
Security of Emby Server and accounts


KOD


Hi guys, new here and new to Emby. After very frustrating use of Plex on my NAS, I am glad that I do use Emby now.

Only a couple of things worry me and I hope that there is a way to implement these features in Emby myself or in upcoming versions.

 

1) The first user you create is an admin user of the Emby Server, there is no way to block rights for managing this server from WAN

Managing a server is nice from WAN, but not safe. How to disable this, without blocking myself out within my LAN :-)

 

2) Guest users do have by default too many rights. Of course you can adjust this, but it is not logical at all to give delete rights by default etc.

 

3) There is no way to set minimal password requirements!!! and every user can set/reset his own password

 

4) All accounts will be published by default, which is unsafe because of the next point:

 

5) Accounts can't be locked out after X attempts for X time, so because of 1,2 and 3 it is very very easy to brute force accounts.

 

Of course you can block internet access on your FW, but then you lose a lot of flexibility of media streaming on-the-go and sure stronger passwords do work, but because of point 3, other user accounts (friends) can do whatever they like.

 


 

1) The first user you create is an admin user of the Emby Server, there is no way to block rights for managing this server from WAN

Managing a server is nice from WAN, but not safe. How to disable this, without blocking myself out within my LAN :-)

 

 

The next release of Emby Server will have a setting to disable remote access.


 

 

Guest users do have by default too many rights. Of course you can adjust this, but it is not logical at all to give delete rights by default etc.

 

Which permission in particular are you referring to? thanks.


 

 

4) All accounts will be published by default, which is unsafe because of the next point:

 

You can hide users from login screens in user settings.


You can hide users from login screens in user settings.

Yes, I know. But it is strange that by default this setting is on; when you take into account the other "issues", then this is very unsafe at this moment.

Because of this I have manually restricted the embysvr user in my NAS


Which permission in particular are you referring to? thanks.

It is better when you create an account, that you have to think about what you want so the following selections should better be disabled by default:

 

- Enable access to all libraries

- Enable access to all channels

- Allow Media Deletion From: All libraries !!

- Allow remote control of shared devices

- Allow social media sharing

- Hide this user from login screens (should be enabled by default)

 

Another more professional implementation would be to be able, as the administrator of the Emby server, to make User Groups with rights and access. Then you don't have to make each setting for every user who you would like to grant access.

 

Then password settings should have the following options:

 

- minimal passwd length

- minimal passwd requirements (capitals, numbers, etc)

- number of passwd tries and account lock out time

- change passwd at first logon

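The password options listed in the post above (minimum length, character requirements, a maximum number of tries and a lockout time), sketched as an added example; this is not Emby code and not part of the original thread. The class names `PasswordPolicy` and `LockoutTracker` and all default values are hypothetical.

```python
import time
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:
    """Hypothetical policy: minimum length plus required character classes."""
    min_length: int = 10
    require_upper: bool = True
    require_digit: bool = True

    def violations(self, password):
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no capital letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        return problems

@dataclass
class LockoutTracker:
    """Hypothetical lockout: max_attempts failures lock the account for lockout_seconds."""
    max_attempts: int = 5
    lockout_seconds: int = 900
    _failures: dict = field(default_factory=dict)      # user -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # user -> unlock timestamp

    def is_locked(self, user, now=None):
        now = time.monotonic() if now is None else now
        return now < self._locked_until.get(user, float("-inf"))

    def record(self, user, success, now=None):
        """Record one login attempt; return True if the account is locked."""
        now = time.monotonic() if now is None else now
        if self.is_locked(user, now):
            return True  # refused during lockout, even with the right password
        if success:
            self._failures.pop(user, None)  # a good login resets the counter
            return False
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures.pop(user, None)
            return True
        return False
```

Because the lockout is keyed on the user name, accounts shown on the login screen can be locked by anyone who can reach that screen, which ties this control to the "hide this user from login screens" default discussed above.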

@KOD how did you create this guest?

I just create them as a user. So I don't use the create guest option, because I didn't link my Emby account to the server.

But perhaps (part) of my commands can be implemented in the future :-)


I would love to see the option to block IP addresses from other countries in order to cut down on rogue users attempting to gain access.


That's not easy to do. It would be much easier to instead whitelist the ip addresses that you consider to be friendly.


Hi Luke, just noticed a Server Update (great job), can't find the "disable remote access" in the Advanced menu (or any other menu).

I only noticed "Allow remote connections to this Emby Server", but disabling this blocks all access from outside the local network :-)

 

If this is not the implementation I expected, perhaps the admin/dashboard should run on another port.


I would love to see the option to block IP addresses from other countries in order to cut down on rogue users attempting to gain access.

 

It is not logical to create these kinds of access rules on your server. Better (and safer) to do this on your router.
