Luke (posted April 1, 2019):
I think it is best to avoid posting any identifying information publicly, so please send these types of things to me over PM. The best way to avoid this is to ensure that your admin users have strong passwords. Thanks.
m326697 (posted April 1, 2019):
True, a strong password is a must. But this was an attack on a couple of users from the same attacker. I find this strange. Just curious, to the folks that had their accounts compromised, are you using the Emby App on another device like a Firestick?
MT
vaise (posted April 1, 2019):
I'm reading this with interest, and a little worry for other Emby systems out there. The bare minimum config is this:
Only one 'admin only' user that does NOT have 'allow remote connections to this server'.
All other users are allowed remote connections.
All users have passwords, with the admin only user being a hard one.
All users have the 'Enable in-network sign in with my easy PIN code' ticked and no pin so they don't need a password when on the LAN.
Maybe Emby could have a 'security checkup' button to alert for possible issues? A simple list of users with admin, remote connections and no passwords?
I personally went much further with other remote security stuff:
1 - An nginx reverse proxy (only port 443 is forwarded to that from the router)
2 - Standard https via Cloudflare, with the addition of Authenticated Origin Pulls. This means that attackers cannot circumvent Cloudflare's security measures and directly connect to your nginx server
3 - I only allow Cloudflare IPs to connect (unix automated scripts to keep these IP lists up to date)
4 - I enable logging of source IPs also in nginx for fail2ban (also kept up to date with a Linux script)
5 - I also took the geo-blocking option in the Cloudflare firewall to ban countries that I don't have remote Emby users accessing Emby from - works great - as my US based monitoring thought it went offline as the USA was blocked then.
Note - I take credit for none of the above - it's all on the internet how to set this up and some on the Emby forums. I have some other services running on my reverse proxy - so this is not all about Emby for any that think this is overkill.
mchallis (posted April 1, 2019):
droidman683522 hacked a server I manage for a friend. I will PM logs.
lightsout (posted April 2, 2019):
Wow, this is kind of scary. How can someone just be randomly finding Emby servers running out there across the country?
Happy2Play (posted April 2, 2019, edited):
I wouldn't think it is too hard port scanning to see who has Emby's default port open.
Jdiesel (posted April 2, 2019):
The more obvious case is that users are using the same login/pass for Emby Connect with other services. All it takes is one service to be compromised and one can use that information to connect to an Emby server as admin without even knowing the server IP. https://haveibeenpwned.com
FrostByte (posted April 2, 2019):
People have also posted their logs with external IPs in the past. That along with your user name here and I'm halfway there.
Soggybottoms (posted April 2, 2019):
Is the Emby team aware of the below? It's possible that this is nothing, but it does show up as recently discovered and states the version affected is Emby v4. https://fortiguard.com/encyclopedia/ips/47571
pir8radio (posted April 2, 2019, edited):
> Wow this is kind of scary. How can someone just be randomly finding emby servers running out there across the country?
> droidman683522 hacked a server I manage for a friend. I will PM logs
I wouldn't give this script kiddie the credit of calling it "hacked" lol... I doubt he put in any real work, you probably posted a server log that contained your server ID hash. As for how to find Emby servers.... here is every beta server open to the public running version .17 using non-standard Emby ports: https://censys.io/ipv4?q=%22data-appversion%3D%224.1.0.17%22%22
killermonkie (posted April 2, 2019):
First time poster here. I would like to report that within the last three days somebody broke into my dad's Emby server, deleted his administrator user, and then added two new user accounts. This was possible since his user account didn't have a password. The kicker is that the two user accounts added were also called Doom and Droidmanxxxxx (I don't remember the exact numbers after Droidman) just like PoBear. My dad's Emby user was also linked to my Emby Cloud account.
pir8radio (posted April 2, 2019, edited):
> yeah it looks like finding exposed Emby instances is not the issue :-) Though I dont think knowing someones "server ID hash" is going to help you gain access to a system. You can get the server ID from the login page API.
Yea, if you already know the server IP... but most of these Connect people are not setting user passwords, so using Emby's own servers to give up the end user's IP using the server hash found on the forums gets me right to their front door.. package into a script that auto creates accounts.....
lightsout (posted April 2, 2019):
So does a password protected admin account avoid this?
mchallis (posted April 2, 2019):
> you probably posted a server log that contained your server ID hash.
No, never. Not this one.
arche (posted April 2, 2019):
Kind of curious as to how many people are still using the same usernames and passwords from Plex when their servers got hacked.
Luke (posted April 2, 2019):
> Is the Emby team aware of the below? It's possible that this is nothing, but it does show up as recently discovered and states the version affected is Emby v4. https://fortiguard.com/encyclopedia/ips/47571
Yes, we are aware, and this will be resolved for the next release. Keep in mind you already need to have access to the server in order to exploit this.
Luke (posted April 2, 2019):
> So does a password protected admin account avoid this?
We're still investigating, but a strong password is generally the best line of defense.
chef (posted April 2, 2019):
> We're still investigating but a strong password is generally the best line of defense.
I know this might seem slight, but have you ever thought about adding a strength meter to the password creation page under users? Letting them know they have made a strong password.
rbjtech (posted April 2, 2019):
> I know this might seem slight, but have you ever thought about adding a strength meter to the password creation page under users. Letting them know they have made a strong password.
Letting them know they have NO password would be a good start.. A better solution these days is to combine this with an account compromised database lookup such as haveibeenpwned. They have an API which anonymously tests the password for breach status. https://haveibeenpwned.com/API/v2
A strong password which you *think* is secure is of little use if it's 'out there' for all to try, and with breaches happening daily these days - you MUST use a password manager and unique high strength passwords per site.
pir8radio (posted April 2, 2019):
> Letting them know they have NO password would be a good start.. A better solution these days is to combine this with an account compromised database lookup such as haveibeenpwned. They have an API which anonymously tests the password for breach status. https://haveibeenpwned.com/API/v2 A strong password which you *think* is secure is of little use if it's 'out there' for all to try and with breaches happening daily these days - you MUST use a password manager and unique high strength passwords per site.
I would love to see 2FA using Authy for at least admin accounts myself. I use different passwords for all of my passwords, but like you said, middle man sniffing or a DB breach and it's useless. All of my online accounts that support it are using Authy.
BAlGaInTl (posted April 2, 2019, edited):
Maybe Emby should not allow remote access unless all accounts have passwords? Or at least provide a VERY strongly worded warning if you try to enable it with accounts that don't have passwords, or create a new account without a password once it's been enabled. It seems obvious to me... but as Emby grows, there will be a lot of less tech-savvy users.
ETA: Also, perhaps to build on the password meter idea... maybe the server admin could set a minimum password strength requirement as well.
ebr (posted April 2, 2019):
Yes, I think we should probably consider having the system not allow remote access with no password - at least for an admin account.
BAlGaInTl (posted April 2, 2019):
> Letting them know they have NO password would be a good start.. A better solution these days is to combine this with an account compromised database lookup such as haveibeenpwned. They have an API which anonymously tests the password for breach status. https://haveibeenpwned.com/API/v2 A strong password which you *think* is secure is of little use if it's 'out there' for all to try and with breaches happening daily these days - you MUST use a password manager and unique high strength passwords per site.
It would be great to integrate that test API into the user interface for Emby. I know several other applications are starting to do that. Mostly password managers though.
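The "anonymous" breach lookup rbjtech and BAlGaInTl describe works by k-anonymity: the client hashes the password with SHA-1 and sends only the first five hex characters, then checks the returned suffix list locally. The following is an added example, not Emby's code or anything from the forum; the range endpoint URL is my assumption about the Pwned Passwords service, and the canned response and its counts are constructed so the demo runs offline.

```python
import hashlib
import urllib.request

# Assumed endpoint of the HIBP Pwned Passwords range API (not on the forum page).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password):
    # Only the first 5 hex chars of the SHA-1 leave the machine; the rest stays local.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    # The service answers with lines of the form SUFFIX:COUNT.
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix):
    # Live lookup of one 5-character prefix (network access required).
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "emby-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    # How many times the password appears in known breaches; 0 means not found.
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)

# Constructed offline stand-in for the reply to prefix 5BAA6 (the prefix of
# SHA-1("password")); the counts are made up for this demo.
CONSTRUCTED_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
"""

def offline_fetch(prefix):
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2019"):
        n = breach_count(pw, fetch=offline_fetch)
        print(f"{pw!r}: {'seen in breaches' if n else 'not found'} ({n})")
```

A server integrating this would call `breach_count` with the default live `fetch_range` at password-set time and refuse or warn on a non-zero count.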
rbjtech (posted April 2, 2019):
> Yes, I think we should probably consider having the system not allow remote access with no password - at least for an admin account.
It would also be sensible to have 'remote access' disabled by default for the Admin account - that way, you need to explicitly enable it and are warned that it must have a strong password blah blah. From my own personal experience, very rarely have I needed to administer Emby 'remotely' - and thus having my only Admin account LAN only is the best solution for me.
ebr (posted April 2, 2019):
> It would also be sensible to have 'remote access' disabled by default for the Admin account - that way, you need to explicitly enable it and are warned that it must have a strong password blah blah.
If we require a password for remote access, then isn't that just redundant complications?
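vaise's bare-minimum checklist and the rule ebr and BAlGaInTl discuss (no remote access without a password, especially for admins) can be turned into the "security checkup" vaise asks for. This is an added example, not Emby's code; the field names (HasPassword, Policy.IsAdministrator, Policy.EnableRemoteAccess) are my assumption about what Emby's user list returns, and the user list is constructed so it runs offline.

```python
SEVERITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def checkup(users):
    # Returns (severity, user, finding) tuples, worst first. Field names are
    # assumed from Emby's user DTO: HasPassword, Policy.IsAdministrator,
    # Policy.EnableRemoteAccess; a missing field is treated as False.
    findings, admins = [], []
    for u in users:
        name = u.get("Name", "?")
        policy = u.get("Policy", {})
        is_admin = bool(policy.get("IsAdministrator", False))
        remote = bool(policy.get("EnableRemoteAccess", False))
        has_pw = bool(u.get("HasPassword", False))
        if is_admin:
            admins.append(name)
        if is_admin and not has_pw:
            findings.append(("critical", name, "admin account has no password"))
        if remote and not has_pw:
            findings.append(("high", name, "remote access enabled but no password set"))
        if is_admin and remote:
            findings.append(("medium", name, "admin account is reachable remotely"))
    if len(admins) > 1:
        findings.append(("low", ", ".join(admins), "more than one administrator account"))
    findings.sort(key=lambda f: SEVERITY[f[0]])  # stable: keeps per-user order
    return findings

# Constructed sample user list for an offline run.
CONSTRUCTED_USERS = [
    {"Name": "admin", "HasPassword": True,
     "Policy": {"IsAdministrator": True, "EnableRemoteAccess": False}},
    {"Name": "dad", "HasPassword": False,
     "Policy": {"IsAdministrator": True, "EnableRemoteAccess": True}},
    {"Name": "kids", "HasPassword": True,
     "Policy": {"IsAdministrator": False, "EnableRemoteAccess": True}},
    {"Name": "guest", "HasPassword": False,
     "Policy": {"IsAdministrator": False, "EnableRemoteAccess": True}},
]

if __name__ == "__main__":
    for sev, user, what in checkup(CONSTRUCTED_USERS):
        print(f"[{sev:8}] {user}: {what}")
```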