
Help! ALL my users logged in to the server simultaneously


Go to solution Solved by AndreiP,


Posted

I've posted this before, adding here for reference.

General good practices for securing your Emby server.

1. Enable TLS/HTTPS
2. Use a reverse proxy if you can and know how to do it. If you don't know how, look into Caddy and use a reverse proxy.
3. Force all users to have passwords.
4. Don't allow remote access for Admin accounts. If you do then make sure the passwords are strong.
5. Don't show users on the remote login page.
6. Don't show admin users on any login page.
7. Don't use the name Admin for your main admin user.

 

  • Agree 1
  • Thanks 1
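
Items 3 to 7 of the checklist above expressed as an automated check over a user list. This is an added example, not part of the original post and not Emby's own code; the sample data is constructed, and the field names (`HasPassword`, `Policy.IsAdministrator`, `Policy.EnableRemoteAccess`, `Policy.IsHidden`, `Policy.IsHiddenRemotely`) are assumptions about the export's schema.

```python
import json

# Constructed sample data. The field names are assumptions modeled on a
# media server's user/policy export; adjust them to your server's real schema.
SAMPLE_USERS = json.loads("""
[
  {"Name": "Admin", "HasPassword": true,
   "Policy": {"IsAdministrator": true, "EnableRemoteAccess": true,
              "IsHidden": false, "IsHiddenRemotely": false}},
  {"Name": "livingroom-tv", "HasPassword": false,
   "Policy": {"IsAdministrator": false, "EnableRemoteAccess": true,
              "IsHidden": false, "IsHiddenRemotely": false}},
  {"Name": "kids", "HasPassword": true,
   "Policy": {"IsAdministrator": false, "EnableRemoteAccess": true,
              "IsHidden": true, "IsHiddenRemotely": true}}
]
""")


def audit_user(user):
    """Return the checklist items (3-7) that this user record violates."""
    policy = user.get("Policy", {})
    is_admin = policy.get("IsAdministrator", False)
    findings = []
    # A missing field is treated as the unsafe value so gaps are reported.
    if not user.get("HasPassword", False):
        findings.append("3: no password set")
    if is_admin and policy.get("EnableRemoteAccess", True):
        findings.append("4: admin account allows remote access")
    if not policy.get("IsHiddenRemotely", False):
        findings.append("5: shown on remote login page")
    if is_admin and not policy.get("IsHidden", False):
        findings.append("6: admin shown on login page")
    if is_admin and user.get("Name", "").strip().lower() == "admin":
        findings.append("7: admin account is named 'Admin'")
    return findings


def audit(users):
    """Map each user name to its findings, omitting clean accounts."""
    report = {u.get("Name", "<unnamed>"): audit_user(u) for u in users}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Items 1 and 2 (TLS and the reverse proxy) are server-level settings and are not covered by this per-user check.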
Posted

Q-Droid and Neminem, thank you very much! 🙏
 

Could I ask you two questions, please:
1. Can I add/change the password from here using the manage Emby server? (Please check my screenshot).

2. If I add/change a password, will the user be able to connect to the server as before (with Emby Connect)? Or will they have to enter the password they connect the first time after changing the password? (or only the first time). They watch on TV and phones usually. 

Capture d’écran 2025-08-22 102800.png

Neminem
Posted
2 minutes ago, Q-Droid said:

1. Enable TLS/HTTPS
2. Use a reverse proxy if you can and know how to do it. If you don't know how, look into Caddy and use a reverse proxy.
3. Force all users to have passwords.
4. Don't allow remote access for Admin accounts. If you do then make sure the passwords are strong.
5. Don't show users on the remote login page.
6. Don't show admin users on any login page.
7. Don't use the name Admin for your main admin user.

That's a really great write-up 👍

  • Thanks 2
Neminem
Posted
Just now, AndreiP said:

If I add/change a password, will the user be able to connect to the server as before (with Emby Connect)?

Yes

  • Thanks 1
Neminem
Posted (edited)

The password is for your local server.

That's how they / that got in, circumventing Emby Connect.

Emby Connect uses the forum credentials.

Edited by Neminem
  • Thanks 1
Posted
Quote

1. Can I add/change the password from here using the manage Emby server? (Please check my screenshot).

So, it's possible to add or change password from this page also?

Neminem
Posted (edited)
2 minutes ago, AndreiP said:

So, it's possible to add or change password from this page also?

You need to elaborate on this page?

Emby Server :

Only the local password..

Emby Forum :

Emby Connect password is changed via this forum.

But only by the user.

Edited by Neminem
Posted (edited)
Quote

 

Only the local password..

Emby connect password is changed via this forum.

 

Yes, I understand. In my case I mean I can add here the password for all my users to avoid this kind of situation, right? 

Edited by AndreiP
Neminem
Posted

Yes that should help 👍

It's not as safe as running disconnected from the internet, but what's the fun in that 🤣😂

But exposing anything to the internet has risks.

So it's up to you, now that you had a scare 😉

  • Haha 1
Posted

Once again, thank you very much for what you wrote! 🙏


I'll try to summarize the situation: a malware (?) managed to connect to my IP address using the port opened by/for Emby: 8096.
Then, from Emby's login screen, it connected all my users except admin because these users didn't have passwords configured for local access to the Emby server.
Thank you for confirming my understanding.

  • Like 1
  • Agree 1
Neminem
Posted (edited)

Yes that would be the short of it 👍

Edit

Malware : NO.

Sorry but !!

Admin error.

So happy it was only a scare to learn from 😁

Edited by Neminem
  • Agree 1
Posted

Thank you, Neminem! 

So, what/who connected to my server if it was not a malware? 

Neminem
Posted (edited)

Bot or script kiddie (that had fun).

In case you are scared, you have good reason !!

If they really wanted to annoy you, they would have enabled deletion of media.

And deleted all your media 🤷‍♂️.

Be happy it was only a scare 😁

Edited by Neminem
  • Thanks 1
Neminem
Posted (edited)

Also I sometimes see bots scavenging for open servers to add to their streaming services.

FREE access, using your media and internet.

Edited by Neminem
Posted
Just now, Neminem said:

Also we sometimes see bots scavenging for open servers to add to their streaming services.

FREE access, using your media and internet.

🙀

Neminem
Posted

So it's best to close it down tightly 😉

  • Solution
Posted (edited)
For other users who have the same problem. Q-Droid and Neminem found the solution.

I will summarize here in this post what to do.

1. Set a password for all users, even if they use Emby Connect.
2. Put this in your users' profile settings.
 

Capture d’écran 2025-08-22 092134.png

 

And please also check the post above of Q-Droid about "General good practices for securing your Emby server". 

Quote

 

I've posted this before, adding here for reference.

General good practices for securing your Emby server.

1. Enable TLS/HTTPS
2. Use a reverse proxy if you can and know how to do it. If you don't know how, look into Caddy and use a reverse proxy.
3. Force all users to have passwords.
4. Don't allow remote access for Admin accounts. If you do then make sure the passwords are strong.
5. Don't show users on the remote login page.
6. Don't show admin users on any login page.
7. Don't use the name Admin for your main admin user.

 

 

Edited by AndreiP
  • Like 1
Posted

Thank you very much for your help! 👏

  • Thanks 1
rbjtech
Posted
1 hour ago, Q-Droid said:

I've posted this before, adding here for reference.

General good practices for securing your Emby server.

1. Enable TLS/HTTPS
2. Use a reverse proxy if you can and know how to do it. If you don't know how, look into Caddy and use a reverse proxy.
3. Force all users to have passwords.
4. Don't allow remote access for Admin accounts. If you do then make sure the passwords are strong.
5. Don't show users on the remote login page.
6. Don't show admin users on any login page.
7. Don't use the name Admin for your main admin user.

 

tbh, I'm still not sure why these are not the default settings during the install wizard... 

  • Agree 1
Posted
14 minutes ago, rbjtech said:

tbh, I'm still not sure why these are not the default settings during the install wizard... 

Yes, they should be. I might have suggested a built-in checker a while back, around the time of the breach, to identify and warn of settings that deviated from or were in conflict with these. But other things have higher priority.

 

  • Agree 1
Neminem
Posted

TBH it's incredible that Emby does not warn admins about these settings.

And Admins need to have a scare, to correct them.

It's both dumb and dangerous, when exposed to the internet, if these things are not mentioned or warned about.

  • Agree 2
  • 4 weeks later...
Posted

For anyone seeing this, please upvote this

 

  • Agree 2
DarkStar1977
Posted

Additionally, you can blacklist the IP that has been used to connect with all your users into your server. It's not a great solution, but at least you will be sure that from this IP they will never access again:

image.png.50b56ea1269a7a84e55f4fa8a58c0cac.png

In my case I've blacklisted all IPs that tried to access my server even if they did not get access :)

  • Thanks 1
DarkStar1977
Posted (edited)

As well, for my users I do not let them access my Emby server via web browser; I'm forcing them to use Emby apps, and you can link each user to specific devices:

On Access Tab for each user:

image.png.c46ac225f266c927ac590e735697075e.png
image.png.e8c4ce8d05250a6aa2561f081bfc83dc.png

So you can link specific users to specific devices and this will block any other type of connection even if they figure out the user password; as the device will not match, they will not be able to access your server.

Hope this helps.

Edited by DarkStar1977
  • Like 1
  • Thanks 1
Posted
40 minutes ago, DarkStar1977 said:

As well, for my users I do not let them access my Emby server via web browser; I'm forcing them to use Emby apps, and you can link each user to specific devices:

On Access Tab for each user:

image.png.c46ac225f266c927ac590e735697075e.png
image.png.e8c4ce8d05250a6aa2561f081bfc83dc.png

So you can link specific users to specific devices and this will block any other type of connection even if they figure out the user password; as the device will not match, they will not be able to access your server.

Hope this helps.

Thank you. It's very strange, but in my case it didn't help. The "users" logged in to the Emby server even though I did the same thing from Device Access. 🤔
