the above picture, I can download my movies to any device from other users; it should have an isolated device list per user, like my computer and my smartphone etc. (my own devices only), and not show me the devices from others like my mom's devices. It should be isolated between accounts (my user can download to my own devices; my mom can download to her devices). I really don't understand why the devs haven't isolated the list by user, like I have described above. Hopefully this will be fixed soon, because it is a security issue: users should not be able to view devices from other users. Summary: isolate devices per account so users cannot download by mistake to a device from other users; that way the device list is isolated by account and the retrieved (returned or resulting) list contains only that user's devices and not the others'. Kind Regards. Enjoy? VOTE WITH LIKE NOT WITH +1 COMMENT. Sent from my VOG-L29 using Tapatalk
  13. Non-admin-user can visit the admin dashboard by typing in the url. They can see paths, active device and sent messages to other users.
  14. When I reset my Emby password, I get my new password emailed to me in plaintext. This isn't even a temporary password either; you are encouraged to change it, but it is not mandatory at login. This suggests Emby is storing passwords in an unhashed form (otherwise they would not know the password itself and wouldn't be able to email it). Given the recent hack at Plex, security should be top of our minds; that's the only reason I'm asking. Also, is the password for the Emby forums and the Emby web client the same?
  15. Morning, I have three users setup on my Emby server (Debian). Two are humans who need to log in or they cannot gain access. The third is a ghost account to allow DLNA access on my LAN. My problem is that although I've setup the DLNA user with a password, if I use a mobile connection to my server web interface to simulate WAN access, I can enter only the username and login without a password. This is potentially a major security hole. I've checked the settings against the human users and they are identical, plus I've restarted the server just in case something didn't take. To troubleshoot, I created a fourth user identical to one of the humans, but without a password. As expected, a remote connection can login with just the username. I then set a password and you can still login without a password. It's as if the password is ignored. Any ideas? Thanks
  16. Not sure if this is a Synology-only problem, but the standard user shouldn't be able to log in from outside without a password.
  17. A fundamental question about security, especially because of the current problems caused by the so-called Emotet Trojan: I use the Emby server under Windows 10 on the same PC where my Kodi client is installed. The data is stored on a Synology NAS. Under Windows I did not set up network drives directly on this PC, but use the UNC paths for the libraries, e.g. \\IP\Share\folder\... Since Emby does not allow you to specify credentials, the logged-in Windows user must have access to these shares on the NAS. In case of a Trojan infestation of the PC, Emotet in particular should have no problem encrypting the complete data on the NAS with these read/write rights, even if the network drives have not been mapped directly under Windows. It would be much safer if the access were not done with the logged-in Windows user, but with another user whose credentials have to be entered in Emby. According to my understanding, a Trojan infestation of the PC should then no longer be able to access the data directly from the operating system and possibly compromise it. So is it possible to provide access credentials for network drives as well? Thanks a lot.
  18. frei

    HTTPS Login

    Click "SIGN IN" on https://emby.media , take me to http://app.emby.media/#!/startup/welcome.html This should be https as a basic requirement for all the modern apps/websites.
  19. Hello, all. Coming from the Plex world, Secure Connections was easy to turn on (actually on by default). I am trying to determine if Emby has that on by default, or what steps I might have to perform, or if it's a non-issue. I am really hoping whatever is involved is pretty straightforward. When I (or a friend) am accessing my Emby server remotely I'd like to be reasonably secure. I liked that "no-brainer" aspect of Plex. When I looked in the "Hosting" area of Emby server I saw a check box for requiring HTTPS (the equivalent of secure connects... maybe?) but it then asked me about certs and stuff and I got lost. I'd rather not go to Plex for external access. I really think Emby is a superior product in many ways. Also, if there is a particular section of Emby (Guide/Site or etc.) that really breaks down most of the security related data, I'd appreciate it. I'd like to be more knowledgeable. What I've found in the forums is not really clear to me and seems to be spread all over the place. Thank You
  20. So I found a pretty big issue today while signing into Emby. I changed my Emby password yesterday, but when I went to sign on today I accidentally used my old password and my old password STILL WORKED! I am able to sign in with both my old AND new password. I feel like this is a pretty big security flaw. While writing this, I'm starting to question whether or not this is a bug. My old Emby user password was the same as my Connect password, so are you able to sign into your Emby user account on the web dashboard (this one, specifically: https://memester.cf/u/rrqj90.png) using your Connect password?
  21. A bit like this topic https://emby.media/community/index.php?/topic/73224-emby-shows-unknown-users/ and this topic https://emby.media/community/index.php?/topic/71982-server-security-compromised/, I have also found my Emby setup to have been compromised. In my case, like some of these users, I found a user called "computerguyiptv" on my system (showing as a cloud user). Having just spent the better part of a couple of hours digging into this, I am pretty happy to say that while you guys are clearly working on the security, it sounds like long-standing defaults are making a right mess of this.

