igeoorge, posted October 14, 2019:
Hi friends, I use Cloudflare for external access and noticed the following: Cloudflare reported an attack on the server at the same time as the server had a high memory footprint and crashed. Could someone tell me whether this is possible? Can an attack generate a large memory footprint and bring down the server? If this is possible, how can I solve it?
sfatula, posted October 14, 2019:
In computers, virtually anything is possible, so, yes. The way to mitigate an attack is a skilled admin who can diagnose the cause. So, you will need someone who can have full access to your system to figure it out. There are lots of possibilities: a DDoS attack, more complex attacks.
igeoorge, posted October 14, 2019:
Hi @sfatula, thanks for the reply. I use a MikroTik as the router for the server, and at the time of the attack I do not see HTTP entries; all entries are HTTPS. Does this mean that the attack comes only from the outside network?
sfatula, posted October 14, 2019:
You won't easily be able to provide enough info to determine where it came from. These sorts of things can be highly complex to diagnose. That's why you need someone there with full access to everything to review logs, crash dumps, etc.
igeoorge, posted October 14, 2019:
Got it, friend, thanks for the reply. For the moment, the fastest alternative I took was to buy a better plan on Cloudflare and enable some security features that they provide. Thank God, at the moment it looks like it's back to normal. The attacks usually happen at a set time; it's always around 9 pm, so I'll have to wait until then. Can you tell me whether putting an NGINX server in front of Emby would solve the problem? Thanks again.
Happy2Play, posted October 14, 2019:
The log you posted the Dropbox link for in the other topic shows 342 "Warn HttpServer: AUTH-ERROR: xxx.xxx.xxx.xxx - Invalid username or password entered." attempts in the 15 hours covered by that log.
sfatula, posted October 14, 2019:
So, I have not seen the other thread; I presume it lists an IP address, and one could say that after 15 or some small number of attempts from a given address, block that IP. Though 342 is not very many if 342 is the total number; any server of any size could handle 342 attempts even in a few minutes. There are tools to watch logs and do something based on them. One example of many is Fail2Ban.
Happy2Play, posted October 14, 2019:
> So, I have not seen the other thread; I presume it lists an IP address, and one could say that after 15 or some small number of attempts from a given address, block that IP. Though 342 is not very many if 342 is the total number; any server of any size could handle 342 attempts even in a few minutes. There are tools to watch logs and do something based on them. One example of many is Fail2Ban.

It is almost a gig of txt file over here if you want to take a look. https://emby.media/community/index.php?/topic/78339-server-consuming-a-lot-of-memory/?p=796569
igeoorge, posted October 14, 2019:
> The log you posted the Dropbox link for in the other topic shows 342 "Warn HttpServer: AUTH-ERROR: xxx.xxx.xxx.xxx - Invalid username or password entered." attempts in the 15 hours covered by that log.

Could you explain again? I did not understand.
asrequested (guest), posted October 14, 2019:
Sounds like DoS.
Happy2Play, posted October 14, 2019:
> Could you explain again? I did not understand.

Basically, it shows you have 342 failed login attempts. You would have to parse the log to determine whether they were malicious attempts.
igeoorge, posted October 14, 2019:
Is this all that is wrong in the logs? So 342 login attempts are enough to consume 32 GB of RAM? Friends, sorry for my ignorance; I do not understand much.
sfatula, posted October 14, 2019:
I will look at the log, but you really need an admin if you have that many users. There are lots of tools to figure out exactly what is happening; none of us has access to your server, and it's more guessing than anything useful for the most part. With that many users there is so much that could be going on, and admin skill is needed to properly manage that system and prevent attacks, handle security issues, manage resources, keep up on performance, do capacity planning, handle any routing issues that come up from time to time, manage bandwidth, etc. Attacks can almost always be handled at the server level; typically no additional hardware is needed. In one system I worked on, we handled a worldwide DDoS attack with millions of requests without any additional hardware. I doubt 342 attempts cause your issue. I see hundreds of thousands on servers where that might have an effect. I see now it's Windows NT; I have no Windows experience, so I can't comment much. Edited October 14, 2019 by sfatula.
Happy2Play, posted October 14, 2019:
I have no idea, as I don't really have any external traffic. Occasionally one external connection. Only someone that has over 1000 users would be able to compare experiences.
igeoorge, posted October 14, 2019:
I use Cloudflare for issuing the SSL certificate and would like to have all connections go through Cloudflare. I realize that it is still possible to access the server directly through an IP, and I think this is another vulnerability. Am I right? How do I protect the server and remove IP access to the machine? These are my settings. @pir8radio, can you help me? Edited October 14, 2019 by igeoorge.
igeoorge, posted October 14, 2019:
> I will look at the log, but you really need an admin if you have that many users. There are lots of tools to figure out exactly what is happening; none of us has access to your server, and it's more guessing than anything useful for the most part. With that many users there is so much that could be going on, and admin skill is needed to properly manage that system and prevent attacks, handle security issues, manage resources, keep up on performance, do capacity planning, handle any routing issues that come up from time to time, manage bandwidth, etc. Attacks can almost always be handled at the server level; typically no additional hardware is needed. In one system I worked on, we handled a worldwide DDoS attack with millions of requests without any additional hardware. I doubt 342 attempts cause your issue. I see hundreds of thousands on servers where that might have an effect. I see now it's Windows NT; I have no Windows experience, so I can't comment much.

@sfatula Many thanks for the clarification, friend!
igeoorge, posted October 15, 2019:
Hi friends, having realized that the "memory leak" problem was a DDoS attack, to solve it I added some rules to a Cloudflare filter. I would like to know where this link goes, as it is one of the most accessed by the bot: https://servidor/emby/Sessions/Playing/Progress Many thanks for the help of everyone who participated.
Happy2Play, posted October 15, 2019:
> Hi friends, having realized that the "memory leak" problem was a DDoS attack, to solve it I added some rules to a Cloudflare filter. I would like to know where this link goes, as it is one of the most accessed by the bot: https://servidor/emby/Sessions/Playing/Progress Many thanks for the help of everyone who participated.

From the API and the wiki: POST /Sessions/Playing/Progress reports playback progress within a session. https://github.com/MediaBrowser/Emby/wiki/Playback-Check-ins
Luke, posted October 15, 2019:
> From the API and the wiki: POST /Sessions/Playing/Progress reports playback progress within a session. https://github.com/MediaBrowser/Emby/wiki/Playback-Check-ins

Emby apps will send this every 10 seconds to report playback progress to the server.
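Two of the signals this thread turns up can be checked mechanically from the server log: a burst of "AUTH-ERROR" warnings from one address (what sfatula's Fail2Ban suggestion and Happy2Play's "parse the log" advice are about), and Progress check-ins arriving far faster than the roughly one-per-10-seconds a real Emby app sends. The script below is an added example written for this page; it is not Emby code and not something any poster ran. It assumes a "date time Level Source: message" log layout; the AUTH-ERROR text is the one quoted in the thread, while the "RemoteIp:" suffix on request lines, the sample log, the thresholds and the `netsh` ban action are all constructed for the example and will need adapting to a real log.

```python
# Added example (not Emby code, not any poster's script): a fail2ban-style pass
# over Emby server log lines that trips on repeated AUTH-ERROR warnings from one
# IP and on Progress check-ins far above a real app's ~10-second cadence.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: "YYYY-MM-DD HH:MM:SS.fff Level Source: message" lines. The
# "RemoteIp:" suffix on request lines is constructed for this example.
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+"
AUTH_ERROR_RE = re.compile(
    TS + r"Warn\s+HttpServer:\s+AUTH-ERROR:\s+(?P<ip>[0-9a-fA-F.:]+)\s+-\s+"
    r"Invalid username or password entered\."
)
PROGRESS_RE = re.compile(
    TS + r"Info\s+HttpServer:\s+HTTP POST \S*/Sessions/Playing/Progress\b.*"
    r"RemoteIp:\s+(?P<ip>[0-9a-fA-F.:]+)"
)


def parse_events(lines):
    """Yield (kind, timestamp, ip) for the two signals; ignore every other line."""
    for line in lines:
        for kind, rx in (("auth_error", AUTH_ERROR_RE), ("progress", PROGRESS_RE)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
                yield kind, ts, m.group("ip")
                break


def sliding_window_offenders(events, maxcount, findtime):
    """fail2ban semantics (maxretry/findtime): an IP trips the first time it has
    >= maxcount events inside any findtime-long window. events: (ts, ip) in
    time order per IP. Returns {ip: time_of_trip}."""
    window = defaultdict(deque)
    tripped = {}
    for ts, ip in events:
        if ip in tripped:
            continue
        q = window[ip]
        q.append(ts)
        while ts - q[0] > findtime:      # drop events that fell out of the window
            q.popleft()
        if len(q) >= maxcount:
            tripped[ip] = ts
    return tripped


def analyse(lines):
    """Run both detectors. Thresholds are assumptions to tune per site."""
    auth, prog = [], []
    for kind, ts, ip in parse_events(lines):
        (auth if kind == "auth_error" else prog).append((ts, ip))
    return {
        # 5 bad passwords within 10 minutes from one address: credential guessing.
        "bruteforce": sliding_window_offenders(auth, 5, timedelta(minutes=10)),
        # Apps post Progress about every 10 s per stream; 10 posts inside one
        # 10-second window from a single address is a flood, not a player.
        "progress_flood": sliding_window_offenders(prog, 10, timedelta(seconds=10)),
    }


def netsh_block_rules(tripped, prefix="emby-ban"):
    """Windows counterpart of a fail2ban ban action (the thread's server runs
    Windows): one inbound block rule per tripped address."""
    return [
        f'netsh advfirewall firewall add rule name="{prefix}-{ip}" dir=in action=block remoteip={ip}'
        for ip in sorted(tripped)
    ]


def sample_log():
    """Constructed log excerpt (not a real capture) around the thread's 9 pm."""
    progress = "Info HttpServer: HTTP POST http://servidor/emby/Sessions/Playing/Progress. RemoteIp: "
    auth = "Warn HttpServer: AUTH-ERROR: {} - Invalid username or password entered."
    lines = [
        "2019-10-14 21:00:00.101 " + progress + "198.51.100.3",   # real player, 10 s cadence
        "2019-10-14 21:00:01.000 Info HttpServer: HTTP GET http://servidor/emby/System/Info. RemoteIp: 198.51.100.3",
    ]
    lines += [f"2019-10-14 21:00:0{s}.000 " + auth.format("203.0.113.7") for s in (5, 6, 7, 8)]
    lines += ["2019-10-14 21:00:%d.100 " % s + progress + "198.51.100.3" for s in (10, 20, 30)]
    lines += ["2019-10-14 21:01:30.000 " + auth.format("203.0.113.7"),   # fifth failure: trips
              "2019-10-14 21:02:00.000 " + auth.format("203.0.113.7")]   # already tripped
    lines += [f"2019-10-14 21:02:10.{ms:03d} " + progress + "203.0.113.7" for ms in range(0, 500, 50)]
    # five failures 4 minutes apart: never 5 inside one 10-minute window, so no trip
    lines += [f"2019-10-14 21:{m:02d}:00.000 " + auth.format("2001:db8::1") for m in (10, 14, 18, 22, 26)]
    return lines


if __name__ == "__main__":
    result = analyse(sample_log())
    print(result)
    print("\n".join(netsh_block_rules({**result["bruteforce"], **result["progress_flood"]})))
```

On the constructed log, 203.0.113.7 trips both detectors (five bad passwords by 21:01:30, ten Progress posts inside one second at 21:02:10), the genuine player at 198.51.100.3 never does, and the IPv6 address that spreads five failures over 16 minutes stays under the window, which is the point of `findtime`. On Linux the same regexes go into a Fail2Ban filter and the ban action replaces the `netsh` lines.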
pir8radio, posted October 18, 2019:
> I use Cloudflare for issuing the SSL certificate and would like to have all connections go through Cloudflare. I realize that it is still possible to access the server directly through an IP, and I think this is another vulnerability. Am I right? How do I protect the server and remove IP access to the machine? These are my settings. @pir8radio, can you help me?

Do you use Emby on an internal network at all? If not, the only way to really block direct IP access is to install nginx ahead of Emby AND use Cloudflare. Or add firewall rules to block any inbound connection other than from the Cloudflare IPs, but that can be spoofed easily. Here are my settings, with nginx ahead of my Emby server. Binding to 127.0.0.1 will hide your LAN address from Emby apps (if the WAN and the LAN are the same, as in my case; my server is directly on a major backbone). I set the LAN address to 999.999.999.999 so Emby knows EVERYTHING is external to it. Edited October 18, 2019 by pir8radio.
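The "Cloudflare only" rule pir8radio describes comes down to one decision at the edge in front of Emby: is the TCP peer a Cloudflare address or not? The block below is an added example written for this page, not pir8radio's nginx configuration and not Emby code. It trusts the connection's peer address, never the CF-Connecting-IP header on its own, because a client that reaches the origin IP directly can put anything it likes in that header. The address ranges are constructed stand-ins; in practice the published lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 are loaded and refreshed, and the Emby port 8096 and the `admit` / `nginx_snippet` names are this example's own.

```python
# Added example (not pir8radio's config, not Emby code): enforce "only via
# Cloudflare" on the TCP peer address and render the equivalent nginx directives.
import ipaddress

# Constructed stand-ins for Cloudflare's edge ranges. Assumption: production
# code loads https://www.cloudflare.com/ips-v4 and /ips-v6 and refreshes them.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in
                     ("203.0.113.0/24", "198.51.100.0/25", "2001:db8:cf::/48")]


def via_cloudflare(peer_ip, ranges=CLOUDFLARE_RANGES):
    """True only if the TCP connection itself comes from a Cloudflare edge."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in ranges)


def admit(peer_ip, headers, ranges=CLOUDFLARE_RANGES):
    """Gate one request, returning (accepted, client_ip).
    Direct hits on the origin IP are refused. Only for a proxied request is
    CF-Connecting-IP read, because only then has Cloudflare set it."""
    if not via_cloudflare(peer_ip, ranges):
        return False, peer_ip
    return True, headers.get("CF-Connecting-IP", peer_ip)


def nginx_snippet(ranges=CLOUDFLARE_RANGES, upstream="http://127.0.0.1:8096"):
    """Same rule as nginx directives (geo, realip and proxy modules), fronting an
    Emby bound to 127.0.0.1 as the thread suggests. The geo map keys on
    $realip_remote_addr, the untouched TCP peer: once real_ip_header rewrites
    $remote_addr, a plain allow/deny list would test the proxied client address
    instead and lock everyone out."""
    out = ["geo $realip_remote_addr $from_cloudflare {", "    default 0;"]
    out += [f"    {net} 1;" for net in ranges]
    out += ["}", "server {"]
    out += [f"    set_real_ip_from {net};" for net in ranges]
    out += ["    real_ip_header CF-Connecting-IP;",
            "    if ($from_cloudflare = 0) { return 403; }",
            f"    location / {{ proxy_pass {upstream}; }}",
            "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(admit("203.0.113.9", {"CF-Connecting-IP": "192.0.2.44"}))   # (True, '192.0.2.44')
    print(admit("192.0.2.10", {"CF-Connecting-IP": "203.0.113.9"}))   # (False, '192.0.2.10')
    print(nginx_snippet())
```

The second `admit` call is the case that matters: a direct connection from 192.0.2.10 carrying a forged CF-Connecting-IP is refused and the forged value is never used. The `geo` map on `$realip_remote_addr` is deliberate; `allow`/`deny` placed after `real_ip_header` would be evaluated against the rewritten client address, not the Cloudflare edge that opened the connection.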
igeoorge, posted October 18, 2019:
Thank you, dear. I understand perfectly.