Senna (posted April 2, 2019):
You can obfuscate a little bit from Shodan/Censys with a reverse proxy; scanning your IP and port 443 will show nginx or whatever instead of Emby. Censys scans this:
rbjtech (posted April 2, 2019):
[quoting an earlier post] My password is not weak by any means. It wasn't brute forced; the logs don't show any authentication fail attempts. He is exploiting the server or has a backdoor or something. I have Let's Encrypt and nginx doing the reverse proxy.
Is your password for Emby unique - have you used it before elsewhere? If yes, then it's highly likely in a breach database somewhere. If not, then this is worrying...
m326697 (posted April 2, 2019):
Team, I am a newbie at this. Although I am pretty knowledgeable with computers, security is not my thing. Is it possible to come up with a tutorial for setting up a secure server? I do not use Emby outside my house. Some step-by-step scenarios for people who use Emby strictly at home and for remote users. I think this would help a lot and calm everyone's fears. Thank you Luke for the coming changes. Regards, MT
vaise (posted April 2, 2019):
I only use subdomains on nginx. Nginx's default is to send back a 403, should anything scan. The home firewall blocks Shodan stuff just in case, along with lots more. The Cloudflare firewall blocks all countries except mine (Australia) for access (just add the ones you want). Cloudflare only allows their IPs; anything else gets a 403. No cost for any of this stuff - just the free account.
pir8radio (posted April 2, 2019):
That's interesting. So that request from Censys is hitting Emby's endpoint when searching for UPnP, but how is it figuring out it is Emby? Is it grabbing page titles, like the login page title? Or is it recognizing the returned UPnP request data as belonging to Emby? If it is looking at page titles for the login, then make the login page titles customizable for the admin users.
Maybe Emby needs to create a login attempt system that locks down the user's login after failed attempts. I know fail2ban is an option, but maybe Emby needs to incorporate a similar system. Then the admin could enable login attempts after being alerted to numerous failed attempts. I've been hacked before and it's not fun.
[quoting Senna] You can obfuscate a little bit from Shodan/Censys with a reverse proxy; scanning your IP and port 443 will show nginx or whatever instead of Emby.
Scanning domains does happen but not to the same degree; you might get some tiny benefit avoiding putting Emby on the root of your domain or using emby.domain.com. There is no way for the Emby team to stop this. Censys can search for ANY source on a landing page, like a particular script, or a logo, or the copyright line; there will always be something unique to any login screen or landing page, and that will allow Censys to run a search.
Look, I think the Emby team setting up remote access blocks for admin users that don't have passwords set is a good out-of-the-box start. That's how the majority of these are happening... no admin password; they think because they set a PIN or Emby Connect login that the account has a password set.
vaise (posted April 2, 2019):
[quoting m326697] Team, I am a newbie at this. Although I am pretty knowledgeable with computers, security is not my thing. Is it possible to come up with a tutorial for setting up a secure server? I do not use Emby outside my house. Some step-by-step scenarios for people who use Emby strictly at home and for remote users. I think this would help a lot and calm everyone's fears. Thank you Luke for the coming changes. Regards, MT
You should be pretty safe if not using Emby outside your house. There won't be any port forwarding to your Emby server from the internet, and the router should do a good job of not allowing WAN connections that did not get requested from your LAN. You should make sure UPnP is OFF in your router, keep its firmware up to date in case of new exploits, and make sure no WAN administration is allowed (don't be tempted to tick that stuff - asking for trouble). That's the basics for any home router though, imho. It is when people allow remote users to connect that the issues occur. Just opening a port to Emby on your router can work to get remote access for your friends and family - but that alone is just asking for trouble. Many posts on that here, with many people stating a basic minimum if you allow remote.
chef (posted April 2, 2019):
[quoting an earlier post] My password is not weak by any means. It wasn't brute forced; the logs don't show any authentication fail attempts. He is exploiting the server or has a backdoor or something. I have Let's Encrypt and nginx doing the reverse proxy.
That's weird. No failed login attempts, unless they cleaned up after themselves before logging out. Any missing time in the logs? I wouldn't use the web browser to hack an Emby account. I'd build a console app that attempted logins through the API, over and over, until I received an access token. Then I'd save the access token and log in through a web browser. There's no finesse there. Is there anything like that happening somewhere in your logs?
laxus (posted April 3, 2019):
Also been compromised. Just went to log in to my account and user accounts were replaced with one called "Darkrider".
Guest asrequested (posted April 3, 2019):
It would appear that I'm hidden. At least I can't find my server on Shodan. The VPN seems to be doing what it's supposed to.
chef (posted April 3, 2019):
[quoting laxus] Also been compromised. Just went to log in to my account and user accounts were replaced with one called "Darkrider".
What was your setup like? Any reverse proxies? Were your admin accounts password protected?
laxus (posted April 3, 2019):
[quoting chef] What was your setup like? Any reverse proxies? Were your admin accounts password protected?
Nope, no reverse proxies, and yeah, accounts were password protected; I can see the login attempts in the logs. Have completely uninstalled, deleted appdata, reinstalled and disabled remote connections for now. I am the only one who uses the server anyway in my home.
runtimesandbox (posted April 3, 2019):
[quoting laxus] Nope, no reverse proxies, and yeah, accounts were password protected; I can see the login attempts in the logs. Have completely uninstalled, deleted appdata, reinstalled and disabled remote connections for now. I am the only one who uses the server anyway in my home.
Login attempts? Were there a lot of failed login attempts?
pir8radio (posted April 3, 2019):
[quoting laxus] Nope, no reverse proxies, and yeah, accounts were password protected; I can see the login attempts in the logs. Have completely uninstalled, deleted appdata, reinstalled and disabled remote connections for now. I am the only one who uses the server anyway in my home.
Was your password complex? And you say it was password protected; was it the same login info used here for the forums?
pir8radio (posted April 3, 2019, edited):
Also, the skid hasn't done anything on any of these servers, like delete media. Sounds like a political move, an attempt to smear Emby's reputation. Probably an affiliate of a competing product behind this. It serves no other purpose to mass-compromise systems other than to bring awareness to it. An actual hacker would be doing this under the radar, leaving your accounts intact, downloading your media, and leaving little to no breadcrumbs behind. Need to find the hole and plug it.
chef (posted April 3, 2019):
[quoting pir8radio] Also, the skid hasn't done anything on any of these servers, like delete media. Sounds like a political move, an attempt to smear Emby's reputation. Probably an affiliate of a competing product behind this. It serves no other purpose to mass-compromise systems other than to bring awareness to it. An actual hacker would be doing this under the radar, leaving your accounts intact, downloading your media, and leaving little to no breadcrumbs behind. Need to find the hole and plug it.
Definitely. The good news is that instead of smearing us, by bringing attention to it, it'll help us better security. It was a favor in the end.
ebr (posted April 3, 2019):
[quoting pir8radio] Need to find the hole and plug it.
Make sure your local users have passwords. So far, that is the "hole" we've discovered.
Spyderturbo007 (posted April 3, 2019):
I'm not a security guy by any means, but my Synology has an AutoBlock feature. If you fail the login "X" times in "X" minutes, your IP gets blacklisted. Would that be an option for Emby to add? The scary part is that people are getting hacked without any failed login attempts!
chef (posted April 3, 2019):
[quoting Spyderturbo007] I'm not a security guy by any means, but my Synology has an AutoBlock feature. If you fail the login "X" times in "X" minutes, your IP gets blacklisted. Would that be an option for Emby to add? The scary part is that people are getting hacked without any failed login attempts!
That sounds like a plug-in idea. To create the blacklist.
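The AutoBlock behaviour discussed in the last few posts (fail X times in X minutes, then the source IP is blocked), and the fail2ban-style lockout pir8radio asked for earlier, amount to a sliding-window counter over authentication events. The following is an added example, not Emby's code and not a plug-in from this thread. It replays log lines through that counter and reports which IPs would have been blocked. The log lines and their format (timestamp, AUTH_FAIL/AUTH_OK, user, ip) are constructed for the example and are not Emby's real log format; the threshold, window and block duration are assumed defaults. The sample also contains a low-and-slow attacker (one failure every 25 minutes), which a 10-minute window never catches but a 2-hour window does, so the replay can be run with both to see the trade-off.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified, hypothetical format.
# This is NOT Emby's real log format; it only carries the fields a
# lockout rule needs. 203.0.113.10 is a fast brute-force; 198.51.100.7
# is a slow one (one failure every ~25 minutes).
SAMPLE_LOG = """\
2019-04-02 10:15:01 AUTH_FAIL user=admin ip=203.0.113.10
2019-04-02 10:15:03 AUTH_FAIL user=admin ip=203.0.113.10
2019-04-02 10:15:04 AUTH_FAIL user=admin ip=203.0.113.10
2019-04-02 10:15:06 AUTH_FAIL user=admin ip=203.0.113.10
2019-04-02 10:15:09 AUTH_FAIL user=admin ip=203.0.113.10
2019-04-02 10:15:10 AUTH_OK   user=admin ip=203.0.113.10
2019-04-02 10:20:00 AUTH_FAIL user=alice ip=198.51.100.7
2019-04-02 10:40:00 AUTH_FAIL user=alice ip=198.51.100.7
2019-04-02 11:05:00 AUTH_FAIL user=alice ip=198.51.100.7
2019-04-02 11:30:00 AUTH_FAIL user=alice ip=198.51.100.7
2019-04-02 11:55:00 AUTH_FAIL user=alice ip=198.51.100.7
2019-04-02 12:00:00 AUTH_OK   user=bob   ip=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>AUTH_FAIL|AUTH_OK)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["event"], m["user"], m["ip"]


class AutoBlock:
    """Sliding-window lockout keyed on source IP.

    An IP that produces `max_failures` AUTH_FAIL events within `window`
    is blocked for `block_for`. While blocked, every request from that IP
    is rejected before authentication, so a later correct guess does not
    get through. A successful login clears the IP's failure counter.
    """

    def __init__(self, max_failures, window, block_for):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> datetime the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # block expired; forget it
            del self.blocked_until[ip]
            return False
        return True

    def handle(self, ts, event, ip):
        """Return 'reject' (IP already blocked), 'block' (this event
        triggered a new block) or 'allow'."""
        if self.is_blocked(ip, ts):
            return "reject"
        if event == "AUTH_OK":
            self.failures.pop(ip, None)
            return "allow"
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[ip] = ts + self.block_for
            q.clear()
            return "block"
        return "allow"


def replay(log_text, max_failures=5, window_minutes=10, block_minutes=60):
    """Run a log through AutoBlock. Returns (blocked, rejected) where
    blocked is a list of (ip, iso_timestamp) block events and rejected is
    the number of requests that arrived while their IP was blocked."""
    ab = AutoBlock(max_failures, timedelta(minutes=window_minutes),
                   timedelta(minutes=block_minutes))
    blocked, rejected = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, _user, ip = rec
        verdict = ab.handle(ts, event, ip)
        if verdict == "block":
            blocked.append((ip, ts.isoformat()))
        elif verdict == "reject":
            rejected += 1
    return blocked, rejected


if __name__ == "__main__":
    print("10-minute window:", replay(SAMPLE_LOG))
    print("2-hour window:  ", replay(SAMPLE_LOG, window_minutes=120))
```

Two caveats a practitioner would want alongside this. First, keying on source IP only works if the server sees the real client address: behind the nginx or Cloudflare reverse proxies mentioned above, every request arrives from the proxy, so the block must be applied at the proxy (or from a forwarded-for header the proxy is trusted to set), otherwise one attacker locks out everybody. Second, an IP-based block does nothing against the case several people in this thread report, a compromise with no failed attempts in the log; it limits guessing, it does not substitute for a non-blank, unique password on every account.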
vaise (posted April 3, 2019):
Add logic so you can't allow remote access if the password is blank, maybe?
Spyderturbo007 (posted April 3, 2019):
I see a notification that says "User Locked Out", but nowhere to specify what causes a user to be locked out. Another useful notification might be an authentication failure?
ebr (posted April 3, 2019):
[quoting Spyderturbo007] The scary part is that people are getting hacked without any failed login attempts!
Make sure your local users have passwords. So far, that is the "hole" we've discovered.
pir8radio (posted April 3, 2019, edited):
This topic was marked as fixed or best answer for adding the ability to hide users from the login page, but doesn't the API give up a list of known users? Or are they hidden in there as well? Someone using a script is probably going to use that interface? Also, I haven't tried it, but what's to stop me from using a user ID hash and token from the logs shared on the site?
chef (posted April 3, 2019, edited):
[quoting pir8radio] This topic was marked as fixed or best answer for adding the ability to hide users from the login page, but doesn't the API give up a list of known users? Or are they hidden in there as well? Someone using a script is probably going to use that interface?
I'm pretty sure that if the user is hidden on the login screen they don't appear under the public user DTO. You'll only be able to access the API with a token, which is granted by authenticating a user. So their hash wouldn't grant access, only user data with an access token.
ebr (posted April 3, 2019):
[quoting chef] I'm pretty sure that if the user is hidden on the login screen they don't appear under the public user DTO. You'll only be able to access the API with a token, which is granted by authenticating a user. So their hash wouldn't grant access, only user data with an access token.
This is correct.
anthonylavado (posted April 3, 2019):
On behalf of other software, I would just like to thank @ebr and @Luke for responding to some questions of ours, in the interest of protecting all users. Safety and security are important for all - and we don't knowingly engage in, nor do we condone, any attempts to access other users' info. Thanks.