
Server security compromised?


PoBear

Senna

You can obfuscate a little bit from shodan/Censys with a reverse proxy; scanning your IP and port 443 will show nginx or whatever instead of emby.

Censys scans this:

[attached screenshot: Pagetitle.png]


rbjtech

my password is not weak by any means. it wasn't brute forced, the logs don't show any authentication fail attempts. he is exploiting the server or has a backdoor or something.

I have letsencrypt and nginx doing the reverse proxy

Is your password for Emby unique - have you used it before elsewhere? If yes, then it's highly likely in a breach database somewhere. If not, then this is worrying...


m326697

Team, I am a newbie at this. Although I am pretty knowledgeable with computers, security is not my thing.

Is it possible to come up with a tutorial for setting up a secure server?

I do not use Emby outside my house.

Some step by step scenarios for people who use Emby strictly at home and for remote users.

I think this would help a lot and calm everyone's fears.

Thank you Luke for the coming changes.

Regards

MT


vaise

I only use subdomains on nginx.

Nginx's default is sending back a 403, should anything scan.

Home firewall blocks shodan stuff just in case, along with lots more.

Cloudflare firewall blocks all countries except mine (Australia) for access (just add the ones you want).

Cloudflare only allows their IPs, anything else gets a 403.

No cost for any of this stuff - just the free account.

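What the setup Senna and vaise describe looks like written down, as an added example (not a config posted in this thread and not from the Emby project): a catch-all server that refuses scanners that arrive by raw IP, the Emby vhost answering only to requests that came through Cloudflare, and `server_tokens off` so the banner says as little as possible. The hostname media.example.com, Emby listening on 127.0.0.1:8096, the Let's Encrypt paths and nginx 1.19.4 or newer (for `ssl_reject_handshake`) are assumptions; the Cloudflare ranges are their published IPv4 list and must be kept current.

```nginx
# Added example (not from the thread or the Emby project): nginx in front of
# Emby, reachable only through Cloudflare. Assumptions: Emby on 127.0.0.1:8096,
# hostname media.example.com, Let's Encrypt certificate paths, nginx >= 1.19.4.
http {
    # Cloudflare's published IPv4 edge ranges. Verify against
    # https://www.cloudflare.com/ips/ before use and keep the list current.
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 131.0.72.0/22;
    # Replace $remote_addr with the visitor's address so Emby's own logs show
    # who actually attempted a login, not a Cloudflare edge node.
    real_ip_header CF-Connecting-IP;

    # Because realip rewrites $remote_addr, the "did this come via Cloudflare"
    # check must look at the untouched TCP peer address, $realip_remote_addr.
    # A plain allow/deny list on $remote_addr would silently stop matching.
    geo $realip_remote_addr $from_cloudflare {
        default 0;
        173.245.48.0/20 1;
        103.21.244.0/22 1;
        103.22.200.0/22 1;
        103.31.4.0/22 1;
        141.101.64.0/18 1;
        108.162.192.0/18 1;
        190.93.240.0/20 1;
        188.114.96.0/20 1;
        197.234.240.0/22 1;
        198.41.128.0/17 1;
        162.158.0.0/15 1;
        104.16.0.0/13 1;
        104.24.0.0/14 1;
        172.64.0.0/13 1;
        131.0.72.0/22 1;
    }

    # Catch-all for raw-IP scans and unknown hostnames: no certificate is
    # offered and the TLS handshake is refused, so a scanner learns nothing
    # about what sits behind port 443.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name media.example.com;
        ssl_certificate     /etc/letsencrypt/live/media.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/media.example.com/privkey.pem;
        server_tokens off;   # no nginx version in headers or error pages

        # Anything that did not arrive through a Cloudflare edge gets a 403.
        if ($from_cloudflare = 0) {
            return 403;
        }

        location / {
            proxy_pass http://127.0.0.1:8096;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # WebSocket upgrade for the Emby web client
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
```

The allowlist only protects what passes through nginx: forward port 443 to nginx at the router and nothing to Emby's own port, otherwise the proxy is simply bypassed. Without Cloudflare in front, drop the `geo` check and `real_ip_header` and keep the catch-all server, which is what gives the "nginx instead of emby" result Senna mentions.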

pir8radio

That's interesting.

So that request from censys is hitting emby's endpoint when searching for upnp, but how is it figuring out it is Emby?

Is it grabbing page titles? Like the login page title?

Or is it recognizing the returned upnp request data as belonging to Emby?

If it is looking at page titles for the login, then make the login page titles customizable for the admin users.

Maybe emby needs to create a login attempt system that locks down the user's login after failed attempts.

I know fail2ban is an option, but maybe emby needs to incorporate a similar system.

Then the admin could enable login attempts after being alerted to numerous failed attempts.

I've been hacked before and it's not fun.

You can obfuscate a little bit from shodan/Censys with a reverse proxy; scanning your IP and port 443 will show nginx or whatever instead of emby.

Scanning domains does happen but not to the same degree; you might get some tiny benefit avoiding putting emby on the root of your domain or using emby.domain.com.

There is no way for the emby team to stop this.. Censys can search for ANY source on a landing page.. like a particular script, or a logo, or the copyright line; there will always be something unique to any login screen or landing page and that will allow censys to run a search. Look, I think the emby team setting up remote access blocks for admin users that don't have passwords set is a good out-of-the-box start. That's how the majority of these are happening... No admin password; they think because they set a PIN or emby connect login that the account has a password set..


vaise

Team, I am a newbie at this. Although I am pretty knowledgeable with computers, security is not my thing.

Is it possible to come up with a tutorial for setting up a secure server?

I do not use Emby outside my house.

Some step by step scenarios for people who use Emby strictly at home and for remote users.

I think this would help a lot and calm everyone's fears.

Thank you Luke for the coming changes.

Regards

MT

You should be pretty safe if not using emby outside your house. There won't be any port forwarding to your emby server from the internet, and the router should do a good job of not allowing WAN connections that did not get requested from your LAN. You should make sure UPnP is OFF in your router, keep its firmware up to date in case of new exploits, and make sure no WAN administration is allowed (don't be tempted to tick that stuff - asking for trouble). That's the basics for any home router though, imho. It is when people allow remote users to connect that the issues occur. Just opening a port to emby on your router can work to get remote access for your friends and family - but that alone is just asking for trouble. Many posts on that here, with many people stating a basic minimum if you allow remote.


chef

my password is not weak by any means. it wasn't brute forced, the logs don't show any authentication fail attempts. he is exploiting the server or has a backdoor or something.

I have letsencrypt and nginx doing the reverse proxy

That's weird. No failed login attempts, unless they cleaned up after themselves before logging out.

Any missing time in the logs?

I wouldn't use the web browser to hack an emby account.

I'd build a console app that attempted logins through the API.

Over and over until I received an access token.

Then I'd save the access token and login through a web browser.

There's no finesse there.

Is there anything like that happening somewhere in your logs?


Also been compromised

Just went to login to my account and user accounts replaced with one called "Darkrider"


Guest asrequested

It would appear that I'm hidden. At least I can't find my server on shodan. The VPN seems to be doing what it's supposed to.


chef

Also been compromised

Just went to login to my account and user accounts replaced with one called "Darkrider"

What was your setup like? Any reverse proxies? Were your admin accounts password protected?

What was your setup like? Any reverse proxies? Were your admin accounts password protected?

Nope, no reverse proxies, and yeah, accounts were password protected. I can see the login attempts in the logs.

Have completely uninstalled, deleted appdata, reinstalled and disabled remote connections for now. I am the only one who uses the server anyways in my home.

runtimesandbox

Nope, no reverse proxies, and yeah, accounts were password protected. I can see the login attempts in the logs.

Have completely uninstalled, deleted appdata, reinstalled and disabled remote connections for now. I am the only one who uses the server anyways in my home.

Login attempts? Were there a lot of failed login attempts?

pir8radio

Nope, no reverse proxies, and yeah, accounts were password protected. I can see the login attempts in the logs.

Have completely uninstalled, deleted appdata, reinstalled and disabled remote connections for now. I am the only one who uses the server anyways in my home.

Was your password complex? And you say it was password protected, was it the same login info used here for the forums?

pir8radio

Also. The skid hasn't done anything on any of these servers, like delete media. Sounds like a political move. An attempt to smear emby's reputation. Probably an affiliate of a competing product behind this. It serves no other purpose to mass compromise systems other than bring awareness to it. An actual hacker would be doing this under the radar, leaving your accounts intact, downloading your media, and leaving little to no breadcrumbs behind.

Need to find the hole and plug it.

chef

Also. The skid hasn't done anything on any of these servers, like delete media. Sounds like a political move. An attempt to smear emby's reputation. Probably an affiliate of a competing product behind this. It serves no other purpose to mass compromise systems other than bring awareness to it. An actual hacker would be doing this under the radar, leaving your accounts intact, downloading your media, and leaving little to no breadcrumbs behind.

Need to find the hole and plug it.

Definitely. Good news is that instead of smearing us, by bringing attention to it, it'll help us better our security. It was a favor in the end.

Need to find the hole and plug it.

Make sure your local users have passwords. So far, that is the "hole" we've discovered.

Spyderturbo007

I'm not a security guy by any means, but my Synology has an AutoBlock feature. If you fail the login "X" times in "X" minutes, your IP gets blacklisted.

Would that be an option for Emby to add? The scary part is that people are getting hacked without any failed login attempts!
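The lockout pir8radio and Spyderturbo007 are asking for (fail X times in X minutes and the source address is blocked for a while), written out as an added example that is not Emby's code or a plugin: a per-address sliding window, replayed over constructed log lines. The log line format, the thresholds and all names are assumptions; Emby's real log lines differ, so only `parse_line()` would need adapting. Replayed over historical logs it also flags the case worth looking at in an incident like this one: a successful login from an address that had already earned a lockout. It does nothing for the compromises reported with no failed attempts at all, which the thread traces to accounts without a password.

```python
# Added example (not Emby's code): sliding-window login lockout. Fail N times
# within W minutes and the source address is locked out for a cooling-off period.
# The log line format is constructed for this example (an assumption); adapt
# parse_line() to whatever your server really writes.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed format: "<date> <time> AUTH OK|FAIL user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) AUTH (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ok: bool
    user: str
    ip: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for an authentication line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                     m["result"] == "OK", m["user"], m["ip"])


class LoginGuard:
    """Per-source failure counter with a sliding window and a lockout period."""

    def __init__(self, max_failures: int = 5,
                 window: timedelta = timedelta(minutes=10),
                 lockout: timedelta = timedelta(hours=1)) -> None:
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.blocked_until: Dict[str, datetime] = {}
        # (timestamp, ip, user, reason) for events a human should look at
        self.alerts: List[Tuple[datetime, str, str, str]] = []

    def is_blocked(self, ip: str, now: datetime) -> bool:
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def observe(self, ev: AuthEvent) -> str:
        """Feed one event; returns allowed, failed, locked or blocked."""
        if self.is_blocked(ev.ip, ev.ts):
            if ev.ok:
                # Replaying historical logs, this is the interesting case: no
                # guard was enforcing at the time, so this login went through.
                self.alerts.append((ev.ts, ev.ip, ev.user,
                                    "successful login from a locked-out address"))
            return "blocked"
        if ev.ok:
            return "allowed"
        recent = self.failures[ev.ip]
        recent.append(ev.ts)
        cutoff = ev.ts - self.window  # only failures inside the window count
        while recent and recent[0] < cutoff:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocked_until[ev.ip] = ev.ts + self.lockout
            recent.clear()
            return "locked"
        return "failed"


def replay(lines, **guard_options) -> Tuple[LoginGuard, List[Tuple[str, str]]]:
    """Run every parsable line through a fresh guard; returns the guard and
    the (ip, verdict) pairs in log order."""
    guard = LoginGuard(**guard_options)
    verdicts = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            verdicts.append((ev.ip, guard.observe(ev)))
    return guard, verdicts


# Constructed sample: 203.0.113.7 hammers the admin account and then gets in,
# 198.51.100.5 spreads its failures too thinly to trip the window, 192.0.2.10
# logs in normally, and one non-auth line has to be skipped by the parser.
SAMPLE_LOG = """\
2019-04-01 10:00:00 AUTH FAIL user=alice ip=198.51.100.5
2019-04-01 10:00:01 AUTH FAIL user=admin ip=203.0.113.7
2019-04-01 10:00:05 AUTH FAIL user=admin ip=203.0.113.7
2019-04-01 10:00:09 AUTH FAIL user=admin ip=203.0.113.7
2019-04-01 10:00:14 AUTH FAIL user=admin ip=203.0.113.7
2019-04-01 10:00:20 AUTH FAIL user=admin ip=203.0.113.7
2019-04-01 10:00:25 AUTH OK user=admin ip=203.0.113.7
2019-04-01 10:02:00 HTTP GET /web/index.html ip=203.0.113.7
2019-04-01 10:20:00 AUTH FAIL user=alice ip=198.51.100.5
2019-04-01 10:30:00 AUTH OK user=alice ip=192.0.2.10
2019-04-01 10:40:00 AUTH FAIL user=alice ip=198.51.100.5
2019-04-01 11:00:00 AUTH FAIL user=alice ip=198.51.100.5
2019-04-01 11:20:00 AUTH FAIL user=alice ip=198.51.100.5
""".splitlines()
```

`replay(SAMPLE_LOG)` locks 203.0.113.7 on its fifth failure and flags the login that followed, while 198.51.100.5 never trips the ten-minute window. Behind a reverse proxy or Cloudflare the address has to be the real client's (taken from the forwarded header the proxy sets), otherwise the first attacker locks the proxy out for everyone.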

chef

I'm not a security guy by any means, but my Synology has an AutoBlock feature. If you fail the login "X" times in "X" minutes, your IP gets blacklisted.

Would that be an option for Emby to add? The scary part is that people are getting hacked without any failed login attempts!

That sounds like a plug-in idea.

To create the blacklist.

vaise

Add logic so you can’t allow remote access if the password is blank maybe?


Spyderturbo007

I see a notification that says "User Locked Out", but nowhere to specify what causes a user to be locked out.

Another useful notification might be an authentication failure?

The scary part is that people are getting hacked without any failed login attempts!

Make sure your local users have passwords. So far, that is the "hole" we've discovered.

pir8radio

This topic was marked as fixed or best answer for adding the ability to hide users from the login page, but doesn't the API give up a list of known users? Or are they hidden in there as well? Someone's using a script, probably going to use that interface?

Also, I haven't tried it, but what's to stop me from using a user ID hash and token from the logs shared on the site?

chef

This topic was marked as fixed or best answer for adding the ability to hide users from the login page, but doesn't the API give up a list of known users? Or are they hidden in there as well? Someone's using a script, probably going to use that interface?

I'm pretty sure that if the user is hidden on the login screen they don't appear under the public user DTO.

You'll only be able to access the API with a token, which is granted by authenticating a user. So their hash wouldn't grant access, only user data with an access token.

I'm pretty sure that if the user is hidden on the login screen they don't appear under the public user DTO.

You'll only be able to access the API with a token, which is granted by authenticating a user. So their hash wouldn't grant access, only user data with an access token.

This is correct.

anthonylavado

On behalf of other software, I would just like to thank @ebr and @Luke for responding to some questions of ours, in the interest of protecting all users.

Safety and security are important for all - and we don't knowingly engage in, nor do we condone, any attempts to access other users' info. Thanks.
