Search the Community
Showing results for tags 'security'.
-
CONFIG UI

How it works

Click the Add New Camera button. You set up an IP camera by giving it a friendly name and the URL to make it work (there is a link in the config UI that will take you to a website to help you), select the protocol and then decide if you want it to be saved to a m3u8 file.
Click Save
Repeat for the number of cams you wish to add
Run the Refresh Internet Channels Scheduled Task

Advantages for saving to m3u8 file

Now..... saving to m3u8 file has a massive advantage: you can now import this into the liveTV as a tuner and set up recording schedules for each of your cameras that are in the list.
You will need to install the M3U TV Tuner Plugin
In liveTV setup select m3u, then just select the m3u8 file that the channel creates on the channel refresh and hit save
After you hit save you'll see all your cameras

Boom, now you can create a recording or watch from your TV guide hehhehe

PS it is a Channel so can be watched live and direct thru the channel created on your home page

GOOD SOURCE TO FIND YOUR CAMERA AND MODEL TO GET THE PROTOCOL
Connecting to IP Cameras (ispyconnect.com)

RELEASE
VERSION 1.0.0.0 - Initial Release to Catalogue

TV Channel Logos Dark Light
- 71 replies
-
- 13
-
This was brought to my attention by a post on Reddit in r/selfhosted just a few hours ago. It seems images are available by the itemid even when unauthenticated. The OP claims to have attempted to contact the emby team regarding this and a few other issues with no response. I'm making this post to raise awareness as not everyone who frequents these forums will have seen the post on Reddit, and as it is posted publicly elsewhere it definitely deserves attention on the main forum.

This is very troubling as it means that content that's available on the server can be determined without being logged in. Even more troubling if you're using emby for family pictures and videos, as the pictures themselves can be viewed, and the thumbnail for videos can be viewed as well.

I have tested this myself and can verify that it is a major problem. I could see cover art for movies, as well as pictures from my family photos library without being logged in. It seems that itemids are incremental, so it's arbitrary to just guess a value until you get a valid hit.

Leaking what movies and shows are on a server is definitely not great, but leaking actual personal content is just unacceptable in my opinion. Until something is done to address this I would not recommend using emby for personal/sensitive content if your server is publicly exposed.

Steps to reproduce below. Replace <itemid> with the numerical value of a library item to test it while not logged in.

https://<hostname:port>/emby/Items/<itemId>/Images/Primary
-
CURRENT STATUS:
SSO: Not yet planned
LDAP: Development COMPLETED - BETA AVAILABLE

  >180 direct endorsements
  >30 MONTHS (>2.5 years)
  >12,000 views

PLEASE BUMP - - - - - PLEASE LIKE - - - - - PLEASE BUMP - - - - - PLEASE LIKE - - - - - PLEASE BUMP

This would greatly expand Emby's usage, and possibly more enterprise level adoption, user templating, user groups, SSO, etc. There are also users who have completely abandoned Emby and ended subscriptions due to the lack of this necessary basic functionality.

Note: SAML2 is also part of this request. (header auth is also acceptable, at a minimum.)

Context: I am trying to use something like openfire as an Instant Messaging solution which already supports LDAP and SAML2. So this would allow the current user of emby to seamlessly use web-based instant messenger with the same username and password as Emby without the need to enter them into a form. This would also allow universal login to be shared with my home PC's, Spiceworks, Ombii, Organizr, etc. The multitude of possible flexible functionality this could add is truly incredible.

THIS NEEDS TO BE DONE, myself and others cannot manage a userbase with proprietary passwords for a single service (with no self-service password reset/recovery), when things that have only months of development implement it within days, easily.

Status: LDAP - Development Completed - BETA AVAILABLE!

Common LDAP solutions to test against:
  Open LDAP (Open Source) [use this]
  ApacheDS
  OpenDJ
  389 Directory Server
  Microsoft Active Directory

SSL is NOT actually needed, but Emby team insisted on it anyways:
  Simply offering a toggle option for auth to send plaintext or encrypted passwords would work just fine.
  It is ironic to claim the need to be overly security conscious of user passwords, while lagging behind on basic SSL.
  If SAML is implemented, a SAML request/response can just be signed by an x509 and it is just as secure as TLS using SSL.
  SSL does not need to be natively supported, as it is perfectly possible to run it through an SSL reverse proxy tunnel and have the same effect.

