Carlo, posted October 8, 2018:

In looking at the server log today, it was discovered that IPs coming from China were trying to discover vulnerabilities in Emby. In this case it was trying to run PHP files, but this doesn't really matter. In each case Emby logged an "HTTP Response 404" to the log.

What I would request as a FEATURE is an AUTO BAN of IPs (blacklist) for a given period of time. So, for example, if x.x.x.x IP tried to access Emby and generated 5, 10 (insert #) of 404 errors, it would get AUTO BANNED for Y amount of time, which could be 15 minutes to an hour.

With the right settings for number of 404 errors and ban time, this would quickly shut down these "port scans" and protect our Emby servers.

Carlo

Jdiesel, posted October 8, 2018:

Lots of folks are using Fail2Ban for this

jfgilliam, posted October 8, 2018:

Would changing the port help?

Carlo, posted October 8, 2018:

> Lots of folks are using Fail2Ban for this

There are several solutions that could be set up via some type of firewall. That is more of a power user type feature and not your typical user. So I was just thinking that since Luke has already added blacklisting to the server, this would be an extension of that, and it would surely help protect systems that aren't sitting behind an IP-blocked firewall.

CBers, posted October 8, 2018:

@cayars Use a reverse proxy (nginx) and put Emby behind it, and set it up to check against a list of blacklisted IP addresses.

You can also run a script to search the nginx logs for failed attempts and auto-add them to the blacklisted IP address list.

@Swynol wrote a good guide for setting up nginx.

@PenkethBoy wrote a PowerShell script to extract and update the blacklisted IP address list.
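
The approach discussed above (count 404 responses per client IP and ban for a fixed time once a threshold is reached) as an added example that is not part of any post in this thread and is not the PowerShell script mentioned. It assumes nginx's "combined" access-log format; the function names, the thresholds (5 hits in 10 minutes, 30-minute ban) and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: client IP, identity, user, [timestamp], "request", status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not taken from a real log
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2018:10:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [08/Oct/2018:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "-"
198.51.100.20 - - [08/Oct/2018:10:00:03 +0000] "GET /web/index.html HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [08/Oct/2018:10:00:04 +0000] "GET /admin.php HTTP/1.1" 404 162 "-" "-"
198.51.100.20 - - [08/Oct/2018:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [08/Oct/2018:10:00:06 +0000] "GET /config.php HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [08/Oct/2018:10:00:07 +0000] "GET /info.php HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [08/Oct/2018:10:00:08 +0000] "GET /test.php HTTP/1.1" 404 162 "-" "-"
""".splitlines()

def find_bans(lines, max_404=5, window=timedelta(minutes=10),
              ban_time=timedelta(minutes=30)):
    """Return [(ip, ban_start, ban_end)] for IPs with max_404 404s inside window."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404 responses
    banned_until, bans = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue              # unparsable line or not a 404
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ip in banned_until and ts < banned_until[ip]:
            continue              # ban still active, do not count again
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop 404s that fell out of the sliding window
        if len(hits) >= max_404:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            hits.clear()          # start counting fresh once the ban expires
    return bans

def nginx_deny_lines(bans, now):
    """Render bans still active at `now` as nginx `deny` directives."""
    return [f"deny {ip};" for ip, _, end in bans if end > now]

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"{ip} banned from {start} until {end}")
```

The ordinary client with a single 404 (a missing favicon) stays under the threshold, which is why the count and the window need tuning before bans are enforced.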

Carlo, posted October 8, 2018:

I had started down that road previously but it's not an easy setup for a lay person to do. More of a power user setup. I was just thinking of the normal admin who installs Emby and how to help protect their systems.

pir8radio, posted October 9, 2018 (edited October 9, 2018):

> In looking at the server log today, it was discovered that IPs coming from China were trying to discover vulnerabilities in Emby. In this case it was trying to run PHP files, but this doesn't really matter. In each case Emby logged an "HTTP Response 404" to the log.
>
> What I would request as a FEATURE is an AUTO BAN of IPs (blacklist) for a given period of time. So, for example, if x.x.x.x IP tried to access Emby and generated 5, 10 (insert #) of 404 errors, it would get AUTO BANNED for Y amount of time, which could be 15 minutes to an hour.
>
> With the right settings for number of 404 errors and ban time, this would quickly shut down these "port scans" and protect our Emby servers.
>
> Carlo

It's pretty common and harmless if your server is secure. They are not necessarily trying to find Emby holes. They are looking for common misconfigured servers, and holes people leave in their setups. Below are the top 13 or so from one of my servers, and the results look the same across all of my web servers. Most of them look for default PHP setups. And China is the main bad guy.

Thuzad, posted October 15, 2018:

@pir8radio What software are you using to get this?

K-O-K, posted October 17, 2018:

> @pir8radio What software are you using to get this?

Yes! It would be really good to know what software is providing those stats! @pir8radio

Jdiesel, posted October 17, 2018:

It is an nginx log analysis tool. There are many options out there but @pir8radio appears to be using Weblog Expert.

pir8radio, posted October 17, 2018 (edited October 17, 2018):

Oh, yeah, it's for nginx, Apache, and IIS logs... you need to be running a reverse proxy for this to work... But Jdiesel is correct, they were all created using Weblog Expert.

Here is a post that shows some other stats you can get: https://emby.media/community/index.php?/topic/35555-any-interest-in-a-tutorial-for-statsreverse-proxy/?p=335338