Server - Restrict remote login

[kingy444 108]

I would like to be able to have a checkbox to allow/deny remote access based on a user account. Three reasons for this

 

1. I have multiple accounts. Some with weak passwords that i would never trust externally anyway

2. i would like to minimize access points to my home network

3. I would prefer not allow a full system admin remote assess as they could essentially access and delete my entire content library

[Cerothen 89]

You could always make use of the local pin option?

 

Just make the password for the remote login something obscene (Something like: ~8~T.~3w7_;gq=74h^09^m44!;~.9.5+u4G9j-%w) then make a pin code. Emby knows when a device is making the request from the local network and allows you to use the pin instead. That would effectively make logins from the internet impossible (since you will never remember the password and its unlikely to be guessed) while still making it so you can use those account's locally.

[kingy444 108]

With the ability to detect whether you are internal or external to the network wouldnt it be simple enough to allow/block a user connection based on a true/false on each account

 

Much safer than 'that password is too hard to guess so it must be safe' approach

[Cerothen 89]

You could also go to the user account and disable that account from being able to log in using any devices that reside outside your local network.

 

In terms of blocking the internal vs external login disabling. If you already have accounts that WILL be able to be accessed from the internet then why would just making a ridiculously complex password. Chances are if someone wanted in they would do it through your other account anyways... One because they would hit the password much sooner and two because if they were watching your traffic or even saw the username over your shoulder then you wouldn't be using the account that you didn't want to be accessible externally anyways..

 

I would say as long as the user's password is more secure than the next account you would be using externally that would be sufficient.

[kingy444 108]

Devices such as laptops and mobiles dont really work in this setup though as sometimes they are internal others external. Hell i take my xbox one on holidays and use it remotely sometimes.

 

Restricting accounts that can be accessed remotely should be a relativly simple task in my opinion. I work in IT and would be highly suprised if you could find a security adviser who would agree that 'security via obscurity' is the right approach

 

We have SSL connections in the works, already test connections via device as you said and the ability to check if your accessing internal or externally. Checking if an account is permitted to perform an action is always safer than obscurity.

 

An obscure password should be your final layer of security. Not your only one

[kingy444 108]

Any devs have an opinion on this?

[kingy444 108]

@@Luke ?

I wouldnt think this type of check would be hard and wpuld be beneficial to strengthen security?

[MSattler 387]

@@Luke ?

I wouldnt think this type of check would be hard and wpuld be beneficial to strengthen security?

 

I pressed for this previously but there really was no response and not much interest from the community.  I've gone the obscure password route myself.  Honestly, I have all my logs hitting Splunk, and I can tell you that the Emby install does not see a ton of traffic other than my users.   I think we would get further here by implementing a lock out option, based upon password failures.

[Luke 37057]

It's not a bad idea and maybe we will but in the meantime you do have options to achieve a similar result.

[ebr 14910]

I think we would get further here by implementing a lock out option, based upon password failures.

 

We had that at one point and it was more trouble than help.  It was too easy for an app to unwittingly lock you out of your account.

[Deathsquirrel 741]

In light of a user's recent post about his system being remotely accessed, this seems worth bumping for further consideration.

 

@@Luke, you're correct that you can use the internal PIN to achieve a sort-of similar effect but under the current system it's not nearly as good.  The main reason is the account name shows up to remote access.  i don't want that.  I want a group of internal accounts with user names that show up for logins internal to the network.  The client apps are a LOT easier to use if configured this way.  These accounts shouldn't be used for external access though.  For external access I want you to have to guess both the username and pw.

 

Alternatively you could make the current 'Hide this user from login screens' option one that has an internal/external component.  That, combined with the existing internal PIN system, would be just about as good as allowing an internal/external flag on whole users.

[Luke 37057]

Yes its' a good idea.

[otispresley 81]

[first post liked]: I agree with this. There are 2 accounts I use on my internal network that I leave visible for ease of use, but I would like to be able to hide these accounts when accessing the server from remote networks.

[computerprep 142]

Similar conversation going on over here... 

[MSattler 387]

Similar conversation going on over here... 

 

Plex has had this ability for quite some time...... sigh

[Luke 37057]

Beginning with the next release of Emby Server, you'll be able to restrict incoming traffic by IP address:

 

 

Enjoy.

[Carlo 4330]

Plex has had this ability for quite some time...... sigh

 

No it doesn't.  Plex has no ability to do much of any of this.

In Plex with a Plex Pass you can set up a "Home" and then create local users who are only tied to your admin account and it's servers.  They however can log in from anywhere.

 

You can't for example create a "Baby Sitter" or "Guest" account that is only usable in your own LAN and not accessible from outside your network.  In Plex if you create a guest account it's usable from anywhere.  In Plex there is no concept of a local only account if your server has it's ports open to the internet.

 

Emby is already better than Plex's implementation before this is even added.  With this feature request it's just that much better.

 

Carlo

[computerprep 142]

@@Luke, I don't see you confirm anywhere... Will this be a per-user setting?

Edited March 3, 2018 by computerprep

[Luke 37057]

You will be able to set a global ip address filter, and then there will be a per-user toggle to enable or disable remote access altogether.

[computerprep 142]

Awesome. So we'll be able to blacklist based on suspicious behavior, and whitelist restricted users.

[NearWinter 1]

I'm excited to hear about this, I have an administrator account that I'd prefer not be accessed remotely for security reasons. Nice work! So glad I've made the switch from Plex to Emby with all these amazing features.