SSL Feature Request: https://emby.media/community/index.php?/topic/33983-ssl-integrationsupport/&do=findComment&comment=322526

As of now username and password is encrypted client-side as security as SSL is not natively implemented. Emby team has said this impedes the adoption of both SSO and LDAP. Please see our SSL request topic; like, comment, and endorse it to show how many people would enjoy/gain from this basic security.

Ways to satisfy this FR:
  Direct LDAP connector
  SAML2 connector
  General SSO functionality (SSO Header, etc)
  Allowing user header auth
  NGINX auth support
  RADIUS Authentication

Other features that are inherently possible if this is implemented:
  Self service passwords
  Ability for users to invite users/guests
  Expiring Accounts (after duration/trigger)
  Unified credentials for many services
  Corporate level authentication security
  User groups
  Mass User management

Update 1: I encourage others to work on this but I am currently seeing what I can do to develop a solution to this myself. If you have experience in this LDAP/SSO/SAML2/SSL/.NET contact myself, @Luke, @ebr or the Emby team to let them know, any help is greatly appreciated! By everyone!

Update 2: I know there is always the question of "well how many users actually want/will use this", so I compiled a list of some of the other threads/sites where people request this (to apparently no effectiveness in motivating the team).

Update 3 (18 MONTH UPDATE): This request has now hit 18 months in age, NO progress made thus far whatsoever.

Update 4: This FR is now the 4th most liked post ON THE ENTIRE FORUM and the 3rd most liked FR ON THE ENTIRE FORUM (ever), the 1st most liked active FR ON THE ENTIRE FORUM and over 4000 views. Counting endorsements besides those on this thread show over 115 direct requests/endorsements for this basic functionality.
Let's get this moving guys, this is getting to be a bit much. Almost 2 years waiting on this now. Source

Update 5 (9/20/2017): This feature request is now the MOST DESIRED REQUEST EVER MADE TO EMBY, sadly, that has not merited any progress at all. The staff has been working on things they believe Emby users want or may want, but it is clear what people want. We can only hope now our wishes are respected instead of being told what we want and having our requests dismissed. Source

Update 6 [2 year update] (10/17/2017): Two years and not a single bit of progress has been made. TWO YEARS!!! To say this is disappointing is an understatement. The entire reason I went from Plex to Emby was because of local user management. THIS IS THE ONLY REASON, so naturally I wanted to have complete control over my users, but after TWO YEARS, still nothing.

Update 7 (3/6/2018): DEVELOPMENT HAS STARTED!!! Check Luke's recent comments, if you want to test it out, download the latest beta and install/configure the LDAP plugin to test and give feedback!!!

Update 8 (4/6/2018): Development on the LDAP connector has completed from what I gather, not sure if this is only a beta or a primary release; SSO is still a plan for the future but has not been touched.
Progress made by other users (looks to be nearly, if not fully complete):
  https://github.com/MediaBrowser/Emby/pull/1885
  https://github.com/MediaBrowser/Emby/pull/2139

Exploits shown by other users against Emby (emphasizing the need for a centralized authentication solution):
  https://emby.media/community/index.php?/topic/12335-unauthenticated-access-over-the-internet-to-logs-folder/
  https://emby.media/community/index.php?/topic/20376-all-folders-visible-to-all-users-after-upgrade/

Related FR that could be helpful:
  https://emby.media/community/index.php?/topic/46635-support-for-logging-users-in-though-url-scheme/?hl=user

Any of these could be interesting to have compatibility with:
  http://lemonldap-ng.org/welcome/
  https://github.com/Jasig/cas
  http://passportjs.org/
  https://www.nginx.com/resources/admin-guide/restricting-access-auth-request/

