Bingie 99 Posted March 5, 2022 Hi all, I recently built a high performance firewall, that lets me monitor every packet that touches my home public IP address, and even though I have it configured to DROP EVERYTHING, including ping, so nobody could possibly know I even exist, there are always at least a few servers checking my firewall every damn second. You can see my firewall thread here. Anyways, today I decided to install IIS on the Windows Emby Server, so the proxy can auto update the web cert. I turned up the web server, and opened ports 80 and 443 on the firewall, so I could do some testing, and I kid you not, within just a few minutes, there were at least a dozen Internet servers port scanning my firewall, and a half dozen talking directly to the Emby Server. Not cool. I immediately closed all ports (drop everything), but here it is hours later, there are still servers out on the Internet probing my firewall. That used to be a bannable offense by ISPs years ago, but I guess today the criminals have all the rights, and nobody cares. Hell, even your ISP logs everything you do and sells that information to governments, advertisers, anyone who pays, and it's all legal, but don't get started on that topic. If my firewall and Emby Server were attacked so quickly, I can't help but wonder if any of you have had your Emby Server hacked, damaged, infected, etc. I've decided to never allow a remote connection to my Emby Server ever again, unless it's a direct point-to-point connection, whereas everyone else is dropped. I'm pretty good at setting up OpenVPNs, so maybe I'll set up a proxy VPN external to my firewall, and pipe it in that way. And for those of you reading this, if your firewall doesn't monitor hacking attempts and show you in real time, well, you probably have no idea how many times per second you are being probed, scanned and infiltrated.
pwhodges 2012 Posted March 5, 2022 6 hours ago, Bingie said: you probably have no idea how many times per second you are being probed, scanned and infiltrated. It doesn't matter how much you are probed or scanned, unless the amount is at the level of a DoS attack - which is unlikely for a domestic user. Security is about making sure that these probes don't get any further, i.e. strong password and additional protection as appropriate, which can prevent actual infiltration. I have been running servers on my home Internet for over twenty years now, and neither my mail server, my web server, nor my SSH server has ever been penetrated. The passwords are good, but not extreme (my password-safe software considers anything under twenty characters to be "weak"); occasional observation of the login attempts (typically several a second) shows that they are extraordinarily repetitive - the same user names and passwords are attempted again and again and again. It's pointless, but I suppose it costs the attackers (who are presumably mainly just "script kiddies") essentially nothing in any resource terms (including thought). But vigilance is prudent; paranoia, not so much. The main danger to your network is not external access of this sort, but a user inviting the baddies in by clicking the wrong link in an email or visiting a dubious web site. Good antivirus software can help protect against that (I use Eset). Paul
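The "extraordinarily repetitive" login attempts Paul describes can be measured rather than eyeballed by tallying failed sshd logins per source address. This is an added example, not code from any poster in the thread; the log lines are constructed in OpenSSH/syslog format using documentation IP ranges, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not real log data); 203.0.113.7 retries
# the same two usernames over and over, which is the pattern described above.
SAMPLE_LOG = """\
Mar  5 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  5 10:00:01 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  5 10:00:02 host sshd[1203]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  5 10:00:02 host sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  5 10:00:03 host sshd[1205]: Failed password for invalid user test from 198.51.100.9 port 40010 ssh2
Mar  5 10:00:04 host sshd[1206]: Accepted publickey for paul from 192.0.2.20 port 33000 ssh2
Mar  5 10:00:05 host sshd[1207]: Failed password for root from 203.0.113.7 port 51242 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip")


def summarise(text):
    """Per source IP: number of failures and the set of usernames tried."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for _, user, ip in parse_failures(text):
        stats[ip]["failures"] += 1
        stats[ip]["users"].add(user)
    return dict(stats)


def repeat_offenders(text, min_failures=3):
    """Sources at or above the failure threshold: candidates for a temporary
    block of the kind fail2ban applies. Successful logins are never counted."""
    return sorted(ip for ip, s in summarise(text).items() if s["failures"] >= min_failures)


if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        print(f"{ip}: {s['failures']} failures, users tried: {sorted(s['users'])}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

Pointing the parser at a real /var/log/auth.log instead of SAMPLE_LOG shows how few distinct usernames account for almost all the noise, which is the observation that makes a key-only or rate-limited SSH configuration sufficient.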
Q-Droid 989 Posted March 5, 2022 Standard and well known ports are constantly probed. A quick Shodan search shows the top open ports for Emby servers are 8096 by a huge margin, then 443 and 80. Port 8920 is well down on the list in single digit numbers. Probers are constantly searching for openings on ports for common services and Steam, Minecraft, Synology, cameras, "security" devices, you name it. If a vulnerability is disclosed publicly it triggers a surge of probes for a while. Opening the port(s) for Emby is a small fraction of the risk if you do as @pwhodges says and have internal measures in place to prevent unauthorized access. As a residential node on the internet you're not likely to be a target but don't be low hanging fruit either. I see a dozen or two probes a day on my Emby port and a handful of https requests in a week but I've never seen hits on my WireGuard port. I know they'll happen in time and I don't monitor all that closely so could have missed a few.
Bingie 99 Posted March 5, 2022 Author There's an OpenVPN client for phones, think I'll try that today, so I can continue streaming from Emby to my phone. That way, the only open port to the Internet will be from OpenVPN, and I'll move it from port 1194 to something really high. I'll feel safer with an aes256gcm cipher, sha512 hash, and cert and key files, more than just strong passwords. It's a shame the Internet is clogged with intrusive people, it wasn't that way back in the 90's, back when "netiquette" was followed. Nobody minds their own business anymore, everyone sticking their noses into other people's lives. My ISP will see some OpenVPN connections, and that's it.
pwhodges 2012 Posted March 5, 2022 What specific risk are you attempting to mitigate? Paul
Bingie 99 Posted March 5, 2022 Author Just locking down. All of the cyber threats are very real, people's identities stolen all the time. I had a Target card when Target was hacked, and my credentials were sold on the black market, just like millions of other people. Same when Yahoo got hacked, that info was stolen too. Many large organizations have been hacked. It's a question of when and not if your info gets stolen. Better safe than sorry. There are more than "script kiddies" out there, hackers are stealing info every day. I see no reason to make it easier for them. Plenty of ways to lock down. This is just the latest effort, it's been too long, but I'm finally revisiting and upgrading my home cyber security. I loved your comment about malware sent via email, that is a big one, and as you pointed out, one way is to run protection software. There are other ways too, such as virtualization when checking questionable things, but I don't want to get too far off topic. Thanks for asking.