Jump to content

How do I secure my server?


Recommended Posts

pguillot69

I moved from PLEX,  I have a lifetime sub but didn't like to fact that PLEX moved from being a HOME Media server to a streaming service.

My concern is this.  If we have EMBY looking thru our routers (http: mode) I don't feel safe.  A few months back, PLEX was being used as a DDOS backboard.

Steve Gibson constantly keeps up with the security issues of the day.  I always felt a little safe when you didn't have to log in your server and open ports to a website just to use it at home.

This one thing, that PLEX did has moved me from them.  Here's why...  A while back, thru no fault of my own, the ISP goes down. We were watching a show when it happened.  The server just stopped and I could not get back into the server and I was sitting at the server.  It was pretty sad that we had to watch the end of the show thru VLC on the server because we could not get into PLEX.

A friend suggested EMBY.  I can see that EMBY follows the same line as PLEX did and has stayed as a local server.  THANK YOU

Now that I have moved over everything to EMBY, I am concerned.  I would like to have my server fully secured again.  I was told I needed a Domain Name to get a Certificate to create a SSL.

I went to Godaddy to get my domain name. I got Arkansascajun.com for me.  Godaddy has parked it so now what do I do.  I just want to secure the server and only allow myself access and not a ton of others.  I do like the idea that I can visit my mothers house and get on my server.  The wording of the subscription is precise and I believe it is ok. I only want my server secure and invisible to anyone but me.

As you can tell, I have only basic skills and do not understand anything other than very simple steps.  I use the KISS method Keep IT SIMPLE STUPID.

Thanks

Link to post
Share on other sites
Abobader

Hello pguillot69,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you.

It's recommended to provide more info, as it explain in this thread:

Thank you.

Emby Team

Link to post
Share on other sites
pwhodges
6 minutes ago, pguillot69 said:

I was told I needed a Domain Name to get a Certificate to create a SSL.
[...]
I only want my server secure and invisible to anyone but me.

You cannot really make your server invisible; what you should aim to do is make it so that no one else can get into it - and the key to this is as simple as a really good password

Using https removes the possibility of an external agent sniffing for your password, but honestly the probability of that is low; I consider getting a trojan from email or a website a greater danger for most people - having good antivirus software (and taking care) is the way to deal with that.  And yes, getting a certificate to set up https requires a domain name.

It would be possible to set up a system such that only your mother's computer could connect to yours, but that would be non-trivial.

In summary, really good passwords come first, https second, and additional measures third by a fair way.

Paul

Link to post
Share on other sites
pguillot69
1 hour ago, pwhodges said:

 

It would be possible to set up a system such that only your mother's computer could connect to yours, but that would be non-trivial.

In summary, really good passwords come first, https second, and additional measures third by a fair way.

 

I do understand.  I have a static IP for my wife's work so my IP does not move.  I have a VPN only to her system for that purpose.  All was set by her job.  I won't touch it.

It was suggested by them to have ALL items on the router with a SSL cert.  I don't have the foggiest how to work the Linux moves so I won't mess with it to get  it working..

And I do.  Thanks for the reply.

Link to post
Share on other sites
ebr
14 hours ago, pguillot69 said:

If we have EMBY looking thru our routers (http: mode) I don't feel safe

Hi.  I'm not sure what you really mean there but this:

14 hours ago, pguillot69 said:

A while back, thru no fault of my own, the ISP goes down. We were watching a show when it happened.  The server just stopped and I could not get back into the server

won't happen to you with Emby because you never go "through" us to get to your server.

Does that answer that question?

Link to post
Share on other sites
pguillot69

That is Why I moved from PLEX. You can get into EMBY without even having an internet connection.  Your shows are available but not LIVETV. (Which Now is crap)

Keep up the faith. 

I just believe we should secure our Home Servers just as well as the websites.  If you notice.  Not too many of them are not secure by SSL  I always believe if it is good enough for business.  Then me too.

Of course you can Double FireWall your system with 2 routers like I do but it is better to let  All traffic be watched and not open for attack by Bangers on the internet.

Link to post
Share on other sites
pwhodges
10 minutes ago, pguillot69 said:

Of course you can Double FireWall your system with 2 routers like I do but it is better to let  All traffic be watched and not open for attack by Bangers on the internet.

Why do you think two routers in series (I presume) is any more secure than one?

Paul

Link to post
Share on other sites
pguillot69

I have more ports open on the inner router than the one closest to the internet.  I keep all ports closed  on the outer ring except for a few exceptions.

My system are not set up automatic.  All the outside calls go thru a proxy with subdomains available.  Thus the need for SSL.

I like to be safe.  Even have Remote turned off on EMBY until I KNOW it can't be used to hack into my network.

I have a Full Router from Century Link as the router 1.  I then have a Nighthawk R7000 in First Port. Second and third are NAS (If QNAP doesn't fix the problem, then it is coming down) EDIT: The R7000 also has a NAS set on it internaly.

