How to secure the server and privacy

[jim_lee]

Hello

I have been searching for several hours on how to disable the remote access and possibly make it more secure so no one else outside my network can see my files 

I read this topic "Disable Remote Access?" and many other topics - being newbie I have no idea how to disable it

when I go to My_IP_ADDRESS:8096 from other internet networks, it brings up a page that has my profile, 

 

can someone please make a step by step instruction on how to disable the remote so no one outside the network can access / know about me running this server?

thank you

[ebr]

Two steps:

 

1) In the server dashboard Advanced->Hosting page un-check "Enable automatic port mapping".

2) Delete any port forwarding rules relating to your Emby server from your router (how to do this depends on the router)

[jim_lee]

Two steps:

 

1) In the server dashboard Advanced->Hosting page un-check "Enable automatic port mapping".

2) Delete any port forwarding rules relating to your Emby server from your router (how to do this depends on the router)

thanks for the quick reply 

for step 2, does Emby server adds those rules automatically? because I didnt set up any rules

[ebr]

thanks for the quick reply 

for step 2, does Emby server adds those rules automatically? because I didnt set up any rules

 

See step number one .

[jim_lee]

See step number one .

Yes, I went there and unchecked the option 

but when I go to this site : http://www.yougetsignal.com/tools/open-ports/

and enter my ip address and 8096, it says it is open (Running on http port 8096, and https port 8920.)

Edited April 23, 2015 by jim_lee

[ebr]

Well, that is a process that runs at server start up.  Once it happens, the rules will be there in your router.  So, you'll need to go to the router setup and remove/disable them.

[ebr]

My "see step 1" comment was simply an answer to your question - yes, we do automatically create the rules, if that option is enabled.

[3l3phant]

I fail to understand why this option is turned on by default. It should be opt-in not opt-out. There are a large number of posts about the topic and the consensus seems to be that people want to make the decision themselves not have it pre-decided for them.

[ebr]

This may have changed but I believe the start-up wizard asks you.

[3l3phant]

If it did, I don't believe I saw it. And if it did it should probably be highlighter, maybe on its own screen of the wizard.

[Happy2Play]

I fail to understand why this option is turned on by default. It should be opt-in not opt-out. There are a large number of posts about the topic and the consensus seems to be that people want to make the decision themselves not have it pre-decided for them.

This only happened if "uPnP" is enabled on your router.  If it is off on your router then the request can never be made.  So it really doesn't matter what the server wants to do if you have your router set up the way you want.

[3l3phant]

When a generic user gets their router they almost never, ever login to make a single change. I never changed any uPnP setting in my router, which means it was a default setting. I installed emby and it decides to open ports. Sorry, but that's not particularly user friendly.

[Deathsquirrel]

It should probably be off by default...and people that are going to pitch a fit about any security setting probably shouldn't be running the default settings on their router when said router supports UPNP reconfiguration

[3l3phant]

Well, you had me at the first part. In terms of the rest of the sentence, not-so-much. People who are going to "pitch a fit" are either doing so because (a) "default on" is a terrible design when it comes to something that should be opt-in or ( because they clicked on the link for the external IP and realized their videos were available to the world. In terms of the router supporting UPNP by default, I'll just add it to the list of reasons why Verizon's equipment sucks 

[ebr]

 Sorry, but that's not particularly user friendly.

 

Actually, it is extremely user friendly but not very security conscious. 

 

However, note that the API is secure - assuming you give your users passwords.

[3l3phant]

lol - Valid point

[Vidman]

Well, you had me at the first part. In terms of the rest of the sentence, not-so-much. People who are going to "pitch a fit" are either doing so because (a) "default on" is a terrible design when it comes to something that should be opt-in or ( because they clicked on the link for the external IP and realized their videos were available to the world. In terms of the router supporting UPNP by default, I'll just add it to the list of reasons why Verizon's equipment sucks

So did you also complain to Verizon that there default configuration is insecure and should be opt in rather than opt out too

[Maleficarum]

When a generic user gets their router they almost never, ever login to make a single change. I never changed any uPnP setting in my router, which means it was a default setting. I installed emby and it decides to open ports. Sorry, but that's not particularly user friendly.

 

Most router manufacturers worth a damn will tell you in the user guides to make changes as soon as you install an item of theirs, including, but not limited to user passwords and port settings. If a user doesn't make those changes then that's on them. If people could actually be bothered to look at the settings a device offers and configure them properly and not run stock the multiple lists of default router passwords available on the internet would not be such a problem.

[3l3phant]

So did you also complain to Verizon that there default configuration is insecure and should be opt in rather than opt out too

It's possible. I've complained to them about so many things it might have gotten lost in the pile

[3l3phant]

Most router manufacturers worth a damn will tell you in the user guides to make changes as soon as you install an item of theirs, including, but not limited to user passwords and port settings. If a user doesn't make those changes then that's on them. If people could actually be bothered to look at the settings a device offers and configure them properly and not run stock the multiple lists of default router passwords available on the internet would not be such a problem.

Because most cable customers are well-aware of the fact that they need to read the user guide for their cable modem? I'd politely suggest that someone qualified to be an alpha tester probably associates with people who are more technologically savvy than the average user who has read on cnet or some other site that "cutting the cable" is the newest thing to do and a smart move and what all the cool kids are doing and, and, and ... People look to emby (and Plex and the other HTPC-related software) to help them easily watch movies that they've ripped after paying $50 for some software recommended by the aforementioned cnet article. They're not looking for lessons in how to make sure their router is (or isn't) configured. My point (and based on a search through the forum archives, the point of a multitude of others) is that it should be opt-in and not opt-out. If you want to be able to watch your videos when you're not at home, then click here. Otherwise, don't worry about it.

[3l3phant]

As an FYI - Just did a complete delete/reinstall. I'm running the server on OS X. There is no startup wizard.

[Luke]

There is, it just may not launch by default on all systems. So once you visit the web interface, you'll be redirected to the startup wizard. If that's not happening then your complete delete was probably not as complete as you thought.