
Do I need a password on all of my Emby user accounts?


neptunepic

My Emby server was hacked today.

Someone got into the server from IP 98.122.185.132, created a user called RandomHacker and started watching some of my content.

How can I lock things down so this cannot ever happen again?

 

Currently I only have one user for myself. What am I doing wrong?

 

Please help!


Jdiesel

Does Emby lock a user out after a number of failed login attempts?


neptunepic

I've tried changing my password and I keep getting an error.

 

Login Failure
Invalid username or password. Please try again.

What you can do is use the forgot password function to get back into the account.

 

If you can PM me your last few server logs then I can look at what exactly happened. Thanks.


Jdiesel

Change your passwords. If you happened to be using the same password for different accounts and emails, that may very well be how the person gained access to your server. For example, you use the same password for your email account, your Emby Connect account, and your Emby user.


Tur0k

Here is my 2 cent overview.

 

First, recover from the hack.

1. Remove remote access to the Emby server from the Internet by disabling any pass-through rules you had on your firewall.

2. Run through the local password reset on your Emby server system.

3. Run an A/V scan on your server.

4. Depending on what was accessible, check your event logs and see if they were able to get to terminal/start and install software remotely.

5. Run anti-malware scans on all systems that you or your other users have used to log on to your Emby server from. There is the potential that you have an Emby client device with a key logger that captured your key clicks and thus acquired your credentials.

6. Make sure that your modem/firewall/router is not using default username and passwords.

 

Second, When you come back online and have everything put back together secure it:

 

1. So, I think many people leave their usernames listed in the logon screen. From a security standpoint this is poor practice as it negates half of the complexity of a user's credentials. Check the box next to "hide user from login screens" under /manage server/users/open each user account.

2. Sufficiently complex passwords should be enforced.

A. Using character sets that include all 4 types of characters

B. Using a total password length greater than any multiple of 8, as brute-force attacking tools are carried out with normal 8-64 bit processing.

3. Changing your externally facing passwords at regular intervals.

4. Use a different username and password to administer the Emby server than you use to actually play videos from day to day.

5. Are you using HTTPS on all connections from the public Internet? If not, when you enter your username and password it isn't encrypted during communication with your Emby environment. This means that your credentials could be captured in transit.

A. You could pick up a domain name and a signed SSL certificate on the cheap, get it imported into your Emby server and have the HTTPS configuration working the intended way. There are a few posts about the method to do this.

6. Change the format of all usernames.

7. Change all passwords to all user accounts using the above rules.

Additionally, track and monitor source IP addresses for all logon attempts.

With a good firewall you could:

1. Add a basic IDS (intrusion detection system) tool that would allow you to block specific public Internet IP addresses you know are trying to hack you.

2. Begin blocking communication to and from subnets by world region.

 

 


neptunepic

Thanks, this is very useful info.

No unauthorized access to my computer, which is good. They only got access to Emby through my user.

Thanks again for the advice.


Tur0k

The forum is pretty helpful. Let us know if you get stuck. Also, change all your username formats and passwords when you come back online.

 

 


DGMayor

If you've got ANYTHING externally facing, it should be passworded.  Period.


PrincessClevage

Does Emby lock a user out after a number of failed login attempts?

I have also asked this question and would add that it improves security. There are many bots scanning IP ranges for open ports, and as soon as they find a "known" port they start a brute-force password attack (I have found evidence of this in my server logs several times after opening the Emby port and/or the default RDP port, usually getting attacked from Russian IPs). So a timeout period after 3 failed attempts would increase security by rendering brute force useless/inefficient.
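Tur0k's advice to "track and monitor source IP addresses for all logon attempts" and PrincessClevage's request for a timeout after three failed attempts are two halves of the same mechanism: count failures per source address over a sliding window, and refuse every attempt from that address for a lockout period once the threshold is hit. The script below is an added example written for this thread, not code from Emby or from any poster. It replays login records through such a counter and reports per-IP activity. The log line format, the user names and the IP addresses in SAMPLE_LOG are constructed for the example (the addresses are RFC 5737 documentation ranges) and do not reflect Emby's real log format; the log records only whether the password was right, and the guard decides what a lockout policy would have done with each attempt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The line format is an assumption made for this
# example so it runs offline; it is NOT Emby's real log format. Addresses
# are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2017-05-14 21:03:01 Info AuthenticateByName user=neptunepic ip=203.0.113.7 result=ok
2017-05-14 21:03:05 Warn AuthenticateByName user=admin ip=198.51.100.23 result=fail
2017-05-14 21:03:06 Warn AuthenticateByName user=admin ip=198.51.100.23 result=fail
2017-05-14 21:03:08 Warn AuthenticateByName user=neptunepic ip=198.51.100.23 result=fail
2017-05-14 21:03:09 Warn AuthenticateByName user=neptunepic ip=198.51.100.23 result=fail
2017-05-14 21:03:40 Info AuthenticateByName user=neptunepic ip=198.51.100.23 result=ok
2017-05-14 21:10:00 Warn AuthenticateByName user=neptunepic ip=203.0.113.7 result=fail
2017-05-14 21:10:20 Info AuthenticateByName user=neptunepic ip=203.0.113.7 result=ok
2017-05-14 21:19:00 Warn AuthenticateByName user=admin ip=198.51.100.23 result=fail
2017-05-14 21:30:00 Info Library scan completed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ AuthenticateByName "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return (timestamp, user, ip, succeeded) or None for non-login lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("user"), m.group("ip"), m.group("result") == "ok"


class LoginGuard:
    """Per-source-IP failure counting with a sliding window and a lockout.

    After `max_failures` failures inside `window`, the IP is locked out for
    `lockout`. Attempts during the lockout are rejected before the password
    is even considered, so a correct guess made during the lockout fails too.
    """

    def __init__(self, max_failures=3, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> lockout expiry

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record(self, ts, ip, succeeded):
        """Apply one attempt; return 'allowed', 'failed', 'blocked' or 'rejected'."""
        if self.is_blocked(ip, ts):
            return "rejected"
        if succeeded:
            self.failures.pop(ip, None)      # a real login clears the slate
            return "allowed"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop failures outside the window
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = ts + self.lockout
            recent.clear()
            return "blocked"
        return "failed"


def analyze(log_text, guard=None):
    """Replay a log through the guard; return per-IP stats and the decision list."""
    guard = guard or LoginGuard()
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "rejected": 0, "lockouts": 0, "users": set()})
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip, ok = parsed
        decision = guard.record(ts, ip, ok)
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["failures"] += 0 if ok else 1
        s["rejected"] += decision == "rejected"
        s["lockouts"] += decision == "blocked"
        decisions.append((ts, ip, user, decision))
    return dict(stats), decisions


if __name__ == "__main__":
    stats, decisions = analyze(SAMPLE_LOG)
    for ts, ip, user, decision in decisions:
        print(f"{ts:%H:%M:%S} {ip:<15} {user:<11} {decision}")
    for ip, s in stats.items():
        print(ip, {k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()})
```

Run as a script it prints one decision per login attempt followed by a per-IP summary. In the constructed log, 198.51.100.23 tries two user names, trips the lockout on its third failure, and its correct password at 21:03:40 is still rejected because the lockout is in force; the home address 203.0.113.7 mistypes once and logs in normally. The same per-IP table is what you would feed a firewall block list or an IDS rule, and the "users" set shows the user-name enumeration that hiding accounts from the login screen is meant to frustrate.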

pir8radio

My Emby server was hacked today.

Someone got into the server from IP 98.122.185.132, created a user called RandomHacker and started watching some of my content.

How can I lock things down so this cannot ever happen again?

 

Currently I only have one user for myself. What am I doing wrong?

 

Please help!

 

I can tell you this is not a "hacker" lol. They didn't cover their tracks AT ALL, which opens them up for a return attack. By the looks of it, this person is just a forum user, or someone you know, who probably got your server IP from logs you shared on the forum and guessed at your password. I say that because they have a Linux Emby server of their own called "sexymedia".

 

I bet the admins could look at the forum logs and see which forum user belongs to this IP and warn them with a PM to play nice, but it's not their job to do that and they probably won't get involved. But if I had to guess, this person is going to see this thread you started.

 

Like everyone else said, don't use easy passwords. You're lucky this skiddie just watched movies and didn't log in as you, enable the ability to delete files and then wipe out your media. I am not condoning what they did, but they were not malicious.


Deathsquirrel

Second, When you come back online and have everything put back together secure it:

 

1. So, I think many people leave their usernames listed in the logon screen. From a security standpoint this is poor practice as it negates half of the complexity of a user's credentials. Check the box next to "hide user from login screens" under /manage server/users/open each user account.

2. Sufficiently complex password should be enforced.

A. Using character sets that include all 4 types of characters

B. Using total characters in password to be greater than any multiple of 8, as brute force attacking tools are carried out with normal 8-64 bit processing.

3. Changing your externally facing passwords at regular interval.

4. Use a different username and password to administer the Emby server than you use to actually play videos from day to day.

5. Are you using HTTPS on all connections from the public Internet? If not when you enter your username and password it isn't encrypted during communication with your Emby environment. This means that your credentials could be captured in transit.

A. You could pickup a domain name and signed SSL certificate on the cheap and get it imported into your Emby server and have the https configuration working the intended way. There are a few posts about the method to do this.

6. Change the format to all usernames.

7. Change all passwords to all user accounts using the above rules.

Additionally, track and monitor source IP addresses for all logon attempts.

 

While this is excellent general security advice, it will make using Emby an absolute pain in the ass for many setups.

 

I continue to say the best security question Emby admins should ask themselves is 'is it really a good idea to have this accessible outside my network at all?'  Help your friends build their own media servers instead of letting them use yours.


Jdiesel

Whitelist IPs on your firewall. Use a dynamic DNS for clients with dynamic IPs. Should improve unauthorized access significantly.


tdiguy

Personally, my 2 cents: don't open anything to be externally accessible unless you truly need it to be. I would say this even applies to Emby servers or similar. If you want to watch when not on your home network, use a VPN. If you have Emby running on nearly any Linux-based distribution you can either set up a VPN or use SSH as a low-grade VPN with port mapping.

 


tdiguy

If you have not already done so, ensure your Emby server is no longer reachable from outside your network until you are able to find out and correct the breach; you don't want the hacker to decide to start deleting things.

 


Tur0k

While this is excellent general security advice, it will make using Emby an absolute pain in the ass for many setups.

 

I continue to say the best security question Emby admins should ask themselves is 'is it really a good idea to have this accessible outside my network at all?'  Help your friends build their own media servers instead of letting them use yours.

Agreed, the first question should always be: is it necessary to make this available on the public Internet? If the answer to the first question is yes, then you need to look at security and risk mitigation.

 

There is a new easy PIN creation for Emby users in Emby Server. I have not had time to set this up and play with it yet, but the potential is that users would have a short PIN when connected to Emby from the local network and would have to use a longer password when connected from outside the local LAN.

 

Here, I have been using Emby as much outside the house as I do inside the house. I love using it when at work on lunch. Until very recently all remote access was done via PCs wherever I was. I have been using a DynDNS DDNS account. I had port 8920 forwarded through my firewall, and was using a self-signed cert for a while, mainly because I was lazy. My wife asked to get the kids' smart devices set up to access our libraries when remote. I don't allow non-secure connections through my firewall. Almost immediately, I noticed trouble with the self-signed certificate on my children's iOS devices when attempting to access remotely. I found Google Domains was selling domains on the cheap and providing add-on services like public DNS management and the ability to create custom DNS records (TXT, DDNS, etc.). I was able to use my existing pfSense dynamic DNS package to keep my Google Domains DDNS up to date. In total, switching to Google Domains from a third-level DynDNS domain, I was able to cut my domain costs by 75%. This was half of my fight with getting the iOS devices working remotely with Emby.

 

Also, I have been moving toward limiting the total number of ports I have had to open on my firewall in an attempt to further reduce the vulnerable attack surface area of my network. My goal is to get down to just my VPN and my reverse proxy ports. I stood up a reverse proxy on my pfSense firewall, and am in the process of making all web-based resources I would need outside of the VPN accessible through it. It is a pretty cool system and has a few really cool features.

1. I can block access by IP in it.  

2. I can enforce client certificate authentication. This essentially is mutual authentication between the reverse proxy and endpoint clients on the other side of the Internet. Only clients on the other side of the Internet with the right client certificate would be allowed access. I am going to give this a try once I have everything else working the way I want.

 

The only other component I needed to finish making the smart devices work while remote was getting a system in place to handle my SSL certificate. I opted for Let's Encrypt as my solution. I have a working process to get and maintain Let's Encrypt SSL certs using an ACME client on pfSense. I was able to leverage my domain's public DNS to get this piece working and automated.

 

My family and I took a 10-day vacation to visit family in another state and I have to say everything worked phenomenally with my current system.

 

The other component I like having on my firewall is pfBlocker, which allows me to block communication entirely by world region. For example, if I know I do not want to have any communication pass between my home and any IP subnets in Europe, Russia, or China, I can do that.

 

I am still working out a handful of bugs:

1. Reverse proxy to non-SSL-encrypted web services.

2. See if client certificate authentication is a viable solution for me.

3. Determine if it is possible to get shows to download to iOS devices for when we are in the air or in a car and do not have Internet access.

 

Currently, I am working on creating an activity log in my firewall for all VPN and reverse proxy connections that enumerates client end point connections by time, source IP address, and state/world region.