My Wife's system is set as a DMZ on the CL Router with VPN and SSL locking to her job.  The IP is also Whitelisted. HINT HINT.

All else is routed to the R7000.  From there, I have my EMBY Server connected on a subdomain setting.  With the WIFI ON the R7000 You have access to my system only.  The guests can only see a little of the internet and none of EMBY.  Only my 2nd Wifi can see it with the TV's

I even have a 100 ft cable gong to a WiFi Mesh to my back yard.  I live on 1.5 acres.  I don't want passerbys and Wifi junkies.

 

There has been occasions that I have experimented with certain configurations but I love Hidden Network settings as they keep thing quiet unless you know it.

We have TOO MUCH broadcasting WIFI & Bluetooth signals not to be concerned.

Link to post
Share on other sites
OCDcrazy

Sounds like myself, I used plex for a year and a half and never heard of emby when I bought a lifetime pass to plex that I cant even sell on ebay for $20 now. I now have emby and deleted plex and hopefully got all the files off my computer and I also want to secure the mess I have on my system. So far my computer went from running like a windows 98 machine with 512ram to running like it should with the help of a great person on here Hxemby001, you can follow what is working for me so far if you like 

 

Link to post
Share on other sites
pwhodges
2 hours ago, pguillot69 said:

I have more ports open on the inner router than the one closest to the internet.  I keep all ports closed  on the outer ring except for a few exceptions.

My system are not set up automatic.  All the outside calls go thru a proxy with subdomains available.  Thus the need for SSL.

I like to be safe.  Even have Remote turned off on EMBY until I KNOW it can't be used to hack into my network.

I have a Full Router from Century Link as the router 1.  I then have a Nighthawk R7000 in First Port. Second and third are NAS (If QNAP doesn't fix the problem, then it is coming down) EDIT: The R7000 also has a NAS set on it internaly.

My Wife's system is set as a DMZ on the CL Router with VPN and SSL locking to her job.  The IP is also Whitelisted. HINT HINT.

All else is routed to the R7000.  From there, I have my EMBY Server connected on a subdomain setting.  With the WIFI ON the R7000 You have access to my system only.  The guests can only see a little of the internet and none of EMBY.  Only my 2nd Wifi can see it with the TV's

I even have a 100 ft cable gong to a WiFi Mesh to my back yard.  I live on 1.5 acres.  I don't want passerbys and Wifi junkies.

 

There has been occasions that I have experimented with certain configurations but I love Hidden Network settings as they keep thing quiet unless you know it.

We have TOO MUCH broadcasting WIFI & Bluetooth signals not to be concerned.

It seems that your statement in the first post of this thread: "As you can tell, I have only basic skills and do not understand anything other than very simple steps" was a little misleading! 

Your setup is a lot more segmented than I have bothered with, actually - but I can't see anything you've done which I couldn't set up in my single router (Draytek Vigor 2860ac).

Before I retired I ran the networks, including security, for a university medical research department doing clinical trials.  My experience there showed that there is no way to stop people knocking at the door - it's all about ensuring that your system doesn't respond when it shouldn't.

At least I was never in the position of the person from a different department who had his stuff in the rack next to mine in the server room.  He got a call from GCHQ (UK equivalent of NSA for you in the US) telling him that his Linux server cluster had been compromised - which he hadn't known - and, alarmingly, asking him (well, telling him, actually) to leave it untouched as what the hack was doing was very interesting to them, and they wanted to be able to study it without letting the hackers know that they'd been discovered!  Don't listen to people who tell you that running Windows is a security risk that running Linux avoids - it's not that simple!

Paul

  • Like 1
Link to post
Share on other sites

If used correctly, encrypts the information being sent between systems to prevent MiTM attacks. For instance username and passwords.. and personal information like credit card numbers and the usual. Short of it.

Link to post
Share on other sites
Mister Steve

Is using a VPN server advisable in pguillot69's scenario as opposed to directly exposing an Emby service?  He would need to run the VPN client for access, which adds a layer of protection.  He might also choose to restrict the VPN service to access only his internal Emby service.  I'm in the same boat, where I want to remotely access Emby securely.

Link to post
Share on other sites
pguillot69
11 minutes ago, Mister Steve said:

Is using a VPN server advisable in pguillot69's scenario as opposed to directly exposing an Emby service?  He would need to run the VPN client for access, which adds a layer of protection.  He might also choose to restrict the VPN service to access only his internal Emby service.  I'm in the same boat, where I want to remotely access Emby securely.

That is part of the question also.  My system was set up by a network tech that talked us thru it because of my wife's work.  She (I believe) has a static IP address & a VPN going to her computer.  I can see it on the CL Router as a DMZ (pwhodges), I don't fully understand that so that is why I say basic knowledge. This was thrown in my exsisting system when COVID hit. I can get a VPN for my system but I don't know if that will fix the problem or cause more of a mess.  I was told that a VPN would work but a SSL cert was better. Nobody likes throwing money away for nothing, That is why I would rather give it to you in the form of a donation.

