Emby Server Security - Server unauthorized accessed

[gjviii 48]

Can someone point me in the right direction on where to turn to set up my server to be more secure?  I would like to

a) lock down my users accounts with a password when accessed from out side my home wifi network, but allow them to log in with out a password while on my home wifi

make as many other possible changes to lock it down (router, firewall...) as much as possible.  

c) get email alerts when someone logs onto my server from outside my home wifi

 

 

Today i had someone who was unauthorized log onto my server from out of country. IP 95.96.11.87

 

Thanks for any direction given

[Happy2Play 8361]

Set a user password, then check easy pin.

 

[gjviii 48]

thanks Happy.  Any recommendations of settings for routers, firewalls?   I did change the default port of 8096, but i'm guessing that doesn't do much

[MSattler 387]

thanks Happy.  Any recommendations of settings for routers, firewalls?   I did change the default port of 8096, but i'm guessing that doesn't do much

 

As long as users are going to remotely access your Emby server there is not a ton you can do on the firewall/router.  Even with moving the port, all I would do is port scan you to see what ports you are listening on.  Set a password with easy pin and that should protect the user accounts.  I would also make any admin accounts not visible at the login page, and not name the account admin or administrator.  That will keep from someone brute forcing the admin accounts.

[gstuartj 39]

With services like this I think the key is to segment your network and data to limit the amount of damage that can be done. I do have my Emby server exposed to the world, but I've taken the following steps to protect myself:

• My server is in a DMZ VLAN and is isolated from my private network, except for limited access to Chromecasts, etc. This can be done on many consumer routers with third-party firmware. If Emby is compromised they have access only to that machine. (Hopefully)
• I use an Nginx reverse proxy in front of Emby both for my SSL cert and the configurability. Using a reverse proxy allows easy access to rule-based routing/rate limiting, more configurable logging, IP banning, etc. A good Nginx/iptables config combo can go a long way for DDoS/brute-force protection. There are also things like mod_security if you use Apache.
• My Emby server has no write access to my media collection. In the event of a compromise this should help protect my collection from deletion.
• I backup my configuration directory so if I need to restore, it just involves a quick reimage and firing up the Docker container.

I don't have reason to doubt Emby's security, but every public service has potential for compromise. Build enough walls around them and you can limit the scope by a lot.

Edited October 30, 2015 by gstuartj

[gstuartj 39]

Alerts are a good idea. It's not built-in, but you can use a third-party tool like LogWatch or something to configure alerts for yourself.