    In my case I did not have an admin password set and remote access was turned on. As far as I can tell those two were both defaults when I installed Emby as a package on my Synology NAS a couple of years ago. I actually wasn't aware Emby was using UPnP to add a port forward, and it turns out my router kindly does not show UPnP-added entries alongside user-added ones, so from my point of view there was no remote access, hence my lack of caring about an admin password.

    It sounds like you guys have changed some defaults now and also changed it to not allow remote access without a password. That sounds great, but can I check that these are retrospective changes applying to running systems, not just newly installed ones? My guess is not, as I was up to date and I still got caught.

    Having since pulled my activity log from the database, I actually feel a little sick going through it finding events that were not me. I can see remote users accessing my content and have been for the last month. People even connecting their smart TVs to it. This has left me feeling really uneasy about my Emby install, which at this point I am considering deleting to be certain they have not placed a malicious file in the system for a later date. That said, I am not seeing a sane/easy way to back up current settings, so that may be slightly more annoying.

    What scares me the most about all of this is I work in the IT industry, I am a developer by trade, and I had not noticed this nor prevented it. That tells me your average user is really going to struggle with this. I had not gone hunting through all the advanced settings looking for defaults like remote access. Feeling really unimpressed, especially since I pay for the premium service. Would appreciate your thoughts and some reassurance that this is being taken seriously as an issue. Thanks, Craig
  22. I have created multiple libraries targeted at different sets of users. I have granted access to one or more libraries for a given user, and no access to other libraries. The libraries where the user has no access are not available from his dashboard; however, a direct link to the library or a movie within the library will allow the user access. Is it somehow possible to prevent this? Regards, Johannes
  23. lawprior


    I'm trying to connect to the hosted web app through HTTPS, because Chromecast now needs it to work properly. I'm told to select my server, and it won't connect to it. I can connect to it just fine on HTTP. So, does anyone know what's wrong and how I fix it?
  24. herdofem


    I just installed Emby on my Windows 7 desktop with default settings. I'm using it to share my 23GB of music. I have one 250 GB SSD (operating system) and one 1 TB non-SSD hard drive (with the music), which I don't have a backup plan for right now. I've given a few of my friends the dynamic IP address (which doesn't seem to change) to use with their phone apps. I don't plan on using the server for much else. I'm worried I've exposed myself to the internet. Would Emby Connect be safer? It requires them to make an Emby account, correct? How about a static IP address, different DNS, or a NAS? Are 2 NAS disks in a NAS sufficient for periodic backup and serving?
  25. I like Emby enough that I bought a Premiere license a while back, but after discovering what I believe is a major security hole I'm rethinking using the server. Media streams do not require authentication. Steps to reproduce (using version Note: this example is using a video, but the problem persists for all content types.
    1. Log into Emby from your browser (in this example, Chrome).
    2. Open the developer tools -> Network tab.
    3. Filter the traffic by "stream.mov".
    4. Play any video and you should see a GET request show up.
    5. Copy the entire "stream.mov" URL.
    6. Fully clear your browser.
    7. Paste in the copied URL.
    Bam, video downloads without any type of authentication. Users can copy & paste this link, allowing unauthenticated sharing. Since it's a GET request anyone can sniff the requested URL, regardless of HTTP/S, and grab whatever you're watching.

    After NomadCF's reply & more research I found the rest of the URL is not accessible over HTTPS, so this concern is void. I can't be the first to notice this. Suggestions welcome; no, I can't force all users through a VPN.