Server security compromised?


PoBear

rbjtech

If we require a password for remote access, then isn't that just redundant complications??

 

Not at all - if you have no need to administer the server remotely, then why put your admin account up for possible abuse?

 

tbh - this is all cyber industry standard 'best practice' - we are not making this up... ;)


BAlGaInTl

If we require a password for remote access, then isn't that just redundant complications??

Yes and No.

 

It is redundant, but redundancies are sometimes good.


Senna

So in what way can Emby users with remote access enabled (secured with SSL or not, etc.) prevent sites like Shodan or Censys from collecting user data of remote IPs with Emby running?

 

What Censys/Shodan also returns for an Emby query is this (Censys example):

 

[screenshot: Censys search result for an Emby server]

 

@ebr & @Luke

So it's like an Emby flag on the internet, saying "here I am". Is there anything Emby devs can do to not give such an obvious return for the page title or anything else that loads for the login screen?

 

 

 


PoBear

I can't remember if my users had passwords or not but they were originally created on a version of Media Browser where remote access was not an option! I did not enable remote access and have never had a need for the facility.

 

So one of the things that should be changed is enabling this option by default.

Edited by PoBear

anthonylavado

@Luke - I realize you probably get a lot of messages, but can we chat about this thread?

Thanks  :)


Fr4nsson

I am sorry to say... same exact thing to my Emby server... same 2 culprits.

Do you have passwords on users, and are they visible at the login screen?


We're going to make some changes for the upcoming 4.1 release:

  • We will split the "hide user from login screens" setting into two settings, one for the local network, one for remote connections. For remote connections this will be hidden by default.
  • Admin users will need to have passwords

You can preemptively make these changes and protect yourself by hiding users from login screens, as well as making sure your admin users have passwords. Thanks guys.


chef

So in what way can Emby users with remote access enabled (secured with SSL or not, etc.) prevent sites like Shodan or Censys from collecting user data of remote IPs with Emby running?

 

What Censys/Shodan also returns for an Emby query is this (Censys example):

 

[screenshot: Censys search result for an Emby server]

 

@ebr & @Luke

So it's like an Emby flag on the internet, saying "here I am". Is there anything Emby devs can do to not give such an obvious return for the page title or anything else that loads for the login screen?

That's interesting,

So that request from Censys is hitting Emby's endpoint when searching for UPnP, but how is it figuring out it is Emby?

 

Is it grabbing page titles? Like the login page title?

 

Or is it recognizing the returned UPnP request data as belonging to Emby?

 

If it is looking at page titles for the login, then make the login page titles customizable for the admin users.

 

 

 

 

 

Maybe Emby needs to create a login attempt system that locks down the user's login after failed attempts.

 

I know fail2ban is an option, but maybe Emby needs to incorporate a similar system.

 

Then the admin could enable login attempts after being alerted to numerous failed attempts.

 

 

I've been hacked before and it's not fun.

Edited by chef

KMBanana

You can obfuscate a little bit from Shodan/Censys with a reverse proxy; scanning your IP and port 443 will show nginx or whatever instead of Emby.

 

Scanning domains does happen but not to the same degree; you might get some tiny benefit from avoiding putting Emby on the root of your domain or using emby.domain.com.


chef

But upon some more public API data requests without logging in, there isn't a whole lot of public info that any 'hack' can get from the login page.

 

This is definitely a password issue.

 

You gotta use strong passwords, and ... use passwords.


Spaceboy

You can obfuscate a little bit from Shodan/Censys with a reverse proxy; scanning your IP and port 443 will show nginx or whatever instead of Emby.

 

Scanning domains does happen but not to the same degree; you might get some tiny benefit from avoiding putting Emby on the root of your domain or using emby.domain.com.

I found a guy that lives close to me that is using nginx, but you can still find him by searching on Emby. It shows me he is using port 443 and I can click straight through to his login page.

 

I may pop round and tell him!

 

He probably hasn't enabled all the security options in nginx, as I also use it and am not listed on Shodan.


KMBanana

I found a guy that lives close to me that is using nginx, but you can still find him by searching on Emby. It shows me he is using port 443 and I can click straight through to his login page.

 

I may pop round and tell him!

 

He probably hasn't enabled all the security options in nginx, as I also use it and am not listed on Shodan.

I think this should only happen if your default site in the site config is Emby.


You can obfuscate a little bit from Shodan/Censys with a reverse proxy; scanning your IP and port 443 will show nginx or whatever instead of Emby.

 

Scanning domains does happen but not to the same degree; you might get some tiny benefit from avoiding putting Emby on the root of your domain or using emby.domain.com.

 

Using a port other than 443 (or the standard Emby ports) is also a good start. There is really no need to use 'standard' ports unless you have some kind of remote access restriction (i.e. a corporate firewall that doesn't allow non-standard ports) - disable UPnP, pick a random port and forward that instead (and update your local config to match). Everything will still work; it just makes it a bit harder to remotely ID what you have running. I think Shodan etc. only scans for common services (HTTP / HTTPS / SSH etc.) rather than doing a full port scan, so you probably won't show up as running Emby anymore. Looking on Shodan at my server doesn't show me as running either Plex or Emby on non-standard ports...

 

Likewise, if you are using a reverse proxy, you can put a block on requests to '/' - by default, if you go to the root, it helpfully redirects you to the Emby login page (which may helpfully suggest a list of users you can log in as!). If you block '/' then you have to *know* to connect to /emby/ in order to get any useful information. This will stop a lot of the sites like Shodan and also a lot of script kiddies from identifying what service you have running behind that port. I have a feeling that may break Emby Connect though...


Also got hacked by the same user.

 

This is the hacker's public IP I found in the log: 172.58.7.95

 

 

Saw this in the log as well; it shows his email and the username created:

2019-04-01 22:48:43.824 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=DarkRider
2019-04-01 22:49:10.902 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=skywireless31063@gmail.com
2019-04-01 22:49:59.961 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=skywireless31063@gmail.com
2019-04-01 22:50:46.763 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=DarkRider
2019-04-01 22:50:46.915 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=DarkRider
2019-04-01 22:51:18.946 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=droidman68@gmail.com
2019-04-01 22:58:58.830 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=chancehall61@gmail.com
2019-04-01 22:59:33.660 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=skywireless31063@gmail.com
2019-04-01 23:06:20.174 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=skywireless31063@gmail.com
2019-04-01 23:07:52.133 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=droidman68@gmail.com
Edited by chi88
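The log lines chi88 posted are the kind of indicator an admin can scan for on their own server: Emby Connect account lookups for names or e-mail addresses the admin never linked. The script below is an added example, not Emby code or a tool from the project. It parses lines in the format shown above, decodes the `nameOrEmail` query parameter, and reports every identity that is not on the admin's known list with a count and first/last seen time. The sample log and the identities in it are constructed placeholders, not the values from the thread.

```python
"""Scan an Emby server log for Emby Connect account lookups the admin did not make.
Added example (not Emby code). The line format follows the lines quoted in the thread;
the sample log and identities below are constructed placeholders."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Matches the HttpClient lines Emby writes when it looks up an Emby Connect
# account by name or e-mail (the format seen in the thread's logs).
CONNECT_LOOKUP = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"Info HttpClient: GET (?P<url>https://connect\.emby\.media/service/user\?\S+)$"
)

# Constructed sample log: one lookup the admin really made ("alice", once with
# different capitalisation), plus repeated lookups for identities the admin never
# linked. The first line is unrelated noise that the regex must ignore.
SAMPLE_LOG = """\
2019-04-01 22:40:12.001 Info HttpServer: HTTP GET http://192.0.2.10:8096/emby/System/Info/Public
2019-04-01 22:48:43.824 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=alice
2019-04-01 22:49:10.902 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=unknown-handle
2019-04-01 22:49:59.961 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=someone%40example.com
2019-04-01 22:50:46.763 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=unknown-handle
2019-04-01 22:51:18.946 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=Alice
"""


def parse_connect_lookups(lines):
    """Yield (timestamp, identity) for each Connect user lookup found in the log."""
    for line in lines:
        m = CONNECT_LOOKUP.match(line.strip())
        if not m:
            continue
        # parse_qs also URL-decodes, so "%40" becomes "@"
        query = parse_qs(urlsplit(m.group("url")).query)
        identity = query.get("nameOrEmail", [None])[0]
        if identity is None:
            continue
        yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"), identity


def unexpected_lookups(lines, known_identities):
    """Return {identity: {"count", "first_seen", "last_seen"}} for every looked-up
    Connect identity that is not in the admin's known list (case-insensitive)."""
    known = {k.lower() for k in known_identities}
    report = {}
    for ts, identity in parse_connect_lookups(lines):
        if identity.lower() in known:
            continue
        entry = report.setdefault(identity, {"count": 0, "first_seen": ts, "last_seen": ts})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return report


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/path/to/embyserver.txt") and the list with
    # the Connect accounts you actually linked.
    hits = unexpected_lookups(SAMPLE_LOG.splitlines(), known_identities=["alice"])
    for identity, info in sorted(hits.items()):
        print(f"{identity}: {info['count']} lookup(s), "
              f"first {info['first_seen']}, last {info['last_seen']}")
```

A hit in this report does not by itself prove a compromise, but on a server where the admin did not add or link any Connect account at those times it is exactly the evidence Happy2Play asks to have sent to the developers, with the timestamps ready to correlate against the web server's access log.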

Happy2Play

 

Also got hacked by the same user.

 

This is the hacker's public IP I found in the log: 172.58.7.95

 

 

Saw this in the log as well; it shows his email and the username created:

2019-04-01 22:48:43.824 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=DarkRider
2019-04-01 22:49:10.902 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=skywireless31063@gmail.com
2019-04-01 22:49:59.961 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=skywireless31063@gmail.com
2019-04-01 22:50:46.763 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=DarkRider
2019-04-01 22:50:46.915 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=DarkRider
2019-04-01 22:51:18.946 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=droidman68@gmail.com
2019-04-01 22:58:58.830 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=chancehall61@gmail.com
2019-04-01 22:59:33.660 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=skywireless31063@gmail.com
2019-04-01 23:06:20.174 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=skywireless31063@gmail.com
2019-04-01 23:07:52.133 Info HttpClient: GET https://connect.emby.media/service/user?nameOrEmail=droidman68@gmail.com

 

Please PM the log to @Luke.


runtimesandbox

I would think it is too hard port scanning to see who has Emby's default port open.

 

This is really easy to do with free tools available online, one such being Shodan. A simple search for "Emby" reveals a boatload:

https://www.shodan.io/search?query=emby&page=2

 

My guess would be that people are using wordlists of the most used passwords from the latest data breaches to brute-force weak passwords.

Does the Emby login have any form of rate limiting, @Luke?

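Chef's suggestion of a built-in lockout after repeated failures and runtimesandbox's question about rate limiting describe the same control. The class below is an added example written for this thread, not Emby server code, showing one sound way to implement it: failures are counted per (username, source IP) pair inside a sliding window, the pair is locked for a fixed period once the threshold is crossed, and each lockout is recorded so an admin can be alerted. Thresholds, IPs and the sample attempts are constructed; the credential check itself is assumed to happen outside the class.

```python
"""Per-user, per-source login lockout of the kind proposed in the thread.
Added Python illustration, not Emby server code. Thresholds and sample values
are constructed; the password check is assumed to happen elsewhere."""
from collections import deque
import time


class LoginGuard:
    """Count failed logins in a sliding window and lock the (user, source IP)
    pair once the threshold is crossed.

    Keying on the pair matters: keying on the username alone lets anyone who
    knows a name lock the real owner out, and keying on the IP alone does little
    against an attacker on a dynamic mobile range (the T-Mobile case in the thread).
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # (user, ip) -> deque of failure timestamps
        self._locked_until = {}  # (user, ip) -> time the lockout expires
        self.alerts = []         # (user, ip, when) per lockout; an admin notification hook would read this

    @staticmethod
    def _key(user, ip):
        return user.lower(), ip  # usernames compared case-insensitively

    def is_locked(self, user, ip, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(self._key(user, ip))
        return until is not None and now < until

    def record_failure(self, user, ip, now=None):
        """Record one failed attempt; return True if it triggered a lockout."""
        now = time.time() if now is None else now
        key = self._key(user, ip)
        failures = self._failures.setdefault(key, deque())
        failures.append(now)
        # drop failures that have aged out of the sliding window
        while failures and now - failures[0] > self.window_seconds:
            failures.popleft()
        if len(failures) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            failures.clear()
            self.alerts.append((user, ip, now))
            return True
        return False

    def attempt(self, user, ip, credentials_ok, now=None):
        """Outcome of one login attempt: "locked", "ok" or "failed".

        In a real server, call is_locked() before doing the password comparison
        so that a locked pair costs no hashing work; here the caller passes the
        result of its own credential check."""
        now = time.time() if now is None else now
        if self.is_locked(user, ip, now):
            return "locked"
        if credentials_ok:
            self._failures.pop(self._key(user, ip), None)  # a success resets the counter
            return "ok"
        return "locked" if self.record_failure(user, ip, now) else "failed"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, window_seconds=60, lockout_seconds=600)
    for t in (0, 10, 20, 30):  # constructed attempts with wrong credentials
        print(t, guard.attempt("admin", "203.0.113.5", credentials_ok=False, now=t))
    print("alerts:", guard.alerts)
```

Because the lock is scoped to the (user, IP) pair, a legitimate owner on another address is not locked out by someone else's guessing, and because the lock expires on its own the admin only needs to act on the alert. Such a lockout complements, rather than replaces, the password requirement discussed earlier: as Happy2Play notes, logs with no failed attempts point to a missing password or a known one, which no rate limit can fix.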

My password is not weak by any means. It wasn't brute-forced; the logs don't show any authentication fail attempts. He is exploiting the server or has a backdoor or something.

 

I have Let's Encrypt and nginx doing the reverse proxy.


Happy2Play

I'm gonna blacklist that IP

 

It is a T-Mobile IP, so I would guess they are not static, as that is different from the one from the OP in this topic.


runtimesandbox

You can obfuscate a little bit from Shodan/Censys with a reverse proxy; scanning your IP and port 443 will show nginx or whatever instead of Emby.

 

Scanning domains does happen but not to the same degree; you might get some tiny benefit from avoiding putting Emby on the root of your domain or using emby.domain.com.

 

If you are using a reverse proxy, you can incorporate code to block by "user agents". This will help filter out a lot of stuff that will scan you like Shodan and Censys (obviously it's not foolproof).

 

If anyone has been hacked and is behind a reverse proxy, can you get the access logs from nginx? It would be quite interesting to see what user agent is supplied and whether this is some kind of script kiddie with a python script. 


Happy2Play

Logs shown so far have not shown any failed authentication attempts that I have seen, so either there is no password or they know your existing password.


runtimesandbox

It is a T-Mobile IP, so I would guess they are not static, as that is different from the one from the OP in this topic.

 

T-Mobile is very likely a dynamically changing IP address. It's also trivial to change the IP address.


Guest asrequested

It is a T-Mobile IP, so I would guess they are not static, as that is different from the one from the OP in this topic.

Yeah, I considered that, but I've added both IPs anyway. I've got pfSense blocking failed attempts, too. When I get a chance, I'll look at its logs and see if there's anything there. I imagine the VPN is hiding everything, too. But I'm following this with interest.
