
Best Practice for a Secure Emby Installation


jon_


reneboulard

Security is most important when a system is exposed to the internet.

 

Ease of use is also a concern. My user base (children and grandchildren) are not very aware of security risks, nor are they technical wizards.

It took me a while to convince them not to use the same password on multiple platforms and to adopt a password management tool.

 

My server is exposed to the internet, so I set it up according to the recommendations. I feel confident that it is secure enough.

 

But, for added security and ease of use, two-factor or multi-factor authentication would be an additional security layer for a server exposed to the internet. An e-mail or a text message could be sent with a PIN code to complete the login procedure.

 

The multi-factor authentication could be required in certain circumstances, like when logging in from the internet for the first time with a new client or when logging in with an admin account.

 

Hope this helps.

Guest asrequested

Quite interested in the VPN way but I am wondering how it would affect usability for non-tech persons.

For me it probably wouldn't be a problem I would figure it out somehow but I have a client outside my network using a FireTV Stick and there the problem begins.

Would you mind elaborating a bit on how your setup looks, please?

What I actually said is use a VPN service, not make your own VPN. While it doesn't encrypt end to end, what it does do is remove anything identifiable. So if your server is searched for, it won't be found. As tur0k described earlier, once past the VPN server, everything is decrypted but is completely anonymized. In my case, my defensive security is handled by a double gateway/firewall. If you're still interested in using a VPN service, you'll need one that supports port forwarding. I use Torguard. I created a guide for it.

 

https://emby.media/community/index.php?/topic/55137-how-to-run-emby-behind-torguard-vpn


What I actually said is use a VPN service, not make your own VPN. While it doesn't encrypt end to end, what it does do is remove anything identifiable. So if your server is searched for, it won't be found.

 

If I do a port scan of Torguard's IP space, I'll still find your emby server listening though. I won't be able to tell where it really is in the world like I could if you weren't using a VPN service, but if a remote client can connect to it over the internet, then a port scan can find it... 

 

Unless you also have to run the Torguard client on anything that you want to connect with as well, but it's not clear from your howto... 


Guest asrequested

If I do a port scan of Torguard's IP space, I'll still find your emby server listening though. I won't be able to tell where it really is in the world like I could if you weren't using a VPN service, but if a remote client can connect to it over the internet, then a port scan can find it...

 

Unless you also have to run the Torguard client on anything that you want to connect with as well, but it's not clear from your howto...

You don't need to run a TG client on the player device.

 

The guide is specific to using their client on a single machine. I now have an interface on pfsense, with a USG behind it. I've got firewall rules set up and Snort on pfsense. It blocks a lot of stuff. If I ever see someone get through, I'd consider using cloudflare, not sure how well that would work with TG, but I haven't got that far, yet.

 

I'm not saying that TG prevents hacking, but it does create an obstacle, while stopping my ISP snooping on me.

BAlGaInTl

Just follow along https://youtu.be/7rQ-Tgt3L18

 

It’s what I did. I’m not an IT professional in any way

Maybe not an IT professional, but still on a completely different level compared to your average user. Anybody that runs pfSense is automatically vaulted into a different tech category. :)

 

I'm taking a hard look at security due to the recent security incidents. I'm not ready (or skilled enough) to start giving my family users access to my server by VPN. Suddenly, not only are their Emby requests coming to me... but then I'm also filtering all of their Netflix binges, Amazon shopping, porn searches, etc. :D Not to mention the fact that it's hard enough to simply support them installing Emby, much less getting them to also install some sort of VPN client and teach them how to use it. No thanks.

 

I played around with one of my unused domains this weekend and managed to successfully set up a server that basically does the following:

 

Cloudflare -> Router -> unRaid Nginx Docker -> unRaid Emby Docker

 

It was a lot of trial and error, but I think I'll be moving my server over to it permanently. Some bonuses already in addition to the increased security...

 

-unRaid has a good support community (I may be moving from OMV) with excellent Docker support

-Cloudflare hides my actual IP address

-Cloudflare eliminates the need to maintain LetsEncrypt certificate and conversion to PFX for Emby

-Nginx bounces anything that isn't recognized as a subdomain

-users no longer have to remember a "cryptic" port for access from a browser; it's just https://my.domain.com

 

Other than converting the certificate and private key from Cloudflare to a PFX for Emby, this was all done using some sort of GUI in Cloudflare or unRaid.


rbjtech

My view is the thread needs to be split into two sections - 1) what is the best practice on how to setup Emby - within Emby and 2) what additional (but optional) security can be applied.

 

99% of Emby users are not going to go anywhere near VPNs, SSL certs, etc. - they are going to click 'setup.exe' and expect it to work securely, which is not unreasonable.

 

For a new install, at least some form of password is now being enforced - but for existing users, I feel some form of basic security checklist 'wizard' needs to be re-run on the next upgrade to warn users that they are 'open' to remote connections - I suspect a lot of people will not even be aware of this. Let's get the basics right, such as ensuring your Admin account is as secure as it needs to be.

 

Moving onto the 'additional' security - these are all great things to do - but they really have nothing to do with Emby and are 'cyber' best practices as opposed to 'Emby' best practices. Combine the two by all means, but let's not try to confuse or influence people by saying it's 'best practice' to install a reverse proxy or VPN ...

Edited by rbjtech

Just follow along

 

It’s what I did. I’m not an IT professional in any way

 

I don't know if that's the best guide. I'm only barely moderately knowledgeable about such things, but I do believe SHA1 is known to be insecure. He doesn't address that as far as I saw, and he seems to gloss over quite a bit. And that's the problem here - it's possible to have a working yet insecure VPN. Securing it (externally and internally) is where the moderate skills come in. Yes there are guides but if I were just starting out, I would run far away from Emby if I thought this is what I'd have to deal with to be secure.

 

The problem is that the barriers to running an Emby server are these:

 

1. You have to know how to turn on a computer. (Unless it's already on, I guess)

2. You have to know how to download and run a setup file.

 

*While the barriers to successfully deploying a secure pfSense + OpenVPN server from scratch are considerably higher.

BAlGaInTl

My view is the thread needs to be split into two sections - 1) what is the best practice on how to setup Emby - within Emby and 2) what additional (but optional) security can be applied.

 

99% of Emby users are not going to go anywhere near VPNs, SSL certs, etc. - they are going to click 'setup.exe' and expect it to work securely, which is not unreasonable.

 

For a new install, at least some form of password is now being enforced - but for existing users, I feel some form of basic security checklist 'wizard' needs to be re-run on the next upgrade to warn users that they are 'open' to remote connections - I suspect a lot of people will not even be aware of this. Let's get the basics right, such as ensuring your Admin account is as secure as it needs to be.

 

Moving onto the 'additional' security - these are all great things to do - but they really have nothing to do with Emby and are 'cyber' best practices as opposed to 'Emby' best practices. Combine the two by all means, but let's not try to confuse or influence people by saying it's 'best practice' to install a reverse proxy or VPN ...

Agreed.

 

It seems that the devs are on the right path to increase security out of the box.

 

I would also like to see a minimum password strength requirement. That way, users won't set up their accounts with, "the same combination I have on my luggage."


darkassassin07

for added security and ease of use, two-factor or multi-factor authentication would be an additional security layer for a server exposed to the internet. An e-mail or a text message could be sent with a PIN code to complete the login procedure.

 

The multi-factor authentication could be required in certain circumstances, like when logging in from the internet for the first time with a new client or when logging in with an admin account.

 

 

It would be really interesting to see a two-factor authentication option with emby:

Have each user register an email, then whenever they try to log in with a new client, send a PIN to that email.

Spaceboy

Maybe not an IT professional, but still on a completely different level compared to your average user. Anybody that runs pfSense is automatically vaulted into a different tech category. :)

 

I'm taking a hard look at security due to the recent security incidents. I'm not ready (or skilled enough) to start giving my family users access to my server by VPN. Suddenly, not only are their Emby requests coming to me... but then I'm also filtering all of their Netflix binges, Amazon shopping, porn searches, etc. :D Not to mention the fact that it's hard enough to simply support them installing Emby, much less getting them to also install some sort of VPN client and teach them how to use it. No thanks.

 

I played around with one of my unused domains this weekend and managed to successfully set up a server that basically does the following:

 

Cloudflare -> Router -> unRaid Nginx Docker -> unRaid Emby Docker

 

It was a lot of trial and error, but I think I'll be moving my server over to it permanently. Some bonuses already in addition to the increased security...

 

-unRaid has a good support community (I may be moving from OMV) with excellent Docker support

-Cloudflare hides my actual IP address

-Cloudflare eliminates the need to maintain LetsEncrypt certificate and conversion to PFX for Emby

-Nginx bounces anything that isn't recognized as a subdomain

-users no longer have to remember a "cryptic" port for access from a browser; it's just https://my.domain.com

 

Other than converting the certificate and private key from Cloudflare to a PFX for Emby, this was all done using some sort of GUI in Cloudflare or unRaid.

That's demonstrably untrue. I am less than an average user. The question is, can you follow instructions by rote?

Spaceboy

I don't know if that's the best guide. I'm only barely moderately knowledgeable about such things, but I do believe SHA1 is known to be insecure. He doesn't address that as far as I saw, and he seems to gloss over quite a bit. And that's the problem here - it's possible to have a working yet insecure VPN. Securing it (externally and internally) is where the moderate skills come in. Yes there are guides but if I were just starting out, I would run far away from Emby if I thought this is what I'd have to deal with to be secure.

 

The problem is that the barriers to running an Emby server are these:

 

1. You have to know how to turn on a computer. (Unless it's already on, I guess)

2. You have to know how to download and run a setup file.

 

*While the barriers to successfully deploying a secure pfSense + OpenVPN server from scratch are considerably higher.

Well, rather than criticising, why don't you provide an alternative?

BAlGaInTl

That's demonstrably untrue. I am less than an average user. The question is, can you follow instructions by rote?

Agree to disagree then. :)

 

Average users have never heard of pfSense. They use routers rented to them by their ISP, or at best buy their own commercial one.

Well, rather than criticising, why don't you provide an alternative?

 

Because then I'd be pretending to be an expert. I'm not saying you're going to be hacked after following that guide. Having any kind of security is far better than none. All I'm saying is don't use SHA1, just to be on the safe side, based on the barely moderate amount of knowledge I have on the subject.

 

That's all I know (not really worth a whole new guide).


Guest asrequested

I think the majority of people have a very basic setup. Adding heavy security doesn't really make sense. If someone gains access to your Emby server, just unplug the internet, add the IP to the blacklist, change your password, remove any unwanted accounts and plug the internet back in. It's not like we're dealing with government secrets. For most people, nothing will ever happen. Of course, if you have more network stuff going on and additional ports open etc. then look at taking more security measures. I mean, if a hacker really wants to gain access to your network, I'm sure they'll find a way. But most of us don't have very much they'll spend the time to go after. Simple exploits may get tested with scripts, but if you have decent passwords, you likely will be just fine. A reverse proxy just for Emby is a little OTT. A basic domain with SSL, sure.

Edited by Doofus

anujpuri85

Sorry, I have a couple of noob questions here, and have very basic techie knowledge, so please bear that in mind. Also, let me know if this is not the right place to post these questions.

 

My current setup consists of a Windows machine that has several services running (Emby, Radarr, etc.). I also have a domain purchased and have several subdomains set up (emby.domain.com, radarr.domain.com, etc.). I have an nginx config set up to route me to the appropriate service based on that subdomain, sending requests to the internal/localhost IP with the appropriate service's port. I also tie in SSL certificates through nginx.

 

If I want to make my traffic/visibility safer from prying eyes and make my traffic anonymous, what's the best way to do that? What I do not want is to have to give VPN software to users just so they can access the services. I just want them to be able to go to the subdomain in a browser and be directed to the service's login page. Any thoughts?

 

I tried setting up a VPN with Torguard, but they don't allow forwarding port 443. So any time I have the VPN turned on, those subdomains do not work. And yes, I updated the DNS settings for my domain to point to the VPN IP, and those subdomains/domain still do not work. Anyone know how to get this working, or any other solution? Or is keeping just nginx running like I have the best solution?

 

Also, what is Cloudflare exactly, and how/can that help in this scenario?

darkassassin07

Cloudflare is effectively a reverse proxy + firewall in front of your servers.
When a client requests your IP from Cloudflare's DNS servers, they are given a Cloudflare server IP to connect to. Cloudflare will then decide, based on an IP threat database as well as rules you define (such as allowing access from certain countries only, for example), whether or not they will connect that client to your backend servers. They can also do things like provide a captcha to connections that appear to be robotic, and even provide a little bit of caching so static files can be served directly from Cloudflare instead of having to request them from the backend every time.

You have to use Cloudflare as your DNS service to make this work, but they allow you to turn the reverse proxy side of it on/off per subdomain.


The only problem I have with the service is the free account they provide doesn't have the option to pass the real client IP to your servers. This means it's not possible to set up something like fail2ban unless you pay for the enterprise-level package. If you do, you just end up banning all the Cloudflare servers and then no one can access your services.

The above was based on the 'true-client-ip header' setting in Cloudflare's dashboard. Turns out they do send the client's IP via the X-Forwarded-For header.

Edited by darkassassin07

anujpuri85

Interesting, so Cloudflare would allow me to continue using nginx and the subdomains I have set up? Do you have a quick summary of how I would set it up? And would I then remove the SSL certs from my nginx?

darkassassin07

Yeah, your server continues to run as-is.

 

Getting set up was pretty easy.

 

Once you have a Cloudflare account, you change the settings in your domain registrar to use the servers Cloudflare provides as DNS servers. During that process you can also have Cloudflare read your existing DNS records and duplicate them, or you can manually set up your DNS records yourself from the dashboard.

 

Cloudflare manages the SSL cert on the front line more or less on its own, and actually shares it with other free accounts unless you have a paid subscription. With that you get the ability to upload your own or just have Cloudflare issue one dedicated to you.

 

As far as the connection between CF and your server goes, you have a couple of options: regular HTTP, but that's not a great plan, or always use HTTPS. If you have CF connect to you with HTTPS, you have the option to change whether or not CF checks if the cert your server provides is valid. I.e. you can use a self-signed cert or an old expired cert, as long as data can be encrypted with it, or you can enforce that it be a valid cert just like the front line (your best option really, valid certs are free).

 

I believe they will also provide a valid cert that you can use for your backend server if you want, plus an API that you can use to automate renewal. Personally I just use Let's Encrypt certs renewed by acme.sh.

 

 

One thing to note: the client IP in your nginx logs by default is the IP address that is directly connecting to you. With Cloudflare's reverse proxy in between you and the actual client, the client IP in your logs will just be the Cloudflare server that passed that connection. That threw me off for far too long :/

You will likely want to change it to include the X-Forwarded-For or CF-Connecting-IP HTTP header(s) if you want to use fail2ban or a log analyzer.

Cloudflare headers

Edited by darkassassin07
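The two points above (fail2ban on raw nginx logs ends up banning Cloudflare's edge servers, and the fix is to key on the CF-Connecting-IP / X-Forwarded-For header) are worth seeing on actual log lines, together with the check that is easy to forget: the forwarded header may only be trusted when the TCP peer really is a Cloudflare edge, because anyone who reaches nginx directly can write whatever they like into that header. The script below is an added example, not code from the thread, from Emby or from Cloudflare. It assumes an nginx `log_format` that appends `cf_ip="$http_cf_connecting_ip"` to the standard combined format, uses a constructed TEST-NET range as a stand-in for Cloudflare's published edge ranges, and uses constructed log lines; the Emby login path in them is the `Users/AuthenticateByName` endpoint as I know it, which you should treat as an assumption about your own logs.

```python
"""Recover the real client IP from nginx access logs behind Cloudflare.

Added example (not from the Emby forum thread, Emby, or Cloudflare).
Assumed nginx log format, which appends the CF-Connecting-IP header to the
standard combined format:

    log_format cf '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" cf_ip="$http_cf_connecting_ip"';
"""
import ipaddress
import re
from collections import Counter

# Constructed placeholder for the Cloudflare edge ranges (TEST-NET-3). In
# production, load the current list Cloudflare publishes instead of this.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# Combined format plus the one extra cf_ip="..." field from the assumed log_format.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) - \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" cf_ip="(?P<cf_ip>[^"]*)"$'
)

# Constructed sample traffic: one real client (198.51.100.7) failing logins through
# two different Cloudflare edges, one success, and one host (192.0.2.99) that
# connects directly and forges the CF-Connecting-IP header.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:12:00:01 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "Emby/4.7" cf_ip="198.51.100.7"',
    '203.0.113.11 - - [10/Oct/2023:12:00:05 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "Emby/4.7" cf_ip="198.51.100.7"',
    '203.0.113.10 - - [10/Oct/2023:12:00:09 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "Emby/4.7" cf_ip="198.51.100.7"',
    '203.0.113.12 - - [10/Oct/2023:12:00:12 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 200 312 "-" "Emby/4.7" cf_ip="198.51.100.42"',
    '192.0.2.99 - - [10/Oct/2023:12:00:20 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "curl/8.0" cf_ip="198.51.100.7"',
    '192.0.2.99 - - [10/Oct/2023:12:00:21 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "curl/8.0" cf_ip=""',
]


def is_trusted_proxy(addr: str) -> bool:
    """True when the direct TCP peer belongs to one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer: str, cf_ip: str) -> str:
    """Use CF-Connecting-IP only when the peer is a trusted edge; otherwise the
    header is attacker-controlled and the peer address is the real client."""
    if cf_ip and is_trusted_proxy(peer):
        try:
            return str(ipaddress.ip_address(cf_ip))
        except ValueError:
            pass  # malformed header value: fall back to the peer
    return peer


def parse_line(line: str):
    """Parse one access-log line into a dict, adding the effective client IP.
    Returns None for lines that do not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["client"] = effective_client_ip(rec["peer"], rec["cf_ip"])
    return rec


def failed_auth_counts(lines, use_header: bool = True) -> Counter:
    """Count 401 responses per source, keyed the way a fail2ban filter would:
    by effective client (use_header=True) or naively by peer address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "401":
            continue
        counts[rec["client"] if use_header else rec["peer"]] += 1
    return counts


def offenders(lines, threshold: int = 2, use_header: bool = True):
    """Addresses that reached the failed-login threshold and would be banned."""
    return sorted(ip for ip, n in failed_auth_counts(lines, use_header).items() if n >= threshold)


if __name__ == "__main__":
    # Keyed on the peer, the naive filter bans a Cloudflare edge (203.0.113.10)
    # and so cuts off every user behind it; keyed on the verified header it bans
    # the real offender and the direct host whose forged header was ignored.
    print("naive (by peer):    ", offenders(SAMPLE_LOG, use_header=False))
    print("verified header:    ", offenders(SAMPLE_LOG, use_header=True))
```

The nginx-side equivalent of `effective_client_ip` is the realip module (`set_real_ip_from` for each Cloudflare range plus `real_ip_header CF-Connecting-IP;`), which rewrites `$remote_addr` before the log line is written; the same trust rule applies there, since `set_real_ip_from` is exactly the list of peers whose header nginx is allowed to believe.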

anujpuri85

Thank you @, this helped a lot!

 

 

 

 

Yeah, your server continues to run as-is.

 

Getting set up was pretty easy.

 

Once you have a Cloudflare account, you change the settings in your domain registrar to use the servers Cloudflare provides as DNS servers. During that process you can also have Cloudflare read your existing DNS records and duplicate them, or you can manually set up your DNS records yourself from the dashboard.

 

Cloudflare manages the SSL cert on the front line more or less on its own, and actually shares it with other free accounts unless you have a paid subscription. With that you get the ability to upload your own or just have Cloudflare issue one dedicated to you.

 

As far as the connection between CF and your server goes, you have a couple of options: regular HTTP, but that's not a great plan, or always use HTTPS. If you have CF connect to you with HTTPS, you have the option to change whether or not CF checks if the cert your server provides is valid. I.e. you can use a self-signed cert or an old expired cert, as long as data can be encrypted with it, or you can enforce that it be a valid cert just like the front line (your best option really, valid certs are free).

 

I believe they will also provide a valid cert that you can use for your backend server if you want, plus an API that you can use to automate renewal. Personally I just use Let's Encrypt certs renewed by acme.sh.

 

 

One thing to note: the client IP in your nginx logs by default is the IP address that is directly connecting to you. With Cloudflare's reverse proxy in between you and the actual client, the client IP in your logs will just be the Cloudflare server that passed that connection. That threw me off for far too long :/

You will likely want to change it to include the X-Forwarded-For or CF-Connecting-IP HTTP header(s) if you want to use fail2ban or a log analyzer.

Cloudflare headers

@darkassassin07: Thanks for clarifying, and I've made adjustments based on your recommendations. I set up Cloudflare last night, and everything seems to be working, but the problem is, sometimes it takes a long time to load the server. Sometimes it'll load quickly, but other times it'll just show a black screen and I'll have to refresh, and then it'll show the spinning wheel; then after about a minute, I refresh and everything loads properly. Are there additional settings I should set to speed things up?

Edited by anujpuri85

Guest asrequested

Thank you @, this helped a lot!

 

 

 

 

 

@darkassassin07: Thanks for clarifying, and I've made adjustments based on your recommendations. I set up Cloudflare last night, and everything seems to be working, but the problem is, sometimes it takes a long time to load the server. Sometimes it'll load quickly, but other times it'll just show a black screen and I'll have to refresh, and then it'll show the spinning wheel; then after about a minute, I refresh and everything loads properly. Are there additional settings I should set to speed things up?

 

This might help:

 

https://emby.media/community/index.php?/topic/72426-question-about-cloudfare/


darkassassin07

Hmm... I haven't noticed this problem myself, aside from an intermittent connection issue a week ago that hasn't come back.

 

A couple of things to check, I guess:

'Automatic HTTPS rewrites' as well as 'Always use HTTPS', to ensure all traffic goes over HTTPS.

'SSL' set to 'Full (strict)' (assuming you have a valid cert on the backend).

 

You could also disable caching in CF and clear your browser's cache, then try again.

 

 

On the DNS page, you can bypass the reverse proxy service on the fly by clicking on the little cloud icon for each domain. Can't hurt to test with it on and off to be sure it's the proxy that's the issue.

anujpuri85

I actually made some adjustments to the cache and it seems to be working well now. Thanks, everyone, for your help!

neik

I am currently using nginx based on a tutorial made available by null_pointer somewhere here in the forum, and am wondering now if adding/using Cloudflare instead would add any security layer.

In addition to nginx, I also have ufw (iptables) block all ports except my Emby (HTTPS) and SSH ports.

 

Things I will add:

 

- fail2ban for SSH and Emby

- Blocking IPs from outside my country

 

Things I would like to add but haven't figured out how:

 

- I have a domain for my Emby server, but if I enter the IP it isn't forwarded/redirected to the domain. Is this even possible? xxx.yyy.zzz.aa:8920 -> domain:8920
