Security Advice - CentOS7, Nginx

[altramarine 21]

Hello ladies and gents,

 

I am looking to setup a folder with family photos/videos to share with my remote family/ies.

Because that means exposing Emby server to the Internet I am trying to device as secure environment as humanly possible.

Have a similar environment? please share I beg you:)

My environment is mostly Virtual so sky is the limit. By environment I mean: server loaded with vmware ESXi. Most of my VMs are CentOS7 as a personal preference.

 

Currently, Emby server runs on a CentOS7 VM. It is/was meant for an in-house use only.

This VM has access to my NAS share via CIFS using a user that has full access to that share content.(I know, short sighted of me)

 

My security plans:

 

Plan A:

1. Create another VM loaded with Emby
   1. this VM will have access to NAS via CIFS using a very restrictive account, meaning only folder/s designed for sharing with family will be mounted in read-only. All other shares on that same NAS are off the table.
2. Create SSL certificate via Lets Encrypt
3. Create yet another VM with Nginx as Reverse proxy, redirecting traffic from 443 designated for Emby to the VM outlined in step 1 above.
   1. this VM will have no visibility of NAS
   2. nginx will be the only non-system installed package
   3. hardened to oblivion

Plan B:

1. Use existing VM loaded with Emby
   1. this VM has access to NAS via CIFS using an full-access account. This makes me nervous.
   2. This VM also runs other services (backup, etc)
2. Create SSL certificate via Lets Encrypt
3. Create another VM with Nginx as Reverse proxy, redirecting traffic from 443 designated for Emby to the VM outlined in step 1 above.
   1. this VM will have no visibility of NAS
   2. nginx will be the only non-system installed package
   3. hardened to oblivion

 

Now, I have never used nginx before, let alone in reverse proxy, so I have no idea whether having it installed as a separate VM will help with the security aspect, from an attacker's point of view. Please advice.

Also, I am not sure how hardy the Emby user authentication system is. Again, please advice.

I do know for certain that having a VM with limited visibility/access to share is more secure, at an expense of convince. But that means I will have to:

• run yet another Emby instance in an another VM
• not future proof, redundant should I decide to share other portions of my NAS in the future

Obviously, a potential attacker will look at a lot more than just how I have nginx/emby VMs configured, so perhaps it's an over simplification approach. That said, I'd like to be believe (foolishly), I have a pretty robust firewall, settings and practices in place.

 

I understand that this question is not entirely Emby related so apologies in advance. However, it feels like many other folks maybe running Emby at the same capacity and have similar concerns.

Again, any advice is welcome:)

Cheers!

 

PS Am I really over-complicating things?

Edited October 15, 2016 by altramarine

[pir8radio 1312]

"Now, I have never used nginx before, let alone in reverse proxy, so I have no idea whether having it installed as a separate VM will help with the security aspect, from an attacker's point of view."

 

     Nginx will still pass any requests it receives to emby..  Your concern will be with the original application's security (emby).  Nginx does give you way more control and visibility over the connections TO emby so I would still run traffic through nginx.   Nginx also has all kinds of handy tricks up its sleeves, you can rewrite html/js/css on the fly using sub_filter, you can change, add, and modify headers, nginx can be setup to only allow connections from specific devices and/or IP's.  nginx can handle all of the SSL, ipv6 etc all up front, meaning the connection from nginx to emby can stay http & ipv4.

 

     I'm no VM expert, actually I avoid them when only running a few different applications that I can put on a single server, but if you can support standing up two more vm's for your emby, its always handy to be able to trash a vm and go back to a snapshot if something goes wrong..  Otherwise I would say only stand up the nginx vm. 

 

    My emby (media browser) server has been on the net (public) for quite a few years, you are more than welcome to look around, if you spot any security issues, let me know      I'm running nginx ahead of emby, and doing a little of all the things I mentioned above.  Like dynamically rewriting html, injecting my own JS for user tracking, nginx is doing the ssl and ipv6 connection, providing detailed access logs, etc...

 

 

I know I didn't answer your main question, but I threw in what I know and prefer.  Someone who knows the ins and outs of the emby code can go into detail on its security, and possible loop holes, if any.

Edited January 26, 2017 by pir8radio

[altramarine 21]

Thanks for your reply!

I am pretty new to nginx so all of the mentioned tricks are way over my head. Would you perhaps mind sharing with some of these via a PM? I'd like to see that ngix server hardened!

That said, I ended up spinning a VM with nginx in reverse proxy forwarding traffic to existing emby server. Took me a bit of time to figure out LetsEncrypt, and having nginx play along with SElinux but I think I got it under control.

Can you recommend any security tips regarding emby hardening?

 

Thanks!

[pir8radio 1312]

I don't have much advice for hardening emby..  Without knowing what vulnerabilities may exist, we don't know what to block in nginx.

 

One thing I am not comfortable with, though I also have not had any issues with, is emby admins have the ability to delete actual media...   So hardening wise maybe set emby's access to media, to read, write, only, but not delete?   Again, I'm not familiar with emby code, so there may be some security holes somewhere somehow, THAT someone else will need to comment on...  lol i only know nginx!      I can help you there...