Compromised login -- investigate odd IPs!


mastrmind11

It works, but it chokes my bandwidth. I bought a new TV instead of building another gateway :)

 

I want to build one that gives me strength and easy manageability. Pfsense seems to be the way forward.

I love my PFSense firewall. VPN support is cake on it. You don't need high end hardware either, though I would recommend Intel expansion card NICs. That is the only complaint about mine that I have.

 

I run mine on a 5th gen Intel i5 mini pc with 8 GB of ram and a 74 GB SSD, with dual NICs and it is overkill for my 240 Mbps/12 Mbps WAN.

 

 

Edited by Tur0k

Lol. Throw netdata into the mix and watch the fail2ban chart.

 

Re the script, just search the forums for the fail2ban regex, it's what I use and it works fine.

 

Netdata looks sweet!!

 

 


Guest asrequested

I love my PFSense firewall. VPN support is cake on it. You don't need high end hardware either, though I would recommend Intel expansion card NICs. That is the only complaint about mine that I have.

 

I run mine on a 5th gen Intel i5 mini pc with 8 GB of ram and a 74 GB SSD, with dual NICs and it is overkill for my 240 Mbps/12 Mbps WAN.

 

 

That's pretty much the same as what I'm thinking of building. I have a spare i5 6500 and micro ATX motherboard. I can throw it in a 2U and load it up.


mastrmind11

Netdata looks sweet!!

 

 

Yeah, it's awesome. One of the members here recommended it to me, can't remember who.


mastrmind11

Fail2Ban is set up and banning SSH connection attempts already :D

 

Does anyone have a jail configuration for parsing Emby logs directly?

FYI, here's what I use for f2b emby.conf, can't remember if it's the one I found on these forums or on the interwebs:

# Fail2Ban filter for emby
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = emby-server

failregex = Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname
            Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None

ignoreregex =

# DEV Notes:
#
#       Matching on http 401 with a trailing url including 'authenticatebyname' to catch incorrect passwords
#       Matching on http 500 with a trailing url including 'mediabrowser/Users/None' to catch incorrect usernames
#
# Author: everydayevil@[member="everydayevil"].com
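A small checker, added here as an example (not part of the post above or of fail2ban itself), that runs the two failregex lines from that emby.conf over constructed Emby log lines and counts failures per host the way a jail with maxretry would. The log line format, the addresses and the simplified <HOST> expansion are assumptions.

```python
import re
from collections import Counter

# The two failregex lines from the emby.conf filter posted above.
FAILREGEX = [
    r"Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname",
    r"Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None",
]
# Simplified stand-in for fail2ban's <HOST> tag (IPv4/IPv6 literals only).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f]*:[0-9A-Fa-f:]+)"

def compile_failregex(patterns=FAILREGEX):
    # fail2ban searches the line unanchored and case-sensitively, so the URL
    # must appear in the log exactly as the pattern spells it.
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def count_failures(lines, patterns=FAILREGEX):
    """Return {host: number of log lines matching any failregex}."""
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per line, as fail2ban counts it
    return dict(hits)

def hosts_to_ban(lines, maxretry=5, patterns=FAILREGEX):
    """Hosts whose failure count reaches the jail's maxretry (default 5)."""
    counts = count_failures(lines, patterns)
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed Emby server log lines (not real traffic; RFC 5737 addresses).
_URL = "http://emby.example.invalid:8096/emby"
SAMPLE_LOG = [
    f"2017-12-21 08:15:{i:02d}.100 Info HttpServer: HTTP Response 401 to "
    f"203.0.113.45. Time: 7ms. {_URL}/Users/authenticatebyname"
    for i in range(5)  # five bad passwords from one host
] + [
    "2017-12-21 08:16:01.200 Info HttpServer: HTTP Response 500 to "
    f"198.51.100.7. Time: 3ms. {_URL}/mediabrowser/Users/None/Views",
    "2017-12-21 08:16:02.300 Info HttpServer: HTTP Response 500 to "
    f"198.51.100.7. Time: 3ms. {_URL}/mediabrowser/Users/None/Items",
    "2017-12-21 08:17:00.400 Info HttpServer: HTTP Response 200 to "
    f"192.0.2.10. Time: 12ms. {_URL}/Users/authenticatebyname",  # success
    "2017-12-21 08:17:05.500 Info HttpServer: HTTP Response 401 to "
    f"192.0.2.10. Time: 2ms. {_URL}/Sessions",  # 401 but not a login URL
]
```

Running it against your own emby server log (one line per list element) is a quick way to confirm the filter matches before enabling the jail.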

pir8radio

good catch.

 

It's pretty scary when you look at firewall logs. This is mine from this morning: 40,000 attempts blocked in 24hrs, mostly port scans, people trying to access ftp, ssh etc.

 

 

What are you using to analyze your logs?

 

EDIT: never mind, just noticed the logo in the upper right.

Edited by pir8radio

I got compromised this morning too. I had an open user profile. Can't seem to get rid of the device from my device list no matter how many times I delete it. Delete the profile and change password and ports. Any suggestions?


Swynol

What are you using to analyze your logs?

 

EDIT: never mind, just noticed the logo in the upper right.

 

Yeah, it's Sumologic.

 

I'm using a syslog from my unifi firewall which Kiwi picks up and sends to sumologic for the pretty charts.

 

I have my unifi router on the edge of my network, which blocks the majority of stuff. I then have a Sophos UTM firewall which does on-the-fly virus/malware scanning. Haven't got fail2ban but I do use country blocking.


mastrmind11

I'm using a windows based server. Will I be able to run fail2ban?

 

Many thanks :)

I believe the Windows version is wail2ban.


CBers

I've had someone, apparently via a VPN, accessing my Emby server, even though it is behind a nginx reverse proxy!!

 

I noticed a strange IP address in the list of connections in the server dashboard.

 

Looking in the server log, it appears they ran the public system info API to get my IP and port:

 

https://emby.sub-domain/emby/system/info/public

 

Not sure how they identified my sub-domain, but once they had that, they connected.

 

I changed the port and password, but the IP address they were using was still authenticated on my server. Is it possible to login without knowing the password?

 

Why does that Emby API call return the WAN address and port? Surely it shouldn't be available publicly?

 

I have since turned off my nginx RP and now only allow local access.

 

Will look into the wail2ban option.


@CBers, if they've already sent that request to your server, then that means they already know your address, right?

 

You may want to double check the IP addresses your smart phones are getting over remote connections because those will often change and you may not recognize them at first.


CBers

@CBers, if they've already sent that request to your server, then that means they already know your address, right?

 

You may want to double check the IP addresses your smart phones are getting over remote connections because those will often change and you may not recognize them at first.

Yes, they may have got the IP address by pure luck and then scanned open ports, but they were running Emby, as it said the version number they were using in the dashboard.

 

It wasn't a mobile connection, as I had @Swynol have a look and he said it was an IP address from a VPN company.

 

Why does a PUBLIC Emby API call return the WAN address, port and server ID? Surely that's insecure.


Well again, if they've gotten far enough to actually making that request in the first place, then that means they already know your IP and port.


CBers

I understand that.

 

The strange thing was, I changed the port number, but they still managed to be authenticated.

 

Is there a way with the API to access a server without knowing a user's password?


Is there a way with the API to access a server without knowing a user's password?

 

Well you can make calls to publicly exposed api methods, but there are only a small handful of those, such as authenticate for example. I wouldn't judge their connectivity based on the server dashboard because in some cases that will stay there until a certain amount of idle time has passed.


I had to delete Emby and start over because even when I changed the port number the active device would not go away; even though it was not connected, it still showed up as an active device. I have since hidden my user info and changed all passwords.


pir8radio

@CBers, if they've already sent that request to your server, then that means they already know your address, right?

 

You may want to double check the IP addresses your smart phones are getting over remote connections because those will often change and you may not recognize them at first.

 

Not entirely true... My server sits behind Cloudflare, which I use to HIDE my real server WAN IP... I would never want my local server WAN IP to be exposed, only my domain name, which points to Cloudflare, and I don't care if people have their public IPs.

 

@CBers However, if you set your WAN address in Emby to your domain name, it hides the WAN IP from the public call. You can hide your "local" IP on the public call by binding Emby to 127.0.0.1. The server ID is still somewhat of an issue: you can copy/paste that ID into Emby Connect to reach the front door of someone's server if you wanted... like using people's logs on this site, without knowing their IP. I don't think blocking the server ID on the public call gets you anything though, they already know your domain name or IP. You should mask it when posting logs though... :)

Edited by pir8radio
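An added example (not from the thread, from Emby, or from pir8radio's setup) that audits what the public system-info call discloses and maps each disclosure to the setting discussed above. The JSON field names WanAddress, LocalAddress and Id are assumptions about Emby's response, and the sample payloads are constructed.

```python
import ipaddress
import json
import urllib.request
from urllib.parse import urlsplit

# Assumed field names for Emby's public system-info JSON (not confirmed by
# the thread); adjust them if your server's response names them differently.
WAN_FIELD, LOCAL_FIELD, ID_FIELD = "WanAddress", "LocalAddress", "Id"

def host_of(value):
    """Host part of 'http://h:port/...', 'h:port' or a bare 'h'."""
    if "://" not in value:
        value = "//" + value
    return urlsplit(value).hostname or ""

def is_ip_literal(host):
    """True when host is an IPv4/IPv6 literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_public_info(info):
    """Return (code, advice) pairs, one per disclosure found in the payload."""
    findings = []
    wan = info.get(WAN_FIELD) or ""
    if wan and is_ip_literal(host_of(wan)):
        findings.append(("wan-ip", "WAN address is a bare IP; set the external "
                         "domain so the call reports the domain instead"))
    if info.get(LOCAL_FIELD):
        findings.append(("local-address", "LAN address is disclosed; binding to "
                         "127.0.0.1 hides it but LAN clients then cannot connect"))
    if info.get(ID_FIELD):
        findings.append(("server-id", "server ID is disclosed; mask it in logs"))
    return findings

def fetch_public_info(base_url, timeout=5):
    """GET <base_url>/emby/system/info/public, the call quoted in the thread."""
    url = base_url.rstrip("/") + "/emby/system/info/public"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample payloads (not real server output; test/private addresses).
BEFORE = {ID_FIELD: "CONSTRUCTED-SERVER-ID", WAN_FIELD: "http://203.0.113.45:8096",
          LOCAL_FIELD: "http://192.168.1.20:8096"}
AFTER = {ID_FIELD: "CONSTRUCTED-SERVER-ID", WAN_FIELD: "https://emby.example.invalid",
         LOCAL_FIELD: ""}
```

Point fetch_public_info at your own server's base URL and pass the result to assess_public_info to see which of the three disclosures still apply after changing the settings.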

CBers

@Spaceboy, @Swynol and myself have been trying to change the REMOTE port to 443 in Emby, but nothing seems to work.

 

Although my WAN IP may be visible, no ports, other than for nginx, are port forwarded.

 

I always sanitise my logs when I post here.

 

--

 

Setting "Bind to local network address" field to 127.0.0.1 does indeed remove the local IP address from the Dashboard and means I can only connect via my domain.

 

Setting my domain in the "External domain" field shows the same in the Dashboard, but it also gives my port I use.

 

Testing with that API call removes the WAN and LOCAL IP address, which is good, but any nslookup against the domain will reveal the WAN IP address.

 

Thanks for your feedback @pir8radio.

 

PS. CLOUDFLARE ??


MSattler

Last time I tried this, SSL required a certificate before it would work? It's been a long time though.


CBers

Last time I tried this, SSL required a certificate before it would work? It's been a long time though.

I'm sure we tried that, with a dummy cert, a real cert and with and without a password, but it never showed as port 443 in the Dashboard.


CBers

Setting "Bind to local network address" field to 127.0.0.1 does indeed remove the local IP address from the Dashboard and means I can only connect via my domain.

 

 

Having it set to 127.0.0.1 doesn't allow for local clients to connect to the server, which would force connection via Emby Connect, which I don't want to do, so I have removed it for the time being.


pir8radio

Yeah, my domain is notallmine.png, most attempts to find out my real server IP won't go well for you. I mean, there are ways, but when I moved my server to my new data center I've been using Cloudflare, so it would be very difficult for most. cloudflare.com is a CDN, sort of; it's actually an nginx reverse proxy that they have built especially for their network. It puts your server behind their RP, which means all requests go through them. So an nslookup won't give you my WAN address; it will give you the WAN address of the Cloudflare server closest to your location. Which are here: https://www.cloudflare.com/network/ Also, the reason all of these settings work for me is because I have no "local" access. EVERY client accessing my server is via the WAN because my server is not at my house.

Edited by pir8radio
