Best Practice for a Secure Emby Installation


jon_

In the light of some recent compromises, I think it's about time for a best practice thread on how to keep your installation secure... Hopefully this will get some useful tips and tricks added and some open discussion :) As I get more time I'll add links to relevant how-to threads on the forums...

 

Most of this is only relevant if you have your Emby server open to the Internet. If you don't allow remote access, and have disabled the option to automatically open up firewall ports via UPnP (Enable Automatic Port Mapping), you should be reasonably safe.

 

Some Hints on Best Practice:

 

1) Make sure any users you create who have remote access enabled have a password assigned. If they don't have a password, anyone who finds your Emby server can jump right in.

2) Use good passwords for these users. By good, they should be of reasonable complexity (e.g. not 'password') and not reused from or similar to any other sites (bad guys download password dumps from other compromised sites and look for reused logins).

3) Hide users on the login page. Newer Emby betas have the ability to not show a list of users for remote connections. If the bad guy can see a username, they have half of the things they need in order to log in (username and password). For older versions, you have to disable the login screen for both local and remote connections.

4) Use an HTTPS secured connection. Emby has the option to use an HTTPS secured session for remote connections, either natively or using a reverse proxy. Enabling this stops people sniffing your traffic, which may potentially include your login details.

5) Implement fail2ban. On Linux systems, there's a third-party app called 'fail2ban' which can monitor for multiple failed logins and then stop that IP address from making any more connection attempts. Similar options may be available for Windows ('wail2ban') or other platforms.

6) Don't run remote access on standard ports. Most online vulnerability scanners and/or hacking scripts look for services on standard ports (80, 443, 8096 etc.). In general, you can pick any port you like for the remote access port, anything between 1024 and 65535. If you pick a random port it makes it a lot less likely that you will show up on sites like Shodan, which are one of the ways bad guys look for systems to attack.

7) Split remote access for admin and non-admin users. It's also a good idea to have an account which is just used for performing admin on the server, and which isn't allowed to connect remotely. Any users who view content remotely don't have admin rights, so should the worst happen, they can't do anything too bad.

8) Consider not allowing users to delete content. As an addition to point 7), consider not allowing users to delete content. While it's convenient, is it really needed vs. manually deleting content? If a user can't delete anything, should the worst happen, a bad guy can't delete anything either. You can also supplement this with OS file system permissions: if the Emby user account can't delete anything, then it's impossible for a totally compromised system to delete anything either.

9) Keep Emby up to date. It's always good practice to keep both your application and your OS up to date, in case there are any bugs or vulnerabilities that get fixed.

 

Anything else anyone can think of? :)

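The fail2ban point in jon_'s list above, as an added example that is not from the post and not fail2ban's own code: a small Python model of what fail2ban's maxretry / findtime / bantime settings do to a stream of failed logins. The log format, usernames and addresses are constructed for the demonstration; a real jail needs a filter that matches Emby's actual log lines (the custom-filter thread linked later in this discussion covers that), and the point here is the sliding-window counting, which also shows why an attacker who spaces attempts out beyond findtime never trips the ban.

```python
"""Added example (not from the forum post, and not fail2ban's own code): a small
model of how fail2ban's maxretry / findtime / bantime settings turn a stream of
failed logins into bans. The log lines below are CONSTRUCTED for the demo; a real
fail2ban filter must match Emby's actual log format, which is not shown here."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (made-up format, usernames and documentation-range IPs).
# 203.0.113.9 fails six times in thirty seconds; 198.51.100.4 fails five times
# spread twenty minutes apart, plus one successful login that must not count.
SAMPLE_LOG = """\
2023-05-01 10:00:01 AuthenticationFailed user=bob ip=203.0.113.9
2023-05-01 10:00:03 AuthenticationFailed user=alice ip=203.0.113.9
2023-05-01 10:00:05 AuthenticationSucceeded user=carol ip=198.51.100.4
2023-05-01 10:00:07 AuthenticationFailed user=admin ip=203.0.113.9
2023-05-01 10:00:09 AuthenticationFailed user=admin ip=203.0.113.9
2023-05-01 10:00:09 AuthenticationFailed user=admin ip=203.0.113.9
2023-05-01 10:00:30 AuthenticationFailed user=admin ip=203.0.113.9
2023-05-01 10:20:00 AuthenticationFailed user=bob ip=198.51.100.4
2023-05-01 10:40:00 AuthenticationFailed user=bob ip=198.51.100.4
2023-05-01 11:00:00 AuthenticationFailed user=bob ip=198.51.100.4
2023-05-01 11:20:00 AuthenticationFailed user=bob ip=198.51.100.4
2023-05-01 11:40:00 AuthenticationFailed user=bob ip=198.51.100.4
"""

# Only failed logins count; the AuthenticationSucceeded line is deliberately not matched.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) AuthenticationFailed user=\S+ ip=(?P<ip>\S+)$"
)


def parse_failures(log_text):
    """Yield (epoch_seconds, ip) for every failed-login line, in file order."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            yield ts.timestamp(), m["ip"]


def find_bans(log_text, maxretry=5, findtime=600, bantime=3600):
    """Return {ip: ban_expiry_epoch} for every IP that reaches maxretry failures
    inside any findtime-second window. While a ban is active, further failures
    from that IP are ignored, as they would already be dropped at the firewall."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}                     # ip -> epoch seconds at which the ban lifts
    for ts, ip in parse_failures(log_text):
        if ts < bans.get(ip, 0):
            continue              # banned at this moment; the packet never reached the app
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:   # slide the window forward, dropping old failures
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts + bantime
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} until {datetime.fromtimestamp(until, timezone.utc):%H:%M:%S}")
```

With the defaults, only 203.0.113.9 is banned (five failures inside eight seconds), while 198.51.100.4 never has more than one failure inside any ten-minute window and so is never touched; the same five failures do get it banned once findtime is raised to two hours. In a fail2ban jail these three knobs are literally `maxretry = 5`, `findtime = 600` and `bantime = 3600`. The slow attacker is the caveat: rate limiting complements strong passwords and hidden usernames, it does not replace them.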

RG9400

Yeah, this is very helpful. I've been trying to figure out the best way to manage the security.

 

Do you have a reference filter for fail2ban that will work with Emby by the way? I really like this option, and since I decided to turn off my server-based auth using reverse proxy and just use Emby's authentication, I'd like to use fail2ban in conjunction with it. 

 

EDIT: Nevermind, I found one at https://emby.media/community/index.php?/topic/31362-fail2ban-custom-emby-filter/


Tur0k

(quoting jon_'s original post above in full)

This is a really good list. I do all of these and I have been safe for a good long while.

 

Here, I augment my security by leveraging the following.

1. Public domain (ex: mydomain.com)

2. SSL certificates through a Let's Encrypt ACME client.

3. A reverse proxy stood up in front of my Emby server. I offload SSL encryption to the reverse proxy.

4. NGF with reverse proxy and IP/DNS blocking.

 

I have systems in place to monitor bad browsing behaviour and add them to a blacklist on my firewall. This also applies to port scanners.

 

I have software on my firewall that also blocks known malicious sources on the public Internet based on publicly maintained lists. I deny inbound and outbound traffic with those blacklists.

 


Deathsquirrel

Step 0-keep your server private to begin with.  Don't expose it to the internet at all.  Don't invite your friends and family to use it.  Instead offer to help them setup their own.

 

--Luddite out...


Tur0k

Step 0-keep your server private to begin with. Don't expose it to the internet at all. Don't invite your friends and family to use it. Instead offer to help them setup their own.

 

--Luddite out...

I agree the first question should be, do I really need this to be publicly accessible on the big I?

 

Granted outside of that there are other risks as they relate to the home network at large and how to stay safe.

 

 


darkassassin07

I have my Emby server behind an nginx reverse proxy which manages several services, all on their own subdomains (service.mydomain.com), with the base domain itself leading to a blank HTML page with basic auth enabled (i.e. a 401 to pretty much every request). If you don't connect using a subdomain that matches one of the services, you get served the blank HTML.

 

It's been up for at least 9 months now, and while I see random requests from random IPs every single day to the base domain or its bare IP, since putting my services on subdomains I haven't seen a single request to the services themselves where I don't recognize the client IP.

 

 

A case of can't find it, can't hack it.

 

Though I have to say it's amusing to watch login attempts flood in now and again against the basic auth on the blank HTML page. The username and password for it aren't used anywhere else, and even if they do manage to break into that particular login it will finally serve them nothing but an empty HTML file.

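The layout darkassassin07 describes (a catch-all that answers the bare domain and raw IP with a 401 and, after a successful basic-auth login, only an empty page, while each service lives on its own subdomain), combined with the HTTPS-via-reverse-proxy point from jon_'s list, written out as an added nginx configuration. This is not darkassassin07's own config. Assumptions made for the example: Emby listens on 127.0.0.1:8096 (the default port named in the thread), the Let's Encrypt certificate at the path shown covers both mydomain.com and emby.mydomain.com, the empty page lives in /var/www/empty/index.html, and /etc/nginx/.htpasswd was created with `htpasswd`.

```nginx
# Added example, not from the forum post. Assumed: Emby on 127.0.0.1:8096,
# a certificate covering mydomain.com and emby.mydomain.com, an empty
# /var/www/empty/index.html, and an htpasswd file whose login is used nowhere else.

# Plain HTTP is never served; everything is bounced to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
}

# Catch-all for the bare domain, the raw IP, and any Host header that matches
# no service: demand basic auth, and even a correct login only gets a blank page.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    auth_basic           "restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        root  /var/www/empty;   # directory holds only a blank index.html
        index index.html;
    }
}

# The real service, reachable only by its exact subdomain.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name emby.mydomain.com;

    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;

        # Pass websocket upgrades through so clients that open one keep working.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Preserve the original host and client address for the backend's logs.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two things to check after deploying this. First, hit the raw IP and the bare domain over HTTPS and confirm you get a 401 and then a blank page, and hit an unknown subdomain to confirm it lands on the catch-all rather than on Emby. Second, once TLS is terminated at the proxy, the backend sees every connection as coming from 127.0.0.1; if fail2ban is meant to read Emby's log, verify which client address Emby actually records behind the proxy (or point the jail at nginx's access log instead), because a ban on 127.0.0.1 locks everyone out rather than the attacker.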

revengineer

Unless you have to worry about bad actors on your LAN, I would agree with @ and argue that the best practice is to

 

1) Use VPN connection into your LAN

2) ignore the rest of the security advice offered in the OP. 


Unless you have to worry about bad actors on your LAN, I would agree with @ and argue that the best practice is to

 

1) Use VPN connection into your LAN

 

 

....which is beyond the skill level of 90% of people who use the internet, and not an option for certain remote clients (FireTV, Chromecast etc) unless you use a remote router that has VPN functionality. 

 

Also, a badly configured/secured VPN is way, way less secure than exposing a single port to the internet. Rather than granting open access to Emby, you are potentially exposing your entire LAN... 

 

The whole point of this thread is a few basic steps that *anyone* can carry out, no matter what their level of security awareness is that will go a long way to securing their emby installation.


Tur0k

VPNs have a place in a network admin’s tool-belt. I use them to remotely connect to my home and work networks to administer them. My problem is that my user base is not that savvy. I prefer a web presence to handle that. At work I use Citrix netscalers (reverse proxy) and at home I use HAPROXY (reverse proxy).

 

It is important to note that a VPN is only as secure as the implementation allows. This security is dependent on key complexity, authentication, algorithms used, and other configuration components. The more you force authentication and re-authentication, the more likely those keys and that authentication are to become compromised. Bad actors have reasonably proven that they can crack VPNs alongside PKI SSL infrastructure.

 

With regard to VPNs It is also important to note what and where you are encrypting a connection between two points.

 

VPN private browsing service only secures your connection to the browsing service. It is important that at this point you place a good deal of trust in that service.

 

If you host an Emby service through a VPN private browsing service unencrypted, it will:

1. Encrypt that traffic from your ISP and anyone between your WAN and the VPN private browsing service.

2. Help to obscure your public IP address.

Once the traffic reaches the VPN private browsing service and is accessible to the big I, it is still unencrypted. Authentication is plain text, and no longer externally encrypted in transit, to the big I as soon as the traffic leaves the VPN private browsing service.

 

If you host a private VPN between your Emby server directly to a client system the traffic is externally (VPN) encrypted fully in transit end to end. Other users are correct, this isn’t always supported by end point clients.

 

There are other VPNs like lan to lan. Which allows you to use network equipment on both ends to host the VPN tunnel.

 

Lastly, there are third party services that you can implement or pay for that will host your VPN as a SAAS. This takes a good deal of trust in those organizations or stacks.

 

 

 


pwhodges

2) ignore the rest of the security advice offered in the OP. 

Ignoring security advice is never a good idea, and encouraging others to is doubly bad.


revengineer

Ignoring security advice is never a good idea, and encouraging others to is doubly bad.

The steps in the OP are NOT sufficient for good security unless you completely trust emby security. If you do, then I suggest you search for the "i have been hacked posts", e.g. https://emby.media/community/index.php?/topic/72074-solved-41014-hacked/. This particular issue has been solved but history shows that it is only a matter of time until the next one is discovered.

 

I am aware that in my scenario I still have to trust OpenVPN security, and here I made the judgment that it is better vetted by security than emby.


revengineer

....which is beyond the skill level of 90% of people who use the internet, and not an option for certain remote clients (FireTV, Chromecast etc) unless you use a remote router that has VPN functionality. 

 

Also, a badly configured/secured VPN is way, way less secure than exposing a single port to the internet. Rather than granting open access to Emby, you are potentially exposing your entire LAN... 

I may sound harsh but I believe that people who do not understand network security should not be opening ports into their LAN. I am running pfsense as firewall and I found activating OpenVPN is easy and I would argue no more difficult than installing https certs and fail2ban for emby.


It appears that the reason quite a few people got hacked is because they didn't follow some basic security steps - they had admin accounts that could be logged in remotely with poor/no password. AFAIK there is no 'vulnerability' in emby that's being exploited. 

 

I agree regarding someone that doesn't know what they are doing or has a basic grasp of the fundamentals of network security shouldn't be opening ports up - the whole point of the original post is to do a bit of user education, so hopefully they will understand the issues a little better. 


metsuke

I may sound harsh but I believe that people who do not understand network security should not be opening ports into their LAN. I am running pfsense as firewall and I found activating OpenVPN is easy and I would argue no more difficult than installing https certs and fail2ban for emby.

You're right that activating OpenVPN is not difficult, but it does create an insurmountable barrier for most non-technical users that I come in contact with.


Spaceboy

The steps in the OP are NOT sufficient for good security unless you completely trust emby security. If you do, then I suggest you search for the "i have been hacked posts", e.g. https://emby.media/community/index.php?/topic/72074-solved-41014-hacked/. This particular issue has been solved but history shows that it is only a matter of time until the next one is discovered.

 

I am aware that in my scenario I still have to trust OpenVPN security, and here I made the judgment that it is better vetted by security than emby.

the only vulnerability discovered so far is lack of passwords

neik

You can also hide behind a VPN service. If they can't find it, they can't access it.

Quite interested in the VPN way but I am wondering how it would affect usability for non-tech persons.

 

For me it probably wouldn't be a problem I would figure it out somehow but I have a client outside my network using a FireTV Stick and there the problem begins.

 

Would you mind elaborating a bit on what your setup looks like, please?


Spaceboy

Quite interested in the VPN way but I am wondering how it would affect usability for non-tech persons.

 

For me it probably wouldn't be a problem I would figure it out somehow but I have a client outside my network using a FireTV Stick and there the problem begins.

 

Would you mind elaborating a bit on what your setup looks like, please?

you basically install a vpn server, typically on your router, and then the vpn client on each device you want to connect to the server. From then on your device thinks and behaves as if it is on the lan. Pfsense makes this super easy. Even a novice could manage it

 From then on your device thinks and behaves as if it is on the lan. Pfsense makes this super easy. Even a novice could manage it

 

And herein lies the problem. Anyone you give a VPN login to has access to *everything* on your network, as if they were sat in your house. Not just Emby. They can print to your printer. They can access anything shared via Windows network shares. If they have malware on their machine (backdoors, credential stealers, ransomware etc.) then potentially that'll get access too...

 

If they have a 'dumb' device like a FireTV, then you have to set up a site-to-site connection (i.e. their router connects to your router), so their network is connected to yours. Now everyone on their network can access anything on your network. Maybe they've not put a password on their wifi, or shared it with the neighbours. So now anyone in their neighbourhood can also access all of your stuff. 

 

Do you really want that?

 

Yes, in certain cases a VPN can be more secure. But it can also be way, way way less secure, and badly configuring a VPN is a lot harder than following some basic steps and opening up a single port to the internet...


Spaceboy

And herein lies the problem. Anyone you give a VPN login to has access to *everything* on your network, as if they were sat in your house. Not just Emby. They can print to your printer. They can access anything shared via Windows network shares. If they have malware on their machine (backdoors, credential stealers, ransomware etc.) then potentially that'll get access too...

 

If they have a 'dumb' device like a FireTV, then you have to set up a site-to-site connection (i.e. their router connects to your router), so their network is connected to yours. Now everyone on their network can access anything on your network. Maybe they've not put a password on their wifi, or shared it with the neighbours. So now anyone in their neighbourhood can also access all of your stuff.

 

Do you really want that?

 

Yes, in certain cases a VPN can be more secure. But it can also be way, way way less secure, and badly configuring a VPN is a lot harder than following some basic steps and opening up a single port to the internet...

i wasn’t coming down on either side of the argument, just explaining. Personally I use both methods: nginx rp using cloudflare and a pfsense created vpn. Both work great but I wouldn’t expect my non technical remote users to use a vpn.

i wasn’t coming down on either side of the argument, just explaining. Personally I use both methods: nginx rp using cloudflare and a pfsense created vpn. Both work great but I wouldn’t expect my non technical remote users to use a vpn.

 

It's OK - I get that :) My point is that using a VPN won't solve all of your security issues. It may solve some, but it could create a whole load of more serious ones ;)

 

For purely personal use - where you or your direct trusted family members want to access content as if they were at home on a device that can run a VPN client, it's a good option. But you will still need to follow a whole load of best practice to make sure it's secure. 


And herein lies the problem. Anyone you you give a VPN login to has access to *everything* on your network, as if they were sat in your house. Not just Emby. They can print to your printer. They can access anything shared via windows network shares. If they have malware on their machine (backdoors, credential stealers, ransomware etc) then potentially that'll get access too...

 

This is only true if you want it to be. VPN connections are subject to restrictions set by the firewall, so it's up to you what they have access to. But I disagree with anyone who says it's simple enough for a beginner. Maybe a "novice" with some pfsense experience can figure out openvpn, but telling people who can barely set a decent password to set up a VPN server "because it's easy" is kind of sadistic.

 

What I've learned in switching from @! to Emby is that securing Emby is not really for beginners. If you want easy security, you have to stick with that other software which I shall not name here. I like Emby better than that other thing because it gives me more control, but to exercise that control, I have to employ my extremely moderate (not beginner) skills.

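The firewall restriction the post above relies on (a VPN user only reaches what the firewall lets them reach), as an added example that is not from the post: an nftables ruleset for a Linux router that lets remote VPN clients start connections to the Emby port and nothing else, which is the least-privilege answer to the "they can print to your printer and read your shares" objection earlier in the thread. Every concrete value is assumed for the illustration: the tunnel interface is wg0 and hands out 10.8.0.0/24, the LAN is 192.168.1.0/24, the Emby server is 192.168.1.20 on TCP 8096 (the default port named in the thread). On pfSense, which several posts mention, the equivalent is a single pass rule for that destination and port on the OpenVPN interface tab, with the interface's implicit default deny doing the rest.

```nft
#!/usr/sbin/nft -f
# Added example, not from the forum post. Assumed values: VPN tunnel interface
# wg0 serving 10.8.0.0/24, LAN 192.168.1.0/24, Emby server 192.168.1.20 on
# TCP 8096. Load with: nft -f vpn_guard.nft
table inet vpn_guard {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Packets belonging to flows the rule below already permitted.
        iifname "wg0" ct state established,related accept

        # The only thing a remote VPN user may initiate: a connection to Emby.
        iifname "wg0" ip saddr 10.8.0.0/24 ip daddr 192.168.1.20 tcp dport 8096 ct state new accept

        # Everything else leaving the tunnel (SMB shares, printers, router admin
        # pages, other LAN hosts, the internet via your line) is logged and dropped.
        iifname "wg0" counter log prefix "vpn-denied: " drop
    }
}
```

Only the forward path out of the tunnel is constrained here; LAN-to-tunnel traffic is left alone, and anything the router itself offers to VPN clients (a DNS resolver pushed by the tunnel, its own admin UI) needs a matching rule in an input chain, otherwise it is reachable by default. After loading the ruleset, connect as a VPN client and confirm that Emby answers while a ping or SMB connection to any other LAN address fails and shows up as a `vpn-denied:` entry in the kernel log; if the allow rule's counter never increments, the addresses or interface name in the assumptions do not match your network.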

Spaceboy

This is only true if you want it to be. VPN connections are subject to restrictions set by the firewall, so it's up to you what they have access to. But I disagree with anyone who says it's simple enough for a beginner. Maybe a "novice" with some pfsense experience can figure out openvpn, but telling people who can barely set a decent password to set up a VPN server "because it's easy" is kind of sadistic.

 

What I've learned in switching from @! to Emby is that securing Emby is not really for beginners. If you want easy security, you have to stick with that other software which I shall not name here. I like Emby better than that other thing because it gives me more control, but to exercise that control, I have to employ my extremely moderate (not beginner) skills.

Just follow along https://youtu.be/7rQ-Tgt3L18

 

It’s what I did. I’m not an IT professional in any way


This is only true if you want it to be. VPN connections are subject to restrictions set by the firewall, so it's up to you what they have access to. But I disagree with anyone who says it's simple enough for a beginner. Maybe a "novice" with some pfsense experience can figure out openvpn, but telling people who can barely set a decent password to set up a VPN server "because it's easy" is kind of sadistic.

 

That's my point, and you explained it very well - if you can't cope with taking some basic security precautions, you are likely not going to be able to build out a firewall policy that locks down VPN users to only access specific services on your network, what's more likely is that you create more holes than you started with

 

I think the recent incidents have been a bit of a wake up call to the emby team, and they are improving the out of the box security settings, which can only be a good thing. 