LDAP/SSO/SAML Requests (~180 endorsements) [>12,000 views]
  > 95 endorsements on this post
  ~ 30 endorsements: https://github.com/MediaBrowser/Emby/issues/1146
  > 35 endorsements: https://www.bountysource.com/issues/24943821-authenticate-users-using-ldap
  > 14 endorsements: https://feathub.com/tidusjar/Ombi/+122
  > 4 endorsements: https://www.reddit.com/r/emby/comments/5o44wd/creating_deleting_updating_users_with_the_api/

Interview, in article comments user said lack of LDAP STOPPED him from using Emby (Emby is actually losing customers due to the lack of this NECESSARY basic functionality):
  https://www.linux.com/news/software/multimedia/856128-exclusive-interview-emby-founder-luke-pulverenti

Duplicate, user had no progress on first 2 posts (no one from Emby actually tracked this or even replied to him):
  http://emby.media/community/index.php?/topic/861-mb3-and-active-directory/
  http://emby.media/community/index.php?/topic/867-mb3-and-active-directory/

Auth announcement, user 'Drashna' in comments requested LDAP/AD:
  http://emby.media/community/index.php?/blog/1/entry-177-manage-your-home-with-emby-users/

Various similar requests:
  https://github.com/MediaBrowser/Emby/issues/2494
  https://github.com/MediaBrowser/Emby/issues/2493
  https://forum.yunohost.org/t/integration-emby/912
  http://emby.media/community/index.php?/topic/13081-active-directory-integration/
  http://emby.media/community/index.php?/topic/11200-media-browser-3-server-ldap-active-directory/

External SQL auth request:
  http://emby.media/community/index.php?/topic/27986-emby-and-shared-mysql-database/
  http://emby.media/community/index.php?/topic/23509-authenticate-users-via-external-mysql-database/
  http://emby.media/community/index.php?/topic/12001-external-login-to-mysql/

#ADFS #SSO #LDAP #ActiveDirectory #MSAD #SAML #SAML2.0 #SAML1.1 #PingFederate #OKTA #LemonLDAP #JASIG #authentication #auth #TLS #SSL #Usergroup #usertemplate #header #authheader #headerauth #security #hardening #authhardening #authenticationheader #externalauth #centralauth #centralizedauth #centralizeddb #exploit #authexploit #security #loginhardening #authenticationhardening #accesscontrol #.NET #SelfService #RADIUS
- 214 replies
-
- 112
-
Today I found on my Dashboard of my QNAP server version Version 4.8.8.0 four failed login attempts from three different IP addresses which iplocation.net placed into Singapore and listed the ISP as "Amazon Data Services Singapore". This is what one of the entries looks like:

    Failed Login Attempt from admin'-- on QNAP-NAS
    54.151.223.193
    8/5/2024, 1:09:25 PM

Since I don't have a user called admin, it looks to me like this was an attempt to get into my Emby Server. Since there are no entries in the log of the QNAP NAS listing these IP addresses, it looks like this was just an attempt on the Emby server.

There are a few questions that I have. Have I drawn the right conclusion that this was just an attempt on the Emby server since there is nothing in the QNAP security logs? Furthermore, is there anything that I can or need to do to protect myself from these attempts to gain entry into my Emby server?

I have 5 Users that I have allowed access to the Emby server but 4 have not logged in for several months. Only one user has successfully authenticated on 8/5/2024 about 20 minutes before and again 2 minutes after the failed login attempts.

Thanks for any suggestions on how to handle these failed login attempts.
-
I wanted to share my fail2ban configuration for people that want to protect against a brute force attack. Fail2ban is a piece of software that will monitor log files for authentication failures, then ban the source IP address after so many attempts to protect against a brute force attack.

I searched around for a tutorial or how-to on how to implement this for emby and came up short, so I decided to give it a try and got it to work without much trouble at all. I wouldn't consider myself an expert and this is my first how-to I have ever written, so if I made a mistake or I'm wrong let me know, and use my instructions at your own risk.

