Remote security, I just don't get it.


mrphuzz

Emby security, I just don't get it.

 

My server is completely open to the public at MY_IP_ADDRESS:8096.  That is bad.  How do I prevent this?  If I remove port mapping from my router, remote access fails entirely.  Can't access via the web, can't access via android app, etc.

 

I want to be able to allow remote access, via username/password, AND close my server to the public in general.

 

Preferably without Emby Connect (because I don't want to have to force my friend to set up an account with some other company just to watch stuff on my server).  So I create a local user.  Now what?  Where does a login system for my newly created user "bob" ever come into play?

 

Or does "add local user" even apply to my friend bob who lives on the other side of the country?  If not, does bob HAVE to create an Emby Connect account to access my media via secure means?  If not, how does bob log in?

 

Summary: how can I allow my buddy across the country to login with a username and password, while preventing the general public from accessing MY_IP_ADDRESS:8096?

 

I'm a little frustrated, so if my wording seems a little tense, please forgive.

 

Thanks.

 


Deathsquirrel

I'm not sure what this really has to do with Emby as this is really a basic internet security/remote connectivity issue.  If you open ports on your firewall, they're open to the world.  There are a variety of ways to secure your network access to one extent or another.  I'd suggest starting with checking what your router supports for remote access as if you just want to share access to your server with one remote user, a VPN is probably the easiest option.


BAlGaInTl

Emby security, I just don't get it.

 

My server is completely open to the public at MY_IP_ADDRESS:8096.  That is bad.  How do I prevent this?  If I remove port mapping from my router, remote access fails entirely.  Can't access via the web, can't access via android app, etc.

You can force secure connections in the settings. There are a few ways you can handle the security of the server, but there is a general guide in the wiki:

 

https://github.com/MediaBrowser/Wiki/wiki/Secure-Your-Server

 

I want to be able to allow remote access, via username/password, AND close my server to the public in general.

It just doesn't work like that. Something has to be open to the public.

 

Preferably without Emby Connect (because I don't want to have to force my friend to set up an account with some other company just to watch stuff on my server).  So I create a local user.  Now what?  Where does a login system for my newly created user "bob" ever come into play?

 

Or does "add local user" even apply to my friend bob who lives on the other side of the country?  If not, does bob HAVE to create an Emby Connect account to access my media via secure means?  If not, how does bob log in?

 

Summary: how can I allow my buddy across the country to login with a username and password, while preventing the general public from accessing MY_IP_ADDRESS:8096?

 

I'm a little frustrated, so if my wording seems a little tense, please forgive.

 

Thanks.

Yes, Bob's local account is also the account used to remotely log in. You don't have to use Emby Connect. Make sure Bob's account is set up with a strong password. I also suggest turning off his profile from being visible at the login screen. So Bob would need both his username and his password to connect.

 

There are several threads on securing Emby, and it does take a little time, just as with any server.


pir8radio

I think he means if you go to his IP you get right in without a password. You need to make sure every user has a password set up in the user settings... You can go to the bottom of the user settings and hide each user from the login screen. With all users hidden you will then see a "login" screen instead of a screen with user icons you can click. You don't need to use the PIN or anything, or Emby Connect, just make sure you set a password for every user.


 

My server is completely open to the public at MY_IP_ADDRESS:8096.  That is bad.  How do I prevent this?  If I remove port mapping from my router, remote access fails entirely.  Can't access via the web, can't access via android app, etc.

 

I want to be able to allow remote access, via username/password, AND close my server to the public in general.

 

Sounds like you just need to assign a password to your Emby user.


I set up Emby to only accept connections from my LAN and my VPN LAN.

 

Then I set up an OpenVPN server on my EdgeRouter accepting connections from devices that hold the secret key + passphrase.

 

I have OpenVPN on my mobile devices; I simply connect to my network, then I open Emby and voila, full access.

 

I would personally never host anything on the public internet; even with password protection, exploiters could find a way in. I also do not recommend running Emby, or any other program like it, with write/delete/modify access to the source files, as you could get hacked and damage could be done to your archive if you let Emby modify the data.

 

 


BAlGaInTl

I think he means if you go to his IP you get right in without a password. You need to make sure every user has a password set up in the user settings... You can go to the bottom of the user settings and hide each user from the login screen. With all users hidden you will then see a "login" screen instead of a screen with user icons you can click. You don't need to use the PIN or anything, or Emby Connect, just make sure you set a password for every user.

Yeah, I think you're right. I mentioned that as well.

 

I recently hid users on my server as well which made me think of a couple of security enhancements.

 

1. There should be a global setting for hiding profile pictures.

2. There should be an admin setting to require passwords. Because can't Bob in theory just delete his password and not use one anymore?


pir8radio

I set up Emby to only accept connections from my LAN and my VPN LAN.

 

Then I set up an OpenVPN server on my EdgeRouter accepting connections from devices that hold the secret key + passphrase.

 

I have OpenVPN on my mobile devices; I simply connect to my network, then I open Emby and voila, full access.

 

I would personally never host anything on the public internet; even with password protection, exploiters could find a way in. I also do not recommend running Emby, or any other program like it, with write/delete/modify access to the source files, as you could get hacked and damage could be done to your archive if you let Emby modify the data.

That's a bit on the paranoid side, no? It's like saying: I'm worried a burglar will break into my house, so I built my house on 50-foot stilts and the only way into my house is via helicopter. There should be a balance between paranoid and normal use. If you are a true target I would just drive up to your house and crack your WiFi.

 

I have yet to hear of a case where Emby security has been cracked other than people using weak passwords. @cd01 is correct about making sure the server user can't delete files; you should set up a super user on the OS that you have to log in as to delete. My server has been publicly accessible since the 90s.

 

 

Sent from my iPhone using Tapatalk


jad3675

Set up Cloudflare in front of your Emby instance.

 

https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby

 

Lock down your firewall to only accept tcp/443 connections from the Cloudflare IP ranges. Use the fail2ban Cloudflare integration with monitoring of the Emby logs to ban anyone who tries to brute-force a login. Of course, hide accounts from the login screen.

 

John
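The post above describes a two-part setup: the firewall only admits connections arriving from the proxy's published ranges, and a log watcher bans any client that keeps failing to log in. The block below is an added example, not code from the thread, from Emby or from fail2ban, of the detection half of that, run over a few constructed log lines. The log line format, the IP ranges standing in for Cloudflare's (a real deployment would load the list published at https://www.cloudflare.com/ips-v4) and all addresses are assumptions made for the example. Beyond what the post says, it shows the one edge case such a watcher has to get right behind a proxy: the source address in the log is the proxy's, so the ban must key on the forwarded client address (Cloudflare sends it as `CF-Connecting-IP`), but that header may only be trusted when the connection really came from a proxy range, otherwise anyone connecting directly could set it and get someone else banned. Connections that arrive directly, bypassing the proxy, are reported separately because they indicate the firewall rule from the post is not in place.

```python
"""Added example: a small fail2ban-style watcher over constructed Emby-style
log lines.  Assumptions: the log format below is invented for this example,
and PROXY_RANGES are documentation prefixes standing in for the real
Cloudflare ranges."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO time> AUTH <OK|FAIL> user=<name> src=<peer ip> [cf=<forwarded client ip>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) AUTH (?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+)(?: cf=(?P<cf>\S+))?$"
)

# Stand-in for the proxy's published egress ranges (constructed, not Cloudflare's real list).
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample log: one client hammering bob's account through the proxy,
# one genuine mistake, one direct connection with a spoofed cf= header,
# and one client whose failures are spread too far apart to count together.
SAMPLE_LOG = """\
2019-01-05T10:00:00 AUTH FAIL user=bob src=198.51.100.5 cf=192.0.2.10
2019-01-05T10:00:20 AUTH FAIL user=bob src=198.51.100.5 cf=192.0.2.10
2019-01-05T10:00:40 AUTH FAIL user=admin src=198.51.100.6 cf=192.0.2.10
2019-01-05T10:01:00 AUTH OK user=bob src=198.51.100.7 cf=192.0.2.20
2019-01-05T10:02:00 AUTH FAIL user=bob src=198.51.100.7 cf=192.0.2.20
2019-01-05T10:03:00 AUTH FAIL user=bob src=192.0.2.99 cf=192.0.2.77
2019-01-05T10:00:00 AUTH FAIL user=bob src=203.0.113.9 cf=192.0.2.30
2019-01-05T10:15:00 AUTH FAIL user=bob src=203.0.113.9 cf=192.0.2.30
2019-01-05T10:30:00 AUTH FAIL user=bob src=203.0.113.9 cf=192.0.2.30
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not an auth event."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_from_proxy(ip):
    """True when the TCP peer address belongs to one of the proxy's ranges."""
    return any(ip in net for net in PROXY_RANGES)


def client_ip(ev):
    """The address a ban should apply to.

    Only honour the forwarded address when the peer really is the proxy;
    a direct connection could carry any cf= value it likes."""
    src = ipaddress.ip_address(ev["src"])
    if is_from_proxy(src) and ev["cf"]:
        return ipaddress.ip_address(ev["cf"])
    return src


def analyze(lines, max_fails=3, window_minutes=10):
    """Return (banned, bypass).

    banned: client addresses with at least max_fails failed logins inside a
            sliding window of window_minutes.
    bypass: peer addresses that reached the server without going through the
            proxy ranges, i.e. evidence the firewall lockdown is missing."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # client ip -> timestamps of recent failures
    banned, bypass = set(), set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ipaddress.ip_address(ev["src"])
        if not is_from_proxy(src):
            bypass.add(str(src))
        if ev["result"] != "FAIL":
            continue
        ip = str(client_ip(ev))
        q = recent[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_fails:
            banned.add(ip)
    return banned, bypass


if __name__ == "__main__":
    banned, bypass = analyze(SAMPLE_LOG.splitlines())
    print("ban:", sorted(banned))        # ['192.0.2.10']
    print("bypassed proxy:", sorted(bypass))  # ['192.0.2.99']
```

On the sample data only 192.0.2.10 reaches three failures within ten minutes; the direct connection from 192.0.2.99 is counted against itself, not against the 192.0.2.77 it claimed in cf=, and is flagged as a proxy bypass. Widening the window to an hour also catches 192.0.2.30, whose three failures are fifteen minutes apart, which is the trade-off a slow, patient guessing campaign forces on the window size. In a real deployment the ban itself would be pushed to the firewall or to the proxy (the post's fail2ban Cloudflare integration does the latter), since blocking the proxy's own address at the host would cut off every legitimate user behind it.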


BAlGaInTl

Set up Cloudflare in front of your Emby instance.

 

https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby

 

Lock down your firewall to only accept tcp/443 connections from the Cloudflare IP ranges. Use the fail2ban Cloudflare integration with monitoring of the Emby logs to ban anyone who tries to brute-force a login. Of course, hide accounts from the login screen.

 

John

Cloudflare is going to be my next step, I think. I'm currently working on fail2ban. Is that going to be different when I direct through Cloudflare?


Deathsquirrel

That's a bit on the paranoid side, no? It's like saying: I'm worried a burglar will break into my house, so I built my house on 50-foot stilts and the only way into my house is via helicopter. There should be a balance between paranoid and normal use. If you are a true target I would just drive up to your house and crack your WiFi.

 

Depends on your needs.  Most people don't need a public server and also aren't remotely qualified to run one.  CD01's suggestion is probably the easiest by far for most users to safely maintain.


Guest asrequested

Meh, who cares if someone gets access to my Emby server. The IP will pop up, then I'll add it to the blacklist. I'm more concerned with protecting the big hole we make when port forwarding. You're rarely (if ever) going to get someone logging in that you don't want. Spend your time protecting your network. Punching a hole in your firewall is a much bigger concern.

Edited by Doofus

rbjtech

Exactly ... proper internet security consists of network 'layers', with each layer being a set of acknowledged compromises: your innermost layer being the data that you guard the most (and that has the most security), and the outermost layer (commonly known as the DMZ) being the layer which, if hacked, you couldn't really care less about and almost 'expect' to be hacked.

 

If you put the Emby server in the 'DMZ' but the data/media as read-only in lower layers, then you get the best of both worlds: if an exploit is found in the Emby core web code, it's annoying but not destructive, as your 'data' is protected by many other methods and thus is not compromised.

 

The Emby devs have a tough job of balancing these compromises, as 'we' want it easy to install and to just 'work', but imho it's currently a little too soft for me. The defaults should be no 'WAN' access without explicitly enforcing DECENT passwords on all the accounts and a clear 'tick box' agreeing that the Administrator understands the risks associated with what they are doing, i.e. hosting their IP address open (non-SSL) to the entire world.


BAlGaInTl

What does an SSL actually do, in practical terms?

SSL = Secure Sockets Layer

 

It basically creates an encrypted link between a server and a client so that the data that is passed can't be easily intercepted somewhere in the middle. It keeps things like usernames, passwords, and even traffic (to some extent) secure.


rbjtech

What does an SSL actually do, in practical terms?

 

It encrypts the data connection between the client and the server. For Emby the most important part of this is the authentication, i.e. the logon stage where your password is passed to the server. Without an SSL connection, this will be in plain text and available to anyone snooping the network. It will also allow manipulation of the HTTP, with possible nasty consequences. Snooping the media stream is really of no importance tbh (imo).

 

On a more positive note: a properly configured SSL connection to Emby is of equal strength to your banking website (!), but while the encryption algorithm is currently unbreakable, it's the software (Emby or whatever web server is used) which is the current weak point in the entire chain.


crusher11

So how does one go about setting that up? I tried following the guide in the Wiki, but when I tried to do the manual validation it didn't work. And then Freenom sent me an email to say I had to use the domain for a website or they'd delete it.


BAlGaInTl

So how does one go about setting that up? I tried following the guide in the Wiki, but when I tried to do the manual validation it didn't work. And then Freenom sent me an email to say I had to use the domain for a website or they'd delete it.

What guidance are you following exactly? Link?

 

What specifically is going wrong?
