Server security compromised?


PoBear

I think it is best to avoid posting any identifying information publicly so please send these types of things to me over PM.

 

The best way to avoid this is to ensure that your admin users have strong passwords. Thanks.


m326697

True, a strong password is a must. But this was an attack on a couple of users from the same attacker. I find this strange.

Just curious, to the folks that had their accounts compromised, are you using the Emby App on another device like a Firestick ??

MT


vaise

I'm reading this with interest, and a little worry for other Emby systems out there.

 

The bare minimum config is thus:

 

Only one 'admin only' user that does NOT have 'allow remote connections to this server'.

All other users are allowed remote connections.

All users have passwords, with the admin only user being a hard one.

All users have the 'Enable in-network sign in with my easy PIN code' ticked and no pin so they don't need a password when on the LAN.

 

Maybe Emby could have a 'security checkup' button to alert for possible issues ?  A simple list of users with admin, remote connections and no passwords ?

 

I personally went much further with other remote security stuff :

 

1 - An nginx reverse proxy (only port 443 is forwarded to that from the router)

2 - Standard https via Cloudflare, with the addition of Authenticated Origin Pulls. This means that attackers cannot circumvent Cloudflare's security measures and directly connect to your nginx server

3 - I only allow Cloudflare IPs to connect (unix automated scripts to keep these IP lists up to date)

4 - I enable logging of source IPs also in nginx for fail2ban (also kept up to date with a linux script)

5 - I also took the geo-blocking option in the Cloudflare firewall to ban countries where I don't have remote Emby users accessing Emby - works great - as my US-based monitoring thought it went offline when the USA was blocked.

 

Note - I take credit for none of the above - it's all on the internet how to set this up and some on the Emby forums.

I have some other services running on my reverse proxy - so this is not all about Emby for any that think this is overkill.

 

 

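Added example, not code from vaise's post or from Emby/Cloudflare: a small generator that turns Cloudflare's published IP ranges into the three nginx snippets steps 2 to 4 above describe (an allow/deny list, a realip block so the access log and fail2ban see the visitor's address instead of Cloudflare's, and the client-certificate check for Authenticated Origin Pulls). The range list embedded here is a constructed sample in the format of https://www.cloudflare.com/ips-v4 and /ips-v6; the CA path is an assumed location. It fails closed: a malformed or empty list raises rather than writing a config that would lock everyone out or let the wrong hosts in.

```python
"""Generate nginx snippets for an origin that only accepts traffic via Cloudflare.

Added example, not from the original thread. Assumes the nginx realip and
access modules are present (both ship with stock nginx builds) and that the
Cloudflare origin-pull CA has been saved to the path passed to render_origin_pull.
"""
import ipaddress

# Constructed sample in the format of https://www.cloudflare.com/ips-v4 and
# /ips-v6 (one CIDR per line). Do not treat these entries as current data;
# feed the real downloaded lists in when you run this for real.
SAMPLE_RANGES = """\
# Cloudflare IPv4 (sample)
173.245.48.0/20
103.21.244.0/22
# Cloudflare IPv6 (sample)
2400:cb00::/32
"""


def parse_ranges(text):
    """Parse one CIDR per line, ignoring blanks and '#' comments.

    Fails closed: a malformed entry or an empty list raises instead of
    producing a config that would silently lock out or let in the wrong hosts.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad CIDR {line!r}: {exc}") from None
    if not nets:
        raise ValueError("no ranges parsed; refusing to write an empty allowlist")
    return nets


def render_allowlist(nets):
    """'allow' each Cloudflare range, then 'deny all' (step 3 in the post)."""
    lines = [f"allow {net};" for net in nets]
    lines.append("deny all;")
    return "\n".join(lines) + "\n"


def render_realip(nets):
    """Trust CF-Connecting-IP only when the connection comes from a Cloudflare
    range (step 4: real client IPs in the access log, so fail2ban bans the
    visitor and not Cloudflare's edge)."""
    lines = [f"set_real_ip_from {net};" for net in nets]
    lines.append("real_ip_header CF-Connecting-IP;")
    return "\n".join(lines) + "\n"


def render_origin_pull(ca_path):
    """Require a client certificate issued by Cloudflare's origin-pull CA
    (step 2: Authenticated Origin Pulls). A direct hit on port 443 that
    bypasses Cloudflare then fails the TLS handshake even if the IP
    allowlist is out of date."""
    return (
        f"ssl_client_certificate {ca_path};\n"
        "ssl_verify_client on;\n"
    )


def render_all(text, ca_path="/etc/nginx/cloudflare-origin-pull-ca.pem"):
    """Combine the three snippets; ca_path is an assumed location."""
    nets = parse_ranges(text)
    return (
        "# --- allowlist (include inside the server {} block) ---\n"
        + render_allowlist(nets)
        + "# --- realip (include in the http {} block) ---\n"
        + render_realip(nets)
        + "# --- authenticated origin pulls (include in the server {} block) ---\n"
        + render_origin_pull(ca_path)
    )


if __name__ == "__main__":
    print(render_all(SAMPLE_RANGES))
```

Run it from cron against the freshly downloaded lists and reload nginx only when the output changed; because the generator raises on an empty or malformed list, a failed download never replaces a working allowlist.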

lightsout

Wow this is kind of scary. How can someone just be randomly finding emby servers running out there across the country?


Happy2Play

I wouldn't think it is too hard; port scanning to see who has Emby's default port open.


Jdiesel

The more obvious case is that users are using the same login/pass for Emby Connect as with other services. All it takes is one service to be compromised and one can use that information to connect to an Emby server as admin without even knowing the server IP.

 

https://haveibeenpwned.com


FrostByte

People have also posted their logs with external IPs in the past. That along with your user name here and I'm halfway there.


pir8radio

Wow this is kind of scary. How can someone just be randomly finding emby servers running out there across the country?

 

 

droidman683522 hacked a server I manage for a friend. I will PM logs

 

 

I wouldn't give this script kiddie the credit of calling it "hacked" lol...   I doubt he put in any real work, you probably posted a server log that contained your server ID hash.   

 

As for how to find emby servers....      here is every beta server open to the public running version .17 using non standard emby ports       https://censys.io/ipv4?q=%22data-appversion%3D%224.1.0.17%22%22


killermonkie

First time poster here. I would like to report that within the last three days somebody broke into my dad's Emby server, deleted his administrator user, and then added two new user accounts. This was possible since his user account didn't have a password. The kicker is that the two user accounts added were also called Doom and Droidmanxxxxx (I don't remember the exact numbers after Droidman), just like PoBear. My dad's Emby user was also linked to my Emby Cloud account.


pir8radio

yeah it looks like finding exposed Emby instances is not the issue :-)

 

Though I don't think knowing someone's "server ID hash" is going to help you gain access to a system. You can get the server ID from the login page API.

 

Yea, if you already know the server IP... but most of these Connect people are not setting user passwords, so using Emby's own servers to give up the end user's IP using the server hash found on the forums gets me right to their front door..

 

package into a script that auto creates accounts.....  


mchallis

 you probably posted a server log that contained your server ID hash.   

 

No, never. Not this one.


arche

Kind of curious as to how many people are still using the same username and passwords from Plex when their servers got hacked.


Is the Emby team aware of the below? It's possible that this is nothing, but it does show up as recently discovered and states the version affected is Emby v4.

 

https://fortiguard.com/encyclopedia/ips/47571

 

Yes, we are aware, and this will be resolved for the next release. Keep in mind you already need to have access to the server in order to exploit this.


So does a password protected admin account avoid this?

 

We're still investigating but a strong password is generally the best line of defense.


chef

We're still investigating but a strong password is generally the best line of defense.

I know this might seem slight, but have you ever thought about adding a strength meter to the password creation page under users?

Letting them know they have made a strong password.


rbjtech

I know this might seem slight, but have you ever thought about adding a strength meter to the password creation page under users?

Letting them know they have made a strong password.

 

Letting them know they have NO password would be a good start ..  ;)

 

A better solution these days is to combine this with an account compromised database lookup such as haveibeenpwned. They have an API which anonymously tests the password for breach status.

 

https://haveibeenpwned.com/API/v2

 

A strong password which you *think* is secure is of little use if it's 'out there' for all to try, and with breaches happening daily these days you MUST use a password manager and unique high-strength passwords per site.

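Added example, not code from rbjtech's post, from Emby or from Have I Been Pwned: the k-anonymity lookup the post refers to, plus the "no password / too short" checks the strength-meter idea above would need. Only the first five hex characters of the password's SHA-1 are sent; the service answers with every hash suffix in that bucket and the match is made locally, so the password itself never leaves the machine. The endpoint URL and the Add-Padding header are stated as assumptions about the current API; the range response embedded below is constructed so the example runs offline (the last suffix is the real SHA-1 of "password", the counts are made up).

```python
"""Check a password against Have I Been Pwned's range (k-anonymity) API.

Added example, not code from the thread or from Emby. Assumed endpoint:
GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the service's reply to prefix 5BAA6, so this runs
# offline. The suffix on the last line is SHA-1("password") minus its prefix;
# the counts are made up and are not HIBP's real figures.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""


def hash_split(password):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Padding lines (count 0) and blank lines are tolerated; anything that is
    not a 35-hex-char suffix is treated as a broken response."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            raise ValueError(f"unexpected line in range response: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix):
    """Real lookup (needs network). Add-Padding makes every bucket the same
    size on the wire so a passive observer cannot infer the prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "emby-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_sample(prefix):
    """Offline fetcher: returns the constructed bucket above for any prefix."""
    return SAMPLE_RANGE_5BAA6


def breach_count(password, fetch_range=fetch_range_sample):
    """How many times the password appears in the breach corpus (0 = unseen)."""
    prefix, suffix = hash_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def assess(password, fetch_range=fetch_range_sample, min_length=12):
    """Return a list of findings; an empty list means the password is acceptable."""
    if not password:
        return ["no password set"]  # the failure mode behind this thread
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        findings.append(f"appears {seen} times in known breaches")
    return findings


if __name__ == "__main__":
    for pw in ["", "password", "correct-horse-battery-staple-2019"]:
        print(repr(pw), assess(pw) or ["ok"])
```

To run it against the live service, pass `fetch_range_live` as the fetcher. Treat a network failure as "unknown" rather than "clean": the k-anonymity design means the server never learns the password, but it also means a missing response tells you nothing.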

pir8radio

Letting them know they have NO password would be a good start .. ;)

 

A better solution these days is to combine this with an account compromised database lookup such as haveibeenpwned. They have an API which anonymously tests the password for breach status.

 

https://haveibeenpwned.com/API/v2

 

A strong password which you *think* is secure is of little use if it's 'out there' for all to try, and with breaches happening daily these days you MUST use a password manager and unique high-strength passwords per site.

 

I would love to see 2FA using Authy for at least admin accounts myself. I use different passwords for all of my passwords, but like you said middle man sniffing or db breach and it’s useless. all of my online accounts that support it are using Authy.

 

 


BAlGaInTl

Maybe Emby should not allow remote access unless all accounts have passwords? Or at least provide a VERY strongly worded warning if you try enable with accounts that don't have passwords, or create a new account without a password once it's been enabled.

 

It seems obvious to me... but as Emby grows, there will be a lot of less tech-savvy users.

 

ETA

 

Also, perhaps to build on the password meter idea... maybe the server admin could set a minimum password strength requirement as well.


Yes, I think we should probably consider having the system not allow remote access with no password - at least for an admin account.

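Added example, not Emby's code and not part of any post above: the 'security checkup' vaise asked for earlier in the thread, which also covers the rule just proposed (no remote access for a password-less admin). It lists every user whose combination of admin rights, remote access and missing password is dangerous, worst first. The user records are a constructed sample; the field names (Name, HasConfiguredPassword, Policy.IsAdministrator, Policy.EnableRemoteAccess), the GET /emby/Users endpoint and the X-Emby-Token header are assumptions about Emby's API that you should check against your server version before relying on the live fetch.

```python
"""Security checkup for Emby user accounts (added example, not Emby's own code).

Flags the combinations discussed in this thread: an admin with no password, a
remotely reachable account with no password, and an admin that is reachable
remotely at all. Field names and the endpoint are assumptions about Emby's
GET /emby/Users response; confirm them against your server.
"""
import json
import urllib.request

# Constructed sample resembling the /Users response; not real data.
SAMPLE_USERS_JSON = """
[
  {"Name": "admin",   "HasConfiguredPassword": true,
   "Policy": {"IsAdministrator": true,  "EnableRemoteAccess": true}},
  {"Name": "dad",     "HasConfiguredPassword": false,
   "Policy": {"IsAdministrator": true,  "EnableRemoteAccess": true}},
  {"Name": "kid",     "HasConfiguredPassword": false,
   "Policy": {"IsAdministrator": false, "EnableRemoteAccess": true}},
  {"Name": "lanonly", "HasConfiguredPassword": false,
   "Policy": {"IsAdministrator": false, "EnableRemoteAccess": false}}
]
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def load_users(text):
    """Parse a /Users JSON body (or the sample above) into a list of dicts."""
    return json.loads(text)


def fetch_users(base_url, api_key):
    """Live fetch (needs network). Header name is an assumption; an API key
    created under Emby's dashboard is expected in api_key."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/emby/Users",
        headers={"X-Emby-Token": api_key},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_users(users):
    """Return (severity, user, message) tuples, most severe first."""
    findings = []
    for u in users:
        name = u.get("Name", "?")
        policy = u.get("Policy") or {}
        admin = bool(policy.get("IsAdministrator"))
        remote = bool(policy.get("EnableRemoteAccess"))
        has_pw = bool(u.get("HasConfiguredPassword"))

        if admin and remote and not has_pw:
            # Exactly the situation that let the attacker in this thread
            # delete an admin and add new accounts.
            findings.append((
                "critical", name, "admin, reachable remotely, no password"))
        elif remote and not has_pw:
            findings.append((
                "high", name, "remote access enabled with no password"))
        elif admin and not has_pw:
            # Not reachable from outside, but anyone on the LAN is admin.
            findings.append((
                "medium", name, "admin with no password (LAN only)"))
        elif admin and remote:
            # vaise/rbjtech's recommendation: keep the admin account LAN-only.
            findings.append((
                "medium", name, "admin reachable remotely; consider LAN-only admin"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])  # stable: keeps input order within a level
    return findings


if __name__ == "__main__":
    for severity, name, message in audit_users(load_users(SAMPLE_USERS_JSON)):
        print(f"{severity:8} {name:10} {message}")
```

A LAN-only account with no password and the easy-PIN sign-in, as in vaise's setup, produces no finding; the checks only fire where a missing password meets admin rights or exposure to the internet.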

BAlGaInTl

Letting them know they have NO password would be a good start ..  ;)

 

A better solution these days is to combine this with an account compromised database lookup such as haveibeenpwned. They have an API which anonymously tests the password for breach status.

 

https://haveibeenpwned.com/API/v2

 

A strong password which you *think* is secure is of little use if it's 'out there' for all to try, and with breaches happening daily these days you MUST use a password manager and unique high-strength passwords per site.

It would be great to integrate that test API into the user interface for Emby. I know several other applications are starting to do that. Mostly password managers though.


rbjtech

Yes, I think we should probably consider having the system not allow remote access with no password - at least for an admin account.

 

It would also be sensible to have 'remote access' disabled by default for the Admin account - that way, you need to explicitly enable it and are warned that it must have a strong password blah blah.  

 

From my own personal experience, very rarely have I needed to Administer Emby 'remotely' - and thus having my only Admin account LAN only is the best solution for me.


It would also be sensible to have 'remote access' disabled by default for the Admin account - that way, you need to explicitly enable it and are warned that it must have a strong password blah blah.  

 

If we require a password for remote access, then isn't that just a redundant complication?