Mister Steve: Thank You for the support..  I been looking into my routers and the paperwork trying to make sense of it.  I'm 65, When I was young, I worked on Unix 1.2 but that was a long time ago.  I have become aware that more and more, we just use any and all WIFI and Bluetooth and Cellular items around our home.  When you watch an episode on twit.tv about security, you start to wonder about it all.  Will your stereo betray you, or your TV, or maybe even your coffee maker.  Hell for a while, I had my printer online with the internet until I got a bunch of garbage sent to it.  Don't know how that happened but hey.  It's off now.

If you did a full survey of all items that connect to the internet in and around your home, you would think too.

For Example:  A few years back, we all know that many systems had a default user/password.  Even if they were told to change it customers don't. The reason they didn't was they had trouble resetting it if the power went down.  Nowadays everyone has the best snooping tool in their hands.  THEIR phone.  Activate the WIFI and you can sniff out SIID all over. Activate your Bluetooth and you can see tons of signals.

Our phones connect to our home network, Our security system, our TV, our Stereo, Google Echo, and a ton of other things I fear to mention.  Watching ads with a guy sitting in his home talking nonstop to Alexis about setting up his coffee and dimming the lights, and locking the doors.  checking to see if you car is still in the driveway.  Getting a GPS fix on your kids.

AND BROTHER THE BIG ONE.  An app on you phone that will show you anyone who might have come in contact with a COVID 19 carrier.  All of these are pinholes into your life and your network.  A crook can use anyone of a hundred ways to get into your system.

The most recent Podcast with Steve was "A Spy in your Pocket"  It is about all of the data being sent to Google and Apple without your permission and what were they doing with it.

Thanks again.

I'm trying the SSL with Cloudflare  article.  I hope to succeed.

 

Link to post
Share on other sites
Mister Steve

Hey pguillot69 - your are far ahead of most simply because you understand the problem, and you can configure and run your own in-house services, things like Emby and Home Assistant that do not track you.  

  • Agree 2
Link to post
Share on other sites
rbjtech

Network security is a BIG topic - but attempting to build a 'secure' network with little knowledge or experience is a dangerous thing and you may be unknowingly exposing more than you think you are.

As an example - the fact you have named the model of your routers/firewalls is a bad idea, simply because any hacker worth their name will now look to see if there are any known vulnerabilities to bypass your security on this hardware ...

A VPN will encrypt traffic across it's two end points, but it could use a weak cipher to do so.

SSL should be using TLS 1.2 or above and (currently) there are no known weaknesses - but as indicated above, hackers will never attempt to 'decrypt' SSL traffic (they can't), so they will simply bypass it with other vulnerabilities including the weakest of them all - humans - hence phishing etc.. ;)

Whatever you do to secure your network - test it to ensure the basics are covered - if you use GRC's port scanner (as by Steve, I assume you mean Steve Gibson) and get a clean bill of health - then as has been said above, you have reduced your attack surface considerably and unless you have state secrets on your home network - you are (with respect) not worth the time and effort to hack .. 🤪

 

Edited by rbjtech
Link to post
Share on other sites
pguillot69

I use his port scanner all the time. I have found a bunch of leaks and that is why I am trying to secure my server.

 

Link to post
Share on other sites
pwhodges

But what do you mean by a leak?  A port being visible doesn't mean that it's vulnerable - only that it's necessary to ensure that it's secure.

Paul

  • Like 1
Link to post
Share on other sites

Tenable Nessus Essentials is a good vulnerability scanner, also helps point the way to fixing results of your scan.. I stood behind it for years...

You can see from their main page at Tenable® - The Cyber Exposure Company What they do.. and how much paid support actually costs a business. They make Nessus Essentials Free for Home use for up to 16 IP addresses. It does take a second to figure out how to configure and launch a scan but once you get going and get a result you will love it.

Recently I reinstalled it after not using it for years.. and found several device specific issues... It does take up several GB on your systems but it renders something unique including letting you know exactly what certain software and devices are opening up on your system. It does run as a service and operates through the Web UI. Takes a while to download and compile the plugins.. ( downloads about 8GB of them for penetration testing )..

You have to remember your passwords though once your locked out NOBODY can help you.. You have to start all over from scratch. 

EDIT: Actually there are several forms of command line help to actually get this back ( instead of starting over..

Added a few screenshots.. ( of a basic scan )

04_08.2021_164028.thumb.jpg.c002393b1b5f35a60f766649e7289f13.jpg04_08.2021_164213.thumb.jpg.6191e96ef4cda5b300fdb390d52b05b8.jpg04_08.2021_164334.thumb.jpg.fc976a596fb35d113fd93f86ee65ed89.jpg04_08.2021_164455.thumb.jpg.b225b746540a49dd5f9c58e7bdc1a15b.jpg

Edited by Guest
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...