Random connection attempts

[maring7 5]

Hello,

Few days ago I noticed random connection attempts on my Emby server.
Then, 3 days after, the same thing happened : 6 connection attempts for each user. One of the user being me, always connected, and the other being a spare account not connected since a month.
You can see the IP is from a local network (managed by Docker). After the failed attempts, Emby locks the users, but I have no issue using Emby afterwars, as if nothing at all happened.

After the first attempts, I disabled outside connections just in case, but after 3 days it happened again.
During the first instance of attempts, no one was using the server.
During the second instance of attempts, I was watching something (with the Emby Windows app).

So I'm wondering if this is an internal bug or if the API key used by other services (Seerr and Homarr) could cause this. Not sure about the API because it wouldn't try to log in with the available users, it doesn't work like that (to my understanding).

Any idea what could explain this behaviour? Attached is a log extract highlighting the issue.
Thanks for your help!

 

embylog.txt

[Luke 42206]

Quote

or if the API key used by other services (Seerr and Homarr) could cause this

If it's a failed login attempt then probably not. It looks like someone is trying to login to your server.

I would suggest making sure that your users have passwords. What you can also that will help (but possibly temporarily), is you could change the public facing router port to something different than the default. It just depends on who is trying to login and how determined they are. If they do a port scan then eventually they'll find the new port.

[maring7 5]

2 minutes ago, Luke said:

If it's a failed login attempt then probably not. It looks like someone is trying to login to your server.

I would suggest making sure that your users have passwords. What you can also that will help (but possibly temporarily), is you could change the public facing router port to something different than the default. It just depends on who is trying to login and how determined they are. If they do a port scan then eventually they'll find the new port.

Thanks for your reply.

The thing is, even after disabling outside connections, new attempts occured. And same pattern (6 attemps per existing user), same time (around 11:50 am).
Both accounts already had passwords.

Is there any way to check what distant IP tried to connect? Per the log and Emby alerts, no weird IP is shown.

[Luke 42206]

41 minutes ago, maring7 said:

Thanks for your reply.

The thing is, even after disabling outside connections, new attempts occured. And same pattern (6 attemps per existing user), same time (around 11:50 am).
Both accounts already had passwords.

Is there any way to check what distant IP tried to connect? Per the log and Emby alerts, no weird IP is shown.

I think you have either the Docker container or Emby Server configured in such a way that all it sees for the client ip address is 172.18.0.1‌. That's going to cause the server to think all connections are local, thereby causing the remote access option to not work.

I would suggest re-enabling remote access, getting the network configuration right so that the server sees the original ip address. Then once you've done that, then you can turn off remote access again. But I would leave remote access on until you figure that out just in case you end up with a situation where the opposite happens, and then you end up getting locked out of your server due to that option.