
Server security compromised?


PoBear


atropa

OK. No idea if my problem fits the topic. But it sounds like that. For about 4 weeks, I have been attacked several times a day. And always via the Emby standard ports.
At first I thought it was Nginx.
My security software reported several attacks every day via Nginx and port 443. Then the software marked Nginx as a virus and trojan and wanted to remove nginx.
So I deleted nginx and used a direct connection via Cloudflare and the SSL certificate in Emby. Unfortunately, that did not help either. Every day several attacks. And always on the standard ports. In this case 8920. With different IPS warnings. For example: Web Attack: ThinkPhPgetShell Remote Code Execution, System Infected: Downloader Download 5, Attack: Apache Struts CVE-2017-5638 or Web Attack: Malicious OGNL Expression Upload. Now my security software marked Emby as a virus and a trojan and wanted to remove Emby. WTF???? Hmmmm... But since I changed the standard port there are no more attacks. Weird!! ... So there must be some script kiddie out there who attacks only Emby servers?


So there must be some script kiddie out there who attacks only Emby servers?

 

Yes I'm sure, as there are also for our competitors. Using a non-standard public port can help as well.


atropa

Yes I'm sure, as there are also for our competitors. Using a non-standard public port can help as well.

Jop. Changing the port helped. There are no more attacks since then.


I have been under attack as well. I also use the standard 443 port because I use a freenom domain and the terms and conditions are that I need to have a functional site and they check it regularly.

 

From my logs they don't use my domain, so they don't go through Cloudflare. They are using my public IP directly. Since I force all my remote connections to be secure, they can't go further and I see this in my logs:

 

System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

 

I don't see any user trying to log with those IPs.


Login attempts? Were there a lot of failed login attempts?

 

 

Yeah quite a few from the looks of it

 

Was your password complex? And you say it was password protected, was it the same login info used here for the forums?

 


 

I would say so, capital letters, numbers and special characters and yes same login for forums but I have changed that now as well


chjohans

This thread prompted me to check my logs for any intruder attempts, and I see no such evidence. However, I made the following config changes:

 

1) I used to have just one Emby account, linked to Emby connect for the convenience. I removed admin access for this user, and I also removed the rights to delete any media from my libraries. The latter does not really make any difference as the user that is running my Emby server only has read access to my libraries. This user does of course have a pretty strong password.

 

2) I added a new user with admin rights, and made sure that user is not visible on any login screens, gave it a strong password and made sure it's not linked to Emby connect.

 

I am not using any reverse proxy, just a simple port forward on my firewall. But I think this is still sufficient to prevent any unwanted access.

 

I might look into using fail2ban to analyze the Emby server logfiles and automatically banning IP's in case of any repeated failed login attempts. I did some testing and it looks like the logfile format is pretty suitable for this. I will set this up once I have some time to spare, but for the time being this should be good enough.


 

I might look into using fail2ban to analyze the Emby server logfiles and automatically banning IP's in case of any repeated failed login attempts. I did some testing and it looks like the logfile format is pretty suitable for this. I will set this up once I have some time to spare, but for the time being this should be good enough.

 

There are guides on here on how to set up fail2ban to monitor for Emby authentication failures - the logfile is compatible in the more recent Emby versions :)

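The fail2ban idea from the two posts above, as an added illustration (not code from the thread or from Emby): a small sliding-window detector that counts HTTP 401 responses on the authentication endpoint per client IP and reports an IP once it exceeds `maxretry` failures inside `findtime`. The log lines are constructed samples and the exact line format and the `/Users/AuthenticateByName` path are assumptions; adjust `FAIL_RE` to the real Emby log before reusing it as a fail2ban `failregex`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on Emby's "HTTP Response <code> to <ip>"
# log entries. The format is an assumption for this illustration, not Emby's documented one.
SAMPLE_LOG = """\
2019-04-05 21:10:01.120 Info HttpServer: HTTP Response 401 to 203.0.113.7. Time: 12ms. http://host:8096/emby/Users/AuthenticateByName
2019-04-05 21:10:03.401 Info HttpServer: HTTP Response 401 to 203.0.113.7. Time: 9ms. http://host:8096/emby/Users/AuthenticateByName
2019-04-05 21:10:05.777 Info HttpServer: HTTP Response 200 to 192.168.1.20. Time: 3ms. http://host:8096/emby/System/Info
2019-04-05 21:10:06.002 Info HttpServer: HTTP Response 401 to 203.0.113.7. Time: 8ms. http://host:8096/emby/Users/AuthenticateByName
2019-04-05 21:10:07.310 Info HttpServer: HTTP Response 401 to 198.51.100.9. Time: 10ms. http://host:8096/emby/Users/AuthenticateByName
2019-04-05 21:20:09.555 Info HttpServer: HTTP Response 401 to 198.51.100.9. Time: 11ms. http://host:8096/emby/Users/AuthenticateByName
"""

# fail2ban-style failregex: timestamp, a 401 on the authentication endpoint, the client IP.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ .*HTTP Response 401 to "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\. .*?/Users/AuthenticateByName"
)


def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time the threshold was reached} for IPs with >= maxretry
    authentication failures inside a findtime window (fail2ban semantics)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:  # expire failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[m["ip"]] = ts
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when})")
```

With the defaults, 203.0.113.7 is reported after its third failure, while 198.51.100.9 is not, because its two failures fall just outside the 10-minute window.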

chjohans

There's guides on here how to set up fail2ban to monitor for emby authentication failures - the logfile is compatible in the more recent emby versions :)

Thanks yes I found that post. My problem is I'm running fail2ban on an edgerouter and Emby on windows. No easy way to get to the log file on a windows filesystem. But trying to think of some solution.


rbjtech

Thanks yes I found that post. My problem is I'm running fail2ban on an edgerouter and Emby on windows. No easy way to get to the log file on a windows filesystem. But trying to think of some solution.

 

As long as you have the API Key (which you will have) then just query Emby log the same as you would do normally on your remote system - assuming you have a route to it from the internal system of course ..


runtimesandbox

As long as you have the API Key (which you will have) then just query Emby log the same as you would do normally on your remote system - assuming you have a route to it from the internal system of course ..

 

Has anyone written a script to do this from a reverse proxy?


Happy2Play

Thanks yes I found that post. My problem is I'm running fail2ban on an edgerouter and Emby on windows. No easy way to get to the log file on a windows filesystem. But trying to think of some solution.

 

There is IPBan also.

 

https://emby.media/community/index.php?/topic/69286-ipban-for-emby/


What is the solution to this problem?   I rebuilt my server yesterday and it is hacked again, with the same logins, so it is clearly scripted and running autonomously.   

How soon until 4.1 is released?


What is the solution to this problem?   

 

The solution is simply to confirm that your LOCAL admin user has a password defined.  Go to Users configuration, select user, select "Password" at top.

 

 

I rebuilt my server yesterday and it is hacked again, with the same logins, so it is clearly scripted and running autonomously.   

 

Can you please PM me the log from when this occurred?

 

Thanks.


All of my accounts have a password. With letters and numbers. No accounts have no password.

 

I can't provide logs because I cannot get emby to install now.  So I don't even remember the path for the logs.

 

But I am now getting more concerned that I cannot run the installation.  I can't run the setup.exe and I may have to find another solution for my media.

 

I don't want to have to be a sophisticated admin to be able to watch my movies.  Emby is/was a great solution that just generally worked, and did not require a huge amount of attention from me.  
But right now, we are dead in the water, and I cannot install emby from the web or the full download to even begin the process of rebuilding the server and the libraries again.

 

I am curious if we could get an idea of the ETA on a new, fixed version?
 


Happy2Play

All of my accounts have a password. With letters and numbers. No accounts have no password.

 

I can't provide logs because I cannot get emby to install now.  So I don't even remember the path for the logs.

 

But I am now getting more concerned that I cannot run the installation.  I can't run the setup.exe and I may have to find another solution for my media.

 

I don't want to have to be a sophisticated admin to be able to watch my movies.  Emby is/was a great solution that just generally worked, and did not require a huge amount of attention from me.  

But right now, we are dead in the water, and I cannot install emby from the web or the full download to even begin the process of rebuilding the server and the libraries again.

 

I am curious if we could get an idea of the ETA on a new, fixed version?

 

 

There is nothing different in the beta but more restrictions and options.  So what are you calling a fixed version?

 

If you cannot run the setup.exe or get the portable version to work then to me there is a larger issue with the machine.


All of my accounts have a password. With letters and numbers. No accounts have no password.

 

I believe that you believe that was the case.  However, I think it is likely that it actually wasn't (and you just didn't realize it).  This is due to the way the initial setup of the server works and we are changing that.  But that is the only thing that 4.1 is doing so the solution to your issue is still in your hands (as soon as you get re-installed).


Guest asrequested

All of my accounts have a password. With letters and numbers. No accounts have no password.

 

 

 

Did you change them, after you were hacked?


GEEZE.

 

We haven't watched a movie for quite a while so I'm not sure when it may have actually happened.

 

We went to watch a movie tonight and EMC wanted a password for either of 3 logins I have never seen.  I went to the Server and tried to open it, but it too wanted a password for one of 3 logins.

 

Are there any log files on the Server which I can look at to see when these new accounts were created and mine deleted?  Would these show any IP info of the incoming source?

 

Any insight would be appreciated !!!

 


Happy2Play

It all depends on when this happened, as logs are only maintained for 3 days by default. But you would check your Emby server logs, and yes, you would see their IP. Log location is dependent on the OS you are on.

 

Windows "C:\Users\username\AppData\Roaming\Emby-Server\programdata\logs"


CBers

Stop Emby running.

 

You can go into /Emby-Server/config/users and delete all of those user folders found there.

 

Edit the system.xml file and find the tag named "IsStartupWizardCompleted" and change it to false.

 

If you then start Emby and open it in a browser, it should run through the install wizard and set up a new user.

Make sure you set a password for the user and turn off remote access.

 

I have just performed this on my test server and it worked fine, retaining the libraries I had previously setup.

 

It may be worth upgrading to the latest beta of Emby server, as it has some additional security built-in.

 

Update: You may need to delete the users.db and authentication.db files (/Emby-Server/data) as well.

 


 

 

HOLY CRAP !!!!

 

 

Those are the SAME accounts which hacked my Server!!!!!!!!!!!!

 

 

@Luke

@ebr

 

This can't be a coincidence. That the exact same accounts which hacked my server have hacked someone else's. I have to then assume my server wasn't just a random attack but more like someone who knows the inner workings of Emby Server??????


This can't be a coincidence. That the exact same accounts which hacked my server have hacked someone else's. I have to then assume my server wasn't just a random attack but more like someone who knows the inner workings of Emby Server??????

 

Yes, it is the same people but the vulnerability is the fact that people have users with no passwords defined.  Please be sure your users all have LOCAL passwords defined for them (Users->select user->Password).

 

Thanks.

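The hardening checklist that emerges from the thread (ebr: every user needs a LOCAL password; chjohans: a separate hidden admin account, not linked to Emby Connect, and no delete rights for the everyday account), as an added audit script that is not part of the thread or of Emby itself. It works over a constructed sample shaped like the user objects returned by Emby's `/Users` API; the field names `HasPassword`, `ConnectUserName` and the `Policy.*` flags are assumptions for this illustration, so verify them against your server's actual response before relying on it.

```python
import json

# Constructed sample shaped like user objects from Emby's /Users endpoint.
# The field names (HasPassword, ConnectUserName, Policy.*) are assumptions
# made for this illustration, not taken from the thread.
SAMPLE_USERS_JSON = json.dumps([
    {"Name": "family", "HasPassword": True, "ConnectUserName": "family@example.org",
     "Policy": {"IsAdministrator": True, "EnableRemoteAccess": True,
                "IsHidden": False, "EnableContentDeletion": True}},
    {"Name": "admin", "HasPassword": False, "ConnectUserName": None,
     "Policy": {"IsAdministrator": True, "EnableRemoteAccess": True,
                "IsHidden": True, "EnableContentDeletion": True}},
    {"Name": "kids", "HasPassword": True, "ConnectUserName": None,
     "Policy": {"IsAdministrator": False, "EnableRemoteAccess": False,
                "IsHidden": False, "EnableContentDeletion": False}},
])


def audit_users(users_json):
    """Return {user name: [finding, ...]} for every user that violates the
    checklist; users with no findings are omitted."""
    report = {}
    for user in json.loads(users_json):
        policy = user.get("Policy", {})
        admin = policy.get("IsAdministrator", False)
        problems = []
        # ebr's point: the exploited weakness was accounts without a local password.
        if not user.get("HasPassword", False):
            problems.append("no local password" + (" on an ADMIN account" if admin else ""))
        # chjohans' split: a dedicated admin that is hidden, LAN-only and not Connect-linked.
        if admin and policy.get("EnableRemoteAccess", False):
            problems.append("admin account reachable remotely")
        if admin and user.get("ConnectUserName"):
            problems.append("admin account linked to Emby Connect")
        if admin and not policy.get("IsHidden", False):
            problems.append("admin account shown on login screens")
        # The everyday account should not be able to delete media.
        if not admin and policy.get("EnableContentDeletion", False):
            problems.append("everyday account may delete media")
        if problems:
            report[user["Name"]] = problems
    return report


if __name__ == "__main__":
    for name, problems in audit_users(SAMPLE_USERS_JSON).items():
        print(name, "->", "; ".join(problems))
```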
