
Logs are logging my URL



Posted

It would be nice if the logging mechanism didn't log my server URL.  I have a support thread going on, and every time I upload my FFMPEG logs, I have to sanitize it so my URL isn't posted.  I imagine the other logs do the same.

Posted

Iirc there is a feature request for exactly this: Anonymizing logs 🙂

Posted

Cool.  It should be prioritized.  They want logs, which I get, but it puts our servers in danger to publicly post these details.  I know security by obscurity isn't great, but at least it's something.

Gilgamesh_48
Posted

People should use a VPN because then the internal ips are meaningless to outside bad actors and the "actual" ip, as seen by the internet, is also meaningless to those same bad guys.

I use a VPN and if I were to tell everyone that my internal IP is 192.168.1.123 or that my external IP is 154.6.16.191 what could they do?

I am a firm believer in VPNs and a few other security tools to keep internet activities masked.

BTW: many modern VPNs do not even slow things down much. I use ExpressVPN and I have a 400 mbs connection that, when running through the VPN only slows to about 375 mbs.

In fact I have a router that runs my VPN so I can have every device I own protected.

Lastly I can exclude any device or devices I want from the VPN so the few devices I have that fail with a VPN can still work correctly.

There are, from time to time, problems I hit with my VPN but the ease and speed of changing the VPN's apparent location and the safety I get from using the VPN makes it well worth it.

While masking the IP presented in a log is probably a good idea, no real negatives I can see, I see it as an unnecessary function that will simply waste the time of the developers and really gain nothing. I believe that using IPs found in logs to exploit a computer is a threat of the same level as being invaded by Martians even without a VPN or any masking.


Posted

I have a VPN, but there is no way I'm giving everyone access to my network with a VPN. And if you don't think exposing the url used is a security concern, then I don't know what to say other than you are wrong. 

If you don't like this idea, move along. 

Posted

I wouldn't use a VPN at all and it won't help anyway if you have other users hitting your server.
Just do a global search/replace for your domain if this bothers you.

Personally having your domain name in the logs is no big deal to me. The script kiddies all trade port scans and have massive lists of Plex, Emby, JellyFin systems as well as other software with open ports.

If you have a port open you will be found in like one or two days. :)

Posted

That is what I am currently doing (search and replace). 

Posted
10 minutes ago, cayars said:

I wouldn't use a VPN at all and it won't help anyway if you have other users hitting your server.
Just do a global search/replace for your domain if this bothers you.

Personally having your domain name in the logs is no big deal to me. The script kiddies all trade port scans and have massive lists of Plex, Emby, JellyFin systems as well as other software with open ports.

If you have a port open you will be found in like one or two days. :)

Like I said, security by obscurity isn't ideal, however, publicly posting a URL that resolves to your home server, on a forum that is about a consumer level media server is just asking for issues.  

I agree that most people that are hackers already know it, but other things can happen as well.  Not to mention that the logs also have my user name for said server.  

Coming from someone who works with networks a lot, having this info public just doesn't seem wise. And yes, I can do the find and replace, and I am aware that I need to do that, others may not be aware.

Posted

The problem with search and replace is you have to know what you're searching for.

The logs can be huge. When asking for help, I've always avoided uploading them because I have no idea what's in them, and I can't search thousands of lines for some unknown bit of info that maybe could be of a personal nature, if it exists, which I can't know for sure.

Is it even possible to anonymize/sterilize the logs automatically? Seems like someone would have written that plugin by now.
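One way the automatic anonymizing asked about above can work, shown as an added example (not part of the original posts and not Emby's own code): instead of searching for a known string, it matches value shapes (URL hosts, IPv4 addresses, `api_key=`-style secrets, user fields) and replaces each with a stable placeholder so the log stays readable for support. The class name, patterns and sample log lines are assumptions made for illustration.

```python
import ipaddress
import re

# Patterns assumed for this example; they are not Emby's own list of sensitive fields.
URL_HOST = re.compile(r"(?P<scheme>https?://)(?:[^/\s@]+@)?(?P<host>[^/\s:?#]+)", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SECRET = re.compile(r"\b((?:api_key|token|password)=)[^&\s\"']+", re.I)
USER = re.compile(r"\b(user(?:name)?[=:]\s*)([^\s,;&\"']+)", re.I)

class LogSanitizer:
    """Swap sensitive values for stable placeholders so lines can still be correlated."""
    def __init__(self, extra_literals=()):
        self.maps = {}  # kind -> {original value: placeholder}
        self.extra = [re.compile(re.escape(s), re.I) for s in extra_literals]

    def _alias(self, kind, value):
        table = self.maps.setdefault(kind, {})
        return table.setdefault(value.lower(), f"<{kind}-{len(table) + 1}>")

    def _host(self, m):
        host = m.group("host")  # IP hosts are left to the IPv4 pass; user:pass@ is dropped
        return m.group("scheme") + (host if IPV4.fullmatch(host) else self._alias("HOST", host))

    def _ip(self, m):
        try:
            ipaddress.ip_address(m.group(0))
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            return m.group(0)
        return self._alias("IP", m.group(0))

    def sanitize_line(self, line):
        line = SECRET.sub(lambda m: m.group(1) + "<SECRET>", line)
        line = USER.sub(lambda m: m.group(1) + self._alias("USER", m.group(2)), line)
        line = URL_HOST.sub(self._host, line)
        line = IPV4.sub(self._ip, line)
        for rx in self.extra:  # literals the poster already knows about
            line = rx.sub("<REDACTED>", line)
        return line

    def sanitize(self, text):
        out = "\n".join(self.sanitize_line(l) for l in text.splitlines())
        for host, alias in self.maps.get("HOST", {}).items():  # bare mentions of learned hosts
            out = re.sub(re.escape(host), alias, out, flags=re.I)
        return out

# Constructed sample lines (not a real Emby or ffmpeg log).
SAMPLE = """\
2024-01-01 10:00:01 Info HttpServer: GET https://media.example.net:8920/emby/Items?api_key=abc123def from 203.0.113.7
2024-01-01 10:00:02 Info Auth: User: alice authenticated from 203.0.113.7 via media.example.net
2024-01-01 10:00:03 Info ffmpeg: -i "http://192.168.1.10:8096/videos/42/stream.mkv?api_key=abc123def"
"""

if __name__ == "__main__":
    print(LogSanitizer().sanitize(SAMPLE))
```

Pattern matching over-redacts anything shaped like an IPv4 address (a four-part version number, for instance) and misses hostnames that never appear inside a URL, so the output still deserves a read before posting.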

Gilgamesh_48
Posted

Can anyone tell me how, if you have a good VPN at the router level where the VPN changes your external IP from time to time, anyone can even find your computer. Much less hack it. Also how, knowing any internal IP is a security risk.

If there is a risk I would like to know.

Posted
16 minutes ago, Gilgamesh_48 said:

Can anyone tell me how, if you have a good VPN at the router level where the VPN changes your external IP from time to time, anyone can even find your computer. Much less hack it. Also how, knowing any internal IP is a security risk.

If there is a risk I would like to know.

New vulnerabilities are discovered all the time.  BTW, the VPN can't change your external IP, that would be up to your ISP.  One problem you could face is a DDoS attack.  It's unlikely, but if you piss off the wrong person (which let's face it, in forums, this is common!!!), they could hit your IP address with loads of traffic causing all kinds of problems.  If someone was able to guess your password to your emby account, they could possibly delete your content.  Knowing your internal IP addresses is not a huge deal.

A VPN doesn't keep someone from hitting your public IP address either, although, it may hide it in the logs.

Bottom line is that you are unlikely to have issues with or without a VPN, however, the more info you put out there, the easier you make it for someone to do damage.  And trust me, I am NOT someone who is overly security conscious.  It's a matter of risk vs convenience for me, and there is just too much risk and no loss of convenience to hide this info.

Gilgamesh_48
Posted
2 minutes ago, muzicman0 said:

New vulnerabilities are discovered all the time.  BTW, the VPN can't change your external IP, that would be up to your ISP.  One problem you could face is a DDoS attack.  It's unlikely, but if you piss off the wrong person (which let's face it, in forums, this is common!!!), they could hit your IP address with loads of traffic causing all kinds of problems.  If someone was able to guess your password to your emby account, they could possibly delete your content.  Knowing your internal IP addresses is not a huge deal.

A VPN doesn't keep someone from hitting your public IP address either, although, it may hide it in the logs.

Bottom line is that you are unlikely to have issues with or without a VPN, however, the more info you put out there, the easier you make it for someone to do damage.  And trust me, I am NOT someone who is overly security conscious.  It's a matter of risk vs convenience for me, and there is just too much risk and no loss of convenience to hide this info.

You do not understand what a VPN, at least the good ones, do. Their purpose is to change the external IP of your computer or, for VPNs on the router, the whole network. They take all requests to the internet and encrypt the data and send it through their servers and then to the destination. The ip that the internet sees is the ip of the VPN servers. They also change that ip from time to time.

If you use a good VPN then nobody can possibly know your address. Unless the VPN shares it in some way and the VPN I use does not even keep logs.

Your ISP has no idea what is being sent or the actual address it is sent to. And the final destination has no way to tell what your real address is.

It is quite like having a PO box for all your mail and using only that address for everything. People that see that PO box number have no real idea about where you live.

Posted

You have that kinda right.  A VPN doesn't change anything, what it does is create a tunnel across an existing link that is secured.  Anything inside that tunnel is encrypted, and can't be 'read', and in most cases can't even be intercepted.  So, in essence, any outbound or inbound traffic that is going over (or through) the VPN is secure.  This does not change your actual real public IP, which can still be accessed.  So, while it does secure your traffic, it doesn't necessarily keep someone from accessing your real public IP that is assigned by your isp.  The VPN tunnel still has to have an IP connection (that's just how the internet works).  

An example would be that I have implemented a VPN for the staff at my company so that they can access our internal LAN.  They can access things such as shared drives, printers, domain resources, etc.  BUT, I can still access my Channels DVR server that sits in my office by its real IP address.  I can also reach it over the VPN via its local LAN address.

Gilgamesh_48
Posted

You just have no idea what actually happens. But, it is unimportant so I give up.

Posted
1 minute ago, Gilgamesh_48 said:

You just have no idea what actually happens. But, it is unimportant so I give up.

OK.  If you say so.  My 15 years of enterprise networking means very little I guess.

Ultimately, it is up to you to decide if your setup is secure enough, but I do actually know what I am talking about.  

Posted (edited)

@muzicman0 is correct in everything he said.

You still have the IP on the WAN side of your router that your ISP gives you.  A VPN connection does not change that at all.
With the VPN turned on you're routing packets out your normal WAN IP to the VPN server via a tunnel.  From there your packets are dumped on the Internet.

If Emby server is running behind a VPN it can pick up this "new" external IP but that doesn't change the fact you still have the same IP on the WAN side of your router/modem.
However in order to get Emby to function behind a public firewall like this you have to setup port forwarding for the VPN which not all VPN providers support.

Assuming you do setup port forwarding on the VPN connection you now have two IPs that can be scanned. :)
This type of VPN doesn't really help you in any way with security.

A much better solution is to setup a free Cloudflare account with your own domain. You can use your own cert or a Cloudflare generated cert.
I for example have my setup using port 443 in Emby for the public https port, my domain and the PKCS#12 cert I converted from the Cloudflare pem cert.

Now on my router I ONLY open port 443 to my Emby Server AND I only allow incoming connections from Cloudflare.  So if you don't come from Cloudflare I have no open ports to scan.

Better yet is my domain only points to Cloudflare and no entries to my WAN/IP address.  Anyone using my domain only sees Cloudflare.
Any DDOS or similar attacks on my domain are handled by Cloudflare and I never see the traffic.

(I'll be sharing soon) is likely going to be running your Emby Server via Cloudflare with no open ports on your router.  This even works if you are behind an ISP CGNAT or taking your mobile server running on a laptop down to the local WIFI hotspot. This is done using a tunnel between your computer (or network) and Cloudflare.  More to come soon on this but some of the advantages are:

Cloudflare CDN
No ports open (increased security)
No need for Dynamic DNS set-up
Improved latency as it uses Cloudflare smart routing avoiding congested areas of the internet (yep, it can route packets differently based on Internet congestion)
Signed SSL at each stage of the process for additional security built in at multiple stages
Far less likely to get a man in the middle attack (MITM) if not impossible
All the added benefits common to using Cloudflare (DDOS protection, malware protection, GEO blocking, cached images, etc.).
Bypass double NAT issues hosting your own server publicly.
Bypass ISP blocking WAN port 443 & 80
Impossible to find the origin of the server, no IP is ever shared publicly

This should work on Windows, MacOS, Linux and Docker. On windows this can run as a service so as soon as your computer is started your tunnel is up and running. I've got this working everywhere except on docker (test on Synology).  I can establish the tunnel just fine but can't get it to auto start. I may need a docker expert to help me with the config as I'm not really a docker person.

Edited by cayars
Posted

@cayars I would for sure be interested in more details on that setup.  Could you run multiple services over that link?  I currently use Caddy, and use multiple subdomains to access my NAS, Synology Photos, Emby, etc.  All over port 443.

Posted

Yes, you can add multiple subdomains as CNAME pointing them to your domain (this one as "A" type proxied by Cloudflare), and Caddy will receive the incoming connections and redirect through all your services; all the services from those subdomains will get the proxy benefit.

Posted
1 hour ago, muzicman0 said:

@cayars I would for sure be interested in more details on that setup.  Could you run multiple services over that link?  I currently use Caddy, and use multiple subdomains to access my NAS, Synology Photos, Emby, etc.  All over port 443.

Yes you can.  Actually a couple of different ways.  You could do one tunnel and handle things conventionally with a local proxy setup like caddy2 or nginx routing things or you could setup specific subdomains such as www.mydomain.com, emby.mydomain.com, photos.mydomain.com, dsm.mydomain.com, nextcloud.mydomain.com, etc.  Then for each subdomain you would run a specific tunnel just for that.  In this way your www & dsm could be located at home, photos and emby running on a colocation box while nextcloud sits at your parents' house.  Of course they could all be in your basement as well but it allows you to use specific tunnels if you like.

You can also have one tunnel handling multiple apps.  For example your windows server could establish one tunnel that is used for all the subs and locally redirect very similar to how people use nginx.

ingress:
  # Rules map for Emby
  - hostname: "emby.mydomain.com"
    service: http://192.168.1.10:8096
  # Rules map for DSM access
  - hostname: "dsm.mydomain.com"
    service: http://192.168.1.10:5000
  # Rules match Search :)
  - hostname: "search.mydomain.com"
    service: https://www.google.com
  # Rules match wildcard character:
  - hostname: "*.mydomain.com"
    service: http://my-local-web-site:80
  # An example of a catch-all rule:
  - service: http_status:404

While not the intent you could also have a "family domain" and do something like "john.family.com" and "bob.family.com" with two tunnels to different houses so both you and your brother could share a domain and both have Emby online with no ports open on either router.

You're not limited to just http/https either.
You can use SSH, RDP, arbitrary TCP services, and unix sockets as well.

Obviously it's quite flexible but my intent is to make this easy to use for Emby customers, especially those in double NAT situations.
So a simple 1,2,3 step guide is what I'm going for.

Right now with a domain already setup in Cloudflare I can have a tunnel up and running for Emby in 2 to 3 minutes which includes making changes in Emby networking, logging into Cloudflare for authentication of the tunnel setup request, testing the connection works and setting this to run as a service automatically.  It takes longer to restart Windows and Emby Server than it does to set it up. Now if only I could say the same for Synology/Docker. :(

If any of you guys know docker configs really well and want to assist me, I won't turn any help down. :)

Posted

I have played around with Docker, but would consider myself a noob on that.  I do have mine autostart.

I will be looking forward to your set up guide for CloudFlare, and will give it a try.

Posted
3 hours ago, muzicman0 said:

but would consider myself a noob on that.

Same here. Being that I mostly choose to run Windows I never paid much attention to docker.  Even on Linux I would normally just use host installs which worked for me.
Enter Synology and not having packages for things you want to play with but available via docker and it's a different story. I have a handful of things running just fine in docker on Synology but this project which I initially thought would be easy based on what I learned already setting it up in Windows isn't.  I can run everything manually and it works.  Just can't automate the docker setup yet because I'm probably doing it wrong.

What OS are you running Emby Server on?

Posted (edited)
16 minutes ago, cayars said:

Same here. Being that I mostly choose to run Windows I never paid much attention to docker.  Even on Linux I would normally just use host installs which worked for me.
Enter Synology and not having packages for things you want to play with but available via docker and it's a different story. I have a handful of things running just fine in docker on Synology but this project which I initially thought would be easy based on what I learned already setting it up in Windows isn't.  I can run everything manually and it works.  Just can't automate the docker setup yet because I'm probably doing it wrong.

What OS are you running Emby Server on?

I run my Emby Server on my Windows PC at home.  It's a multi-purpose PC, but it's an i9, so plenty of horsepower.  I run a Channels DVR server on Linux, and consider myself moderately good at Linux.  I can script in Bash (basic stuff), understand permissions, etc.  Have a couple Linux server only VM's (no UI) to run openVPN, AP Controllers, etc.

I have run Emby on Linux back when I was using it to record TV, but since the playback isn't that demanding, my current Emby server (like I said) is on Windows.

I probably prefer Linux for this kind of stuff because I can control updates (and the needed reboots) better. 

I assume you have the "--restart always" flags enabled on the Synology Docker image?

Edited by muzicman0
Posted

Send me a PM and we can take this offline.
I'll show you how it works on Windows/Linux as well as what I've done in Docker.
