MrHerps 2 Posted June 29, 2025 Hello, I hope this is the right place for this. A couple of days ago someone appeared to brute-force their way into my Emby server. There were numerous attempts from the same IP address; the IP address is coming from Germany. This person managed to get into 2 of the accounts that I have on my server; luckily they were accounts that don't have permissions to manage the server. I went through every user account with my password manager and created cryptic passwords for everyone. I notice on the "Activity" page that the suspicious activity started on 6/27/2025 at 3:37 AM from the IP address ending in 178 and ends at 5:42 AM. I also noticed a whole bunch of failed attempts on the "Alerts" page. According to the logs, a whole bunch of activity starts at 6/26/2025 at 10:21 PM and continues on. I'm just not sure what this individual's intentions were or what they got from getting into my server. I've attached relevant logs and screenshots. Thanks.
Attachments: hardware_detection-63886725110.txt hardware_detection-63886724465.txt embyserver-63886724420.txt hardware_detection-63886717713.txt hardware_detection-63886717708.txt hardware_detection-63886715675.txt hardware_detection-63886706500.txt hardware_detection-63886652679.txt hardware_detection-63886645635.txt hardware_detection-63886600078(1).txt hardware_detection-63886582515.txt embyserver-63886582489.txt hardware_detection-63886600078.txt hardware_detection-63886746599.txt hardware_detection-63886746249.txt hardware_detection-63886746244.txt hardware_detection-63886745160.txt hardware_detection-63886745155.txt hardware_detection-63886744992.txt hardware_detection-63886744786.txt hardware_detection-63886743634.txt hardware_detection-63886740291.txt
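The pattern described in this post (a run of failed logins from one IP, then successful logins to two accounts from the same IP) is exactly what a short triage script can pull out of the server log. The following is an added example, not code from the original post or from Emby. The log lines are constructed, and their layout (`<timestamp> <level> Auth: Authentication failed|succeeded for user '<name>' from <ip>`) is an assumption made for the example, so `LINE_RE` has to be adapted to whatever the real lines in embyserver-*.txt look like. The script groups events by source IP, counts failures and usernames tried, and flags any success that follows at least `fail_threshold` failures from the same IP within `window` as a likely compromised account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed layout, NOT Emby's real log format).
# The .178 host fails repeatedly, then gets into 'kids' and 'guest';
# the 192.0.2.10 login has no failures before it and is the owner.
SAMPLE_LOG = """\
2025-06-26 22:21:03 Info Auth: Authentication failed for user 'admin' from 203.0.113.178
2025-06-26 22:21:05 Info Auth: Authentication failed for user 'admin' from 203.0.113.178
2025-06-26 22:21:07 Info Auth: Authentication failed for user 'guest' from 203.0.113.178
2025-06-26 22:21:09 Info Auth: Authentication failed for user 'kids' from 203.0.113.178
2025-06-26 22:21:11 Info Auth: Authentication failed for user 'kids' from 203.0.113.178
2025-06-27 03:36:58 Info Auth: Authentication failed for user 'kids' from 203.0.113.178
2025-06-27 03:37:02 Info Auth: Authentication succeeded for user 'kids' from 203.0.113.178
2025-06-27 03:40:15 Info Auth: Authentication failed for user 'guest' from 203.0.113.178
2025-06-27 03:40:17 Info Auth: Authentication succeeded for user 'guest' from 203.0.113.178
2025-06-27 05:42:00 Info Auth: Authentication failed for user 'admin' from 203.0.113.178
2025-06-27 07:15:44 Info Auth: Authentication succeeded for user 'admin' from 192.0.2.10
"""

# Assumed line layout; adapt the regex to the real log lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ Auth: Authentication "
    r"(?P<result>failed|succeeded) for user '(?P<user>[^']+)' from (?P<ip>[0-9a-fA-F.:]+)$"
)


def parse_line(line):
    """Return an auth event dict for a matching line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "ok": m["result"] == "succeeded",
        "user": m["user"],
        "ip": m["ip"],
    }


def triage(log_text, fail_threshold=5, window=timedelta(hours=6)):
    """Per source IP: failure count, usernames tried, all successes, and the
    successes that came after >= fail_threshold failures from that IP within
    `window` (the likely account takeovers)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # logs are usually ordered, but don't rely on it
    report = {}
    recent_fail = defaultdict(list)  # ip -> timestamps of failed attempts
    for e in events:
        r = report.setdefault(e["ip"], {"failures": 0, "users_tried": set(),
                                        "successes": [], "suspicious_logins": []})
        if e["ok"]:
            r["successes"].append((e["user"], e["ts"]))
            fails_in_window = [t for t in recent_fail[e["ip"]] if e["ts"] - t <= window]
            if len(fails_in_window) >= fail_threshold:
                r["suspicious_logins"].append((e["user"], e["ts"]))
        else:
            r["failures"] += 1
            r["users_tried"].add(e["user"])
            recent_fail[e["ip"]].append(e["ts"])
    return report


def compromised_accounts(report):
    """Usernames that were logged into right after a burst of failures, from any IP."""
    return sorted({u for r in report.values() for u, _ in r["suspicious_logins"]})


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for ip, r in rep.items():
        print(f"{ip}: {r['failures']} failures, tried {sorted(r['users_tried'])}, "
              f"suspicious logins {[(u, t.isoformat()) for u, t in r['suspicious_logins']]}")
    print("likely compromised accounts:", compromised_accounts(rep))
```

A flagged success tells you which accounts the attacker got into and when; it says nothing about what they did afterwards, which has to come from the activity entries for those sessions. The usernames in `users_tried` also show whether the attacker already knew the account names or was guessing them.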
Abobader 3464 Posted June 29, 2025 Hello MrHerps, ** This is an auto reply ** Please wait for someone from staff support or our members to reply to you. It's recommended to provide more info, as explained in this thread: Thank you. Emby Team
Odnog 0 Posted June 29, 2025 The same thing happened to me, see my original post: https://emby.media/community/index.php?/topic/139762-unbekannte-loginversuche/
Luke 42078 Posted June 29, 2025 Hi. Do you use a VPN by any chance? Have you set up SSL on your Emby server? Also, I would suggest using a different router port from the default. That will help make your server more difficult to discover.
MrHerps 2 Posted June 29, 2025 Author Hi, thanks for the reply! I have tried setting up Emby to work using NordVPN with a static IP, but I could never get it to work remotely; I ended up canceling my subscription to NordVPN for this and other reasons. I'm using a No-IP DNS hostname for the server. I'm not sure how to use SSL, and what other port should I use? I did just go through and turn on the option "Hide this user account from login screens on devices they've never signed into" for all my users. Is this the reason this individual was able to get the usernames in the first place? I don't know how to interpret the logs; is it possible to determine what this individual's intentions were? Thanks for the help, this has been really stressing me out. I ran a Malwarebytes scan on my server and it didn't find anything; is there anything else I should check?
Luke 42078 Posted June 29, 2025 Quote: I did just go through and turned on the option "Hide this user account from login screens on devices they've never signed into" for all my users. Is this the reason this individual was able to get the usernames in the first place? Possibly, yes, but then there's the question of how they found your server in the first place. The most likely answer to that is simple port scanning over lots of IP addresses, where they're just sending out requests and seeing what they find. That's why using a different public-facing port can help hide your Emby server a little bit better than using the default. You'd have to first set a new public port number in Emby Server network settings, and then change the port forwarding rule in your router from 8096 to whatever new port you decide on.
MrHerps 2 Posted June 29, 2025 Author What port should I use instead of the default?
Luke 42078 Posted June 29, 2025 Anything your router and ISP allow. 9042, whatever you want. But simply entering it into Emby Server network settings by itself might not be enough. You can't skip the step of changing the port forwarding rule in your router.
sh0rty 717 Posted June 30, 2025 (edited) @MrHerps It's 2025 and the web is like the wild wild west. Don't expose your Emby at home plainly forwarded to the web without additional security measures (e.g. SSL/TLS, WAF, CrowdSec, reverse proxy with 2FA login option; best option: all of that). Simple as that. If you're not confident enough to take that path and learn, use a VPN like WireGuard to connect to your home network and Emby, and close the Emby ports. Edited June 30, 2025 by sh0rty
MrHerps 2 Posted July 3, 2025 Author My final question is: what are the "hardware detection" messages?
Luke 42078 Posted July 4, 2025 11 hours ago, MrHerps said: My final question is: what are the "hardware detection" messages? The server detects supported graphics cards for hardware transcoding features.