jon_ · Posted January 17, 2019

Hi

I've been trying to lock down remote access as much as possible. Currently I don't have emby directly connected to the outside world, so if I want to do a remote play/sync I connect via OpenVPN. It works, but it's not ideal as it requires manual steps for sync when out and about, and things like a Fire Stick have to have an external VPN device like a router to be able to connect.

I've been looking at running an apache reverse proxy to do SSL termination; this is up and working. I can remove remote admin access via blacklisting the remote admin pages with statements like:

    ProxyPass /emby/web/index.html#!/dashboard.html !
    ProxyPass /emby/web/dashboard.html !
    .... etc

I've gone through all of the links that I can see and added statements for this. Now if I use the reverse proxy I can't get to any admin pages. Great.

I know I could just disable admin for that particular user, but I'd rather lock it down so even if someone logs in as an admin user, they can't do anything.

Then I was thinking that actually I could disable remote web access entirely, as the apps appear to connect to /emby/ not /emby/web/. Would there be any bad effects if I removed access to /web entirely?

Ideally I'd also like to disable remote admin from the mobile apps as well. Adding these manually is a bit harder than from the web app, as I have to trawl logs for access rather than copying and pasting from a browser. Is there a list of blacklistable URLs for the mobile / TV clients?

Basically the only functions that I want a remote client to be able to do are:

- Stream files (transcoded or otherwise)
- Sync media

Thanks
Jon
(I'm not paranoid, honest!)
Luke · Posted January 17, 2019

@pir8radio may have some reverse proxy tips. Thanks!
vaise · Posted January 17, 2019

I'm also interested in this. I have remote iPhone, iPad, Xbox One, Roku, Chromecast, Android TV and ATV4 users, but also two family members use a laptop connected to their TV with a normal web browser. Maybe I can convert them to use Emby Theater? Will that also mean I can block all web access? Does Emby Theater use that?
pir8radio · Posted January 17, 2019 (edited)

> Hi
>
> I've been trying to lock down remote access as much as possible. Currently I don't have emby directly connected to the outside world, so if I want to do a remote play/sync I connect via OpenVPN. [...]
>
> Thanks
> Jon
> (I'm not paranoid, honest!)

lol, I'm pretty sure you ARE paranoid.... My server has been on the net for years, I've owned the same domain name since the 90's, you can find it via google, you can find it on this site, you can find my guest login info... What is your fear?

Even if you "block all web access", http://app.emby.media will still work if I enter your IP there..... You can just block the login pages with nginx.... but there are still admin functions in the apps... If you are worried about media getting deleted, you can set up your drive so that the regular windows user (emby) can't delete or overwrite anything... then if someone somehow does get your admin password, worst case they screw up your already backed up emby settings... restore and plug the hole.

Edited January 17, 2019 by pir8radio
jon_ (Author) · Posted January 17, 2019

> lol, I'm pretty sure you ARE paranoid....

I've worked in Network & Cloud security for the last 20-odd years, where a healthy dose of paranoia goes a long way.

I know that with a decent password, an SSL reverse proxy running on an unusual port and some basic precautions like fail2ban, the chances of anything bad happening are pretty minimal. But I like tinkering with stuff, learning new things (like the intricacies of apache2 reverse proxy), figuring out how the emby communications work, and following basic security best practice. E.g. by default, if you connect to the emby port at the root, it helpfully redirects you to the UI login page. Anyone poking round immediately knows that they now have an emby server to try and break into, and a nice password submission page. If you block that initial redirect, all they know is there's something there, or maybe just a web server configured with no root enabled. They have to guess that it's an emby server and add /emby/ to the URL before they can start attacking you. Chances of that are pretty minimal.

*If* someone finds a vulnerability in emby, then that simple step could be the difference between someone getting access to your server or not...
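As an added example (not posted by anyone in this thread), an Apache 2.4 virtual host that does what jon_ describes above: TLS termination on an unusual port, ProxyPass exclusions for the web UI admin pages, and no proxying of the site root so the unauthenticated redirect to the login page is never reachable. The hostname, port, certificate paths and the backend address (Emby's default HTTP port 8096) are assumed placeholders; one caveat worth knowing is that the `#!/dashboard.html` part of a browser URL is a fragment that is never sent to the server, so a ProxyPass rule written on it can never match.

```apache
# Added example, not from the thread. Requires mod_ssl, mod_proxy and
# mod_proxy_http. Hostname, port, certificate paths and the backend
# address (Emby default HTTP port 8096) are assumed placeholders.
Listen 8443
<VirtualHost *:8443>
    ServerName media.example.net

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/media.example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/media.example.net.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # ProxyPass rules are matched in configuration order and the first
    # match wins, so exclusions ("!") must precede the general rule.
    # Only real server-side paths can be excluded: a "#!/dashboard.html"
    # fragment never leaves the browser, so a rule on it cannot match.
    ProxyPass /emby/web/dashboard.html !
    # Broader option discussed in the thread: keep the whole web UI off
    # the internet and expose only the path the apps use. With this rule
    # in place the per-page exclusion above is redundant.
    ProxyPass /emby/web/ !

    ProxyPass        /emby/ http://127.0.0.1:8096/emby/
    ProxyPassReverse /emby/ http://127.0.0.1:8096/emby/

    # Nothing proxies "/", so Emby's redirect from the root to its login
    # page is never reached. Deny everything locally, then re-allow only
    # /emby/. For overlapping paths, later <Location> blocks override
    # earlier ones.
    <Location "/">
        Require all denied
    </Location>
    <Location "/emby/">
        Require all granted
    </Location>
    # Excluded web UI requests would otherwise fall through to DocumentRoot;
    # refuse them explicitly rather than relying on a 404.
    <Location "/emby/web/">
        Require all denied
    </Location>
</VirtualHost>
```

With this in place a browser requesting the root or anything under /emby/web/ gets a 403 from Apache, while the /emby/ API the apps use stays reachable. As pir8radio points out, admin functions inside the apps themselves are not affected by blocking the web UI.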
Happy2Play · Posted January 17, 2019

So in the end one should block the admin from having "Allow remote connections to this Emby Server." and use a user account for normal usage, correct?
jon_ (Author) · Posted January 17, 2019

> Even if you "block all web access", http://app.emby.media will still work if I enter your IP there..... You can just block the login pages with nginx.... but there are still admin functions in the apps...

Actually, app.emby.media appears to just redirect your connection to the server address, connecting to / and relying on the redirect to bounce you to /emby/ and the login page. It doesn't do anything more fancy than that...
vaise · Posted January 17, 2019

> So in the end one should block the admin from having "Allow remote connections to this Emby Server." and use a user account for normal usage, correct?

I do this. Still open to more security however; more can never hurt. I like the idea of no web access at all, just app access.
jon_ (Author) · Posted January 17, 2019

> So in the end one should block the admin from having "Allow remote connections to this Emby Server." and use a user account for normal usage, correct?

That'd probably be best practice, yep.. There's a term in IT security called 'minimising attack surface': you expose as few things to the internet as possible that could be attacked. That other orange media server has had a couple of rather large security holes exposed in the past, so any additional security that can be added can only help matters....
sluggo45 · Posted January 17, 2019

> So in the end one should block the admin from having "Allow remote connections to this Emby Server." and use a user account for normal usage, correct?

That sounds like a good solution. I can always VPN in if I need to do admin stuff remotely, so it'd be nice to otherwise restrict remote access to user-level (playback, etc.). Could be as simple (I know it's not that simple to do, I mean for the end user) as two options where there is now one: "Allow remote access (all) to this server" and "Allow remote access (non-admin) to this server" under advanced options.

Between this and the fact that Emby Connect is already a more security-friendly solution than the Other Guys..... I fully agree that minimizing attack footprints is never a bad thing. At least as an option for users that know what they are doing.