USE AT YOUR OWN RISK

THIS PROBABLY WILL NOT WORK IF YOU ARE USING EMBY CONNECT

I'm not using emby connect because I think it has some security problems listed here https://emby.media/community/index.php?/topic/80497-log-out-security-hole/

You need to install fail2ban. For my setup with ubuntu 18.10 I used (should be the same for debian but I haven't tested):

    sudo apt install fail2ban

To get fail2ban working with emby there are two parts, filter and jail; they both have their directories (jail.d) (filter.d) in /etc/fail2ban/

    cpeng@g5500:~$ cd /etc/fail2ban/
    cpeng@g5500:/etc/fail2ban$ ls
    action.d  fail2ban.conf  fail2ban.d  filter.d  jail.conf  jail.d  paths-arch.conf  paths-common.conf  paths-debian.conf  paths-opensuse.conf

The jail controls what happens with an authentication error and the filter tells how to read the log to find the error.

Create a filter:

    cpeng@g5500:/etc/fail2ban$ sudo nano filter.d/emby.conf

/etc/fail2ban/filter.d/emby.conf

    # Fail2Ban for emby
    #
    #

    [Definition]
    failregex = AUTH-ERROR: <HOST> - Invalid user or password entered
    ignoreregex =

EDIT: New failregex proposed (below) by @nayr to catch 401 errors and attempts to find valid user names

    [Definition]
    failregex = AUTH-ERROR: <HOST> - Invalid user
                HTTP Response 401 to <HOST>.

The failregex tells what the log line will have in it that designates a fail, and "<HOST>" designates the actual IP address. That error looked like this:

    2019-12-24 11:12:00.326 Warn HttpServer: AUTH-ERROR: 10.9.162.31 - Invalid user or password entered.

So I assumed that AUTH-ERROR will be unique to login errors, which is why I started the filter with that.

Next you have to create the jail in

    cpeng@g5500:/etc/fail2ban$ sudo nano jail.d/emby.local

/etc/fail2ban/jail.d/emby.local

    [emby]
    enabled = true
    filter = emby
    logpath = /var/lib/emby/logs/embyserver.txt
    port = 80,443

I use a reverse proxy that uses ports 80,443, but if you aren't doing that then you want to block the default ports 8096,8920

The logpath may vary by distribution; you can find yours in your dashboard under paths.

There are other options that you can add. My default ban time was 10 minutes and max number of retries was 5, which is default, which seemed fine to me.

The last thing you need to do is reload fail2ban so it re-reads the files.

    sudo systemctl reload fail2ban

Then test by entering the wrong password into emby and confirm that it blocks you. Check out the fail2ban.log at /var/log/fail2ban.log

    tail /var/log/fail2ban.log

For testing this command might also come in handy:

    sudo fail2ban-client unban --all

Hope this is helpful.

P.S. I recently switched from plex to emby for the dvr service and so far I have been very impressed and happy with how it works. I got tired of all the bugs with plex, that would never get fixed, instead we got new "features" and new interfaces. The icing on the cake is how responsive the developers are on these forums.
-
I searched but couldn't find a similar request. If one exists with or without all of the options below then please lock this one and point me in that direction.

Now that all users are required to login with username and password at least once on each app/device it would be nice to have the option to use a one time password (OTP) for the initial login on any device but mainly TV apps and streaming devices where it's difficult to enter long strings. It doesn't need to be limited to initial login but should at least allow that.

1. Allow any user who is already logged in to an app or browser to generate a one time 4-6 character OTP for themselves to enter on a new app/device in order to login on said app. This would only log them into their account using the single OTP.
2. Allow an admin account to generate an OTP for any specified user to login. This would be useful for Emby admins to help remote users, particularly those who have difficulty with apps and on screen keyboard-remote combinations. Or to help household users while away from home...
3. The generated OTP would be associated with the corresponding user, either self or assigned by admin. No need to enter or select name on the app login screen, the OTP would suffice.
4. The OTP should be created with a short time to live, either fixed or configurable.

I don't know enough about Emby Connect to suggest how it should/could work for those users.

