Raskolnikov 0 Posted May 7, 2022 Hey, I would like to know what I should do about security if I want to open my Emby server to the WAN. My Emby server is on a Debian machine in my LAN.
QuarkZ 14 Posted May 8, 2022 At the very least you need SSL certs, Let's Encrypt being the most popular. Then you should have a user with limited access, as in, the admin user shouldn't be logged on to from remote, only users that are meant to watch something. So, turn off "Allow remote connections to this Emby Server." and check "Hide this user from login screens when connected remotely" for the admin account. Then set minimal perms for the account you'll use to remote. No delete, no admin, just playback. If you want to be more secure, and make it easier, you can look into Nginx Proxy Manager, which can deal with the SSL part and allows you to actually get rid of port forwarding. Then Authelia, which has you authenticate before even getting to Emby, and lets you tighten things a bit more.
Raskolnikov 0 (Author) Posted May 8, 2022 10 hours ago, QuarkZ said: At the very least you need SSL certs, Let's Encrypt being the most popular. Then you should have a user with limited access, as in, the admin user shouldn't be logged on to from remote, only users that are meant to watch something. So, turn off "Allow remote connections to this Emby Server." and check "Hide this user from login screens when connected remotely" for the admin account. Then set minimal perms for the account you'll use to remote. No delete, no admin, just playback. If you want to be more secure, and make it easier, you can look into Nginx Proxy Manager, which can deal with the SSL part and allows you to actually get rid of port forwarding. Then Authelia, which has you authenticate before even getting to Emby, and lets you tighten things a bit more. Thank you for your answer, but I can't find "Allow remote connections to this Emby Server."
mengoshmink 16 Posted May 8, 2022 (edited) Does this help: [screenshot] and [screenshot] Edited May 8, 2022 by mengoshmink
GrimReaper 4739 Posted May 8, 2022 10 hours ago, QuarkZ said: So, turn off "Allow remote connections to this Emby Server." 2 minutes ago, mengoshmink said: Does this help: Guys, turning that off is defeating the purpose of securing the server for WAN access in the first place, as only local connections would be allowed. @Raskolnikov, you don't want that option Off for your query. What you do want, however, is to either set up SSL or go the reverse proxy route, as suggested above; there are a number of guides around the forum, check out the General/Windows section and adjust for Linux.
QuarkZ 14 Posted May 8, 2022 34 minutes ago, GrimReaper said: Guys, turning that off is defeating the purpose of securing the server for WAN access in the first place, as only local connections would be allowed. @Raskolnikov, you don't want that option Off for your query. What you do want, however, is to either set up SSL or go the reverse proxy route, as suggested above; there are a number of guides around the forum, check out the General/Windows section and adjust for Linux. I was indeed referring to the Users option, obviously not the Network option. It should absolutely be ticked off for any admin as otherwise it could potentially allow admin remote login. I also hide the user from the login screen when connecting remotely.
GrimReaper 4739 Posted May 8, 2022 2 minutes ago, QuarkZ said: I was indeed referring to the Users option, obviously not the Network option. It should absolutely be ticked off for any admin as otherwise it could potentially allow admin remote login. I also hide the user from the login screen when connecting remotely. There is NO such option on a per-user basis, there is only a single, global one. As far as Users are concerned, you can revoke admin privileges, hide when connected remotely (but it doesn't prevent them from logging in manually) and/or hide from devices they haven't logged in from before - but you cannot prevent remote access, admin or not.
QuarkZ 14 Posted May 8, 2022 15 minutes ago, GrimReaper said: There is NO such option on a per-user basis, there is only a single, global one. As far as Users are concerned, you can revoke admin privileges, hide when connected remotely (but it doesn't prevent them from logging in manually) and/or hide from devices they haven't logged in from before - but you cannot prevent remote access, admin or not. Sorry, but you are simply wrong. There is a per-user option, you can see it in the screenshot from mengoshmink. I have several users on my Emby and can absolutely prevent only certain accounts from logging in when remote using that option; I actually just tested it on one account and get an error if I try to log in with a user that has that option unchecked.
GrimReaper 4739 Posted May 8, 2022 (edited) 9 minutes ago, QuarkZ said: Sorry, but you are simply wrong. There is a per-user option, you can see it in the screenshot from mengoshmink. I have several users on my Emby and can absolutely prevent only certain accounts from logging in when remote using that option; I actually just tested it on one account and get an error if I try to log in with a user that has that option unchecked. There is not. What you see in that screenshot is a SERVER setting, a single global setting, that ANY USER with admin privileges (enabled "Allow this user to manage server" under User settings) can enable or disable. If ANY of those users is logged in and unticks Allow remote connection, NO ONE will be able to access it remotely, no other user, admin or not. Edited May 8, 2022 by GrimReaper
QuarkZ 14 Posted May 8, 2022 3 minutes ago, GrimReaper said: What you see in that screenshot is a SERVER setting, a single global setting, that ANY USER with admin privileges (enabled "Allow this user to manage server" under User settings) can enable or disable. If ANY of those users is logged in and unticks Allow remote connection, NO ONE will be able to access it remotely, no other user, admin or not. We must be talking past each other here. I know that the Network option must be enabled, I'm talking about the Users option, which prevents particular accounts from logging in while accessing Emby remotely.
GrimReaper 4739 Posted May 8, 2022 (edited) 12 minutes ago, QuarkZ said: We must be talking past each other here. I know that the Network option must be enabled, I'm talking about the Users option, which prevents particular accounts from logging in while accessing Emby remotely. I have never seen that option until now, as I don't have it under any of my servers (Windows, though). Thank you for that, it's always nice to learn something new. Is that a Linux-only thing, @Luke? Edited May 8, 2022 by GrimReaper
rodainas 191 Posted May 8, 2022 4 minutes ago, GrimReaper said: I have never seen that option until now, as I don't have it under any of my servers (Windows, though). Thank you for that, it's always nice to learn something new. Is that a Linux-only thing, @Luke? If you have disabled the remote connections in the Network settings section then it won't be available in the Users settings.
GrimReaper 4739 Posted May 8, 2022 4 minutes ago, rodainas said: If you have disabled the remote connections in the Network settings section then it won't be available in the Users settings. Yep, got it now, mine is always disabled hence I never noticed that.
QuarkZ 14 Posted May 8, 2022 5 minutes ago, rodainas said: If you have disabled the remote connections in the Network settings section then it won't be available in the Users settings. Well, that explains it, I was very confused here! lol Thanks!
CassTG 113 Posted May 9, 2022 On 07/05/2022 at 19:04, Raskolnikov said: Hey, I would like to know what I should do about security if I want to open my Emby server to the WAN. My Emby server is on a Debian machine in my LAN. As others mentioned, SSL certs are a must and a proxy is always good. In addition, Fail2Ban is a good idea to stop brute-force login attempts, as well as a firewall obviously. If using Docker and the UFW firewall then you should also change how Docker rules are applied; out of the box any Docker container will bypass UFW. A few tweaks stop this behaviour, allowing you to open said ports so that they only go to the one container rather than being open to the whole system.
Raskolnikov 0 (Author) Posted May 10, 2022 20 hours ago, CassTG said: As others mentioned, SSL certs are a must and a proxy is always good. In addition, Fail2Ban is a good idea to stop brute-force login attempts, as well as a firewall obviously. If using Docker and the UFW firewall then you should also change how Docker rules are applied; out of the box any Docker container will bypass UFW. A few tweaks stop this behaviour, allowing you to open said ports so that they only go to the one container rather than being open to the whole system. OK, but from what I understood, to have an SSL certificate and use a reverse proxy, you have to pay for a domain name, right?
CassTG 113 Posted May 10, 2022 (edited) 5 hours ago, Raskolnikov said: OK, but from what I understood, to have an SSL certificate and use a reverse proxy, you have to pay for a domain name, right? Some people do it with the free domain providers; I haven't tried it myself but there are some out there. I use OVH for all my domains and they can be had for £1, plus £1 for anycast DNS which speeds up propagation. I know YouTuber TechnoTim / Network Chuck (one of them) has used this for throwaway projects: Free Domains. Select the .tk domain or one of the others listed as provided free and give it a try. Edited May 10, 2022 by CassTG
shoodidagen 3 Posted November 7, 2023 (edited) On 10/05/2022 at 19:54, CassTG said: My Complete Docker Setup Guide (inc reverse proxy) >> Using Docker and UFW Firewall, YOU ARE NOT PROTECTED But you can be! Just wanted to thank you for the Complete Docker guide and UFW links!!! I'm moving everything over to Docker currently and I feel like I've hit the jackpot with these links! My Complete Docker Setup Guide (inc reverse proxy) >> Using Docker and UFW Firewall, YOU ARE NOT PROTECTED But you can be! Thank you! Edited November 7, 2023 by shoodidagen
CassTG 113 Posted November 8, 2023 (edited) 22 hours ago, shoodidagen said: Just wanted to thank you for the Complete Docker guide and UFW links!!! I'm moving everything over to Docker currently and I feel like I've hit the jackpot with these links! My Complete Docker Setup Guide (inc reverse proxy) >> Using Docker and UFW Firewall, YOU ARE NOT PROTECTED But you can be! Thank you! Hi and thanks. I may need to take a look again at the configs to make sure they are all current (just updated a couple of my servers for other stuff and tweaked the fail2ban configs). The UFW setup is the most important, as Docker ports that are published bypass UFW, so this is key to get right.

Also, another thing to look at, which can be run side by side quite happily with fail2ban (some advise not to but I have noticed no conflicts and they stop different things), is installing CrowdSec. CrowdSec is very easy to set up, and they have a hub or app store that you can add different modules from, i.e. there is a dedicated Emby jail, *arr jails, Nextcloud, Nginx, Authelia etc., and it's as easy as installing the extra "parser" (they provide the link on each page) and then adding the paths to the logs. They also allow you two major blocklists you can apply, so depending on the blocklist it will auto-ban the IPs of known hackers, spammers etc. and the list updates dynamically. You can then see the decisions being made via their website where you enroll your servers, all for free.

Crowdsec Install
Crowdsec Emby Parser

CrowdSec is split into 3 parts: CrowdSec System, CrowdSec Bouncers and CrowdSec Parsers. The system is the main part, like fail2ban; on its own it's useless. Bouncers are the equivalent of fail2ban actions in a roundabout way: they are how or what the system should interact with. If using UFW then the iptables bouncer will be installed by default. Parsers are the equivalent of fail2ban filters, i.e. what in the logs the system should look for (failed logins etc.).

The beauty is you do not need to know the expressions; they are written and updated by people who know. Then once installed, all you need to do is edit one file to add the log file path for that parser, so for example:

nano /etc/crowdsec/acquis.yaml

And using the Emby link I sent, you would add the following to the bottom of the file:

---
filenames:
  - /var/log/embyserver.txt
labels:
  type: emby

Where you would change the log path to match that of your Docker, e.g. /var/lib/docker/volumes/emby_data/_data/log/embyserver.txt (the path will be different, just an example).

And one new update: depending on who your domain provider is, both SWAG and NGINX Proxy Manager currently fail obtaining certs with OVH and GoDaddy when using DNS validation. This is due to certbot not being updated for their NULL responses; this can be fixed within both containers by updating to certbot 2.7.2. If you're not affected by this then all good; if you are, I can post the Python commands to update the 3 elements needed. Edited November 8, 2023 by CassTG
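As an added illustration of what a fail2ban filter or CrowdSec parser does behind the scenes (example code written for this thread, not CassTG's setup and not CrowdSec's, fail2ban's or Emby's own code): a small Python script runs a failed-login regex over a few constructed log lines and applies fail2ban-style maxretry/findtime counting per source IP, emitting a ban decision when the threshold is reached inside the window. The log line shape and the IP addresses are made up for the example; Emby's real log format differs, which is exactly why the maintained parser from the hub is worth using instead of writing your own expression.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. This is NOT Emby's real log format; the shape
# (timestamp, level, message ending in the client IP) is assumed for the example.
SAMPLE_LOG = """\
2024-10-06 10:00:01.000 Info Authentication request for alice from 203.0.113.7 succeeded
2024-10-06 10:00:05.000 Warn Invalid username or password for user bob from 198.51.100.23
2024-10-06 10:00:06.000 Warn Invalid username or password for user bob from 198.51.100.23
2024-10-06 10:00:07.000 Warn Invalid username or password for user admin from 198.51.100.23
2024-10-06 10:00:09.000 Warn Invalid username or password for user admin from 198.51.100.23
2024-10-06 10:00:10.000 Warn Invalid username or password for user admin from 198.51.100.23
2024-10-06 10:01:00.000 Warn Invalid username or password for user carol from 192.0.2.55
2024-10-06 10:30:00.000 Warn Invalid username or password for user carol from 192.0.2.55
"""

# The "filter" / "parser": one regex that captures the timestamp and the
# source address of a failed login. This is the part the hub maintains for you.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Warn "
    r"Invalid username or password for user \S+ from (?P<ip>[\d.]+)$"
)


def parse_failures(text):
    """Yield (timestamp, ip) for every line matching the failed-login pattern."""
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def decide_bans(text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for every IP that reaches maxretry failures
    inside a sliding window of length findtime (fail2ban's maxretry/findtime
    semantics). Failures older than the window are forgotten; an IP is only
    banned once per run."""
    recent = defaultdict(list)   # ip -> timestamps of failures still in window
    bans = {}
    for ts, ip in parse_failures(text):
        if ip in bans:
            continue
        window = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    # 198.51.100.23 hits 5 failures within seconds and is banned;
    # 192.0.2.55 has only 2 failures, 29 minutes apart, and is not.
    for ip, when in decide_bans(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when})")
```

The "bouncer" stage is deliberately left out: in a real deployment the returned decisions would be handed to the firewall (the iptables bouncer mentioned above), which is a separate concern from recognising the failures.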
plittlefield 56 Posted September 12, 2024 (edited) Odd one this ... I have CS running on my cloud server in Docker protecting Traefik and web sites (using the traefik-bouncer) with no problems - and have tested it with the usual command ...

docker exec crowdsec cscli decisions add --ip 51.101.192.81 --duration 2m

... and this ran perfectly. I have now installed CS in a Docker at home protecting my Emby server. However, when I run the same command to test banning an IP, I get this error:

docker exec crowdsec cscli decisions add --ip 51.101.192.81 --duration 2m
level=fatal msg="51.101.192.81\u200c isn't a valid ip"

Is it because I don't have a bouncer installed for Emby?

docker exec crowdsec cscli bouncers list
------------------------------------------------------------------
Name IP Address Valid Last API pull Type Version Auth Type
------------------------------------------------------------------
------------------------------------------------------------------

Which bouncer am I supposed to use to protect Emby? I'm using https://app.crowdsec.net/hub/author/LePresidente/collections/emby

Thanks. Paully Edited September 12, 2024 by plittlefield
plittlefield 56 Posted October 6, 2024 I fixed this by typing in the IP address by hand for the command. The reason it didn't work before was because I had copied the command from a web page and it pasted spurious characters at the end! Problem solved. I will try out those UFW tweaks for Docker and the Emby CrowdSec then report back.
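The "isn't a valid ip" error in the two posts above came from a zero-width non-joiner (U+200C, the "\u200c" visible in the log line) that rode along with the copied command, and the fix was retyping the address by hand. As an added example, not from the poster and not part of CrowdSec, here is a small Python check that names the hidden character before a pasted address reaches a tool, then validates the cleaned string with the standard library's ipaddress module. The sample strings are constructed for the example and use a TEST-NET documentation address (203.0.113.5) rather than the IP from the thread.

```python
import ipaddress
import unicodedata

# Constructed samples: a clean address and three copies carrying characters
# that do not show on screen. 203.0.113.5 is a TEST-NET documentation address.
PASTED_OK = "203.0.113.5"
PASTED_ZWNJ = "203.0.113.5\u200c"   # zero-width non-joiner, as in the error above
PASTED_NBSP = "203.0.113.5\u00a0"   # no-break space, common from web pages
PASTED_BOM = "\ufeff203.0.113.5"    # byte-order mark at the start


def _is_hidden(ch):
    """True for characters that render as nothing or as blank: Unicode format
    characters (Cf), control characters (Cc) and any separator (Zs/Zl/Zp)."""
    cat = unicodedata.category(ch)
    return cat in ("Cf", "Cc") or cat.startswith("Z")


def invisible_chars(s):
    """Return (offset, 'U+XXXX', Unicode name) for every hidden character in s."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
            for i, ch in enumerate(s) if _is_hidden(ch)]


def check_ip(s):
    """Validate s as an IP address without altering it.
    Returns (ok, message); the message names any hidden character so the
    user learns what was wrong instead of a bare "isn't a valid ip"."""
    hidden = invisible_chars(s)
    if hidden:
        desc = ", ".join(f"{code} {name} at offset {i}" for i, code, name in hidden)
        return False, f"hidden character(s): {desc}"
    try:
        ipaddress.ip_address(s)
    except ValueError:
        return False, "not a valid IPv4/IPv6 address"
    return True, "ok"


def clean_ip(s):
    """Drop hidden characters, then validate. Returns the normalised address
    string, or None if what remains still is not an address."""
    stripped = "".join(ch for ch in s if not _is_hidden(ch))
    try:
        return str(ipaddress.ip_address(stripped))
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in (PASTED_OK, PASTED_ZWNJ, PASTED_NBSP, PASTED_BOM):
        ok, msg = check_ip(sample)
        verdict = "OK" if ok else "REJECT"
        print(f"{sample!r}: {verdict} ({msg}) -> cleaned {clean_ip(sample)!r}")
```

Reporting the offending code point (rather than silently stripping it) is the useful part for an operator: the same invisible characters turn up in pasted hostnames, API keys and YAML paths such as the acquis.yaml entry earlier in this thread, and a named character is far quicker to diagnose than a generic validation failure.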
ZanderKeen 72 Posted October 6, 2024 There is some good feedback in this thread. I just thought I would add one other thing I did personally as well. I changed my default SSH port & put it behind my network firewall. If you need to access it from outside your network, you could proxy into it by connecting to a different device in one way or another as a proxy, then go into your server from that device. I just personally don't like to let SSH see the internet.
plittlefield 56 Posted October 6, 2024 Oh, I never do that for home … VPN in and then SSH. All my cloud servers are on different ports and restricted to a specific IP address anyway.