Fl0ppy, posted March 24, 2023 (edited)

I know what you're thinking after reading the title: "Ah, s*** here we go again." But I really need help to secure my server and other posts didn't help me.

I recently acquired Emby to set up a multimedia server, and it works perfectly fine on my local network as well as remotely, but it's not very secure. I want to know some "easy" steps to protect it. I'm not an expert, but I can do some basic things. Currently, I have a VPN that I use for personal use, but not for my server. My server runs on Windows (I know, sorry).

Any help would be greatly appreciated.

Regards.

neik, posted March 24, 2023

4 minutes ago, Fl0ppy said:
> but it's not very secure.

Why's that?

4 minutes ago, Fl0ppy said:
> Currently, I have a VPN that I use for personal use, but not for my server.

If you already use a VPN you don't need to open up ports, just log in via VPN to your local network and then you appear to be "at home" and can access the server. I'm currently accessing my homeserver exactly like that, no port is open apart from the one required for Wireguard (VPN).

Fl0ppy (Author), posted March 24, 2023

2 minutes ago, neik said:
> Why's that?

I mean that my server currently has no protection at all.

2 minutes ago, neik said:
> If you already use a VPN you don't need to open up ports, just log in via VPN to your local network and then you appear to be "at home" and can access the server. I'm currently accessing my homeserver exactly like that, no port is open apart from the one required for Wireguard (VPN).

It would be good, but other members of my family may access it, and it's going to be hard to install the VPN and teach them how to use it.

GrimReaper, posted March 24, 2023 (edited)

26 minutes ago, Fl0ppy said:
> I really need help to secure my server

26 minutes ago, Fl0ppy said:
> I want to know some "easy" steps to protect it.

To secure your server, an SSL setup is required. The first thing to decide is whether you want a reverse proxy (not mandatory) to handle it or not. Either way, a number of related Guides/How-to's are pinned in General/Windows and also around various forum sections (Search is your friend). Examples:

No reverse proxy:

Reverse proxy:

Once you choose the desired method, if any issues are encountered, you can post in the related thread.

pwhodges, posted March 24, 2023

How are you defining "secure"? What are you trying to secure against?

Paul

Fl0ppy (Author), posted March 24, 2023

30 minutes ago, GrimReaper said:
> To secure your server, an SSL setup is required. The first thing to decide is whether you want a reverse proxy (not mandatory) to handle it or not. Either way, a number of related Guides/How-to's are pinned in General/Windows and also around various forum sections (Search is your friend). Examples: No reverse proxy, Reverse proxy. Once you choose the desired method, if any issues are encountered, you can post in the related thread.

What's the main difference between these two and what's the best to use?

Fl0ppy (Author), posted March 24, 2023

22 minutes ago, pwhodges said:
> How are you defining "secure"? What are you trying to secure against? Paul

By "secure" I mean only me and my family can access it, I don't want any other person to

pwhodges, posted March 24, 2023 (edited)

That's what the Emby login is for.

Adding SSL would prevent (the very unlikely) sniffing of access to your server, which could expose the logins and passwords; easy to add, and so a no-brainer.

You can avoid publicising your domain name and use an unusual port for Emby - but that can't prevent random scanning finding it eventually.

You can hide login names for external access (Emby setting) to make it harder for anyone who reaches the login page.

You could limit external access by client IP address, if you know them, and they are fixed (which is unusual if using mobile devices); Emby can do this by network, and a reverse proxy would offer many more specific options (including geographic ones).

You can limit the devices that your users can use to those you know are theirs (an Emby setting).

If external access is only by browser, you could use a reverse proxy to impose a basicauth login before showing the Emby login page (the clients don't know about that, so wouldn't be able to operate with it).

Using a VPN can hide your identity as an Emby user, but doesn't address the other issues.

Using Tailscale or ZeroTier and installing on all your users' devices can make them all appear to be local to your network, and thus enable you to block all "external" access in Emby; that might be the nearest to what you want, I guess.

...just a few thoughts. But anyway, why do you feel the login is insufficient?

Paul

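Added example, not part of any post in this thread: an nginx reverse-proxy configuration (nginx chosen here as one possible proxy) combining several of the options listed in the post above: TLS, restriction by client network, and an optional basic-auth prompt for browser-only access. The hostname, certificate paths, allowed networks and the backend address 127.0.0.1:8096 are assumptions to adapt to your own setup.

```nginx
# Goes inside the http { } block of nginx.conf.
# Every name, path and address below is a placeholder (assumption).

# Redirect plain HTTP to HTTPS so logins never travel unencrypted.
server {
    listen 80;
    server_name emby.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name emby.example.com;

    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Limit access by client network. Only practical when the remote
    # addresses are known and fixed (rarely true for mobile devices).
    allow 192.168.1.0/24;   # home LAN (assumed range)
    allow 203.0.113.10;     # a relative's static IP (documentation address)
    deny  all;

    location / {
        # Browser-only setups: an extra login in front of the Emby login page.
        # Emby apps cannot answer this prompt, so leave it commented out
        # if any user connects with an app.
        # auth_basic           "Restricted";
        # auth_basic_user_file /path/to/htpasswd;

        # Hand the request to the Emby server (assumed local address and port).
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket pass-through, in case the web client uses it.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

With the proxy in front, only port 443 needs to be forwarded on the router; the Emby port itself should no longer be forwarded.
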
pir8radio, posted March 24, 2023

4 hours ago, Fl0ppy said:
> By "secure" I mean only me and my family can access it, I don't want any other person to

It doesn't sound like you have the most basic of built-in security set up. Are you saying any stranger can get to your media today? If yes, you need to make sure every account has a password and is required to use it.

crusher11, posted March 26, 2023

On 3/24/2023 at 9:27 PM, pwhodges said:
> Using Tailscale or ZeroTier and installing on all your users' devices can make them all appear to be local to your network, and thus enable you to block all "external" access in Emby; that might be the nearest to what you want, I guess.

I tried setting up Tailscale on my Synology, but I couldn't get it to work.

Some sort of bruteforce prevention would be the next step, too.

pwhodges, posted March 26, 2023

Brute force? The OP hasn't even yet said why the Emby login doesn't achieve his stated aim.

Paul