
2-Factor Authentication (2FA)


xorinzor


leekingsnatch
15 hours ago, ebr said:

Hi. Thanks but I'm trying to determine exactly what you perceive the vulnerability is with Emby assuming someone did discover a password. 

I suspect this nonchalant attitude about "perceived" vulnerabilities with Emby might be what's driving development decisions with Emby. If developers don't think it's a big deal for someone to brute force their way into Emby then I suspect (please correct if I am wrong), security doesn't seem to be on the forefront of decisions concerning Emby and THAT is a big deal. If MFA is not a concern or even on the radar, what other vulnerabilities exist with Emby? Is anyone even looking or care for that matter?

 

  • Like 1
  • Agree 2

metsuke
27 minutes ago, rbjtech said:

Some interesting comments on this long running thread. (started 2018..)

As a network/security person - I see both sides of the debate - but fundamentally the 'layers' of security that emby has 'out the box' are imho very lacking in 2023.

No enforcing https, no password complexity checks, no user lockouts, admin account is exposed to the web etc - basic stuff that any internet facing application should have years ago ..

So once THAT is all sorted - then we can move to the next layers of Infosec - which include Authentication - but it is not the 'failsafe' that many think it is.    As expressed above, if a vulnerability is found - then it's all irrelevant.   

Anybody serious about Infosec will be running Emby behind a series of other security services - such as Reverse Proxies, IPS, multiple firewalls, Geo/IP blacklist-IP blocking, isolated dmz network etc etc all with full monitoring and alerting - but realistically, are we expecting emby to have this just so your Parents can watch a film - of course not.

 

I'm curious for your take on the Unix philosophy, mainly that programs should generally do one thing and do that thing well. I take it to heart and thus don't expect most of my programs to include such features as https enforcement, firewalling, or geo blocking. In fact, I kind of don't want those features as I've had some bad experiences with them being implemented poorly or overzealously and thus interfering with the programs I implemented that really should be taking responsibility for security (reverse proxy, router/firewall, cdn).

Perhaps if general security is what you think would serve the Emby community best, wouldn't promoting reverse proxies like Caddy (I use nginx but it doesn't grab certs automatically) be more productive in the long run? Then it's not just Emby that has https but every app behind the proxy.

The only reason why I expect and desire emby to have 2fa is because it provides authentication for users, which provides just another doorway into my network. A simple and helpful mitigation for user password issues is 2fa. It doesn't fix any other part of the stack, but it isn't supposed to!

  • Agree 1

chef
2 hours ago, rbjtech said:

#1 on the list is to disable remote admin access to your emby server ... 

This is important. In fact after reading that, I realized that I had my admin account enabled for remote access. Even though it was hidden from the login.

Nice reminder. 👍

  • Agree 1

rbjtech
22 minutes ago, chef said:

This is important. In fact after reading that, I realized that I had my admin account enabled for remote access. Even though it was hidden from the login.

Nice reminder. 👍

But it's just this sort of thing that is an 'easy win' for Emby.  If the admin account is the only user - then I guess there is not a lot emby can do here but suggest a high entropy password, but if there are multiple users, then when remote access is enabled, it should prompt to say do you wish to disable remote access (only) on the privileged account (recommended).  Any emby admin is then restricted to LAN side only.

Edited by rbjtech
  • Like 2

GWTPqZp6b
6 hours ago, horstepipe said:

But it doesn't show the user's IP, does it?

Yes, it does. 
 

User authenticated/Failed authentication works correctly

emby_bot MrXXX Has Authenticated on emby
         Google Chrome macOS 192.168.30.165
emby_bot Failed Login Attempt from MrXXX on emby
         192.168.30.165
Edited by GWTPqZp6b
  • Thanks 1

anthonws
18 hours ago, GWTPqZp6b said:

The notification plugin can already do this. I alert to my Matrix server. 

Can you tell me what plugin specifically? Is it possible to add any type of conditions (like after X events in a row)?

Thanks for the attention!


GWTPqZp6b
10 minutes ago, anthonws said:

Can you tell me what plugin specifically? Is it possible to add any type of conditions (like after X events in a row)?

The Matrix plugin specifically is maintained by another emby user (linked in that thread) but can be retrieved from his GitHub page and installed easily enough. 

EDIT: For an action to be instigated after X specific times you could leverage fail2ban. 

Edited by GWTPqZp6b
  • Like 1

rbjtech

Can anybody confirm if the AuthFail notification (I use it via scripter-X but also tested via Emby Notifications directly) works for invalid users and passwords? (i.e. brute force)

Mine only appears to work for valid users but incorrect passwords ..

I pass this to fail2ban (via scripter-x) - but ideally I want to be notified of all failed attempts - not just those where the user is known ..

This is the error I get when an invalid user is used -

Error authenticating with provider Default
	*** Error Report ***
	Version: 4.8.0.21
	Command line: C:\Emby-Server\system\EmbyServer.dll -service
	Operating system: Microsoft Windows 10.0.22621
	Framework: .NET 6.0.10
	OS/Process: x64/x64
	Runtime: C:/Emby-Server/system/System.Private.CoreLib.dll
	Processor count: 20
	Data path: C:\Emby-Server\programdata
	Application path: C:\Emby-Server\system
	System.Exception: System.Exception: Invalid username or password.
	   at Emby.Server.Implementations.Library.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
	   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser, CancellationToken cancellationToken)
	Source: Emby.Server.Implementations
	TargetSite: System.Threading.Tasks.Task`1[MediaBrowser.Controller.Authentication.ProviderAuthenticationResult] Authenticate(System.String, System.String, MediaBrowser.Controller.Entities.User)

but no AuthFail message is sent.

Thanks - thought I'd post here while we are on a related topic .. ;)


  • 2 weeks later...
Cyberrob90

Wow, I bought Emby Premiere and hoped some of these topics would get some priority if users bring money in, but as I can see: nothing?
Sad... Emby is such a cool platform, but 2FA is an absolute MUST HAVE feature.
Please bring it in!


  • 2 weeks later...
mete777

Don't want to implement 2FA??

You feel you are superior in security to others??

Fine. 

But the one thing I can't UNDERSTAND is: why not use login attempt limits and ban times by default, with a simple notification for Win 10, Win 11 or Linux also. 

Like for Windows it is also off by default and that's a real bummer. Because if you open an admin command prompt on Win 10 and type:

"net accounts /lockoutthreshold:21" enter and type "net accounts /lockoutduration:60"

this will make your system more secure just for login attempts alone, and it's off by default. 

Why not have this enabled by DEFAULT on Emby. It would not handle your existing users badly, it would not even be visible for them. You could also set the attempt number higher, because everything is better than INFINITE attempts; set it to 100. I would really like to see a user that doesn't get their password right after 100 attempts; they would more likely give it up before reaching 100. But for that password-trying attacker script, guessing it from only 100 is a real pain in the ... 

 

Simply have this option in the UI and users could decide by themselves to choose a number lower than 100 (default setting).

 

It's not 2FA but it's a hell of a lot better than infinite tries without any major prompt to the owner.

 

Side note: if you want SSL certs and VPN access to your server for free, a combo of SoftEther VPN Server, Caddy 2 reverse proxy and Emby can do the trick. You could RDP into your system over HTTPS and also have a login attempt limit failsafe.

 

So why not login attempt limits and ban times?? Easy to implement and no existing user hassle would be generated.

Simple as that.

 

 


rbjtech
3 minutes ago, mete777 said:

Don't want to implement 2FA??

You feel you are superior in security to others??

Fine. 

But the one thing I can't UNDERSTAND is: why not use login attempt limits and ban times by default, with a simple notification for Win 10, Win 11 or Linux also. 

Like for Windows it is also off by default and that's a real bummer. Because if you open an admin command prompt on Win 10 and type:

"net accounts /lockoutthreshold:21" enter and type "net accounts /lockoutduration:60"

this will make your system more secure just for login attempts alone, and it's off by default. 

Why not have this enabled by DEFAULT on Emby. It would not handle your existing users badly, it would not even be visible for them. You could also set the attempt number higher, because everything is better than INFINITE attempts; set it to 100. I would really like to see a user that doesn't get their password right after 100 attempts; they would more likely give it up before reaching 100. But for that password-trying attacker script, guessing it from only 100 is a real pain in the ... 

 

Simply have this option in the UI and users could decide by themselves to choose a number lower than 100 (default setting).

 

It's not 2FA but it's a hell of a lot better than infinite tries without any major prompt to the owner.

 

Side note: if you want SSL certs and VPN access to your server for free, a combo of SoftEther VPN Server, Caddy 2 reverse proxy and Emby can do the trick. You could RDP into your system over HTTPS and also have a login attempt limit failsafe.

 

So why not login attempt limits and ban times?? Easy to implement and no existing user hassle would be generated.

Simple as that.

 

 

This has been said many times throughout this thread (appreciate you may not have read it all) - but agree 100% that even the 'basics' are missing from emby 'security' - lockout is just one of the items that should be implemented but unfortunately isn't.  

If you are conscious about security, then you should be using a reverse proxy, and add tools such as fail2ban to provide lockout for example...


mete777

So fair enough. Emby will probably need a Fallout encounter to get serious about adding extra layers of security.

But Plex hacked and LastPass hacked also; we are probably not far away from that event. 
 

All we can do in the meantime is to back up our systems to cold storage every week or month. 
 

Oh, and they hacked LastPass through a keylogger installed through Plex auto update. 
 

So fail2ban huh? The joke is that you need stuff like that and it is not in it out of the box.

Hope European regulators will one day regulate this by law. And the US will follow. Imagine if fail2ban and max try and ban would be defaults by a standard. So basic yet so effective times would follow.


45 minutes ago, mete777 said:

But Plex hacked

Yes, they were, but a couple of points.

1) They had 2FA functionality at the time of this event

2) We work very differently than they do when it comes to logging into your server.  With them, ALL your users' login info is on THEIR servers.  We don't work that way.  Your user's login info is only on YOUR server - unless you wish to use Connect (optional) and then it is only limited and still under your control.

The basic network security measures mentioned in this thread are very good ideas.


chef

I wrote a plugin for emby which banned IPs in the Emby machine firewall when too many wrong login attempts happen. It also did a reverse lookup on the IP (which yes, can be spoofed).

But then I realized, if the bad actor was using something like Kali and poking my network, they're looking at a lot more than my media server sub domain, or endpoint, and I needed a beefy network, not just one PC.

That being said, I did utilize some of what fail2ban had done in my blacklist plugin, which can be found on my GitHub chefbennyj1.

I've been researching a bunch of hacking techniques lately, and also read several books on the matter.

(The book about Stuxnet was amazing.) 

I am in no way an expert in security.

What we could do is add to the functionality of the blacklist plugin to not only ban the IP from the Emby machine, but also send out some kind of alert to another device when the IP is banned. 

I think you need a decent forward facing network. 

If I were to do something nefarious, I would first reverse lookup a domain and get the IP. But I would attempt to poke any endpoints (known open ports). 

Movies and TV would be the last thing I would care about.

I'd be interested in personal information, how many machines are on the network. Names, and social media accounts.

Lastly, if I was nefarious, I would maybe encrypt files and ask for Bitcoin. 

Just make sure to use good passwords on your open ports.

If someone is going to hack you, it won't be because of Emby, it will be because known ports are open and have weak passwords, or use passwords that are available in dumps online... At least from my understanding.

Again, I'm not a professional.

 

Edited by chef
  • Like 1

rbjtech
12 hours ago, chef said:

I wrote a plugin for emby which banned IPs in the Emby machine firewall when too many wrong login attempts happen. It also did a reverse lookup on the IP (which yes, can be spoofed).

But then I realized, if the bad actor was using something like Kali and poking my network, they're looking at a lot more than my media server sub domain, or endpoint, and I needed a beefy network, not just one PC.

That being said, I did utilize some of what fail2ban had done in my blacklist plugin, which can be found on my GitHub chefbennyj1.

I've been researching a bunch of hacking techniques lately, and also read several books on the matter.

(The book about Stuxnet was amazing.) 

I am in no way an expert in security.

What we could do is add to the functionality of the blacklist plugin to not only ban the IP from the Emby machine, but also send out some kind of alert to another device when the IP is banned. 

I think you need a decent forward facing network. 

If I were to do something nefarious, I would first reverse lookup a domain and get the IP. But I would attempt to poke any endpoints (known open ports). 

Movies and TV would be the last thing I would care about.

I'd be interested in personal information, how many machines are on the network. Names, and social media accounts.

Lastly, if I was nefarious, I would maybe encrypt files and ask for Bitcoin. 

Just make sure to use good passwords on your open ports.

If someone is going to hack you, it won't be because of Emby, it will be because known ports are open and have weak passwords, or use passwords that are available in dumps online... At least from my understanding.

Again, I'm not a professional.

 

Some valid points there @chef - but fundamentally, security is all about 'layers' (I sound like 'Shrek' lol for all those that have watched this movie.. 🤣).

Having these security layers within Emby itself is a little late - as the threat actor is already 'inside' your network.

You also never counter probe an attacker from the same IP - as this confirms your existence.  

And yes, would agree 100%, an attacker would not be after your media files - they are after making money or extortion - so use Emby as an entry point to do further damage.

Guideline layered security for an internet facing service is as follows -

1. Internet

2. DMZ Network A / DMZ Firewall A

3. IPS A + High level Geo / Black List etc Blocking

4. Inner Network B / Inner Firewall B

5. IPS B + Web/App Firewall

6. App Web Server (only) + Canaries

7. Data Network C / Data Firewall C

8. Data Server + Canaries

 

All layers are probed by a monitoring device sitting in the Data Layer or monitoring/management network.

Data 'flow' direction is also important.

 

Is emby going to implement something like the above ?  Of course not, not only is it a poor idea to have 'one product' do all the above - but each 'layer' is a specialist area.  If they haven't implemented basic password complexity checks and lockout, I really would not want this product sitting in my DMZ ...

Another question - is it up to emby to provide security for their product ?   This is a tough one - part of me says yes, they have a duty of care to the installer and should provide 'basic' security, but another part of me says it's up to the user to ensure they protect themselves and their home network.   

Currently for emby, a reverse proxy sitting on an isolated DMZ network, IPS, firewalls and then emby sitting on its own firewalled 'media' network (off any 'user/home/personal' network) is about the best we are going to be able to do, as the web and data interfaces in emby are combined. 

Security is obviously a huge topic - and it's been said a few times now that there should probably be a 'security' section in this forum for those taking this to the next level.  Personally, I think that would be a good thing to do.

 

  • Agree 1

mete777

Overkill or not.

Password try limit and lockout to a user for x minutes is trivial to implement and would deter bots and other actors.

 

Still, if Emby the company is getting hacked and the auto update installs keyloggers, RATs, crypto miners, ransomware, we all will be f-ed up.


Just another idea: delayed auto updates.

You could choose how long after an update is available your Emby Server would update to that version. Benefits: if things get out and people are getting ransomware or crypto miners, you could still be on the safe side if you disable auto update till they have it sorted out. As of now I disabled auto update, and will do them manually monthly or so. 
 

Or a master password for server changes, or any other layer that can be done. 
 

Plex was hacked because high value targets were using it. 
 

Emby will be as big as Plex at some point and day by day there will be high value targets using it. 
 

It is futile to think Emby HQ would not be a target; they will be and probably already are.


rbjtech
9 minutes ago, mete777 said:

Just another idea: delayed auto updates.

You could choose how long after an update is available your Emby Server would update to that version. Benefits: if things get out and people are getting ransomware or crypto miners, you could still be on the safe side if you disable auto update till they have it sorted out. As of now I disabled auto update, and will do them manually monthly or so. 

Yep - again standard 'best practice'.  You should also be running emby as a 'Service' with its own service account.  Not only will Emby not auto-update if using a service, if it gets compromised, then it's not your main 'account'.  


chef
2 hours ago, mete777 said:

Password try limit and lockout to a user for x minutes is trivial to implement and would deter bots and other actors.

Oh, that's what the blacklist plugin does. 

It blocks the IP for a certain amount of time.

 

@rbjtech you saw that blacklist plugin.

Was it worth looking into further?

You're a security guy. 👍 I only read a couple books, and learned some basic Linux and windows code bases for firewalls. 


rbjtech
10 minutes ago, chef said:

@rbjtech you saw that blacklist plugin.

Was it worth looking into further?

Definitely @chef - It was a good plugin and did what it said on the tin !

This one right ?

https://github.com/chefbennyj1/Emby.Blacklist

Happy to help and put it through its paces if you'd like ?

Edited by rbjtech
  • Like 1

chef
43 minutes ago, rbjtech said:

Definitely @chef - It was a good plugin and did what it said on the tin !

This one right ?

https://github.com/chefbennyj1/Emby.Blacklist

Happy to help and put it through its paces if you'd like ?

It isn't 2fa, and everyone seems to want that. But it might be worth looking into ironing out the kinks.

I know the reverse lookup might not give exact location data because of proxies and VPNs, but perhaps knowing where those services are located is good enough.

It would definitely slow down brute force attacks. 🤷

 


mete777

This is not 2FA and probably they don't want to implement that because existing users would be impacted. 
 

The login try limit and ban time would help to more easily use scenarios like reverse proxies with SSL cert auto-renewal functions like Caddy.

 

I have a domain name; Caddy handles the SSL certificate for that name and also handles the reverse proxy.

 

If somebody knows the name of the domain they will be presented with the login screen for Emby.

 

And there the login attempt limit would be helpful.

 

This setup is very handy because you can just give your domain name to a friend or family member. Make an account for them on your server, and if they connect they will be redirected to an HTTPS connection with the certificate handled by Caddy. Emby only sees LAN connections and the streams are TLS protected from ISP eyes. (Although there could be some noise added to the streams, because nowadays they have analytic tools that can detect films from the TLS encryption chaos. They can identify films just by looking at the encrypted stream itself, crazy huh.) 

 

So yeah, a fail2ban or a more simple "you have tried your password 21 times, now sit down for 5 minutes" would be helpful.

 

Windows 10 notifications about failed attempts would also be a cake.

 

But hey, a man can dream on.


mete777

Also what I have never seen anywhere is two-step logins. Not 2FA, just two login screens one after another.

Now you would ask, why would that be any good? 
 

Imagine it like a fence around your house. You have the key so you can walk up to the house, but the house itself is also locked, so you still need another key to enter.

 

And here comes the cake. You could have different rules for the screens:

1st login screen: unlimited attempts (why? To have bots and scripts be in pain with it without locking out the legit user, you)

2nd login screen: limited attempts (to close out bots and scripts which miraculously guessed the first credentials from dictionaries and so on, but now they only get like 21 guesses and then they would be banned)

 

Also if somebody is already poking your second screen you can be sure that you can ban it, because the one that can go through the first screen should know your second screen pass, be that an Emby user TV setup or a human entering it manually.

 

All I'm saying is that imagination is the only limit to security. Or as Arnold said it once: "Only the mind is the limit"

 

If this sounds silly, who knows, maybe it is, because nobody has that as far as I'm aware.

Maybe it's not silly, just nobody thought about it that way. 
 

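An added example, not code from Emby, the Emby.Blacklist plugin or any poster, that models the lockout proposed in mete777's posts above (21 failed attempts, then a 5-minute ban, counted over a sliding window) and the two-screen "fence then house" idea just above it. Keying the counter on the client's source IP is an assumption of this example: keying on the username alone would let a remote guesser lock the real owner out, which is exactly the concern the first-screen rule tries to avoid.

```python
# Added example, not code from Emby, the Emby.Blacklist plugin or any poster.
# It models the lockout proposed in this thread (21 failed attempts, then a
# 5-minute ban) and the 'fence then house' two-screen login idea.  Keying the
# counter on the client's source IP is my assumption: keying on the username
# alone would let a remote guesser lock the real owner out.
from collections import defaultdict, deque


class LoginGuard:
    """Sliding-window failure counter with a temporary ban, fail2ban-style."""

    def __init__(self, threshold=21, window_s=300, ban_s=300):
        self.threshold = threshold            # failures tolerated inside the window
        self.window_s = window_s              # failures older than this are forgotten
        self.ban_s = ban_s                    # how long a tripped key stays banned
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._banned_until = {}               # key -> time the ban expires

    def is_banned(self, key, now):
        until = self._banned_until.get(key)
        if until is None:
            return False
        if now >= until:                      # ban expired: forget it, start clean
            del self._banned_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        """Count one failure; return True if this one trips the ban."""
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()                       # slide the window forward
        if len(q) >= self.threshold:
            self._banned_until[key] = now + self.ban_s
            q.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)         # a real login resets the counter


def attempt_login(guard, src_ip, now, credentials_ok):
    """One attempt on a rate-limited screen: returns 'ok', 'denied' or 'banned'."""
    if guard.is_banned(src_ip, now):
        return "banned"                       # do not even evaluate the password
    if credentials_ok:
        guard.record_success(src_ip)
        return "ok"
    if guard.record_failure(src_ip, now):
        return "banned"                       # this failure tripped the threshold
    return "denied"


def two_stage_login(guard, src_ip, now, gate_ok, account_ok):
    """Outer 'fence' screen: unlimited attempts, nothing is recorded.
    Inner 'house' screen: the normal lockout applies."""
    if not gate_ok:
        return "gate-denied"
    return attempt_login(guard, src_ip, now, account_ok)


if __name__ == "__main__":
    g = LoginGuard()
    # Constructed sample: one WAN address guessing 'Admin' once a second.
    results = [attempt_login(g, "203.0.113.7", t, False) for t in range(25)]
    print(results[19], results[20], results[24])      # denied banned banned
    print(attempt_login(g, "203.0.113.7", 320, True))  # ok (ban has expired)
```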

rbjtech
1 hour ago, chef said:

It isn't 2fa, and everyone seems to want that. But it might be worth looking into ironing out the kinks.

I know the reverse lookup might not give exact location data because of proxies, and vpns, but perhaps knowing where those service are located is good enough.

I would definitely slow down brute force attacks. 🤷

 

They want 2FA because it's a buzz word - but anybody implementing 2FA has built it on existing security fundamentals - and without them 2FA is frankly worthless and probably impossible anyway (2FA over http anyone ?)..

The 'detail' behind the attacks/attempts for the majority is going to be irrelevant - the fact that a bot is blocked after 5 attempts at using password 'monkey123' on user 'Admin' is only a good thing - it will simply move onto the next WAN IP in the scan ..

I just compiled the binary actually and it still built ok - it hasn't been updated in 3 years though according to Git - so probably needs a quick going over ! ;)

  • Agree 1
