
Suggestion for protecting my ip


SalluMe10

Gilgamesh_48

It is actually quite simple:
1. Get a good VPN.
2. Do not share your library outside your local network.

However that IP does not appear to be one that would ID your local network at all.


SalluMe10

I already tried running the VPN but once the VPN is connected the remote URL doesn't work, like it keeps loading for a while and says "This site can't be reached".

That IP is not actually my correct IP, I just changed it on the frontend so that I can share it on here.


GrimReaper
1 hour ago, SalluMe10 said:

I already tried running the VPN but once the VPN is connected the remote URL doesn't work, like it keeps loading for a while and says "This site can't be reached".

You need a VPN that supports port forwarding, not all VPNs do.


SalluMe10

I think the VPN I am using does support port forwarding, but can you suggest any other VPN that you have used with Emby?


GrimReaper
47 minutes ago, SalluMe10 said:

I think the VPN I am using does support port forwarding, but can you suggest any other VPN that you have used with Emby?

Personally only used AirVPN, I know @cayars likes PIA. And he will surely have a suggestion or two to bypass solutions involving commercial VPN service providers. 


SalluMe10

Can you send me a screenshot of how you configured it in AirVPN? I'll give AirVPN a try for now.


GrimReaper
29 minutes ago, SalluMe10 said:

Can you send me a screenshot of how you configured it in AirVPN? I'll give AirVPN a try for now.

I said "used", not "using", but AFAIR in AirVPN WebUI Client area there's a Port Forwarding section where you can pick any of the available free ports to forward - and that same port you will enter in Emby's Network settings, as http (or https, if you're setting secure connection) port. No ports need to be open in your router. 


SalluMe10

Not yet, I am still trying to get it to work with the VPN I have, and I think it's working, but the thing is that I am also using nginx as a reverse proxy and I am using server port 443.

But I keep seeing this screen even though I have everything set up.

And this only works for port 443, like I am able to use my phone to navigate to my domain and see the exact same page, but if I use any other port for remote connection, for example 36245 or something, then I am only able to use my domain locally.

This is some confusing and tough stuff to set up. I have been trying to set it all up for the last few days but no luck yet.


SalluMe10

I am able to connect to VPN and access the remote url locally but not outside my local network

I am using PureVPN for port forwarding port 443

and I am using the same 443 port for my local and remote https port. I have my domain DNS pointed to my IP.

Link to comment
Share on other sites

What's the point of using a VPN for this?

Are you concerned about security or about being able to get identified by authorities?

Link to comment
Share on other sites

Don't get me wrong. Both of what I mentioned would be valid reasons - I just wanted to point out that a VPN doesn't add much to security as long as your router is configured properly, and some routers also provide some basic protection which you don't have with a VPN that terminates directly on one of your machines.

One piece of general advice (no matter which way you go): Don't use the Emby ports (8096 etc), use either custom or default http(s) ports.

 


SalluMe10

Yep, got it, thanks for the advice. I am new at this so just trying to learn how to secure an Emby server. Is it safe to use ports 80 and 443? Or would you suggest just using specific ports for http and https?

And would adding a reverse proxy be better than using a VPN?

Like I said, just trying to learn the best practice for securing the server.

Link to comment
Share on other sites

A VPN doesn't provide any protection. The only thing it can do is to hide your IP address, but why would you want to do this?

One reason would be the one I mentioned, but when you have a DNS entry already, you could be identified by that as well (as long as it's not from a TLD with a registry that doesn't respond to requests from authorities). So - that doesn't give you much in that direction as long as you're not diving deeply into the subject and doing everything "right" to hide yourself. Anyway, that's usually not necessary and should not be a concern for a normal Emby user.

One other benefit (you probably do not need) with a VPN would be when you need to have multiple ports open on your router and you don't trust your Emby users and you would be afraid that they could specifically attack you through the other open ports.

But for every other attacker (not one of your Emby users) - there's no change to the situation - they can find your open port, no matter whether it's through VPN or not.

So, why am I saying you shouldn't use 8096 and 8196?

That's because when a vulnerability in Emby server would be discovered (and there are surely some, like in most other products as well), an attacker could easily find all public Emby Servers which are using those ports. Scanning the whole IPv4 address space (almost 4 billion addresses) for a specific open port takes about one or two days only. That's a simple TCP/IP operation, and after those two days you can have all the Emby servers serving at these ports (plus all other servers or devices which have that port open - probably not that many, though). At the end, the attacker can be pretty sure that most of the results are Emby Servers.

But when you use 80/443, that port scan would return many millions of open ports - meaning all public web servers. When the attacker would want to find out which of those are Emby Servers, that would require a huge amount of time, because making http requests and receiving/reading/parsing/evaluating the responses is a completely different story than a port scan and takes a much longer time. It actually takes so long that it doesn't make any sense to do that in order to find public Emby Servers.

Custom ports (e.g. 46124) are safe for the same reason: as long as there is no known service using it, it's not attractive to scan those (could be anything behind).

Link to comment
Share on other sites

Regarding the use of a Reverse Proxy

It's surely a good measure to have one in place. But it doesn't give as much benefit as in other cases:

  • Attack Surface Reduction
    The typical simple variant for this is that you can configure precise filters for the URLs that you want to be handled and forwarded, and all others will be discarded.
    The problem here is that nobody (no average user) exactly knows about all the URL patterns that are being used in communication with Emby server, and therefore, no user is able to configure this properly, which means that you'll end up configuring the reverse proxy to forward ALL http requests to your Emby server
    => not really a benefit
  • Prevention and filtering of known attacks
    There are many known vulnerabilities which allow attacking http services. These are specific URL patterns which some reverse proxies can detect and filter. There's just a little problem: those patterns are all targeting specific web service applications - for example: "WordPress" or "Drupal" or "Outlook Web Access", etc. but none of those attack patterns will allow to compromise Emby Server, so there's no point in filtering those.
    => again, little benefit
  • Filtering Web Server Vulnerabilities
    When you want to attack a server via http, there doesn't exist something like a "universal exploit". There are exploits for web servers like Apache or IIS (rare) or specific applications running on those servers, e.g. WordPress, with the latter kind being the typical ones.
    Emby is special in a way that it doesn't use a regular web server and it's also not a common web application. All-in-all, Emby is probably way more insecure than other services running on Apache (for example), but its use is too rare as that it would be of much interest for finding those holes. And even when an attacker would have found such hole, it wouldn't be worth scanning the internet for web servers through http requests (too much time for scanning). Except scanning by port like explained above.

But there are still some basic protection mechanisms that a remote proxy can help with, like

  • Rejecting requests with typical attack patterns
    • like many requests with http error response from a certain source
    • unusual requests which are attempting to achieve buffer overruns by having extremely large values in requests
    • etc.
  • Also reverse proxies are great when you want to publish multiple services (not just Emby) and depending on the URL path, the proxy can redirect the traffic to another internal server service in your LAN
Link to comment
Share on other sites
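
The two "basic protection" signals named in the post above (many error responses from one source, and requests with extremely large values) can be checked against a reverse proxy's access log. This is an added example, not part of the thread and not Emby or nginx code; the nginx "combined" log format, the thresholds and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def suspicious_sources(lines, max_errors=3, max_request_len=2048):
    """Map each source IP to the reasons it looks like probing traffic.

    max_errors and max_request_len are assumed thresholds; tune them
    against what your own clients normally produce.
    """
    errors = Counter()
    reasons = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, request, status = m["ip"], m["request"], int(m["status"])
        if status >= 400:
            errors[ip] += 1
            if errors[ip] >= max_errors:
                reasons[ip].add("repeated-errors")
        if len(request) > max_request_len:
            reasons[ip].add("oversized-request")
    return {ip: sorted(r) for ip, r in reasons.items()}

# Constructed sample lines using documentation address ranges (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /owa/ HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/8.0"',
    '198.51.100.20 - - [10/Mar/2024:10:00:05 +0000] "GET /web/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2024:10:00:09 +0000] "GET /missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [10/Mar/2024:10:00:11 +0000] "GET /?q=' + "A" * 5000
    + ' HTTP/1.1" 414 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, why in suspicious_sources(SAMPLE_LOG).items():
        print(ip, ", ".join(why))
```

A normal client that hits a single missing file stays below the error threshold, so only the source with repeated 404s and the source with the oversized request line are reported.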

My best advice to you is: Focus on your router!

It is the door to your network and compromised/insecure routers are much more dangerous than not having a reverse proxy on a service which is used by just a small number of people you trust.

Read everything about your router. Make sure the configuration is right. Google for vulnerabilities, update the firmware, and when it turns out that there are known issues or no regular security updates being provided, then replace it with a better one.


  • 2 weeks later...
justinrh

That IP address is just being reported by the website for your reference, I believe.  The address is not in the header, if that is what you are thinking.  Even if it was in the header it wouldn't be a security issue because the viewer (of your headers) already has the IP address, right?  Anyone connected to your site/service already has your IP address 😉
