
Compromised login -- investigate odd IPs!


mastrmind11


dcrdev

> Yea, my domain is notallmine.png, most attempts to find out my real server IP won't go well for you. I mean, there are ways, but since I moved my server to my new data center I've been using cloudflare, so it would be very difficult for most. cloudflare.com is a CDN, sort of; it's actually an nginx reverse proxy that they have built especially for their network. It puts your server behind their RP, which means all requests go through them. So an nslookup won't give you my WAN address, it will give you the WAN address of the cloudflare server closest to your location. Which are here: https://www.cloudflare.com/network/ Also the reason all of these settings work for me is because I have no "local" access. EVERY client accessing my server is via the WAN because my server is not at my house.

 

Without going into too much detail, what are the ways you envision people being able to determine your real ip address?

 

I'm also using CloudFlare and bar simply guessing, I can't imagine a scenario where someone would be able to do so. I mean provided you don't have any dns entries that point outside of cf, shouldn't be possible - right?


pir8radio


You can PM me your emby address and I can tell you your real IP, most likely. I have sealed up the majority of methods on my own server... Outside of the methods I have control over, if your server was ever not running through cloudflare you can get a history of DNS entries for your domain name. Yours is dynamic but it can still reveal the owner's location, ISP, etc... Like if you look my domain up on DNSTRAILS.com you will see ALL of my old home IPs (back to 2008) from when I used to host my server at home, but because my server has been behind cloudflare ever since I moved (at the same time I moved my server to a datacenter), you don't see that datacenter IP in the list, you only see cloudflare. If I ever disable cloudflare when these DNS cache sites happen to scan my site, it would log my real IP.

Edited by pir8radio
  • Like 1

dcrdev


Ah right I see - yes that would be a way.

 

Not so much for me as I don't have the same ip address that I had pre-cf.


pir8radio


There are a few others, but you have control of them. MX records (if you host your own email server); cloudflare DNS entries that are not "orange clouded" (google sometimes finds them); DNS AXFR issues could expose them, but it's rare that someone misconfigured DNS that badly; as well as guessing, as you said; emby could possibly give it away... PHP Info or similar server management tools if you use them; if your server sends emails of any kind; to name a few. It's fun to find and plug holes.. :)

  • Like 1
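The two posts above list the records that typically betray an origin behind a reverse proxy: A records that were never proxied, MX records for self-hosted mail, and literal addresses in SPF. As an added example (not code from this thread or from Cloudflare), here is a small shell audit you can run against an export of your own zone before you assume you are hidden. The proxy ranges are constructed placeholders (TEST-NET blocks); replace them with the published ranges of whatever proxy you use. Zone lines are read in the plain "name ttl IN type rdata" form that most DNS providers export.

```shell
#!/bin/bash
# Audit a zone export for records that bypass the reverse proxy.
# Added example, not from the forum thread. PROXY_RANGES below are CONSTRUCTED
# placeholders (RFC 5737 TEST-NET blocks); substitute your provider's real list.

PROXY_RANGES="198.51.100.0/24 203.0.113.0/24"

# Dotted-quad -> 32-bit integer (no validation; assumes a well-formed IPv4 literal).
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit status 0 when IP lies inside CIDR.
in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/}
  local mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_proxy_ip IP -> 0 when the address belongs to one of the proxy ranges.
is_proxy_ip() {
  local r
  for r in $PROXY_RANGES; do
    in_cidr "$1" "$r" && return 0
  done
  return 1
}

# audit_zone reads "name ttl class type rdata" lines on stdin and prints one
# finding per record that could reveal the origin; proxied A records are silent.
audit_zone() {
  local name ttl class type rdata
  while read -r name ttl class type rdata; do
    case "$type" in
      A)
        is_proxy_ip "$rdata" || echo "EXPOSED A $name -> $rdata (not behind proxy)" ;;
      MX)
        echo "REVIEW MX $name -> ${rdata#* } (a self-hosted mail host reveals its address)" ;;
      TXT)
        case "$rdata" in
          *v=spf1*ip4:*) echo "EXPOSED SPF $name -> $rdata (ip4: literal in SPF)" ;;
        esac ;;
    esac
  done
}

# Constructed sample zone: one proxied host, one forgotten direct host, mail and SPF.
ZONE='www.example.org. 300 IN A 203.0.113.10
media.example.org. 300 IN A 192.0.2.55
cdn.example.org. 300 IN CNAME www.example.org.
example.org. 300 IN MX 10 mail.example.org.
example.org. 300 IN TXT "v=spf1 ip4:192.0.2.55 -all"
_acme.example.org. 300 IN TXT "sometoken"'

printf '%s\n' "$ZONE" | audit_zone
```

On the sample zone this reports the unproxied media host, the MX host, and the ip4: literal in SPF; the proxied www record and the CNAME produce nothing. It only sees what is in the export, so the DNS-history and certificate-indexing angles discussed later in the thread still need a separate check.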

dcrdev


I'll have to look into what php gives away - good tip!

 

But mail is handled by Google Apps - mx entries point to Google's servers and mail coming directly from my server has Google configured as an smtp relay within postfix.


pir8radio


lol the list literally goes on.. https://pentest-tools.com/information-gathering/find-subdomains-of-domain is a good tool for finding subdomains that may have leaked to search engines, like ones not protected by cloudflare. Good luck sir!

xyz

So many things can give you away, including using a subject for the ssl cert on your backend that matches one of your front-end dns names. If the IP gets scanned and that cert gets indexed, now you can associate the cloudflare protected dns records with a backend server.

Edited by xyz
  • Like 1

mastrmind11

What do you guys use to remove your IP from logs?

Notepad++ and "replace all" :)

or the sed command if I'm on a linux box.

  • Like 2

CBers


Same here.

 

I remove all IP addresses, email address (used by the Notifications plugin) and anything else that might identify me or my server.


Good day,

 

No need for that anymore, only admin, mod, dev can now look to your logs.

 

My best


mastrmind11


-1 for this idea.

  • Like 1

Vicpa


Hi Abo !!

 

This is a really good idea! and a great short term "fix". I think the real problem is that the logs by default contain way too much personal/sensitive information. There is little or no granularity to what is logged as "info".... @@Luke I have requested before: a lot of the things logged as info should really be "trace", not even debug.

 

A revisit to what is logged and at what default level would go a long way and be a worthwhile use of resources.

 

My two cents as always..

 

Thanks again Abo!!

 

-vicpa

  • Like 1

Many thanks buddy, well done.

> -1 for this idea.

Why not? This will help many users.

 

Those who do not mind everyone reading their log simply do not add it as an attachment; they post it as "code".


Jdiesel

I have to agree, this will pretty much eliminate all community support from other Emby users. Log files are much too large to post in the thread body.

 

If a user doesn't want to post their log publicly they can send it to Luke and EBR in a PM.



Good day,

 

We are doing this now until Luke & Ebr find a way to keep user info that does not need to be there out of the log file for public posting.

 

Also other devs requested this action until things are sorted the right way.

 

So until then, no more viewing of the attachments other than by the admin/devs.

 

Thanks for your understanding.

 

My best


Tur0k

I won't lie, I am always leery of ever posting my logs to a forum. Personally, I would be more comfortable PMing them.

 

Currently, I use notepad++. I have a macro I use to scrub my domain names, email addresses, and usernames. Then I scrub WAN IP addresses separately as I am on a DHCP WAN IP address and this could change.

 

It might be useful to add a scrubbing functionality into Emby. A button that says "de-identify", that would scrub the above data types automatically and provide the log for downloading from the web interface. This would allow users to prep a log to post to the forum when they need help, alleviate some of the administrative tasks on forum admins, and keep novice users safer.

 

 



Guest asrequested

Here's a question. Does having all of that information in the logs have any benefit to troubleshooting? Is there a reason that they are in the logs in the first place, or is it just a by product?


Angelblue05

Look, you can hate it or love it. Not everyone is being careful when posting logs on the forums. Not everyone replaces information in their logs.

 

What Abo did is flexible enough to still have other users help. You can copy relevant parts of the log as code in the post. And nothing is set in stone, of course. I think for the moment it is the best approach without restricting community help too much.

 

And you guys realize how many apps there are, right? It's going to take a little bit to fix logs; it's not necessarily that devs are dumb for logging the info in the first place, that info is intertwined with other regular data sometimes. Just a quick example: if you use http playback with Emby for Kodi, it appends the apikey at the end of your local/remote address. The Kodi player prints the url to log, it is outside the add-on's control, I can't mask that, and if the user forgets, is it my problem to delete his logs?

 

 


Edited by Angelblue05
  • Like 1

dcrdev

My concern with providing my logs, is not so much them containing my domain name, but the fact that I have personal media/photos described by filename in them - that I don't necessarily want to share (with anyone) . It's always a massive pain in the backside posting logs, because I like the rest of you have to do a series of find/replace in a text editor.

 

I've been thinking recently how great it would be if I could build a shell script with sed and feed it a list of typical regex patterns to strip the log on the fly. The prospect of writing the script, though, seems quite tedious and I haven't gotten around to it.

 


Well you can't just post part of the log because Luke always says "can you post the full log" :sigh:
Edited by dcrdev
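Tur0k's Notepad++ macro and dcrdev's sed idea above describe the same job: strip domains, e-mail addresses, usernames, WAN IPs and the API key that Angelblue05 mentions ends up in playback URLs, before a log leaves your machine. The script below is an added example written for this thread, not code from Emby or from any poster; it assumes a sed that accepts -E (GNU or BSD), and it takes your own domains and account names as arguments because those cannot be guessed from the log itself. The sample log lines are constructed.

```shell
#!/bin/bash
# Sed-based log scrubber: replaces identifying values with placeholders.
# Added example, not from the forum thread. Assumes `sed -E`; domains and
# usernames are supplied by the caller (alphanumeric, no regex metacharacters).

# scrub_log "DOMAINS" "USERNAMES" < original.log > scrubbed.log
scrub_log() {
  local domains=$1 users=$2 script d u
  # 1. e-mail addresses first, so the domain rule below does not strand the local part
  script='s/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/<email>/g'
  # 2. API keys passed as a query parameter (api_key=... or apikey=...)
  script="$script; s/([?&]api_?key=)[A-Za-z0-9]+/\1<redacted>/g"
  # 3. IPv4 literals, including the host part of URLs (four-part version strings match too)
  script="$script; s/([0-9]{1,3}\.){3}[0-9]{1,3}/<ip>/g"
  # 4. your domains with any subdomain prefix; dots are escaped for the regex
  for d in $domains; do
    d=$(printf '%s' "$d" | sed 's/\./\\./g')
    script="$script; s/([A-Za-z0-9-]+\.)*$d/<domain>/g"
  done
  # 5. usernames as whole words; portable stand-in for GNU sed's \b, so two
  #    usernames separated by a single space need a second pass
  for u in $users; do
    script="$script; s/(^|[^A-Za-z0-9_])$u([^A-Za-z0-9_]|$)/\1<user>\2/g"
  done
  sed -E "$script"
}

# Constructed sample lines in the shape of a server log (not a real Emby log).
SAMPLE_LOG='2017-10-12 14:22:03.117 Info HttpServer: HTTP GET http://192.0.2.55:8096/emby/Items?api_key=a1b2c3d4e5f6 UserAgent: Emby/3.2
2017-10-12 14:22:04.201 Info Session: bob connected from 198.51.100.23 via media.example.org
2017-10-12 14:22:05.004 Info Notifications: sending to bob@example.org'

# Demo: domains and usernames to scrub are passed explicitly.
printf '%s\n' "$SAMPLE_LOG" | scrub_log "example.org" "bob"
```

Run it as `scrub_log "example.org other.net" "bob alice" < emby.log > emby-scrubbed.log` and read the result once before attaching it; rules run in the order listed, which is why the e-mail and API-key rules sit before the IP and domain rules. Media file names, which dcrdev raises as the bigger problem, are not pattern-shaped and still need a hand pass or a per-library path rule added in the same way.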

Angelblue05

@@dcrdev

 

Well I was saying that mostly for community help :) devs always usually request the full log, hence logs can only be downloaded by devs, admins, mods.

 

 



dcrdev

Oh I see - sorry I misread the above post; I thought he was saying that logs could only be downloaded from Emby by an admin.

 

Now I see you mean on the forums themselves - in which case I approve; that's a great idea!

  • Like 2

Angelblue05

Yes, this is correct. Thank you :)

 

 

