
Better login security


Ninko

It would be great if we could set a maximum number of failed login attempts within a certain time and then have that ip address blocked.

  • Like 6

  • 10 months later...
MikeB111

I'd like to add my vote for this.  I looked into IPBan or fail2ban but they were a bit beyond my skill level.


To my understanding, the real risk here is that Emby is susceptible to brute force password attacks.  Someone just hitting my server over and over with password attempts until they guess the password correctly.  Strong passwords make this more difficult, but there is a balance between password strength and usability (and that line moves depending on the user).


Banning by IP is a great idea.  If Emby could implement something like this that'd be awesome!  But I can also see how this could be challenging to manage.  Perhaps I could propose an alternative...


There would be a real security benefit to just adding a time delay after a number of failed login attempts.  I'm not talking about tracking client IP addresses, just counting failed login attempts.  For example, if a user has 3 failed login attempts within 5 minutes, then that user account is locked for 5 minutes.  This essentially makes it impossible to brute-force attack a password because it would slow down the number of attempts that can be made.  But it also automatically resets itself so there would be no issue managing IP blacklists or anything like that.  Just wait 5 minutes and everything works again.  If you block by user, then one user getting locked out would not stop any other user from successfully using the server, so you minimize the impact to others.  And I would think it'd be pretty easy to implement.  No need to keep track of IP addresses or anything like that, just count failed attempts and compare timestamps.  Make it a single check-box on the Network tab, "Enable 5-minute timeout after 3 failed login attempts" so users could disable it if they want, nothing to manage, no additional settings, easy!


Anyways, something like this would GREATLY improve the security of servers exposed to the internet.  Just a thought for your consideration...


Thanks!

  • Like 2

Why post a link to a very questionable and complicated system like fail2ban instead of Emby getting simple and basic stuff like security right? I like the simple yet effective proposition of MikeB111.

Edited by acnp77

Questionable? Fail2ban secures a large portion of the internet's infrastructure, it's the de facto method for providing the same protection for Linux services all around the world .. it's more effective and secure to reject/drop abusers at the network level and shield that software, and any other software running on the same host, from those interested in brute forcing into it.. when/if Emby implements such a feature, I'll still be relying on Fail2Ban because it's not let me down in the 16 years I've been using it to keep production servers safe.


It's not that complicated, it's just flexible.. much like Emby is.. but the link I posted takes all that away, just follow the instructions and in a few mins you've got the protection you seek.. it's not really any more complicated than running a big media server on Linux.. Or don't, but IMHO if you don't care enough to figure it out then your Emby server's security is not really all that important to you.. for those who want this protection today, check out the link I posted.. for those who just want to run internet exposed services securely without the complications of depending on readily available and proven software, well good luck with that strategy.. Getting SSL going has to be 'very questionable and complicated' given the same standards.


I didn't post the link to take away from the OP's request, I posted it because it's a more complete piece of documentation that can get you this functionality today.. but I guess you guys don't really want this functionality bad enough.

  • Like 1

Ok, thanks for your input. You address some good points. I guess I will have to look into this further as it is important to me and I am ready to learn...


All I wanted to say is that I think Emby should have some simple security features implemented.


Thanks


MikeB111

Thanks for the info on fail2ban.  Unfortunately, I'm running my server on a Windows computer and I understand that fail2ban is Linux only... Looks like IPBan works with Windows, sounds like I should spend some time figuring it out...


But I did read through your how-to post and it got me thinking. 


Instead of blocking a user from logging in after a number of failed attempts, you are right that it would be much better to block an IP.  That way they still get blocked if they try logging in with an invalid user name.  So something like, after 3 unsuccessful login attempts (or maybe 5 unsuccessful attempts, not sure what would be best) that IP is blocked for 5 minutes.


This is probably what the author of the first post in this thread meant also.  In my mind when I read his post I was thinking that the IP address would get added to some blacklist that would have to be managed and this seems like it could cause problems for the less computer savvy users and would be harder to implement.  But just banning the IP address for 5 minutes would be almost as effective, certainly it would make it impractical for anyone to brute-force through the login.  And there would be no blacklists to manage.  If a legitimate user gets blocked, they just wait 5 minutes and everything is working again. 


I still think it'd be good to be able to enable or disable this feature in settings but a simple checkbox does the trick and it should be enabled by default.


Anyways, good conversation, thanks everyone!  Hopefully something like this can make its way into Emby in the near future.

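The lockout logic described in this thread (MikeB111's per-account count of 3 failures in 5 minutes, and the per-IP variant from his later post), written out as an added example that is not part of this thread or of Emby's own code. The class and function names are mine; the key passed in is either a username or a client IP, and all state expires on its own, so there is no blacklist to manage:

```python
import time
from collections import deque

class LoginThrottle:
    """Per-key sliding-window failed-login counter with a temporary lockout. The
    key is a username (per-account lockout) or a client IP (per-IP lockout)."""

    def __init__(self, max_failures=3, window=300, lockout=300, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock             # injectable so tests can fake time
        self._failures = {}            # key -> deque of failure timestamps
        self._locked_until = {}        # key -> clock time when the lock expires

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:      # lock expired: forget it and the failures
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key):
        """Register one failed attempt; return True if it triggered a lock."""
        now = self.clock()
        hits = self._failures.setdefault(key, deque())
        hits.append(now)
        while hits and now - hits[0] > self.window:   # drop failures outside window
            hits.popleft()
        if len(hits) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            hits.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)  # a good login resets the counter

def attempt_login(throttle, key, password_ok):
    """Gate one login: 'locked', 'ok' or 'fail'. The lock is checked before the
    password, so a locked key is rejected even with the right credential."""
    if throttle.is_locked(key):
        return "locked"
    if password_ok:
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "fail"
```

Checking the lock before the password is the detail that matters: a locked key must be refused even when the guess happens to be right, otherwise the lockout only slows an attacker down rather than stopping the guess from succeeding.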

  • 4 years later...
  • Solution
rbjtech
Posted (edited)

This was implemented last year following the security incident - Emby already blocks failed login IPs after I believe 10 attempts for a period of time - thus preventing/slowing any possible brute force attempts.  This is now in the 4.8 Release.

see - https://emby.media/community/index.php?/topic/122020-48048-user-auth-brute-force-password-lockout-feedback/#comment-1286522

btw - updating this as @ebr sent somebody here for a new FR.

Edited by rbjtech
  • Like 1
