UltimateOne, Posted January 18: Hello, I currently have Emby running on a Windows 10 server. (I know, I was building a test bed and ended up being stuck with it because of the media file structure.) Anyway, I have the external IP address open so my family can have access to my limited library of music and movies. I just recently noticed that there have been login attempts on a handful of my user accounts. Are there any tools or plugins available in Emby that would ban the IP address after a handful of attempted logins? If not, does anyone out there have any recommendations on how to set this up? I'm currently using strong passwords, but I just don't like the idea of people/scripts banging on my front door.
brothom, Posted January 18: 21 minutes ago, UltimateOne said: "I currently have Emby running on a Windows 10 server. (I know, I was building a test bed and ended up being stuck with it because of the media file structure.)" Don't feel bad, there are plenty more Windows installations of Emby running than we can both imagine, I bet (myself included). I don't believe there's a rate-limit / auto-ban function within Emby. If such a function did exist, it would be implemented regardless of the OS, since Emby is a web app. If there isn't, this is something I'd be interested in having as well. Even though none of my users have the download privilege or even transcoding permissions (to prevent server spam), this is something actually vital to have in the current web landscape.
Neminem, Posted January 18 (edited): @UltimateOne You say "login attempts on a handful of my user accounts". Are those user accounts showing when remote? If they are, disable that, NOW. Are you using Emby's standard ports? Change them to something not known. Read this: Secure Your Server | Emby Documentation. And pay attention to the details, and how you might put yourself at risk. If a bot / script kiddy scans the internet for open Emby ports, they will try to hack it. If you have user names showing on the login screen, they have half the login, and will try to brute force the password. Have a good read through these posts. Edited January 18 by Neminem
UltimateOne (Author), Posted January 18: Ok! Great info. I'll go through it all this weekend. I did not publish the IP anywhere, but yes, I imagine a script kiddy just put some code together and started scanning. With a brute force attack, it's just a matter of "when" they break in. I'll go through the posts and find the best solution. Thanks again @Neminem, very much appreciated!
Neminem, Posted January 18: You are welcome. Hope it works out for you. Let us know if you need more info.
Luke, Posted January 19: Users get locked out temporarily after a certain number of incorrect login attempts. This helps prevent brute force attacks from succeeding.
brothom, Posted January 19: 11 hours ago, Luke said: "Users get locked out temporarily after a certain number of incorrect login attempts. This helps prevent brute force attacks from succeeding." I didn't know this actually. Is there any documentation on this feature (how long the timeout is, how many login attempts, etc.)?
Luke, Posted January 19: 32 minutes ago, brothom said: "I didn't know this actually. Is there any documentation on this feature (how long the timeout is, how many login attempts, etc.)?" @sa2000
sa2000, Posted January 19: 52 minutes ago, brothom said: "Is there any documentation on this feature (how long the timeout is, how many login attempts, etc.)?" This is not stated at the moment in our Secure Your Server article. I don't think it would be a good idea to publish the internal security measures. What is important here is establishing if these were actual login attempts or just accesses to the public IP and public port, because the latter happens all the time with bots. If they were attempts to log in, then establish whether they were attempting some random user names, or specific names like admin, or actually some of the Emby Server user accounts. The user names are not disclosed by Emby Server for remote connections by default, and as mentioned by @Neminem, you need to go through the server user accounts and check the setting for remote visibility.
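Editor's note with an added example (not Emby's own code, and not posted by anyone in this thread). Two things in the thread call for the same tool: the original question (ban a source IP after a handful of failed logins on a Windows host) and the triage point just above (were these real login attempts, guesses at admin-style names, or just bots touching the public port?). The PowerShell below does both, fail2ban-style, and is separate from Emby's own lockout mentioned later in the thread: that lockout locks the account, so anyone hammering a user name can keep the legitimate user locked out, whereas a firewall rule drops the source. Everything about the log line format is an assumption made for the example (Emby's real log lines look different, so adapt $Pattern to the lines you actually see), the sample lines are constructed, $KnownUsers is a placeholder for your real account names, and the "Emby-AutoBan" rule name is invented here. Run it elevated, and if Emby sits behind a reverse proxy remember that the IP in the log will be the proxy's, not the client's.

```powershell
# Added example, not Emby's own code: fail2ban-style triage of failed logins
# and a Windows Firewall block for source IPs that exceed a threshold.
# Run in an elevated PowerShell (New-NetFirewallRule needs Administrator).

$Threshold     = 5      # failures from one IP before it is banned...
$WindowMinutes = 10     # ...within this many minutes
$DryRun        = $true  # $false to really create the firewall rules

# ASSUMPTION: the names of the real Emby accounts on this server.
$KnownUsers = @('alice', 'bob', 'kids')

# Constructed sample log lines (NOT real Emby output). The line format is an
# ASSUMPTION made for this example; adapt $Pattern to the real server log.
# A plain request to the public port (last line) is not a login attempt and
# must not count, which is exactly what the pattern below enforces.
$SampleLog = @'
2024-01-18 02:11:03.120 Info Auth: failure user='admin' from 203.0.113.7
2024-01-18 02:11:04.004 Info Auth: failure user='administrator' from 203.0.113.7
2024-01-18 02:11:04.890 Info Auth: failure user='alice' from 203.0.113.7
2024-01-18 02:11:05.731 Info Auth: failure user='alice' from 203.0.113.7
2024-01-18 02:11:06.602 Info Auth: failure user='emby' from 203.0.113.7
2024-01-18 02:11:07.455 Info Auth: failure user='root' from 203.0.113.7
2024-01-18 07:40:12.001 Info Auth: failure user='bob' from 198.51.100.23
2024-01-18 07:40:31.318 Info Auth: failure user='bob' from 198.51.100.23
2024-01-18 07:40:49.207 Info Auth: success user='bob' from 198.51.100.23
2024-01-18 09:00:00.000 Info Auth: failure user='qwe7x' from 192.0.2.55
2024-01-18 13:00:00.000 Info Auth: failure user='ttt01' from 192.0.2.55
2024-01-18 13:05:00.000 Info HttpServer: GET /System/Info/Public from 192.0.2.99
'@ -split "`r?`n"

$Pattern = "^(?<ts>\S+ \S+) \S+ Auth: (?<result>success|failure) user='(?<user>[^']*)' from (?<ip>[\d.]+)"
$Culture = [Globalization.CultureInfo]::InvariantCulture

# Parse only authentication results; everything else in the log is ignored.
$events = foreach ($line in $SampleLog) {
    if ($line.Trim() -match $Pattern) {
        [pscustomobject]@{
            Time   = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss.fff', $Culture)
            Result = $Matches.result
            User   = $Matches.user
            Ip     = $Matches.ip
        }
    }
}
$failures = @($events | Where-Object Result -eq 'failure')

# Triage: were the guessed names real accounts, generic guesses, or random?
"`nFailed logins by user name:"
$failures | Group-Object User | Sort-Object Count -Descending | ForEach-Object {
    $kind = if ($KnownUsers -contains $_.Name)                              { 'REAL ACCOUNT' }
            elseif ($_.Name -in @('admin', 'administrator', 'root', 'emby')) { 'generic guess' }
            else                                                             { 'random' }
    '  {0,-15} {1,3}  {2}' -f $_.Name, $_.Count, $kind
}

# Ban: any IP with $Threshold failures inside a sliding $WindowMinutes window.
# Two typos from a family member (198.51.100.23) never reach the threshold,
# and slow guessing spread over hours (192.0.2.55) does not either.
$toBan = foreach ($g in ($failures | Group-Object Ip)) {
    $times = @($g.Group.Time | Sort-Object)
    for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
        if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
            $g.Name
            break
        }
    }
}

"`nSource IPs to block:"
foreach ($ip in $toBan) {
    $ruleName = "Emby-AutoBan $ip"          # invented rule name for this example
    if ($DryRun) { "  DRY RUN: would block $ip"; continue }
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        "  $ip already blocked"; continue
    }
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -RemoteAddress $ip -Profile Any | Out-Null
    "  blocked $ip"
}
```

With the constructed lines, only 203.0.113.7 is reported for blocking (six failures in four seconds, two of them against a real account name), while the family member's two typos and the slow random guesses stay under the threshold. To use it for real, replace $SampleLog with Get-Content on the server log, set $DryRun to $false, and run it from Task Scheduler every few minutes; pair it with an expiry (Remove-NetFirewallRule on rules older than a day) if you do not want a growing list of permanent blocks.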
brothom, Posted January 20: 11 hours ago, sa2000 said: "This is not stated at the moment in our Secure Your Server article. I don't think it would be a good idea to publish the internal security measures." I doubt this should be an issue, since any leaky server is just one brute force away from finding that out anyway. Other APIs usually indicate their timeouts via OAuth and such. Regardless, the choice is yours of course. For server admins (us) it's important to note that "Hide this user from login screen" only literally hides this user from the user-selection screen. "Hidden" users can still log in with their username using the "Manual Login" method.
sa2000, Posted January 20: 3 hours ago, brothom said: ""Hidden" users can still log in with their username using the "Manual Login" method." Yes, of course. The difference is that the user would need to know what the username is.
ebr, Posted January 20: Right. Otherwise, it wouldn't be "hidden", it would be disabled, which is another option. And there is an option to not allow remote access.
brothom, Posted January 20: Just trying to make it clear for OP and any future viewers having the same question, to prevent any misinterpretation.
brothom, Posted January 20: @Neminem, we sure did, haha. It seems to be a recurring topic though, even with more seasoned users who miss posts like these. I don't want to be bold, but maybe it's an indicator that the current process might not be clear enough at the current time.
Neminem, Posted January 20: 1 minute ago, brothom said: "I don't want to be bold, but maybe it's an indicator that the current process might not be clear enough at the current time." Bold is the only language I know; well, it's for the most part honest. And yes, there needs to be a clear how-to. But in my experience those guides have a warranty date, and need a lot of work to update. And since Emby does not have an onboarding program, who should tell admins what to do or secure? So how should Emby convey the security issues users might encounter, due to admins not knowing the risks or what they are doing? I will stop my rant here.
brothom, Posted January 20: 1 hour ago, Neminem said: "I will stop my rant here." Absolutely, and I don't consider it a rant but more of a truth. There's just a couple of things that keep popping up every so often. Perhaps a separate page on the website that gets mentioned/referenced in the appropriate pages, containing information about (among other things): empty passwords, hidden users, dangers of public IP addresses, why SSL certificates, etc. I'd also like to reiterate that having a way to "force" users to log in via Emby Connect (only) would be another way to add another layer of security, just like how 2FA would also add even more security. There's a bunch of things that need to be done anyway.
Neminem, Posted January 20: 2 minutes ago, brothom said: "I'd also like to reiterate that having a way to "force" users to log in via Emby Connect (only) would be another way to add another layer of security, just like how 2FA would also add even more security." I'm not sure if that's the solution. When using Connect, passwords are still not required by default, and will leave the server open as h%&l. And in combination with showing usernames on the login screen, it's just dumb and stupid.
brothom, Posted January 20: 2 minutes ago, Neminem said: "I'm not sure if that's the solution. When using Connect, passwords are still not required by default, and will leave the server open as h%&l." Unless there's a massive notification "ARE YOU SURE YOU WANT TO SAVE THIS USER WITHOUT A PASSWORD", being able to force a user to log in via Emby Connect would take away that authentication. I agree though, there needs to be some sort of consensus.