VINCULATE ACCOUNT BY IP ADDRESS


Posted (edited)
Is it possible to link an account to one or more specific IPs? So that account only functions on those IPs
Edited by N0X
Painkiller88
Posted

no it is not, but they wanna revamp the user permissions some day 👍

Posted
4 hours ago, N0X said:
Is it possible to link an account to one or more specific IPs? So that account only functions on those IPs

Not directly in Emby, no. But depending on your overall objective, it might be able to be done.

Do you want to do this for all remote users or just some?

Posted
4 hours ago, cayars said:

Not directly in Emby, no. But depending on your overall objective, it might be able to be done.

Do you want to do this for all remote users or just some?

I would like it to be like the binding of the devices, but with IP. The problem with setting an account to a device is that it is done in the browser, if the browser is updated or you want to use another, it does not allow you to access because the id changes. That is why I thought that as an alternative method it could be done that the accounts could only be used with a specific IP assigned to it, regardless of the browser they use. I don't know if I make myself understood ... I'm using a translator

Posted

In Emby you can't do both.  You can set it so a user is only allowed to use one or more specific devices.
You can also use white or black lists for IP filtering.

There isn't a method to say Joe's iPAD can only log in from 123.34.78.23.
That type of very focused security shouldn't really be needed in a home media server used to share with family and a few friends. :)

Posted (edited)
9 minutes ago, cayars said:

In Emby you can't do both.  You can set it so a user is only allowed to use one or more specific devices.
You can also use white or black lists for IP filtering.

There isn't a method to say Joe's iPAD can only log in from 123.34.78.23.
That type of very focused security shouldn't really be needed in a home media server used to share with family and a few friends. :)

I don't mean that Joe's iPAD can only be accessed from ip 123,456,789, I mean that Joe's account can only be used from ip 123,456,789, regardless of the device.

Let's say ... in the account have two options: block the account to the devices (as it is currently) or block the account by ip

Edited by N0X
Posted

Sorry about that but doesn't help. The only IP control you have directly in Emby are these two options:
[Screenshot]

The Whitelist choice will only allow IPs listed in the previous option to enter.  So you would have to enter all known IP or subnets. This option of course takes a lot of prep work but could be ideal for someone running ZeroTier, TailScale, private VPN.  Access only from specific IPs would be easy to configure that way.

The other option is Blacklist where all IPs entered are blocked while everything else passes.
In both cases you can enter specific IPs or groups of IPs using proper subnet masking.

Personally I've never had to use either IP or device locking.  I take the other approach. "Listen this is my server and I'm allowing you to use it.  I have only a couple rules and if you can't follow them you won't be using it".  That has always worked for me.

Posted
4 minutes ago, cayars said:

Personally I've never had to use either IP or device locking.  I take the other approach. "Listen this is my server and I'm allowing you to use it.  I have only a couple rules and if you can't follow them you won't be using it".  That has always worked for me.

😅😂 ... what is that option called "database"? ... I don't have it 🤔

Painkiller88
Posted

Keep in mind using a whitelist means all your friends need to have a static IP, otherwise you will need to change their allowed IP once a week or when they renew their public IP lease.

this is one point why a revamp of the user permissions is so important for us to get more security and a more detailed setting for the users permissions.

Happy2Play
Posted
1 hour ago, N0X said:

😅😂 ... what is that option called "database"? ... I don't have it 🤔

It is control for the database in the UI of 4.7.  In 4.6 you can manually change them in the system.xml.

[Screenshot]

Posted
12 minutes ago, Painkiller8818 said:

Keep in mind using a whitelist means all your friends need to have a static IP, otherwise you will need to change their allowed IP once a week or when they renew their public IP lease.

You can enter subnets/classes as well.  So if the person has an IP of 174.34.28.128 you could enter 174.34.28.0/24 instead.
That would technically give access to the neighborhood but will cover this person if they get a new IP.  It's rare to get a subnet from a different class C block these days.

22 minutes ago, Painkiller8818 said:

this is one point why a revamp of the user permissions is so important for us to get more security and a more detailed setting for the users permissions.

While I personally like lots of control as I'm one of "those guys" this isn't always the best thing.  Minimal control that meets the need is usually better for the masses. The less items there are to mess with or change is usually the better security approach for those who don't know what they're doing.

You can surely disagree with what I'm going to say next, and 5-years-ago me would have likely objected as well.
Emby is a Home Media Server made for personal/family/close friend use. It's not meant to be used to create the next Netflix or for selling subscriptions or it would be designed differently.
It has good enough security measures for its intended audience (actually more than needed).

When you think about it, you should be able to pick up the phone and talk to anyone using your server and tell them you don't like something they are doing or they need to stop using different devices and only use Emby on the living room TV etc.  If you can't do that, it's probably not a family member or close friend. Just asking the person should be enough.

Of course Emby adds some tools to help manage certain things when it makes sense.  IP white/blacklist for example. Locking a user to a device probably isn't really needed for the target audience (even though it's nice to have).

Don't get me wrong, Emby needs to think about security of the code and exploits and things like that. Any type of Server put on the Internet should be secured by the admin prior to doing that.  Only specific ports should be open on the firewall to allow entry to the server.  The server should be set up using a cert to prevent man-in-the-middle attacks. The software should have hooks and listen/use information in packet headers that get rewritten or look suspicious or have been changed by a local reverse proxy server.

Emby has all those things already to make it easy to set up in a secured environment. Anyone worried about these types of things can set up one of many reverse proxy servers like NGINX, traefik or Caddy2.  These are the type of programs that should get the focus for locking things down as all packets should flow both ways through them and it's the point of the software.

A good reverse proxy will even handle all your cert updating for all apps/services behind it.  It can be integrated with other programs such as fail2ban for automatic IP blocking, etc.

We do and are looking and talking about things like this internally and have some things we would like to do in upcoming releases to make this a little easier for the admin. Security should always be an ongoing project so to speak.

So while I agree we should do more (and will) involving security it's probably more on the wider side of things and not so much narrow to specific users. That would probably be more like "permissions" than security when you get down to it.

I don't think I've ever heard anyone ask for this before. There could very well be others who would like this as well.
What I'd suggest is to add a feature request for it.
https://emby.media/community/index.php?/forum/98-feature-requests/

pwhodges
Posted
31 minutes ago, cayars said:

You can enter subnets/classes as well.  So if the person has an IP of 174.34.28.128 you could enter 174.34.28.0/24 instead.
That would technically give access to the neighborhood but will cover this person if they get a new IP.  It's rare to get a subnet from a different class C block these days.

That may be somewhat true for a domestic Internet connection, but access using mobile data will certainly have wildly varying IPs.

Paul

Posted

Not a mind reader, but I'd assume if you wanted to lock a person down to an IP it would be their home IP and you don't want them going mobile.

Then again, if you just lock them to a stationary device you sort of accomplished the IP lock as a byproduct. :)
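
The per-account IP restriction asked about in this thread is not an Emby feature. As an added example (not Emby code and not written by any poster), this sketch shows how such a check could be enforced in a layer in front of the server, using the 174.34.28.0/24 subnet from the discussion. The account names, the trusted proxy address and all function names are assumptions.

```python
import ipaddress

# Constructed sample configuration (assumed values, not from Emby).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]  # local reverse proxy
ACCOUNT_ALLOWLIST = {
    "joe": [ipaddress.ip_network("174.34.28.0/24")],    # subnet entry from the thread
    "ann": [ipaddress.ip_network("174.34.28.128/32")],  # single static address
}

def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, x_forwarded_for=None):
    """Pick the address to filter on.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy,
    and it is read right to left so entries a client prepended are ignored.
    """
    peer_ip = ipaddress.ip_address(peer)
    if x_forwarded_for and _trusted(peer_ip):
        for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
            try:
                ip = ipaddress.ip_address(hop)
            except ValueError:
                return peer_ip  # malformed header: fall back to the proxy address
            if not _trusted(ip):
                return ip       # first hop not added by our own proxy
    return peer_ip

def login_allowed(user, peer, x_forwarded_for=None):
    """True only if the account has an allowlist and the client address is in it."""
    nets = ACCOUNT_ALLOWLIST.get(user)
    if not nets:
        return False            # no entry for the account: deny
    ip = client_ip(peer, x_forwarded_for)
    return any(ip in net for net in nets)

def exposure(user):
    """Number of addresses that may log in as this account."""
    return sum(net.num_addresses for net in ACCOUNT_ALLOWLIST.get(user, []))

if __name__ == "__main__":
    print(login_allowed("joe", "174.34.28.77"))               # new lease, same /24
    print(login_allowed("joe", "198.51.100.7"))               # constructed mobile address
    print(login_allowed("joe", "127.0.0.1", "174.34.28.77"))  # via the reverse proxy
    print(exposure("joe"), exposure("ann"))
```

The /24 entry tolerates a renewed lease at the cost of admitting every address in that block, and a client on mobile data is rejected, which matches the trade-offs raised in the replies above.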