Security 101: Secure Connections



So when it comes to VPN there are a handful of ways to implement.

1. Private browsing to the Internet. These are your ExpressVPN, CyberGhost, NordVPN, PIA, Globus, etc. These providers offer secure Internet browsing from hotspot providers, ISPs and your destination service.

Note, if you access insecure websites using this method your traffic is insecure and accessible on the public Internet the minute your packets hit your provider’s WAN.

I have a separate network in my home that I use for this, but I only use it for browsing the public Internet.

 

2. Secure Client VPN to your site.

This allows devices on the public Internet to connect to your network securely across a VPN. Depending on configuration you can force some or all traffic across this tunnel.

I do this when I need remote access to my home network for admin purposes. This isn’t something I expect my family members to get comfortable doing.

 

3. Site to site VPN. This is a secure connection between two networks.

The traffic that you rule in between the two networks is secure.

I have done this in the past in order to support off-site backups and other integrations.

 

As always there are risks any time you allow a device access to the Internet. Common technologies that use IPSEC, L2TP, or even OpenVPN-type (open a port for access) VPNs are only as secure as the keys, authentication credentials, and authentication protocols/ciphers. Use best practices in setting them up.

Edited by Tur0k

Hi cayars, thinking of using Cloudflare to connect to Emby as per this guide here

 

https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby

 

Is it a more secure solution than using the plex.ts middleman?

 


 

Yes, see message #246

Question! For those who are suggesting VPN, what are you doing for family members using Fire TVs?

 

Mom has her own Emby server at her house but switches to mine occasionally.

 

Right now all I'm doing is https with letsencrypt.

 

Really not sure how much I'm worried about being hacked though.

You're plenty protected right now if already running https with a cert. You could add Cloudflare, an nginx reverse proxy, or both as SpaceBoy and others have done, but you're already encrypted and already as good as your bank's website, PayPal, Amazon or other eCommerce websites. So keep things in perspective. :)

 

I don't do anything. Everything works. I have someone with a firetv stick in another country, and it works just fine. Nothing to do, just log in and play.

 

But again, a VPN isn't hackproofing. It just stops all your private data reaching the internet. And if someone does get your IP, you just pick a new one.

 

I don't see the point in encrypting your emby server. Don't think it can't be decrypted, because it can if they really wanted to. And you have to open a port through your firewall, anyway. So it's like "hey, I've got a big hole in my security, come on in. You can look at anything you like, but you can't watch my movies". Kinda pointless. 

 

I run my VPN on my router, and I've increased the firewall security, to help filter the big hole I put in it. If you really want decent security, you'll want a reverse proxy.

Of course you don't need to do anything on the client side because your server is wide open running Torguard. All your setup has done is obfuscate your IP address. If you aren't running your server over https then it's not encrypted. Torguard only encrypts your data from your router to their public server. From their server to the rest of the world it's wide open and as fully exposed as your setup on your Emby server. So if you're not running your Emby server over https then anyone on the internet can access it via regular old http. They will just use the Torguard IP address vs your ISP-given IP address.

 

Are you leaving VPN connected at all times on the fire stick?

Depends on what type of VPN you use. See @Tur0k's post above about different types of VPNs.

 

If you are going for a secure VPN from the client to your server then you can set up something like OpenVPN in your home LAN. Then anyone you share with will need to run a client on their end. This could be an app client that can run on a PC or on an Android device, or could even be set up on some of the more advanced home routers.

 

If you go this route, be prepared to spend time helping others you share with get set up with VPN at their house. Same with mobile phones if you are going to allow that as well.

 

It's a lot more work and may not work for you if you have friends with Rokus and ISP provided routers for example.

Edited by cayars

From my perspective the easiest solution is to have your own domain set up through Cloudflare.

 


 

Alright, going to dive into Swynol's guide on that.

 

 

I will address this via difficulty level and attack vector.

 

I. The minimum in my opinion is:

 

1. PROTECT YOUR ADMIN ACCOUNT

A. Don’t connect your Emby connect account to your local Emby system as the admin account.

B. Use strong passwords for your accounts.

C. I don’t recommend having user account names listed by default on the login screen in Emby.

 

2. SECURE AUTHENTICATION

A. Some people use SSL encryption by picking up a public domain and provisioning secured (HTTPS) access to your web-accessible content either locally or through a public proxy.

B. Others choose external encryption using a VPN tunnel between

I. two trusted networks (yours and someone else’s), or

II. your network and a remote user on the public Internet.

 

Either way:

* Use best practices in encryption and protocol cipher suite support.

** Ensure that you have some type of encryption from your Emby server to the remote client and back.

*** If you are not running an RD Gateway in front of your RDP host I would look into hosting an SSH tunnel in front of your RDP host server.

 

II. Easy-ish improvements beyond that:

1. DDOS PROTECTION.

I agree with Lorac, set up your domain with Cloudflare. Cloudflare will obscure your home WAN public IP from attacks.

 

III. More complex improvements.

1. BRUTE FORCE ATTACKS.

Look into software that you can integrate and develop a process to capture bad password attempts from the public Internet and block them from further access to your Emby front end and RDP. Look into wail2ban (there are limitations to it, and I am not sure how well supported it is).

2. Limit public Internet access logon hours or source regions.

3. MFA integration

A. Client certificate authentication.

B. Integrate with third party MFA providers like duo or google auth.

 

 

 


 

Got I - 1A and 1B covered. 1C isn't going to work with the little kids here, they don't remember passwords.

*** I've removed the port forward for RDP. I realized I don't use it that much, so that's another open door gone. I'll use a VNC server and client with encryption if I need to access my home server remotely. Undoubtedly VNC also has its security flaws, but perhaps it's better than the previous situation where RDP connections were open and unencrypted.

II - 1. Going to try Cloudflare

III - I don't think I'll be able to do this with my ISP router. I have a Ubiquiti Edgerouter X lying around though, so will consider using it again and looking into these points.


Fratopolis

Yes, see message #246

You're plenty protected right now if already running https with a cert. You could add Cloudflare, an nginx reverse proxy, or both as SpaceBoy and others have done, but you're already encrypted and already as good as your bank's website, PayPal, Amazon or other eCommerce websites. So keep things in perspective. :)

I figured what I have is enough. I think the more advanced options need to be left out of this Security 101 forum. With all the crazy options people were implementing I was starting to think there was some sort of bug in emby that I would need even more security.

 

I have OpenVPN on my immediate family's phones, but only for when they connect to public WiFi or any WiFi while out of the country.

Edited by Fratopolis

Guest asrequested

I just don't want some people thinking that opening a port and only encrypting the Emby server is protecting the open port and the rest of that machine. The IP of the Emby server is the machine's IP (the local IP, I mean). So even if you encrypt Emby, the rest of the machine and network is wide open. And a bunch of these encryption algorithms aren't all that strong, anyway. Encrypting the Emby server is almost no security at all. You should focus on network security, not just Emby.

Edited by Doofus

Jdiesel

For those who are using VPNs, are you setting up routes in your config to prevent all traffic running through your VPN? I'd hate to have my users' Netflix and Amazon Prime viewing eating up my server bandwidth.


Alright, going to dive into Swynol's guide on that.

Got I - 1A and 1B covered. 1C isn't going to work with the little kids here, they don't remember passwords.

*** I've removed the port forward for RDP. I realized I don't use it that much, so that's another open door gone. I'll use a VNC server and client with encryption if I need to access my home server remotely. Undoubtedly VNC also has its security flaws, but perhaps it's better than the previous situation where RDP connections were open and unencrypted.

II - 1. Going to try Cloudflare

III - I don't think I'll be able to do this with my ISP router. I have a Ubiquiti Edgerouter X lying around though, so will consider using it again and looking into these points.

Risk appetite is a spectrum. We deal with risk in three ways:

1. Patch, block, fix the risk.

2. If you cannot absolutely patch/block/fix a risk, then you select a method to adequately reduce your risk to an acceptable level.

3. If you cannot mitigate and cannot block the activity, then you accept the risk.

 

1.C

If you cannot fix 1C, I would recommend limiting delete/modify/disable DVR management access/admin permissions to the account. Alternately, can you assign a PIN to that account? I adjusted the account that my kids use such that the username is short and the password is long, but added a four-digit PIN for them to use internally.

 

I looked at Cloudflare. I already have a reverse proxy up and running at home. For me the only significant benefit over what I already have is the DDOS protection and obscuring my WAN from public DNS records.

 

III. Three is a tall order. Here, I upgraded my home router with a low-power-consumption SFF PC (i5 mobile processor (15-25 W TDP), 8GB RAM, 64GB SSD, and 2 onboard NICs (I made the mistake of getting one with Realtek NICs though)) and loaded it with pfSense. The only complaint I have had is that I should have bought one with Intel NICs.

Part of the reason I moved my Emby server to Linux is so that I can implement a better bad password offender policy and integrate fail2ban directly.

 

 


Edited by Tur0k

For those who are using VPNs, are you setting up routes in your config to prevent all traffic running through your VPN? I'd hate to have my users' Netflix and Amazon Prime viewing eating up my server bandwidth.

So, I set up the client VPN to my home network to only direct

1. DNS (this allows the VPN guest user to resolve my internal DNS names), and

2. traffic that is meant for my internal network to my internal network.

This would be via ip rules and would include port numbers. Currently, the services I make available are linked to management interfaces (https, ssh) to my key services, file transfer (NFS, SMB, SFTP).

 

Then if I need privacy during web browsing while away from home I have my private VPN browser provider setup on my mobile devices.

 


Edited by Tur0k

Question! For those who are suggesting VPN, what are you doing for family members using Fire TVs?

Mom has her own Emby server at her house but switches to mine occasionally.

Right now all I'm doing is https with letsencrypt.

Really not sure how much I'm worried about being hacked though.

If you set up ZeroTier you get VPN protection but only traffic for Emby is routed to Emby. It’s exactly what you want without all the hassle; also you get a nice web GUI to manage users. You can send them your ID to connect to, and then just go in and approve it.


If you set up ZeroTier you get VPN protection but only traffic for Emby is routed to Emby. It’s exactly what you want without all the hassle; also you get a nice web GUI to manage users. You can send them your ID to connect to, and then just go in and approve it.

This is pretty sweet. Server to guest VPN as a service and GPL open!!!

 

 


Edited by Tur0k

Guest asrequested

If you set up ZeroTier you get VPN protection but only traffic for Emby is routed to Emby. It’s exactly what you want without all the hassle; also you get a nice web GUI to manage users. You can send them your ID to connect to, and then just go in and approve it.

So would this negate the need to open a port, and use a tunnel, instead?


Fratopolis

We use VPN to hide our public WiFi traffic. But I guess I could do OpenVPN and IPsec. One for local only and one for all.

 

Or maybe I'll just do plain old PPTP LMAO


Spaceboy

I have my vpn client set up on my pfsense router so I can pick and choose exactly what goes through the vpn and what doesn’t

AmericanCrisis

That was a lot to read through! Still so many questions...

 

1. From what I understand, purchasing a domain, resolving that domain to the Emby Server box and opening up the http port (8090) will in essence open up the entire box to serious vulnerability?

 

**we'll call the "box" in this case a Win10 Pro machine... that's what I'm using at the moment.

 

2. Even if an SSL cert is installed/configured for Emby Server (close the http port and open the https port), the server box is still exposed due to DynDNS but the Emby Server is relatively safe because it's behind SSL?

 

3. In my #2 question, would the public IP address be visible if the https port (for Emby) is the only open port?

 

After reading through this thread I am more wary about not only the box being a security vulnerability but the entire network.

 

I like the idea of a reverse proxy. I'm going to take a closer look at implementing one.

 

Would an upgraded router help as well? Any recommendations? I've been looking at a USG.


KMBanana

@AmericanCrisis

1: The domain is irrelevant here; opening the http port exposes the server to the internet regardless of whether there is a domain that resolves to your IP. Opening the http port is an extreme risk because it means account credentials are sent in plaintext over the internet.

2: Yes, even with https the server is exposed to the internet and at risk for any potential undiscovered vulnerabilities in Emby itself.  The only real way to mitigate this and still be able to access the client over the web is to use a reverse proxy and separately auth with that, but this will break any external apps.  You could also instead of making the server reachable over the internet create a VPN, have users connect to it and make the server only accessible within the VPN.  

3: Yes, https does nothing to mask your public IP address.  If you wanted to you could look into Cloudflare's free DNS service to proxy your traffic, but I think it's unlikely that such basic masking of your IP is going to have any practical benefit.  


jad3675

A good practice when using cloudflare in front of your emby instance is to restrict tcp/443 access to only the cloudflare external ips. Couple that with fail2ban integration with cloudflare and you have some decent security. Not perfect, but decent enough that it wouldn't keep me up at night.

 

John


PrincessClevage

A good practice when using cloudflare in front of your emby instance is to restrict tcp/443 access to only the cloudflare external ips. Couple that with fail2ban integration with cloudflare and you have some decent security. Not perfect, but decent enough that it wouldn't keep me up at night.

 

John

It's a pity the Windows variant of fail2ban (wail2ban) doesn’t natively support Emby and I don’t believe it is being developed further...

AmericanCrisis

@AmericanCrisis

1: The domain is irrelevant here; opening the http port exposes the server to the internet regardless of whether there is a domain that resolves to your IP. Opening the http port is an extreme risk because it means account credentials are sent in plaintext over the internet.

2: Yes, even with https the server is exposed to the internet and at risk for any potential undiscovered vulnerabilities in Emby itself.  The only real way to mitigate this and still be able to access the client over the web is to use a reverse proxy and separately auth with that, but this will break any external apps.  You could also instead of making the server reachable over the internet create a VPN, have users connect to it and make the server only accessible within the VPN.  

3: Yes, https does nothing to mask your public IP address.  If you wanted to you could look into Cloudflare's free DNS service to proxy your traffic, but I think it's unlikely that such basic masking of your IP is going to have any practical benefit.  

 

Ok got it thanks. Reverse proxy it is! 


I just don't want some people thinking that opening a port and only encrypting the Emby server is protecting the open port and the rest of that machine. The IP of the Emby server is the machine's IP (the local IP, I mean). So even if you encrypt Emby, the rest of the machine and network is wide open. And a bunch of these encryption algorithms aren't all that strong, anyway. Encrypting the Emby server is almost no security at all. You should focus on network security, not just Emby.

Not sure I'd agree with you unless someone is putting their Emby server in a DMZ zone. If we are talking about opening a port and only that port is open through the firewall and it's encrypted, then the machine is safe.


Guest asrequested

Not sure I'd agree with you unless someone is putting their Emby server in a DMZ zone. If we are talking about opening a port and only that port is open through the firewall and it's encrypted then the machine is safe.

So you're saying that applying encryption to the Emby server stops any other traffic coming through the open port? In essence closing the port to everything except Emby?

Edited by Doofus

KMBanana

So you're saying that applying encryption to the Emby server stops any other traffic coming through the open port? In essence closing the port to everything except Emby?

Encryption doesn't have anything to do with data coming in; data can come into the port regardless of whether it's encrypted or not. I think he's saying having a single port open that Emby is listening on isn't a very large vulnerability in itself. Unless they can exploit Emby through some currently unknown vulnerability to modify files or run arbitrary code, they shouldn't be able to do anything beyond continually guess your password.

 

The encryption is to prevent the authentication from being intercepted in transit by a third party because a malicious authenticated user could do some damage.  

 

-Edited for clarity

Edited by KMBanana

Guest asrequested

Encryption doesn't have anything to do with data coming in; data can come into the port regardless of whether it's encrypted or not. I think he's saying having a single port open that Emby is listening on isn't a very large vulnerability in itself. Unless they can exploit Emby through some currently unknown vulnerability to modify files or run arbitrary code, they shouldn't be able to do anything beyond continually guess your password.

 

The encryption is to prevent the authentication from being intercepted in transit by a third party because a malicious authenticated user could do some damage.

 

-Edited for clarity

I know all of that. My questions were rhetorical. I was trying to make a point that emby encryption has nothing to do with securing an open port on your firewall. And that open port is a vulnerability for the entire network.


rbjtech

I know Emby now has black/white listing of IPs (all but useless tbh unless your clients are using static IPs/DDNS..) but I would have thought that a password lockout policy would be pretty easy for Emby to implement. Does anybody know why this hasn't yet been done? For me, this is high on the 'security' list.. 3 attempts, then lock out the IP for 15 minutes, then 30, then 60, then 120, etc.

Edited by rbjtech
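The escalating lockout rbjtech asks for above (and the fail2ban-style bad-password blocking Tur0k and jad3675 mention earlier in the thread), written out as an added Python example; this is not Emby's or fail2ban's code. The log line format it parses is constructed for the demo and assumed (Emby's real log lines differ); after three failures a source IP is locked for 15 minutes, and each later lockout doubles (30, 60, 120 ...). A real deployment would push the block to the firewall or Cloudflare instead of only recording it in memory.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3                        # failures allowed before a lockout
BASE_LOCKOUT = timedelta(minutes=15)    # first lockout; doubles on each repeat
FAILURE_WINDOW = timedelta(minutes=10)  # failures older than this are forgotten
# Assumed log format, constructed for this demo (not Emby's real log format):
#   "<ISO timestamp> auth FAILED|OK user=<name> ip=<addr>"
LOG_RE = re.compile(r"^(\S+) auth (FAILED|OK) user=\S+ ip=(\S+)$")

@dataclass
class SourceState:
    """Lockout bookkeeping for one source IP."""
    failures: list = field(default_factory=list)  # timestamps of recent failures
    lockouts: int = 0                             # lockouts already triggered
    locked_until: datetime = datetime.min         # end of the current lockout

    def is_locked(self, now: datetime) -> bool:
        return now < self.locked_until

    def record(self, ok: bool, now: datetime) -> timedelta:
        """Apply one auth event; return the lockout it triggered (0 if none)."""
        if ok:
            self.failures.clear()  # a good login resets the strike count
            return timedelta(0)
        self.failures = [t for t in self.failures if now - t <= FAILURE_WINDOW] + [now]
        if len(self.failures) < MAX_ATTEMPTS:
            return timedelta(0)
        duration = BASE_LOCKOUT * 2 ** self.lockouts  # 15, 30, 60, 120 ... minutes
        self.lockouts += 1
        self.locked_until = now + duration
        self.failures.clear()
        return duration

def process_log(lines: list) -> dict:
    """Run log lines through the policy; return total minutes locked per IP."""
    sources, locked_minutes = {}, {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts, ok, ip = datetime.fromisoformat(m.group(1)), m.group(2) == "OK", m.group(3)
        st = sources.setdefault(ip, SourceState())
        if st.is_locked(ts):
            continue  # a firewall block would drop this attempt outright
        d = st.record(ok, ts)
        if d:
            locked_minutes[ip] = locked_minutes.get(ip, 0) + int(d.total_seconds() // 60)
    return locked_minutes

# Constructed sample: a password guesser at 203.0.113.7, and a family member who mistypes once.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 auth FAILED user=admin ip=203.0.113.7",
    "2024-01-01T10:00:05 auth FAILED user=admin ip=203.0.113.7",
    "2024-01-01T10:00:10 auth FAILED user=admin ip=203.0.113.7",  # -> 15 min lock
    "2024-01-01T10:01:00 auth FAILED user=admin ip=203.0.113.7",  # ignored: locked
    "2024-01-01T10:02:00 auth FAILED user=mom ip=198.51.100.4",
    "2024-01-01T10:02:40 auth OK user=mom ip=198.51.100.4",  # resets her strikes
    "2024-01-01T10:20:00 auth FAILED user=admin ip=203.0.113.7",
    "2024-01-01T10:20:05 auth FAILED user=admin ip=203.0.113.7",
    "2024-01-01T10:20:10 auth FAILED user=admin ip=203.0.113.7",  # -> 30 min lock
]
```

Running `process_log(SAMPLE_LOG)` yields 45 minutes of lockout for 203.0.113.7 (15 + 30) and nothing for the family member, whose successful login cleared her strikes.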
