Remote access behind cgnat and with security


Go to solution Solved by GrimReaper,

Recommended Posts

betobarela
Posted

Hey, guys! Big problem here: 

1. I just found out I'm behind CGNAT (the second hop in my traceroute leaves 10.x). 

2. Tomorrow I'll contact my ISP and ask to be removed from it and gaining a static IP -- but have very little hope they'll do it. 

3. I still want to gain remote access and am looking into 2 options for now: buying a vpn or setting up a tunnel through cloudflare's zerotrust. 

Now, it must be made clear that I have no idea what is going on -- the description above and my options come from understanding the bare minimum of the practical side of forum posts, and so I ask for your help. 

* If I buy (the cheapest) VPN available to me, can it become a chokepoint for speed on my remotely connected clients? More importantly, will my clients (non-techie family members) have to set up anything besides simply browsing to my VPN IP?

* What is the downside of setting up cloudflare's zerotrust with a free Freenom domain? 

* What about security? I confess that in the beginning I had not thought about this, but now am crazy scared about securing the server in any of the settings. What would be a nice way to do this? For example, if one would stream pirated content, could it be secure -- although, obviously, of his responsibility -- ?

Posted

Hi, please take a look at this topic about CGNat and then let us know if this helps with your questions:

Thanks !

betobarela
Posted

@Luke Thank you very much!

 

I had already seen that post, though. There is another piece of information I think might be of use in my problem:

My ISP opened ports 8096 and 8920 at my request, but they are still not opened 'for me' (they cannot be seen on canyouseeme) -- they are opened on a ddns.domain owned by the provider. They told me now I need to configure my server pointing to the ddns and it should work. 

 

I, however, have no idea what this means or what I should do (or even if the guy is right). 

 

I appreciate any insight! 

  • Solution
GrimReaper
Posted
6 minutes ago, betobarela said:

I, however, have no idea what this means or what I should do (or even if the guy is right). 

Try configuring your server in Settings>Network tab as follows:


betobarela
Posted (edited)

@GrimReaper wow, is it really that simple? Thank you very much, can't wait to try it out! 

 

What would be the URL my clients would type to remotely access the server in the case this works? 

Edited by betobarela
GrimReaper
Posted
Just now, betobarela said:

@GrimReaper wow, is it really that simple? Can't wait to try it out.

 

What would be the URL my clients would type to remotely access the server in the case this works? 

Your ISP's DDNS domain followed by port, i.e. http://yourisp.ddns.domain:8096 or https://yourisp.ddns.domain:8920 if you're using SSL. 

betobarela
Posted (edited)

@GrimReaper It worked!!!!! Thank you very much!

Now I'm only worried about security. If you could link me to an existing guide/post that would help making my setup more secure, it would help me a lot! 

In any case, thank you again! 

Edited by betobarela
  • Like 1
GrimReaper
Posted
Just now, betobarela said:

If you could link me to an existing guide/post that would help making my setup more secure, it would help me a lot! 

Number of pinned topics about securing your setup in General/Windows:

General/Windows - Emby Community

 

betobarela
Posted

@GrimReaper @Luke I am grateful for the references! I should have mentioned that my server is on Linux, though. 

Posted
1 minute ago, betobarela said:

@GrimReaper @Luke I am grateful for the references! I should have mentioned that my server is on Linux, though. 

It's only "with Windows-specific tips". It is not a Windows-specific article.

  • Thanks 1
Posted

I had similar "concerns" and issues: 

Basically:

  • I think it is always a good security measure to change a default port (see SSH Port).
  • I created an extra user in emby with limited access for remote use
  • My main admin user is not allowed to be used via remote
  • Not sure if there is anything else you can do.

I would guess that a "rogue" person would try to port scan you until he figures out you have emby running on a specific port.

He would then look for public exploits or try to exploit you on his own.

Public exploits would probably get fixed by emby developers very quickly.

For everything else I guess you are not "interesting" enough for a hacker ;-)

  • Like 1
betobarela
Posted

@Utiniso, I confess I have no intuition regarding these things, and am very scared as a result of posts around here which stress that SSL and certification is the very least xD

What do you mean about SSH port as a security measure? 

Posted (edited)

SSH is the way you interface with Linux via text mode. It has other uses as well but allows for someone to access your box from the inside.

At the least you probably want the SSH port only available to inside IPs and maybe only a select few devices you need SSH from.
Keep all ports on your firewall closed except for ports that are intentionally opened and forwarded to a specific machine or service.

Run a software-based firewall on all machines only allowing specific ports to be open from your LAN as well as from the Internet.
Try to use a domain and SSL certificate so username/password and other sensitive information is encrypted.

I like running behind web ports 80 and 443 (secured) going through a reverse proxy which hides the identity of the source server.

Edited by cayars
Posted
2 hours ago, cayars said:

SSH is the way you interface with Linux via text mode. It has other uses as well but allows for someone to access your box from the inside.

At the least you probably want the SSH port only available to inside IPs and maybe only a select few devices you need SSH from.
Keep all ports on your firewall closed except for ports that are intentionally opened and forwarded to a specific machine or service.

Run a software-based firewall on all machines only allowing specific ports to be open from your LAN as well as from the Internet.
Try to use a domain and SSL certificate so username/password and other sensitive information is encrypted.

I like running behind web ports 80 and 443 (secured) going through a reverse proxy which hides the identity of the source server.

Thank you very much!

I have a few questions, though, as my knowledge is anecdotal and practical (besides being little, to boot xD) and it becomes very hard to translate general guides and tutorials here or on google to my specific setup not knowing what I am doing. 

1. I do understand what SSH is, but what exactly would I configure through (or in it) SSH to add to (or be a) security measure?

2. The ssl certificate module can be appropriately done through the nginx tutorial linked above?

3. Will something have to be done -- regarding any of the security 'modules' you mentioned -- on my clients side? Is this available, say, on somewhat old LG smart tvs? In any case, this would be a problem.

4. I'm very puzzled and worried about the fact that my current remote connections happen through a domain that is literally ddns.ISPCommercialName.com:8096, after they opened the port at my request. Is this a normal and safe thing? And more importantly, in the configuration of stuff like the nginx reverse proxy and etc, what would go into the 

''Enter the IP and port of the backend emby server here.''
entry of the suggested config? Just my internal IP, or does the ddns point change something?

5. More importantly,  I suppose that for these reverse proxy settings, for instance, the ports 80 and 443 should be the ones opened -- the thing is I cannot have any opened port here (behind cgnat) and the 8096 and 8920 are opened by my ISP on the ddns domain (I'm aware that I'm not describing the situation precisely, I just hope I'm being able to express understandably what is my setup). Supposing I cannot ask them to close 8096/8920 and open 80/443 (which I don't know is needed or even mean anything), how would I follow the nginx guide?

Basically, I'm not sure how to follow the tutorials because of my situation of the ports not being opened here and instead I'm accessing the server remotely through a ddns.domain where the ports are opened. I apologize for the handful of not precise and probably lazy looking questions, but I just cannot understand what is already written elsewhere with my next to nothing formal knowledge of internet.

Posted

1. SSH allows logins to the heart of the system where everything can be controlled by command line programs. Many programs require admin/root privileges to run but that only requires a "sudo" command and password usually.  Depending on your needs, if you do not use SSH often you can turn it off when not in use so it can't be exploited.  SSH can also be set up on the machine to only allow use from certain IP addresses or VLANs as well (firewall).  On my system you need to be on the management VLAN to use SSH.

2. NGINX is probably the most used Reverse Proxy with Emby. SSL can be done directly in Emby or as part of the Proxy. Technically if SSL is handled by the Proxy and not Emby you have an undecrypted part of the transmission (Emby to/from Proxy). If someone hacked your WIFI they could intercept packets and see the non-secure transmission just mentioned which would have username/passwords in the clear.

3. No other than general security all networks should have.

4. Technically you are protected more than many others who can get inbound packets on all ports and need to be firewalled on the router.  In your case the ISP has "firewalled" you except for the port they opened for you. The port should be open regardless of domain name.  Is the ddns entry pointing to your WAN IP address which you have forwarded to the Emby Server?

With that said it's possible but not likely your ISP only forwards the port if being used by ddns.domain.ext.  What happens if you use canyouseeme.org with the correct port?

5. Generally ports 80 and 443 are used with Reverse Proxies. By using those ports vs 8096 or 8920 no one would find your server running port scans.  Also you should set up your reverse proxy to look for a specific sub.domain.ext to forward the traffic to Emby Server.  Same for other programs using your Reverse Proxy.  If your reverse proxy receives requests but isn't using the domain names you've registered and set up in Nginx/proxy then either forward to a generic error page, forward them to Google or some other location, or do what I do and ignore answering the request keeping the connection open which will look like a timeout to the hacker. They will never get a response, so they are clueless what program answered the request.

@betobarela could you PM the Remote (WAN) IP shown on your Emby Server dashboard as well as the port and sub.domain URL your ISP set you up to use?
With that info I can test a couple things for you and better answer a couple parts of the above questions you asked.

Carlo
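Added example illustrating points 2 and 5 above (not configuration from the thread or from the Emby project): an nginx reverse proxy that terminates TLS, forwards only one configured hostname to Emby, and gives every other request no answer at all. Assumptions: Emby listens on 127.0.0.1:8096 on the same host as nginx, the public hostname is the placeholder emby.example.com, and the certificate paths are placeholders; if the ISP only forwards 8096/8920 rather than 80/443, change the listen ports accordingly.

```nginx
# Added example, not part of the thread. Placeholders: emby.example.com,
# certificate paths. Backend assumed on the same host as nginx.

# Pass the client's WebSocket upgrade through only when one was requested.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Catch-all: any request that does not match a configured hostname is dropped.
# Status 444 is nginx-specific: it closes the connection without sending any
# response. ssl_reject_handshake (nginx >= 1.19.4) refuses TLS handshakes for
# unknown names, so no fallback certificate is needed and nothing is revealed.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;
}

# Plain HTTP for the real hostname only redirects to HTTPS.
server {
    listen 80;
    server_name emby.example.com;
    return 301 https://$host$request_uri;
}

# The only block that ever reaches Emby.
server {
    listen 443 ssl;
    server_name emby.example.com;

    ssl_certificate     /etc/nginx/certs/emby.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/certs/emby.example.com.key;  # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # "Backend" is Emby's own LAN/loopback address and HTTP port, not the
        # ISP's DDNS name: the proxy talks to Emby on the inside.
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

The Emby-to-proxy hop stays plain HTTP, which is why keeping both on the same host (loopback) avoids the unencrypted LAN segment mentioned in point 2.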

Posted
On 1/8/2023 at 7:12 PM, GrimReaper said:

Your ISP's DDNS domain followed by port, i.e. http://yourisp.ddns.domain:8096

Sorry for being a dunce, @GrimReaper, but what would be a real-life example?  Does this apply only to CGNAT?  I didn't know ISPs had DDNS configured, unless you are talking about something like "68-66-73-68.client.mchsi.com", but then that would change upon IP address renewal.

GrimReaper
Posted
1 hour ago, justinrh said:

but what would be a real-life example?

Have no idea, whatever domain particular ISP is using (imaginary: ddns.atandt.com).

1 hour ago, justinrh said:

Does this apply only to CGNAT?

It applies only to the ISPs that offer such service. 

1 hour ago, justinrh said:

I didn't know ISPs had DDNS configured

I guess some do (while I reckon the majority actually don't); I consider it more of an exception than a rule. 

1 hour ago, justinrh said:

unless you are talking about something like "68-66-73-68.client.mchsi.com", but then that would change upon IP address renewal.

Nope, as stated:

On 1/9/2023 at 2:00 AM, betobarela said:

My ISP opened ports 8096 and 8920 at my request, but they are still not opened 'for me' (they cannot be seen on canyouseeme) -- they are opened on a ddns.domain owned by the provider.

OP's ISP opened ports on their side and that becomes the external entry point to OP's network as they're forwarding those ports to OP; same as if you're using a VPN that supports port forwarding (example: AirVPN), so that the VPN's address becomes the external entry point to your network. 

Posted
23 hours ago, GrimReaper said:

applies only to the ISPs that offer such service

Oh, I've never heard of this for any ISP; I didn't know it was a thing.

Thanks.