EDIT: Evidently Jellyfin has a similar feature called Quick Connect but I don't know if it also has the ability for admins to generate codes.
-
Hello, all

Coming from the Plex world, Secure Connections was easy to turn on (actually on by default). I am trying to determine if Emby has that on by default or what steps I might have to perform or if it's a non-issue. I am really hoping whatever is involved is pretty straightforward. When I (or a friend) am accessing my Emby server remotely I'd like to be reasonably secure. I liked that "no-brainer" aspect of Plex.

When I looked in the "Hosting" area of Emby server I saw a check box for requiring HTTPS (the equivalent of secure connections... maybe?) but it then asked me about Certs and stuff and I got lost. I'd rather not go to Plex for external access. I really think Emby is a superior product in many ways.

Also, if there is a particular section of Emby (Guide/Site or etc) that really breaks down most of the security related data, I'd appreciate it. I'd like to be more knowledgeable. What I've found in the forums is not really clear to me and seems to be spread all over the place.

Thank You
- 375 replies
-
As the subject says, because I'd like to disable TLSv1.2 in my reverse proxy for security reasons. I remember reading a post quite a while back that there were some clients that don't, but I can't find that post at the moment. If not, is there a list of clients that don't yet support 1.3? As all main browsers have done so for a while now.. TLS1.3 caniuse.com
-
https://www.bleepingcomputer.com/news/security/qnap-takes-down-server-behind-widespread-brute-force-attacks/ FYI - Not directly related to emby, but useful info for QNAP owners.
-
- 2
-
FYI, there's a flaw in the specification for HTTP/2 that is actively being exploited (specifically, DoS attacks). MS has released updates that mitigate implementations such as .NET (Kestrel), though note that I believe the current mitigation disables HTTP/2. The long-term fix will be some sort of rate-limiter: https://www.cve.org/CVERecord?id=CVE-2023-44487

Details of the fix and the two new AppContext properties can be found here: https://github.com/dotnet/announcements/issues/277
-
Emby Installation Error : emby.tmg, invalid app package for security check failed!
radiosaiuz posted a topic in Samsung Smart TV
Hello, I would like to know whether it is possible with Emby to be viewed on smart TVs. I tried, but although the server shows up, when I want to watch live TV I only see a black screen. Thanks
-
Advisory: https://emby.media/support/articles/advisory-23-05.html A Full Report on the Incident is Available Now:
-
Stop resetting Auto Update to True after each Beta Update
rbjtech posted a topic in Feature Requests
Hi, Please can Emby stop resetting the EnableAutoUpdate flag in system.xml to True every time an update is applied. I know you want people to test new releases but it is a security concern to automatically apply updates.

    <EnableAutoUpdate>false</EnableAutoUpdate>

I use a Windows service, so this does not directly apply - but for updates I need to stop the service and run the App as a standard task, but then it will automatically install the new update without any confirmation. Once run, I then have to remember to edit the system.xml file back to false again each time. Thanks.
-
Server: 4.7.11.0
OS: WIN

I mentioned this about a year ago, but normal Users are still able to modify playlists or delete whole playlists, and yes the playlist gets deleted in the file system, this is not just in the menu and clicking will result in a permission error, it is working. Also, they can see the exact storage location in the deletion dialog. Could this please get fixed in a very near update? Thanks
-
Today I got an email from admin@emby.media saying I need to change my password for security reasons. My email app tells me this message might be a scam. Does anyone know whether this is genuine or not? Neither on the Emby website nor in the forum could I find information on this issue.
-
Hi, I believe I have found something allowing users with a restricted account to a server to see all content on a server. I don't want to post how to recreate it publicly as then people might take advantage of it so preferably I would want to take this privately. But if not then I am more than happy to post about it here. Since the exploit is still working on the newest version available I am going to assume it has not been discovered before.
-
Holding Back button from login will launch home screen of last user
Digitoxin1 posted a topic in Android TV / Fire TV
I'm running AndroidTV 2.0.77g. From the login screen, if you hold the back button, it will take you to the home screen of the last logged in user bypassing any required login credentials. You can reproduce this doing the following:

1. Log in to any user on the login screen or using manual login.
2. Navigate to the user menu at the top and choose log off which will also exit the app.
3. Launch the app which will take you back to the login screen.
4. Hold the back button on the remote until it gives you the message that it is taking you home.
5. You will now be on the home screen of the last logged in user.

