Leaderboard
Popular Content
Showing content with the highest reputation on 06/04/23 in all areas
-
Definitely worth putting this as a sticky or a wiki article imo - some great general best practice items there.
3 points
-
While 4.7.12 fixes the proxy header vulnerability, the other vulnerability would also benefit from the special "local network" treatment and there might be other - yet unknown - ways to leverage this. That's why the "local network" distinction will be removed, alongside the "Do not require password in local network" option. Also, empty passwords for regular users will at least be strongly discouraged. Compensation with regards to user convenience, will be provided by new client features, for storing credentials for multiple users.

That's the rough direction, same as laid out in previous posts already. Of course it will take some time to deliver all this and it won't come all at once.

Meanwhile - for improved safety, you might find the following considerations and recommendations useful:

* Update to the latest stable or latest beta
* I would start moving away from using 'Do not require a password in the local network'
* Make sure all users (admin and non-admin) have passwords assigned
    * As a temporary alternative, you could use the "easy password" (PIN) option - even though it is bound to the "local network" distinction as well
    * Generally, having any password, even the most trivial one, even when it would be just very few letters, is increasing safety by a magnitude
    * Why? Because an attacker doesn't know about your password length. It could be one or ten chars long and it rarely makes sense to start brute-forcing which could take a massive amount of time (while you are actually seeking for getting access easily via passwordless accounts). This will soon become even much more unattractive with the introduction of rate limiting authentication attempts.
    * If you want it simple, you can use the same password for all (non-admin) accounts. This doesn't provide significant benefit to a hacker, not even if he knew that you're doing so
* Use the new Notifications feature and configure it in a way that you get notifications for "User Authentication Failed"
    * Have them sent to your phone or via e-mail or whichever way you prefer - but make sure you'll notice these notifications - it doesn't help when these would land in some folder which you are just watching occasionally
* Don't use the default ports 8096 and 8920! This is how they can find your server most easily. Better:
    * Use ports 80 and 443: Will "hide" your server within the masses of other web servers
    * Use arbitrary ports at the upper end of the allowed range (1-65535)
    * Your server may still be found in various ways, but doing so, moves you out of the group of the most-easy-to-find servers

Risk Assessment

When setting up your server, take a moment and think about the worst case: some hacker gains control over your server. What would be the worst thing that can happen? How much would it hurt you? If it's just a server with media content and there's no private data of any kind accessible to the hacker, then it might be an annoyance but not the end of the world. It's much different when you have a multi-purpose server which is also used to store private data, documents, passwords, etc. So, isolation of concerns is another reasonable measure you can take. It doesn't reduce the risk of an incident to happen, but it reduces the impact in case it would happen
3 points
-
The incident has forced us to put a lot of things on hold, including user support. We're still catching up on those things. The report I promised is coming, though. Yet, I have provided many details already in individual posts, so when you have an urgent desire, you might do as suggested here: There's also another subject coming up regarding those so-called "isolated" or "local-only" setups of Emby Server where users are assuming they would be safe, even when using empty admin passwords. I'm just not clear yet, about how to explain the vulnerability without giving hints to potential attackers for exploiting it.
3 points
-
Will try and get fresh logs as soon as I can. Thanks
2 points
-
This is primarily a bug fix release. Here are the changes:

* Improve artist splitting for artists that have a / in their title
* Handle invalid data when parsing video rotation information
* Fix error with conversion feature and videos that have audio streams with 0 channels
* Various intro detection bug fixes
* Fix errors with SMB access on Linux when non-default server port is used
* Various transcoding related fixes
* Increase default server database cache size for new installs

1 point
-
Changing the default port for a directly exposed to the internet port is better than nothing, but only just. If your server is responding to requests from the internet on literally any IP:Port scheme at all by presenting an Emby login screen, it's not hidden within the masses of other web servers. Bad guys are scanning every IPv4:Port combination on the internet constantly.

If you want to really hide your Emby server you can set up a VPN server, remote users would need to connect to that, and once connected they can access your Emby server through a secure VPN tunnel.

If you want to marginally hide your Emby server from bulk internet scans while still making it available on the public internet, you can set up a reverse proxy. Someone hitting your IP:Port would hit your reverse proxy, but the reverse proxy won't forward that request to your Emby server unless they are accessing it via the domain name. I would recommend not using something common like emby.domain.tld, as domains can be indexed by bots as well.

Both a reverse proxy and VPN servers are going to be more secure in general than exposing Emby directly to the internet, they simply have a lot more dev/security focus on the dangers associated with being exposed directly to the internet. In any case, VPN, reverse proxy, or Emby directly to the internet, you need to keep the application and settings up to date and secure.

Finally, a small extra thing you can do is geoblocking countries you don't have users in. A lot of the probes used to find and index servers and services come from China, Russia, and a few others. You can block these countries' IPs in a few different ways. This won't fully stop scans, they still use compromised machines in other countries as well as VPN services themselves. Even with geoblocking and a reverse proxy I still would not consider an Emby Server "hidden", be careful out there folks!
1 point
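
The reverse-proxy behaviour described in the post above (requests to the bare IP:Port are dropped, only requests for the right domain name reach Emby), as an added nginx example that is not part of the original post or of Emby's documentation. The hostname media.example.net, the certificate paths and the 127.0.0.1:8096 upstream are assumptions.

```nginx
# Added example; media.example.net, the certificate paths and the
# upstream address are placeholders (assumptions), not values from the post.

# Catch-all server: anything that arrives by bare IP or with an unknown
# Host header / SNI name ends here and never reaches Emby.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    ssl_reject_handshake on;   # nginx 1.19.4+: abort TLS when SNI matches no server block
    return 444;                # plain HTTP: close the connection without any response
}

# Plain HTTP for the real name only redirects to HTTPS.
server {
    listen 80;
    server_name media.example.net;
    return 301 https://$host$request_uri;
}

# Only requests for the real name are forwarded.
server {
    listen 443 ssl;
    server_name media.example.net;

    ssl_certificate     /etc/nginx/tls/media.example.net.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/media.example.net.key;

    location / {
        # Emby's HTTP port must be reachable from this proxy only
        # (loopback or firewall); otherwise the proxy can be bypassed
        # by connecting to the port directly.
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;      # WebSocket support
        proxy_set_header Connection "upgrade";

        # Set forwarding headers from the connection itself instead of
        # passing through whatever the client sent.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

A certificate issued for the hostname appears in public certificate transparency logs, so an uncommon name lowers exposure to bulk IP scans but does not keep the name secret.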
-
Hello, it will be great if Emby has a function to work as a retro games streaming server. I will add ROMs to my server and Emby will just stream to clients. Users will just connect a pad to a TV or laptop and play on the Emby client like on a console.
1 point
-
Well we could have a page to allow them to handle the reset process on their own without having to send them a new password. Then you only need to give them the link, which you would have to handle. To actually send them something you’re talking about a generalized means for an admin to communicate with users, which could be used for other purposes. That’s a whole separate discussion but I would consider that step two of this.
1 point
-
So I can use it the same as a normal dual tuner, so different people can watch different channels, as most providers only allow 1 stream.
1 point
-
I just wanted to report, as a followup to the above post, that after I rebooted the computer, with a power cycle this time, the option to enable/disable push notifications reappeared. I am going to, for now, continue to run with them on as, so far, I have seen no adverse indications. Maybe this will help someone in the future as I do tend to break things in unusual manners and it is possible that someone else may do something as stupid as I.
1 point
-
Yes. Feedback is welcome! (in the beta forum please)
1 point
-
btw - not that I use them, but default ports are 8096 and 8920 .. not sure where 8196 has come from ..

I could never remember that second number, at some point I had just written 8196 out of laziness, and it got stuck somehow. Interestingly, I'm not the only one: https://emby.media/community/index.php?/search/&q=8196&quick=1 No idea whether I can claim the "invention", though - maybe it's just a natural assumption that it might be plus 100...
1 point
-
Thanks, it will be great if Emby has that option. Maybe as a plugin. Today there's a plugin in development for Plex called RetroArcher. https://github.com/LizardByte/RetroArcher
1 point
-
btw - not that I use them, but default ports are 8096 and 8920 .. not sure where 8196 has come from ..
1 point
-
In some series that happens: the subtitle ends up at the top while the actors' names appear. I think that comes from the subtitle itself, that is, the subtitle has its position configured at certain time positions. I don't think it's possible to do that automatically. With a program such as Subtitle Edit you could do it, but of course it would mean editing each subtitle of each episode...
1 point
-
Hello, I made this request quite a while ago, basically because sometimes there are burned-in subtitles in another language in the movie and the Spanish subtitle overlaps them, and nobody can make sense of it. I solved it by setting the subtitle background to black. That way it covers the burned-in subtitle and I can understand what the Spanish subtitle says. Regards.
1 point
-
imo - It shouldn't be disclosed - until it is patched. That goes without saying. What I meant is that even a rough description of the nature of this might give away too much. There is no specific patch for this one, but the introduction of a hard requirement for having admin passwords plus rate-limiting of authentication attempts will close this. A full and direct elevation exploit is not known. But in .13 we have fixed a specific path of actions through which elevation would have been possible, when certain pre-conditions are fulfilled.
1 point
-
imo - It shouldn't be disclosed - until it is patched. To clarify - As I have non-Admin multi-users (all with complex passwords for remote use) sharing local devices, it would be totally impractical to enter a password each time on the local network - thus I have enabled 'Do not require a password in the local network' for these users. The Admin account is set to require a password and is set to no remote access. All behind a RP. Is this setup still considered acceptable - or are there still issues where a non-admin user can elevate privileges for example?
1 point
-
It's just using the standard Arr quality values - cut'n'pasted from the Apps - the idea being if the Arr has renamed the file, then that's what the tag should be. These are not manually added items. If you want resolution and interlace, then you can always get that from the actual emby fields. ? It's possible to have a CSV field on the Plugin config - and it checks for those as well - maybe that's another route - you can put what you want then..
1 point
-
The little bug turns one year old today. Congratulations on the birthday. May no further one follow.
1 point
-
i got it to side load and in this version i now have fixed video but the sound is all garbled like under water, i'll try and get a little video of how it sounds
1 point
-
Just woke up????? I thought you were in Europe. Clearly I was wrong. If you don't mind telling, where are you? Assuming normal sleep patterns "just woke up" would place you about in the same latitude range as India (in line with New Delhi or so), area. But there are a huge number of countries in those latitudes including Western Australia, Western China, Part of central Russia and, if my old brain remembers that area decently the countries to the west of China including a number of the " 'Stans."

In notification settings the Push Notifications were already set to "off." Also if it were on then why would I get the message telling me to turn them on? However, knowing a bit about computers, I will as soon as I post this go back to that area and turn Push Notifications on. Then exit Emby. Then reenter it and turn it back off. After doing that, if I see the notice again, I will report back. However, as with the popup you had at the top of the forum, if I see it again I may just use my ad-blocker to hide it. If it works for those other things it might work for this. Also I believe I will add one more step and exit and reenter Firefox. Is it not amazing that computers can screw up so much and appear to be working correctly?

EDIT to add: I performed the above, mostly, and after I reentered Emby there seems no way to disable notifications again. It just shows that it is "enabled." I will run like this for a while and, if I run into other related problems, I will get back to you here. BTW: Thanks for the help.
1 point
-
* Install 4.7.12 or later
* Assign passwords to all accounts
* Don't enable "Do not require a password in the local network"

That's the safest way for new (and existing) installations.
1 point
-
Rebooting the computer is the first thing many people do when having computer issues. I have also heard that in the basement at Microsoft headquarters in Redmond Washington there is a huge red button behind glass that will reboot the whole building. The sign says: "In case of emergency break glass." I also have heard that there is a similar button at Apple but that one is not behind glass. Apple people just hate breaking things.
1 point
-
Right here: And here: And here: Do you want more??????
1 point
-
I found a temporary solution: I kept the daemon.js file setting to "false" and with the Firewall rule as "8096 ALLOW IN Anywhere". However, if you know how to keep access to Emby (in fact all containers) only for the local network and specified IPs it would be of great help.
1 point
-
Have you ever considered checking the 'remember me' box on the login screen of literally every single app emby provides? The only time I have to enter my password is when logging in to a brand new device, or when logging in to a communal device that multiple users use (ie I don't want it to remember me). Even then I typically use the pin option, which Luke has said is only temporarily removed. My phone for example: I've had to enter my emby password twice in its lifetime (just under 2 years), once for the android app, once for the web app. If that is not working for you; perhaps submit a bug report instead of ranting about losing customers you, over a nonexistent issue for most people. Seamlessly switching users/remembering multiple user logins is a separate feature emby just hasn't implemented yet.
1 point
-
@Junglejim @Cheesegeezer @rbjtech and @MBSki thanks so much for the encouragement. You and many others made this possible. Vic
1 point
-
Hi Luke, thanks for sending through the TestFlight link. I can confirm the issue relating to playback on files with the avc1 codec tag appears in the 2.2.8 beta. The last version that did not have this issue was 2.2.5. The audio in these files is fine but the video playback seems to stutter backwards and forwards constantly and is unwatchable.
1 point
-
This will take less than 5 minutes to read and will not require high levels of intelligence to understand. In order to use our software, you agreed to abide by our Terms of Service. You also purchased a 1 year Premiere license to access additional features. The Premiere license also gives you the ability to use Premiere features on 25 (weekly rolling) devices. You can have many other devices besides the 25 Premiere license devices. "Emby grants you a personal, non-commercial, worldwide, royalty-free, revocable, non-transferable, non-sublicensable, and non-exclusive license to use the software provided to you by Emby ("Software"). This license is for the sole purpose of enabling you to use and enjoy the benefit of the Software in the manner permitted by these Terms." We are the owners of the software and services that decide how it can and can't be used. We grant you a license to use our software and services, as long as it's used as agreed upon, otherwise we have the right to revoke your license and use of it. Does that answer your question regarding "who are you to judge what I do with this tool"?
1 point
-
I've been following all the threads surrounding this issue for the last 5 days or so, I have read and understand your explanations. The bit that has me a little confused is the number of updates vs the number of actions you've taken. I'm counting 5 'MovieDB' updates in my alerts (1.6.4 through 1.6.7 , 1.6.5 installed twice 28hr apart), each labeled 'compatibility update', as well as a server update. In which updates are you probing servers for information (getting servers to reach out to you, same difference)? How many times did that actually happen? Which of those was actually something to do with themoviedb? What actually changed to make things 'compatible'? What's with the duplicate version number install? The server update was obviously the main security patch; what's going on with the two moviedb updates shortly after? (may 26th and 29th) When it comes to updates in general, 'compatibility update' isn't very descriptive to begin with, but this incident has also made that specific term/description untrustworthy to me. When I see an update with that description now, I pause and wonder what may actually be in it, both because of the lack of detail as well as the association. I can't help but question them now. TBH your comment above my last one makes me wonder more. If you're pushing updates to remove 'security tightening actions' why don't the update descriptions just say that? Eager for more info about that from @Luke This was a rare incident and I've never seen you have to take such... Unprecedented? Actions. I don't feel you abuse this power or take it lightly; but that shadow of a doubt is going to last.
1 point
-
If you only show the title and year, the next release of the Roku app should do this for you. If you show more fields, the title will be limited.
1 point
-
Is it also planned to add some kind of „editable“ „non editable“ options? Iirc currently users can modify all playlists. So I‘d like to create playlists which other users can see, but not edit.
1 point
-
Jellyfin is great - if you are a coder and you want to make it "yours" plus put up with the quirks that inevitably come from open source. Plex is great if you are a mindless drone or such a complete luddite you want to push a button and it all works AND you are willing to put up with totally useless new features and a design that is evolving into mobile use. Emby is for watching media. It lets you set it up based on what you want, it's simple but complex where it needs to be. Plus even in the months since I became a premium member there has been positive evolution in the design. But that's not what I'm here for, I'm here so I can decide what meta matches my media - that's one of the biggest reasons. That and pick what you need and want. Plus meta for personal files where you can add Grandma, as an actor, add a picture, and video, and a bio, and click to find all the media with her in it, and add tags to sort by whatever, and make it easy to use, which beats the hell out of the other guys.
1 point
-
I just bought an Amazon Echo today and also paid for the Emby subscription.. obviously hoping to be able to use it, and now I just found out that this is not possible! (call me naive) I couldn't care less about German or Spanish or Swahili or whatever exotic random language, I just want to install the Emby skill IN ENGLISH in an Echo that is linked to the Amazon Germany shop. Why do we need to wait years for this?
1 point
-
oh i meant change the icon image because like that picture it's hard to recognize which one is the correct library
1 point
-
Hello, how is it looking? I am deliberately writing in German so that it registers that there are still customers in Germany who should be supported. Regards
1 point
-
Reason 3 was that being open source was gaining us nothing as we got no significant contributions from anyone outside our team. All it was doing was giving away all of our hard work for free and we simply couldn't continue to do that and also be able to continue to build and support the system the way we want to.
1 point
-
This is a very interesting topic. A lot of newcomers here need to understand how Emby has come about and the history behind where we are today. I would like to defend Eric and Luke here. I have known @ebrEric since about 2008 when i stumbled across the MCE plugin and started using it, i started to learn code and wanted to do some stuff with VideoBrowser (yes that what it was called). He helped me out quite a bit with Themes at the start. He was the original admin with the other guy (can't remember his name) It then changed to MediaBrowser, still only a complete MCE plugin which was coded purely in C# and mcml. @Luke came on the scene a very long time ago can't remember when exactly, 10yrs or so, and was writing amazing plugins for the MCE app. He evolved and off his own back, and Eric's, They then started to create a server where apps would access it! MediaBrowser 3.0 was born!! Bearing in mind all this was still very free and actually it was the plugin and theme creators that could charge for their work, MediaBrowser 3.0 was still very free. Hours and hours of work went into MB3.0 to which i used to donate $10-$15 a month to them to thank them for their amazing work. The project was moving in the right direction. Then the project moved to Emby and new era a new structure. So what if they want to charge you for all of their hard work over at least the last 15yrs and make the project closed source. The whole reason for this, was because having open source, people would fork the repo, remove the premium validation and distribute it for free and use the server and apps for free. The whole reason it has been closed source now, is because of the UNMORAL & DISHONEST people in the world. They do this full time now so give them respect, pay your subscription and enjoy the app. Jellyfin do what they do and the interfaces are still from way back when, nothing has changed other than a few cosmetic enhancements. They snoop the forums for ideas and hoping to "acquire" code from plugin developers... to keep up with the Jones'. There are 2 guys here... that work their asses off to bring this amazing media experience, give em credit and support them as you should. And yes... Jellyfin should credit the devs. What makes me laugh is there are still so many components in their source code which have an emby prefix... so i guess that is some accreditation. (I'm just donning my Bomb Disposal Suit now...... for all the trollers out there!!)
1 point
-
Hi, I am looking to move from Plex to Emby specifically because the above feature is missing in Plex. The detection appears to be notoriously buggy in both Emby and Plex, and my intended server target is low power ARM machines, so any and all transcoding is completely out of the question. Plex already doesn't implement transcoding at all in their ARM binaries, but capability detection is still implemented, frequently resulting in mis-detection and a message that media cannot be transcoded (despite the fact that the same media worked fine before and a recent auto-detection "enhancement" broke it). I am happy to contribute time and effort to implement the above feature (to disable any attempt at capability auto-detection and DirectPlay everything, and if the receiving device chokes on it, so be it), but since I have never looked at Emby code before, some guidance from more seasoned Emby developers would be welcome (starting with which files and functions I am likely to need to modify to add the feature). TIA
1 point
