
Windows Emby Server - Block User and IP (DDOS, Firewall)



mrjurek
English:
 
Hello
 
I suggest expanding the security:
- a user blocking function after 5 (to be determined by the administrator) consecutive incorrect logins
- blocking the IP address (DDoS, firewall) for 1 hour (to be determined by the administrator) if, within a period of 15 minutes (to be determined by the administrator), there are incorrect authorizations (number to be determined by the administrator). IP addresses should be visible in the menu, it should be easy to clear individual or all addresses, and there should be a schedule for clearing these addresses set by the administrator (for example: always Monday 1:00).
 
Firewall in Windows (block command in PHP):
shell_exec("netsh advfirewall firewall add rule name=EmbyServ_".$time."_".$ipp." profile=any dir=in action=block enable=yes remoteip=$ipp");
Unblock command in PHP:
shell_exec("netsh advfirewall firewall delete rule name=..................");
 
 
5ab9fe49e3e84_AdvancedSecurity.png
 
 

 

Link to comment
Share on other sites
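
The lockout policy proposed in the post above, sketched as an added example (not Emby's code and not the poster's script): a sliding-window counter that blocks an address after repeated failed logins and lifts the block after an hour. `LoginGuard`, `MAX_FAILS = 5` and the argument-list output are assumptions; the netsh arguments and the `EmbyServ_` rule naming follow the commands in the post, and the address is parsed as an IP before it is placed in a command.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW = 15 * 60     # failures are counted over 15 minutes (value from the post)
MAX_FAILS = 5        # assumed threshold; the post leaves the count to the admin
BLOCK_FOR = 60 * 60  # a block lasts 1 hour (value from the post)
NETSH = ["netsh", "advfirewall", "firewall"]


class LoginGuard:
    def __init__(self):
        self.fails = defaultdict(deque)  # ip -> times of recent failed logins
        self.blocked = {}                # ip -> (rule name, time the block ends)

    def record_failure(self, ip, now):
        """Count one failed login; return a netsh argv when the IP must be blocked."""
        # Parsing rejects anything that is not a bare IP address, so text taken
        # from a log never reaches the command line unchecked (ValueError).
        ip = str(ipaddress.ip_address(ip))
        if ip in self.blocked:
            return None
        recent = self.fails[ip]
        recent.append(now)
        while now - recent[0] > WINDOW:  # drop failures older than the window
            recent.popleft()
        if len(recent) < MAX_FAILS:
            return None
        del self.fails[ip]
        name = f"EmbyServ_{int(now)}_{ip}"  # same naming pattern as the post
        self.blocked[ip] = (name, now + BLOCK_FOR)
        return NETSH + ["add", "rule", f"name={name}", "profile=any", "dir=in",
                        "action=block", "enable=yes", f"remoteip={ip}"]

    def expire(self, now):
        """Return delete-rule argvs for every block whose time has run out."""
        done = [ip for ip, (_, end) in self.blocked.items() if now >= end]
        return [NETSH + ["delete", "rule", f"name={self.blocked.pop(ip)[0]}"]
                for ip in done]

    def clear_all(self):
        """The admin's 'clean all addresses' action: unblock everything now."""
        return self.expire(float("inf"))
```

Each returned list can be handed to `subprocess.run` as it is, with no shell involved; the scheduled cleanup from the post maps to calling `clear_all()` from a timer.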

  • 4 weeks later...
mrjurek
ok, I saw (3.3.1.19-beta).

 

However, Black List and White List are not a solution for a dynamic IP address (ISP address in my mobile phone). :(

Edited by mrjurek
Link to comment
Share on other sites

Swynol

Yeah, this would be a good addition.

 

I do something similar with an NGINX reverse proxy. If you're using NGINX I can help set up a blacklist.

Link to comment
Share on other sites

I think anything more sophisticated you will probably want to handle at the router or reverse proxy level.

Link to comment
Share on other sites

horstepipe

Yeah, this would be a good addition.

 

I do something similar with an NGINX reverse proxy. If you're using NGINX I can help set up a blacklist.

Hey

I'd really appreciate it if you could tell us more about what you set up in nginx for security purposes.

Link to comment
Share on other sites

Swynol

I have the normal NGINX security stuff:

 

ssl_session_timeout 30m;

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      E:\le64\Domain.crt;
ssl_certificate_key  E:\le64\Domain.key;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

 

proxy_hide_header X-Powered-By;
proxy_hide_header X-Frame-Options;
add_header X-Content-Type-Options "nosniff"  always;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;

add_header x-xss-protection 1;

 

 

I also use Cloudflare to hide my WAN IP and add a bit of DDoS protection and security. I also use country blocking on my router to block some of the more dodgy places.

 

And finally I use a blacklist. I got my initial blacklist from a security website which keeps a huge list of flagged dodgy IPs. Then I keep an eye on my NGINX access logs for anything suspicious. If something is flagged I add it to my blacklist. The only issue is I have to manually add the IP, and it's usually after an attack. In NGINX you include the line below in the nginx.conf file:

 

include blacklistips.conf;

 

You can download my blacklist here

 

https://drive.google.com/open?id=1NP99QRgynozorwEjxK5WVRYTNhtec9iE

 

and place it in NGINX/Conf folder

 

And finally I use an IPS/IDS (Intrusion Prevention Service / Intrusion Detection Service) on my router; any abnormalities are either blocked or flagged to me.

 

{touch wood} I haven't had a successful attack. Usually my router reports around 10000 blocked threats every 24 hours.

 

5ad8b607e8253_threats.jpg

Link to comment
Share on other sites
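
One way to take the manual step out of the blacklist workflow described above, as an added example (not Swynol's setup): count 401 responses per client in the access log and merge the offenders into `blacklistips.conf`. It assumes nginx's default `combined` log format, a blacklist made of `deny <address>;` lines, a threshold of 3, and that the logged address is the real client rather than a proxy such as Cloudflare; the log lines are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in nginx's default "combined" access-log format.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2018:10:00:01 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "sample"
203.0.113.7 - - [20/Apr/2018:10:00:02 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "sample"
198.51.100.9 - - [20/Apr/2018:10:00:03 +0000] "GET /emby/System/Info/Public HTTP/1.1" 200 312 "-" "sample"
203.0.113.7 - - [20/Apr/2018:10:00:04 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "sample"
198.51.100.9 - - [20/Apr/2018:10:00:05 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "sample"
unix: - - [20/Apr/2018:10:00:06 +0000] "GET / HTTP/1.1" 401 0 "-" "sample"
"""

# client address, ident, user, [time], "request", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')
DENY = re.compile(r"^\s*deny\s+([^;\s]+);", re.M)


def failed_auth_counts(log_text):
    """Count 401 (failed authentication) responses per logged client field."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(2) == "401":
            counts[m.group(1)] += 1
    return counts


def update_blacklist(existing_conf, log_text, threshold=3):
    """Return new blacklist text: the old entries plus clients over the threshold."""
    denied = set(DENY.findall(existing_conf))  # keeps existing IPs and CIDR ranges
    for client, n in failed_auth_counts(log_text).items():
        if n < threshold:
            continue
        try:
            denied.add(str(ipaddress.ip_address(client)))
        except ValueError:
            continue  # e.g. "unix:"; only real addresses go into the file
    return "".join(f"deny {entry};\n" for entry in sorted(denied))
```

nginx only picks up the regenerated file after a reload (`nginx -s reload`).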

mrjurek
NGINX is a great idea. I have to try.

 

Personally, I have a server on Apache PHP, and in it my script blocks IP addresses in the firewall (I use the Emby log).

 

 

Sorry for my English. :)

Edited by mrjurek
Link to comment
Share on other sites
