
Server Attack



igeoorge
Hi friends,

 

I use cloudflare for external access and note the following:

 

Cloudflare reported a server attack at the same time as the server has a high memory footprint and crashes.

 

Could someone answer if this is possible?

 

Can an attack generate a large memory footprint and bring down the server?

 

If this is possible, how can I solve it?


sfatula

In computers, virtually anything is possible, so, yes. The way to mitigate an attack is a skilled admin who can diagnose the cause. So, you will need someone who can have full access to your system to figure it out. There are lots of possibilities: a DDoS attack, more complex attacks.


igeoorge
Hi @sfatula, thanks for the reply.

 

I use a Mikrotik as the router for the server, and at the time of the attack I do not see HTTP entries; all entries are HTTPS.

 

Does this mean that the attack is only from the outside network?


sfatula

You won't easily be able to provide enough info to determine where it came from. These sorts of things can be highly complex to diagnose. That's why you need someone there with full access to everything to review logs, crash dumps, etc.


igeoorge
Got it, friend, thanks for the reply.

 

At the moment, the fastest alternative I took was to buy a better plan on cloudflare and implement some security features that they provide.

 

Thank God at the moment it looks like it's normal.

 

The attacks usually have a time, it's always around 9 pm, I'll have to wait until then.

 

Can you tell me whether putting an NGINX server in front of Emby would solve the problem?

 

Thanks again.


Happy2Play

Your log you posted the dropbox link for in the other topic shows 342 "Warn HttpServer: AUTH-ERROR: xxx.xxx.xxx.xxx - Invalid username or password entered." attempts in the 15 hours shown in that log.


sfatula

So, I have not seen the other thread; I presume it lists an IP address, and one could say that after 15 or some small number of attempts from a given address, block that IP. Though 342 is not very many if 342 is the total number; any server of any size could handle 342 attempts even in a few minutes. There are tools to watch logs and do something based on it. One example of many is Fail2Ban.

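As an added example (not code from this thread, from Emby, or from the Fail2Ban project), here is how the AUTH-ERROR warnings Happy2Play counted can be parsed out of the Emby log and scored per source address with the same "N failures within a time window" logic sfatula describes, together with the minimal Fail2Ban filter that expresses the same match. The log lines are constructed for the example and use RFC 5737 documentation addresses; the "YYYY-MM-DD HH:MM:SS.fff" timestamp prefix is an assumption about Emby's log layout, so adjust the regex if your file differs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the warning quoted in the thread. The timestamp prefix is an assumption
# about the Emby log format; only the "Warn HttpServer: AUTH-ERROR: ..." part is quoted verbatim.
AUTH_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+"
    r"Warn HttpServer: AUTH-ERROR: (?P<ip>[0-9a-fA-F.:]+) - Invalid username or password entered\."
)

# Equivalent Fail2Ban filter (filter.d/emby-auth.conf); <HOST> is Fail2Ban's address placeholder.
# The jail's maxretry/findtime settings play the role of the two parameters below.
FAIL2BAN_FILTER = """[Definition]
failregex = ^.*Warn HttpServer: AUTH-ERROR: <HOST> - Invalid username or password entered\\.
ignoreregex =
"""

def parse_auth_errors(lines):
    """Yield (timestamp, source_ip) for every failed-login warning in the log lines."""
    for line in lines:
        m = AUTH_ERROR_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")

def find_offenders(lines, maxretry=5, window_minutes=10):
    """Sliding-window check: an address is flagged the moment it reaches maxretry
    failures inside window_minutes. Returns {ip: timestamp_of_the_triggering_failure}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for ts, ip in sorted(parse_auth_errors(lines)):   # sort: log lines may arrive out of order
        if ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:               # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            flagged[ip] = ts
    return flagged

def summarize(lines):
    """Total failed logins per address, highest first (the '342' view of the log)."""
    counts = defaultdict(int)
    for _, ip in parse_auth_errors(lines):
        counts[ip] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

# Constructed sample log: one unrelated Info line, a burst of five failures from one
# address, a slow trickle from another, and two later retries from the first address.
SAMPLE_LOG = [
    "2019-10-14 21:00:01.123 Info HttpServer: HTTP GET http://servidor/emby/System/Info",
    "2019-10-14 21:00:05.001 Warn HttpServer: AUTH-ERROR: 203.0.113.5 - Invalid username or password entered.",
    "2019-10-14 21:00:06.002 Warn HttpServer: AUTH-ERROR: 203.0.113.5 - Invalid username or password entered.",
    "2019-10-14 21:00:07.003 Warn HttpServer: AUTH-ERROR: 198.51.100.7 - Invalid username or password entered.",
    "2019-10-14 21:00:08.004 Warn HttpServer: AUTH-ERROR: 203.0.113.5 - Invalid username or password entered.",
    "2019-10-14 21:00:09.005 Warn HttpServer: AUTH-ERROR: 203.0.113.5 - Invalid username or password entered.",
    "2019-10-14 21:00:09.900 Warn HttpServer: AUTH-ERROR: 203.0.113.5 - Invalid username or password entered.",
    "2019-10-14 21:30:00.000 Warn HttpServer: AUTH-ERROR: 198.51.100.7 - Invalid username or password entered.",
    "2019-10-14 21:31:00.000 Warn HttpServer: AUTH-ERROR: 203.0.113.5 - Invalid username or password entered.",
    "2019-10-14 21:31:01.000 Warn HttpServer: AUTH-ERROR: 203.0.113.5 - Invalid username or password entered.",
]

if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LOG):
        print(f"{ip:>16}  {n} failed logins")
    for ip, ts in find_offenders(SAMPLE_LOG).items():
        print(f"would ban {ip} at {ts}")
    print(FAIL2BAN_FILTER)
```

Two things worth noting when applying this behind Cloudflare: the address Emby logs is whatever connected to it, so if requests arrive from Cloudflare's proxies the log will show Cloudflare edge addresses, not the attacker, and a ban would cut off the proxy for everyone; the visitor address has to be recovered first (from the CF-Connecting-IP header, e.g. by an nginx layer in front). And, as sfatula says, a few hundred failed logins over 15 hours is not a load problem by itself; the count is a signal to look at, not the explanation for 32 GB of memory.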

Happy2Play

[quoting sfatula's reply above]

It is almost a gig text file over here if you want to take a look.

 

https://emby.media/community/index.php?/topic/78339-server-consuming-a-lot-of-memory/?p=796569


igeoorge

Your log you posted the dropbox link for in the other topic shows 342 "Warn HttpServer: AUTH-ERROR: xxx.xxx.xxx.xxx - Invalid username or password entered." attempts in the 15 hours shown in that log.

 

Could you explain again? I did not understand.


Happy2Play

Could you explain again? I did not understand.

 

Basically showing you have 342 failed login attempts. You would have to parse the log to determine if they were malicious attempts.


igeoorge
Is this all wrong with the logs?

 

So 342 login attempts is enough to consume 32 GB of RAM?

 

Friends, sorry for my ignorance, I do not understand much.


sfatula

I will look at the log, but, you really need an admin if you have that many users. There are lots of tools to figure out exactly what is happening, none of us have access to your server and it's more guessing than anything useful for the most part. With that many users, there is so much that could be going on and admin skill is needed to properly manage that system and prevent attacks, security issues, manage resources, keep up on performance, capacity planning, handling any routing issues that come up from time to time, bandwidth management, etc. Attacks can almost always be handled on the server level, typically no additional hardware is needed. In one system I worked on, we handled a worldwide DDNS attack with millions of requests without any additional hardware.

 

I doubt 342 attempts causes your issue. I see hundreds of thousands on servers where that might have an effect.

 

I see now it's Windows NT, I have no Windows experience so can't comment much.


Happy2Play

I have no idea, as I don't really have any external traffic. Occasionally one external connection. Only someone that has over 1000 users would be able to compare experiences.


igeoorge
I use Cloudflare for issuing the SSL certificate and would like to have all connections go through Cloudflare.

 

I realize that it is still possible to access the server directly through an IP, and I think this is another vulnerability.

 

Am I right?

 

How do I protect the server and remove ip access from the machine?

 


These are my settings. @pir8radio, can you help me?

 

[screenshot: igeoorge's Emby network settings]


igeoorge

[quoting sfatula's reply above]

 

@sfatula Many thanks for the clarification, friend!


igeoorge
Hi friends,

 

Having realized that the "memory leak" problem was a DDoS attack, I added some rules to a Cloudflare filter to solve it.

 

I would like to know where this link goes, as it is one of the most accessed by the bot: https://servidor/emby/Sessions/Playing/Progress

 

Many thanks for the help of everyone who participated.

Happy2Play

[quoting igeoorge above: "I would like to know where this link goes, as it is one of the most accessed by the bot: https://servidor/emby/Sessions/Playing/Progress"]

From the API and the Wiki.

POST /Sessions/Playing/Progress   Reports playback progress within a session
 

https://github.com/MediaBrowser/Emby/wiki/Playback-Check-ins


pir8radio

[quoting igeoorge's question and settings screenshot above]
Do you use Emby on an internal network at all? If not, the only way to really block direct IP access is to install nginx ahead of Emby AND use Cloudflare, or add firewall rules to block any inbound connection other than from the Cloudflare IPs, but that can be spoofed easily.

 

Here are my settings, with nginx ahead of my Emby server. Binding to 127.0.0.1 will hide your LAN address from the Emby apps (if the WAN and the LAN are the same, like in my case; my server is directly on a major backbone). I set the LAN address as 999.999.999.999 so Emby knows EVERYTHING is external to it.

 

[screenshot: pir8radio's Emby network settings with nginx in front]

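As an added example (not code from this thread, from Emby, from nginx or from Cloudflare), here is the "allow only Cloudflare to reach the origin" option pir8radio mentions, worked through: a check of whether a connection table shows anyone reaching the Emby port without going through Cloudflare, the iptables rules that close that path, and the nginx realip directives that let the nginx layer in front of Emby log the real visitor address instead of the Cloudflare edge. The range list is a copy of the IPv4 list Cloudflare publishes at https://www.cloudflare.com/ips-v4; treat it as a snapshot and refresh it (and the IPv6 list) from that URL before generating real rules. The connection records are constructed for the example, and port 8096 is used as Emby's default plain-HTTP port.

```python
import ipaddress

# Snapshot of https://www.cloudflare.com/ips-v4 at the time of writing. Refresh before use:
# Cloudflare adds and retires ranges, and a stale list silently locks legitimate edges out.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
NETWORKS = [ipaddress.ip_network(r) for r in CLOUDFLARE_IPV4]

def is_cloudflare(ip, networks=NETWORKS):
    """True if the address belongs to one of the allow-listed Cloudflare networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def direct_hits(connections, port=443, networks=NETWORKS):
    """Given (source_ip, destination_port) pairs, e.g. exported from the router's
    connection table, return the sources that reached the Emby port without coming
    through Cloudflare. A non-empty result means the origin is reachable by bare IP."""
    return sorted({src for src, dport in connections
                   if dport == port and not is_cloudflare(src, networks)})

def iptables_rules(port=443, ranges=CLOUDFLARE_IPV4):
    """iptables commands: accept the Emby port only from Cloudflare, drop the rest.
    Returned as strings so they can be reviewed (and the list checked) before running."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {r} -j ACCEPT" for r in ranges]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules

def nginx_realip_conf(ranges=CLOUDFLARE_IPV4):
    """ngx_http_realip_module directives: trust CF-Connecting-IP only when the
    connection itself comes from a Cloudflare edge, so logs, Fail2Ban and any
    per-IP limits in nginx see the visitor, not the proxy."""
    lines = [f"set_real_ip_from {r};" for r in ranges]
    lines.append("real_ip_header CF-Connecting-IP;")
    return "\n".join(lines)

# Constructed sample: two connections arriving via Cloudflare edges, one host hitting
# the HTTPS port directly by IP, and the same host probing the plain-HTTP port.
SAMPLE_CONNECTIONS = [
    ("104.16.22.9", 443),    # inside 104.16.0.0/13 (Cloudflare)
    ("172.70.1.50", 443),    # inside 172.64.0.0/13 (Cloudflare)
    ("203.0.113.77", 443),   # direct hit on the origin
    ("203.0.113.77", 8096),  # Emby's default HTTP port; not the port being checked
]

if __name__ == "__main__":
    print("direct hits on 443:", direct_hits(SAMPLE_CONNECTIONS))
    print("\n".join(iptables_rules()))
    print(nginx_realip_conf())
```

A caveat on the "spoofed easily" point: a TCP connection cannot be completed from a forged source address, so the weakness of this allow-list is not spoofing. It is that the ranges belong to Cloudflare, not to your account: anyone can create their own Cloudflare zone pointing at your origin and arrive from exactly these addresses, bypassing the rules you configured in your zone. If that matters, pair the allow-list with something that proves the request came through your zone, such as Cloudflare's Authenticated Origin Pulls (a client certificate nginx can verify) or a secret header checked by nginx before it proxies to Emby. The realip directives above have the same trust boundary: nginx only believes CF-Connecting-IP from the listed networks, which is why the list must be kept current.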
