2-Factor Authentication (2FA)

xorinzor

Przemek
2 minutes ago, horstepipe said:

Just a question to understand that correct;

these apps put MFA in front of web apps, so you can secure Emby's web UI with them.

But you can't secure the Emby apps themselves with it, is that correct?

Yes, You're right I think.


sydlexius

That is precisely correct.  Trying to stick a HTTP basic auth prompt on a URL that a non web-app uses is an invitation to break things.  Additionally, if authentication for that goes over port 80, then it's just a false sense of security (MFA or no).


  • 1 month later...
anthonws

Has anybody used Authentik + Emby? I've setup Authentik and have it working for some apps already, but wanted to know your experiences while using it with Emby.
Should we use the LDAP plugin? AFAIU, the LDAP protocol introduces a lot of limitations, and therefore I won't be able to use the full capabilities of Authentik. Is that correct?

BTW, if folks haven't seen this yet....
https://github.com/9p4/jellyfin-plugin-sso


horstepipe
On 12/22/2022 at 5:10 PM, anthonws said:

Has anybody used Authentik + Emby? I've setup Authentik and have it working for some apps already, but wanted to know your experiences while using it with Emby.
Should we use the LDAP plugin? AFAIU, the LDAP protocol introduces a lot of limitations, and therefore I won't be able to use the full capabilities of Authentik. Is that correct?

BTW, if folks haven't seen this yet....
https://github.com/9p4/jellyfin-plugin-sso

Anybody know whether Authentik or Authelia (or any other software) are able to put and process a 2FA code at the end of a password to bypass the lack of implementation in apps like Emby? I think I somewhere saw this kind of feature some years ago...


  • 2 weeks later...
horstepipe
On 12/24/2022 at 7:57 PM, horstepipe said:

Anybody know whether Authentik or Authelia (or any other software) are able to put and process a 2FA code at the end of a password to bypass the lack of implementation in apps like Emby? I think I somewhere saw this kind of feature some years ago...

Found something promising:

https://www.token2.com/site/page/token2-totpradius-virtual-appliance

I will play around with it.
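The "code appended to the password" scheme horstepipe is asking about, as an added illustration that is not code from this thread, from Emby, or from Authentik, Authelia or TOTPRadius: the user types their password with the six TOTP digits stuck on the end in the app's normal password field, and a verifier sitting in front of the app splits the string, checks the password hash and checks the code against RFC 6238 with a small clock-skew window. The secret below is the RFC 6238 test-vector seed, so the expected codes are known; the salt is constructed.

```python
# Added example: verifying a "password + 6-digit TOTP" login string.
# Native apps need no change, because the whole string travels in the password field.
import base64
import hashlib
import hmac
import struct
import time

# Base32 of the ASCII seed "12345678901234567890" used by the RFC 6238 test vectors.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, at // step, digits)

def password_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password part; this is what the verifier stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password_plus_totp(submitted: str, stored_hash: bytes, salt: bytes,
                              secret_b32: str, now=None, digits: int = 6,
                              skew: int = 1) -> bool:
    """Split the trailing digits off, check the password, then the code within
    +/- skew time steps. Both checks always run so a failure does not reveal
    which factor was wrong. A real deployment must also refuse a code that was
    already accepted in the same window (replay); that bookkeeping is omitted."""
    if len(submitted) <= digits:
        return False
    password, code = submitted[:-digits], submitted[-digits:]
    if not code.isdigit():
        return False
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(password_hash(password, salt), stored_hash)
    counter = now // 30
    code_ok = any(hmac.compare_digest(hotp(secret_b32, counter + d, digits), code)
                  for d in range(-skew, skew + 1))
    return pw_ok and code_ok
```

Because the app still sees only a password field, the verifier must strip the code before forwarding, or the app itself must be the component doing this check.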


  • 3 weeks later...
leekingsnatch

If you only plan on accessing Emby strictly using the web browser, then Authelia will certainly work to secure Emby behind an MFA prompt. However, this will result in double authentication, first with Authelia and then again with Emby, because as far as I can tell Emby doesn't support OAuth2 or OpenID for Authelia. If you plan on using any of the Emby apps, then none of these implementations will work.


anthonws
54 minutes ago, leekingsnatch said:

If you only plan on accessing Emby strictly using the web browser, then Authelia will certainly work to secure Emby behind an MFA prompt. However, this will result in double authentication, first with Authelia and then again with Emby, because as far as I can tell Emby doesn't support OAuth2 or OpenID for Authelia. If you plan on using any of the Emby apps, then none of these implementations will work.

Yeah, this is exactly the problem I realized while going through the mental plan of doing it. To be honest, I am doing tests with Jellyfin and the SSO plugin right now, and will move over when the native client supports it (https://github.com/9p4/jellyfin-plugin-sso/issues/61). Because I can't find an easy solution for adding an extra layer of assurance/security, given the risk that it presents to have the Emby service opened to the Interweb for my family members. And no Cloudflare solution is seamless enough for the kind of folks that access my server (my Mom would simply shoot me if the friction went through the roof).


22 minutes ago, anthonws said:

given the risk that it presents to have Emby service opened for the Interweb

Hi.  Just for our education, exactly what do you perceive those risks to be?


anthonws
57 minutes ago, ebr said:

Hi.  Just for our education, exactly what do you perceive those risks to be?

Knowing the average Joe, password complexity or uniqueness isn't a forte. I have concerns related to unwanted service access via password brute force or dictionary attack (password dumps are easy to access nowadays). But even if password complexity were available (either natively or when using my own IdP), a password alone is simply insufficient from a security posture perspective. There are many angles of possible phishing attempts that could lure a user into leaking their credentials. A phishing-resistant MFA layer would be a welcome addition.
Now, I can do that with Authentik, for example, which I am already doing for other applications (that support SSO), but with Emby it becomes a bit more challenging, particularly for the native apps. And even though LDAP is a viable next step, it doesn't provide features, AFAIK, like WebAuthn, which would drastically reduce user friction but greatly increase overall security.

Hopefully it makes sense. Anyways, I am not requesting or demanding anything. I am just looking for guidance on what others have accomplished with Emby and I am sharing what I have researched. With all due respect to the Emby team (for which I have been a long term supporter), as a user, I have to find the best alternatives for my use cases and objectives.


Hi. Thanks but I'm trying to determine exactly what you perceive the vulnerability is with Emby assuming someone did discover a password. 


anthonws
3 minutes ago, ebr said:

Hi. Thanks but I'm trying to determine exactly what you perceive the vulnerability is with Emby assuming someone did discover a password. 

Not sure who mentioned "vulnerability". I wrote "given the risk of having Emby exposed to the Interweb". Two very distinct concepts IMHO.

In essence I want to reduce risk and therefore I am researching possible solutions to accomplish that, like reducing risk of unwanted access to a service that I have published to the internet. Nothing else, nothing more.


raudraido
2 hours ago, anthonws said:

Not sure who mentioned "vulnerability". I wrote "given the risk of having Emby exposed to the Interweb". Two very distinct concepts IMHO.

In essence I want to reduce risk and therefore I am researching possible solutions to accomplish that, like reducing risk of unwanted access to a service that I have published to the internet. Nothing else, nothing more.

You are over-the-top dramatic. I have Emby exposed to the internet with an FQDN for at least 5 years now and I have never noticed any bots scanning that service. Also I do not see any real danger if somehow Emby is compromised, since it has only read-only permissions. At the same time, open port 22 and you'll see hundreds of login attempts in a minute.


I just monitor my one and only account that has the ability to delete files from my server.

It is an admin account, and it is hidden on login.

I was thinking about writing something that would alert me if the account was accessed (and maybe only when accessed remotely).
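An added sketch of the alert chef describes (not Emby's own code and not its notification plugin), extended to also flag the brute-force pattern anthonws raised earlier: it scans login events, raises on any successful admin login from an address outside an explicit list of trusted LAN ranges, and reports addresses with repeated failures. The JSON event format and all addresses are constructed for this example; they are not Emby's real log format.

```python
# Added example: alert on remote admin logins and on failed-login bursts.
import ipaddress
import json
from collections import Counter

# Constructed sample events. Field names are an assumption, not Emby's log schema;
# the "remote" addresses are RFC 5737 documentation addresses.
SAMPLE_EVENTS = """\
{"ts": "2023-02-01T08:01:10Z", "user": "mom", "admin": false, "ip": "203.0.113.7", "result": "ok"}
{"ts": "2023-02-01T08:05:42Z", "user": "admin", "admin": true, "ip": "192.168.1.20", "result": "ok"}
{"ts": "2023-02-01T23:16:58Z", "user": "admin", "admin": true, "ip": "198.51.100.9", "result": "fail"}
{"ts": "2023-02-01T23:17:01Z", "user": "admin", "admin": true, "ip": "198.51.100.9", "result": "fail"}
{"ts": "2023-02-01T23:17:03Z", "user": "admin", "admin": true, "ip": "198.51.100.9", "result": "fail"}
{"ts": "2023-02-01T23:17:09Z", "user": "admin", "admin": true, "ip": "198.51.100.9", "result": "ok"}
"""

# Explicit allowlist of networks that count as "local"; edit for your own LAN.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("192.168.1.0/24", "10.0.0.0/8", "127.0.0.0/8", "::1/128")]

def is_remote(ip: str) -> bool:
    """True unless the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)

def parse_events(raw: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def remote_admin_logins(events: list) -> list:
    """Successful logins by an admin account from a non-trusted address."""
    return [e for e in events
            if e["admin"] and e["result"] == "ok" and is_remote(e["ip"])]

def failed_login_bursts(events: list, threshold: int = 3) -> dict:
    """Addresses with at least `threshold` failures: a crude brute-force signal."""
    counts = Counter(e["ip"] for e in events if e["result"] == "fail")
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e in remote_admin_logins(evs):
        print(f"ALERT admin login from {e['ip']} at {e['ts']}")
    for ip, n in failed_login_bursts(evs).items():
        print(f"ALERT {n} failed logins from {ip}")
```

In a real deployment the print calls would be replaced by whatever channel you already use for alerts, and the event source would be Emby's own log or notification output.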


GWTPqZp6b
38 minutes ago, chef said:

I was thinking about writing something that would alert me if the account was accessed (and maybe only when accessed remotely).

The notification plugin can already do this. I alert to my Matrix server. 


metsuke

It is not dramatic to understand that there are entities looking for entry points into any network be they cameras, Exchange servers, IoT devices, routers, or Emby. It is truly insane that there still exist tech-oriented individuals that don't acknowledge that this is a real issue and that it is industry standard to mitigate via 2fa. It isn't for no reason that major government entities, medium-large companies, and every company I've ever worked for regardless of size require 2fa on any entry point into our network. Aside, believing that a compromised app doesn't pose a risk to the rest of your network is also a bit strange. Vulnerabilities are often unknown until after they've been exploited, and maybe not even then. It's not so terrible to not have something that should exist, but it is concerning that it isn't acknowledged as important or a priority.


raudraido
3 hours ago, metsuke said:

It is not dramatic to understand that there are entities looking for entry points into any network be they cameras, Exchange servers, IoT devices, routers, or Emby. It is truly insane that there still exist tech-oriented individuals that don't acknowledge that this is a real issue and that it is industry standard to mitigate via 2fa. It isn't for no reason that major government entities, medium-large companies, and every company I've ever worked for regardless of size require 2fa on any entry point into our network. Aside, believing that a compromised app doesn't pose a risk to the rest of your network is also a bit strange. Vulnerabilities are often unknown until after they've been exploited, and maybe not even then. It's not so terrible to not have something that should exist, but it is concerning that it isn't acknowledged as important or a priority.

I'm not against 2FA, but it is not a magic tool. It's explained in this topic as well. If you are worried about other services which are together with Emby, move Emby to a different isolated subnet. Docker is great for such things, adding another security layer.

It's like when you set up a mail server with web access which has 2FA. Also your server has IMAP and POP3 access. So, 2FA will be almost irrelevant in defending your server.

metsuke

Nobody said 2fa was magical, just expected, helpful, and standard for internet facing applications.

It is also not helpful to your point of security to bring up docker. Linux containerization is insecure to the point that no provider in the world offers a raw docker service. Any container service you utilize in the cloud has to be segmented via VM. The only container technologies that can be secure in their native state are FreeBSD jails and Solaris zones, which Joyent was offering natively until they were purchased by Samsung.


raudraido
2 hours ago, metsuke said:

Linux containerization is insecure to the point that no provider in the world offers a raw docker service.

GCP Google Cloud Run


horstepipe
9 hours ago, GWTPqZp6b said:

The notification plugin can already do this. I alert to my Matrix server. 

But it doesn't show the user's IP, does it?

rbjtech

Some interesting comments on this long running thread. (started 2018..)

As a network/security person - I see both sides of the debate - but fundamentally the 'layers' of security that emby has 'out the box' are imho very lacking in 2023.

No enforcing https, no password complexity checks, no user lockouts, admin account is exposed to the web etc - basic stuff that any internet facing application should have years ago ..

So once THAT is all sorted - then we can move to the next layers of Infosec - which include Authentication - but it is not the 'failsafe' that many think it is.    As expressed above, if a vulnerability is found - then it's all irrelevant.   

Anybody serious about Infosec will be running Emby behind a series of other security services - such as Reverse Proxies, IPS, multiple firewalls, Geo/IP blacklist-IP blocking, isolated dmz network etc etc all with full monitoring and alerting - but realistically, are we expecting emby to have this just so your Parents can watch a film - of course not.

Maybe this topic should be about emby 'security' in general, but I would love to see the basic stuff done first - not because I personally need it, but because I see the need to better protect those that are EXPECTING a level of basic security to be provided when they tick the 'Remote Access' box in emby.


rbjtech
11 hours ago, GWTPqZp6b said:

The notification plugin can already do this. I alert to my Matrix server. 

#1 on the list is to disable remote admin access to your emby server ... ;)

If you do need remote admin access, then use a VPN (which will likely have 2FA anyway lol..)


metsuke
1 hour ago, raudraido said:

GCP Google Cloud Run

Cloud Run is containers encapsulated in VMs, like all other Linux based container services.


rbjtech
12 hours ago, raudraido said:

You are over-the-top dramatic. I have Emby exposed to the internet with an FQDN for at least 5 years now and I have never noticed any bots scanning that service. Also I do not see any real danger if somehow Emby is compromised, since it has only read-only permissions. At the same time, open port 22 and you'll see hundreds of login attempts in a minute.

It's not being 'dramatic' - the simple logic is this - why scan Emby's known ports when there is no CURRENT vulnerability? As soon as there is a vulnerability - you will see the ports scanned, I guarantee that ...

It may have been a couple of years ago - but emby even allowed remote admin access without a password !   That has been tightened up now (to a degree, it still allows 'any' password) but there was a host of 'attacks' compromising emby systems because of this simple omission..

On the 'compromised' part - it has nothing to do with how emby works - the 'platform' may then be used to execute remote code - so all devices on the network that emby sits on are now discoverable ... hackers really don't give a monkeys about your emby collection. ;)

This isn't intended to 'scare' people - but suggesting there are minimal risks putting emby directly on the internet is imo naïve.