- 1 reply
-
Hello everyone

I have the following problem. My Emby server should be reachable via HTTPS (over port 443) with a certificate that was created by Certify the Web. I exported the certificate from IIS and entered it in the Emby settings (also with the correct password). I also tried it with the default port and opened that port on my router, but without success. Unfortunately I can't make sense of the error message in the log file (attached).

Many thanks in advance for your help

Regards, Fabian

embyserver.txt
-
I have an Emby server (4.4.2.0) running on macOS Catalina. I have several users defined in the server. The server is accessible within my home network (via HTTP) and over the Internet (via HTTPS). Most of my users have passwords defined but I have one, which is the 'family' user, which is intended only for use within our home and so has no password defined. For this user I have unticked the box that says 'Allow remote connection to this server' but when I access the server remotely:

a) The user still shows on the login screen
b) Clicking the user logs it in.

This seems like quite a big security hole? Am I misunderstanding what the 'Allow remote connections to this server' option is supposed to do? How can I have a user that shows up on the login screen when accessed locally but does not show up and cannot log in when accessed remotely?

Thanks, Chris
-
Hi, I have a problem with regard to security: if the staff bookmarks a page that she has already had access to, she can still access that page normally even though she doesn't have access anymore. This problem is with the IPTV plugin. Sorry if this isn't the right area for problems or suggestions.
-
Hi everyone. I have found an issue that needs to be improved: I have a friend who downloaded a whole TV show to my mobile because both of us have the same phone name, and it looks like Emby allows everyone to see all devices connected to Emby through the list in the download-to-device option. Let me explain in other words.

How am I supposed to know which iPhone is mine and which other 2 are my friend's? As you can see, there are 3 iPhones in the list because the devs haven't isolated it. On my mom's TV with her account it is the same thing (all devices are listed).

As you can see in the above picture, I am allowed to download my movies to any device from other users. It should have an isolated device list per user, like my computer and my smartphone etc. (my own devices only), but not show me the devices of others like my mom's devices. It should be isolated between accounts (my user can download to my own device) (my mom can download to her device). I really don't understand why the devs haven't isolated the list by user, like I have described above.

Hopefully this will be fixed soon because it is a security issue; a user may not be able to view devices from other users.

Summary of what to do: isolation between device accounts so that users can't download by mistake to a device from other users, so that the device is isolated by account and the returned list contains only the devices of that user and not of the others.

Kind Regards

Enjoy? VOTE WITH LIKE NOT WITH +1 COMMENT
-
Non-admin users can visit the admin dashboard by typing in the URL. They can see paths, active devices and send messages to other users.
-
When I reset my emby password, I get my new password emailed to me in plaintext. This isn't even a temporary password either; you are encouraged to change it but it is not mandatory at login. This suggests emby is storing passwords in an unhashed form (otherwise they would not know the password itself and wouldn't be able to email it). Given the recent hack at Plex, security should be top of our minds; that's the only reason I'm asking. Also, is the password for Emby forums and the emby web client the same?
-
Password Protected User Can Log In Without Password (Docker)
a1pilot posted a topic in General/Windows
Morning, I have three users set up on my Emby server (Debian). Two are humans who need to log in or they cannot gain access. The third is a ghost account to allow DLNA access on my LAN.

My problem is that although I've set up the DLNA user with a password, if I use a mobile connection to my server web interface to simulate WAN access, I can enter only the username and log in without a password. This is potentially a major security hole. I've checked the settings against the human users and they are identical, plus I've restarted the server just in case something didn't take.

To troubleshoot, I created a fourth user identical to one of the humans, but without a password. As expected, a remote connection can log in with just the username. I then set a password and you can still log in without a password. It's as if the password is ignored.

Any ideas? Thanks

- 27 replies