
Question about setting up ports and their security for remote access



boggle247

I have a server running Debian. I also have an instance of Nextcloud running alongside Emby on it. Nextcloud doesn't use port 8096 and 8920, so I'm not worried about conflictions there.

 

  1. Which port(s) do I use for remote access? This wiki shows both of these ports, but I would only need one of them correct? Shouldn't I use the HTTPS port?
  2. Any security precautions that I should take? How do I prevent random people from accessing my emby server through that port? Do I need an emby connect account to make this secure?

 

 


sector327

 

I'm no expert but I'll try to help. (I'm on Fedora fwiw.) 

 

Yes I use the http port but you could have them both enabled. As for random people accessing, you'll set up users and anyone who hits that page/port will get a login screen (where btw, they'll see the names of everyone you set up to have a login. So if anyone is nervous about having their name there, just set them up as "Bob" or whatever fake name.)

edit - how weird. I just tried to log in from outside and it actually ASKED my username and pwd. That's the manual login. It usually shows users (shown as blocks you can choose). hmph...interesting...

And no, I don't believe you need an emby account to make it secure.

Edited by sector327

boggle247


I'll just try to use the HTTPS port and leave the HTTP port closed if possible. It's good practice to not have open ports if you aren't going to use them. 

 

How do you set up new users for external access? Is that done in the same screen for setting up remote access?

Regarding your edit, are you using some other device to log in than you've used in the past? For example, maybe you normally log in on a Roku from outside your home, but are now trying to do it via Android? Or maybe your server version has updated?


sector327


Go to the Emby dashboard and select Users. Set up a new user. If you use DDNS, they can set up a Roku with the domain, their login info and they're in. I use it for my son who is away at college.

And yeah, I just updated the OS last night, tried hitting it from my phone outside the home. It's not a problem. We have the app on our phones logged in already and then the Rokus.

On the https, how do you set it so there's a certificate? I need to just look that whole process up I suppose. I just didn't bother and went w/ just plain http. Worst case I guess is someone grabs the pwd for that emby account and can see stuff. They can't write/delete stuff and if I see an increase in activity from an odd location then I'd kill the acct


boggle247


I see. Yeah I'll set up another DDNS for this service (I have one for nextcloud).

 

I'm not sure about the certificate, I forgot about that. I just assumed that emby would have Let's encrypt integrated into it for that reason. On my nextcloud server, Let's Encrypt is bundled (in NextcloudPi) so I just turn it on and point it at my ddns address. Maybe someone can explain how to do this on emby.


boggle247


I found this for HTTPS certificates: https://github.com/MediaBrowser/Wiki/wiki/Secure-Your-Server but it looks a bit deep and involved. Sounds like I will have to renew this and redo this whole process every so often, I'm not doing that.....


Well renewing is just that, it's not re-doing the entire process each time.


BAlGaInTl

I recently set up my domain with Cloudflare's free service and certificate. I definitely prefer it over Let's Encrypt. It gets rid of the need to renew the certificate.

 

Other good practices

 

Make sure that all remote users have a strong password

 

Hide the user ID on the remote login to force them to use a traditional username to login

 

If possible, don't allow any remote users to be an admin. Keep that account separate, and disable remote access.

 


boggle247


So is that an alternative to using a DNS provider like no-ip as well? would it provide me a free domain name to tie to my IP and ports, and also have a certificate system built into it that updates itself?


BAlGaInTl


You still need a domain through another provider. Then you have to set up something to update your dynamic IP with Cloudflare.

 

In a nutshell I use

 

My own domain.net (through Google Domains)

Cloudflare

DNS-o-Matic

ddclient

 

You will also have to take the certs from Cloudflare to make a certificate file for Emby.

 

I essentially followed this guide:

 

https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby

 

There's a link to the DNS-o-Matic guide by the same author at the end of that.

 

So now, my users just go to something like https://emby.mydomain.com to access the server.


mastrmind11

No, you still have to handle the ddns thing. It's well documented on their website how to set it up. But yeah, for free, cloudflare is the way to go. (You can do a reverse proxy and fail2ban on your http port if it's a must), plenty of tutorials out there to get it set up.
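
As an added example (not part of the original post, and not Emby or fail2ban code): the fail2ban idea mentioned above, written as a sliding-window check over reverse-proxy access logs. The log lines are constructed, in nginx's combined format; the login path, the 401/403 failure statuses and the thresholds are assumptions to adjust for your own setup.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (nginx "combined" format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.44 - - [01/Jan/2024:20:00:00 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "-"
192.0.2.44 - - [01/Jan/2024:20:30:00 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "-"
203.0.113.7 - - [01/Jan/2024:21:04:01 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "-"
203.0.113.7 - - [01/Jan/2024:21:04:09 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "-"
203.0.113.7 - - [01/Jan/2024:21:04:11 +0000] "GET /web/index.html HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [01/Jan/2024:21:04:15 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "-"
198.51.100.23 - - [01/Jan/2024:21:05:00 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "-"
198.51.100.23 - - [01/Jan/2024:21:05:20 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 200 812 "-" "-"
192.0.2.44 - - [01/Jan/2024:21:10:00 +0000] "POST /emby/Users/AuthenticateByName HTTP/1.1" 401 0 "-" "-"
"""

# Assumptions: the path the proxy logs for a sign-in, and which statuses mean "failed".
LOGIN_PATH = "/emby/Users/AuthenticateByName"
FAILURE_STATUSES = {"401", "403"}
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: time of the failure that reached max_retry within find_time}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed logins
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] in offenders:
            continue              # unparseable line, or IP already flagged
        if m["method"] != "POST" or not m["path"].lower().startswith(LOGIN_PATH.lower()):
            continue              # not a sign-in attempt
        if m["status"] not in FAILURE_STATUSES:
            continue              # successful sign-ins are ignored
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # drop failures older than the window
        if len(window) >= max_retry:
            offenders[m["ip"]] = ts
    return offenders
```

The three failures from 192.0.2.44 are spread over more than an hour and the single mistyped password from 198.51.100.23 is followed by a success, so only the burst from 203.0.113.7 is flagged.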


  • 1 month later...
boggle247

@Luke BTW the Emby wiki for setting up https connection suggests using dynu.com; however, they only permit you to redirect http ports, not https. With them, you must use port 443 for https. Which I can't if I wanted to since nextcloud is using that port on my machine.

 

Anyway, maybe you want to consider removing them from the wiki, or state that it will only work with http. just a thought.
