Nudes 0 Posted April 17, 2023 Hello, currently I have Emby server running on a Windows PC that is on a VLAN that has no internet access. I am aware that eventually Emby will stop working properly if it can't reach out to the internet to at least validate my key every once in a while. All I need is to know what websites Emby reaches out to to validate the key so I can whitelist them in my firewall and allow Emby to check the subscription status. Would I get away with just adding Emby.media to my firewall's whitelist? I tried searching for other threads and only found one where someone was trying to do this exact thing, but he never got any replies and I can't find any info on it. Thank you!
Abobader 3470 Posted April 17, 2023 Hello Nudes, ** This is an auto reply ** Please wait for someone from staff support or our members to reply to you. It's recommended to provide more info, as explained in this thread: Thank you. Emby Team
rbjtech 5284 Posted April 17, 2023 Ensure you can get to https://mb3admin.com 1
Nudes 0 Posted April 17, 2023 Author Excellent. What would I need to allow to have it pull images and metadata from the web?
Happy2Play 9783 Posted April 17, 2023 4 minutes ago, Nudes said: Excellent. What would I need to allow to have it pull images and metadata from the web? Depends on the providers you have enabled. You should be able to see all of them via a server log.
https://webservice.fanart.tv
http://assets.fanart.tv
https://api4.thetvdb.com
https://artworks.thetvdb.com
https://api.themoviedb.org
https://image.tmdb.org
https://private.omdbapi.com
https://img.omdbapi.com
Then you possibly have Music providers, Anime providers and so on. Then server updates:
https://api.github.com/repos/MediaBrowser/Emby.Releases/releases
rbjtech 5284 Posted April 17, 2023 (edited) Restricting outgoing destinations is a bit extreme and tbh I think you will find the overhead of doing so and keeping this updated more trouble than it's worth. What are you protecting against in this scenario? Remembering this is outgoing/egress traffic only - ie initiated by the emby host itself - I would just allow this host outgoing to http/https and this should be more than sufficient. Obviously any external clients will need an incoming/ingress f/w rule to the host (as well as any other local VLANs) - this is where you need the maximum protection as it is untrusted traffic - ie you did not initiate it. Edited April 17, 2023 by rbjtech
Nudes 0 Posted April 19, 2023 Author rbjtech, The emby server is running on the same system as my camera system software, Blue Iris. Hikvision cameras are used in conjunction with Blue Iris. While the cameras provide good bang for the buck (solid build quality, features and camera quality), they have a security flaw related to back door access. As long as they are on a VLAN that has no internet access, this will not be an issue. I do have SSL VPN access into that firewall and subnet, which gives me access to the camera system with my app as well as Emby with the Emby app. Interesting idea: I can just allow HTTP/HTTPS traffic through if it comes from the machine Emby is on? Would that give all of Windows access? I wouldn't want Windows to update by itself and break my Blue Iris system.
GregMo 24 Posted April 19, 2023 (edited) Just turn off Windows updates. I'm still running Win8 on my desktop and Win7 on my laptop. Every time Windows upgrades they break something, so I have just adopted the policy, "If it's not broke, don't fix it". I know there are some in the security arena that would cringe hard at this, but if you're an experienced user, you rarely get viruses (I've had 2 in close to 40 years), and when you do, you can handle removing them. If you're that paranoid about it, though, you really should have a dedicated machine set up just for that software. Trying to maintain the firewall like you have mentioned, and still have the computer be functional for much anything else, will be a nightmare of an admin task. Then again, another thought: your router *SHOULD* have a log somewhere that shows rejected/blocked requests. When you are trying to do something with Emby, or anything else for that matter, you could check this log for hosts that it's trying to reach. Edited April 19, 2023 by GregMo 1
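Happy2Play's advice above (read the provider hosts out of the server log) and GregMo's (read the blocked destinations out of the firewall log) are the same discovery step seen from two sides. The script below is an added example for this thread, not Emby's code and not any firewall vendor's. It pulls hostnames out of URL-bearing log lines, diffs them against the allowlist the thread has built up so far, and separately counts what a firewall block log says is still being denied from the Emby host. Both log formats, the hostname `example-music-provider.invalid` and the IP addresses are constructed for illustration and are not real Emby or firewall output.

```python
"""Egress allowlist helper: discover what a media server host talks to,
and what the firewall is still blocking.  Added example, not Emby's code.
Log formats below are constructed for illustration, not real Emby or
firewall output."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosts named in the thread: licence check, metadata providers, update feed.
ALLOWLIST = {
    "mb3admin.com",
    "webservice.fanart.tv", "assets.fanart.tv",
    "api4.thetvdb.com", "artworks.thetvdb.com",
    "api.themoviedb.org", "image.tmdb.org",
    "private.omdbapi.com", "img.omdbapi.com",
    "api.github.com",
}

# Constructed server log lines (generic HTTP-client style; not Emby's format).
SAMPLE_SERVER_LOG = [
    "2023-04-17 10:00:01 Info HttpClient: GET https://mb3admin.com/admin/service/registration/validate",
    "2023-04-17 10:00:02 Info HttpClient: GET https://api.themoviedb.org/3/movie/123?api_key=REDACTED",
    "2023-04-17 10:00:03 Info HttpClient: GET https://image.tmdb.org/t/p/original/poster.jpg",
    "2023-04-17 10:00:04 Info HttpClient: GET https://api.github.com/repos/MediaBrowser/Emby.Releases/releases",
    # Placeholder for a provider nobody listed yet (.invalid is a reserved TLD).
    "2023-04-17 10:00:05 Info HttpClient: GET https://example-music-provider.invalid/lookup?q=foo.",
]

# Constructed firewall block-log lines (generic key=value syslog; not a vendor format).
SAMPLE_FW_LOG = [
    "Apr 17 10:00:05 fw filterlog: action=block src=192.168.50.10 dst=203.0.113.7 dport=443",
    "Apr 17 10:00:06 fw filterlog: action=pass src=192.168.50.10 dst=198.51.100.5 dport=443",
    "Apr 17 10:00:07 fw filterlog: action=block src=192.168.50.10 dst=203.0.113.7 dport=443",
    "Apr 17 10:00:08 fw filterlog: action=block src=192.168.50.10 dst=192.0.2.20 dport=80",
    "Apr 17 10:00:09 fw filterlog: action=block src=192.168.50.11 dst=203.0.113.7 dport=443",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DENY_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def hosts_from_log(lines):
    """Count every hostname that appears inside a URL in the given log lines."""
    hits = Counter()
    for line in lines:
        for url in URL_RE.findall(line):
            # Trailing sentence punctuation is not part of the URL.
            host = urlsplit(url.rstrip(".,;)")).hostname
            if host:
                hits[host.lower()] += 1
    return hits


def missing_from_allowlist(hosts, allowlist=ALLOWLIST):
    """Hostnames seen in the log that the firewall allowlist does not yet cover."""
    return sorted(h for h in hosts if h not in allowlist)


def blocked_destinations(lines, src_ip):
    """Count (dst, dport) pairs the firewall denied for traffic from src_ip.

    Only lines whose action is a deny verb and whose src matches are counted,
    so 'pass' entries and other hosts on the VLAN do not pollute the result."""
    denied = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m and m["action"].lower() in {"block", "drop", "deny"} and m["src"] == src_ip:
            denied[(m["dst"], int(m["dport"]))] += 1
    return denied


if __name__ == "__main__":
    seen = hosts_from_log(SAMPLE_SERVER_LOG)
    print("hosts seen in server log:", dict(seen))
    print("not yet allowlisted:", missing_from_allowlist(seen))
    print("still blocked from 192.168.50.10:",
          dict(blocked_destinations(SAMPLE_FW_LOG, "192.168.50.10")))
```

Two caveats when turning the output into firewall rules. First, a rule keyed on a source IP (rbjtech's "allow this host outbound to http/https") covers every process on that Windows box, not just Emby; if you want Emby but not Windows Update to get out, the distinction has to be made on the host itself (per-program outbound rules) or by destination, not by source address. Second, destination rules by hostname only work if the firewall supports FQDN objects and refreshes them, because CDN-backed hosts such as the image servers above change IP addresses; a static IP allowlist will silently go stale, which is exactly the "more trouble than it's worth" overhead rbjtech warns about.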
rbjtech 5284 Posted April 19, 2023 (edited) So as above - if you are serious about security - and it sounds like you are - then you should be running an isolated system for your cctv (as I do), on its own vlan and own VM or machine. cctv has constant video feeds (even if not recording) taking up bandwidth/cpu/interface etc. And then there is the isolation you speak of - much easier if it has its own dedicated VLAN with just BlueIris and the cameras on it. It also makes things much 'safer' if you use security 'zones' in f/w rules etc - as you open up to your 'cctv zone' knowing everything in it has trust level 'x' or 'y'. Same for emby tbh, I have a 'media zone/vlan' which is emby, its supporting services and the clients. Hosts with real data sit in a Core zone. @GregMo - Patching is something you need to do - if it's not exposed to the internet, then the risk is obviously much lower, but unless totally isolated the risks are there and still need to be monitored and managed. Edited April 19, 2023 by rbjtech