Posted

Hello. Let me tell you my story

 

I’ve been an Emby user for about 1 year. During this time, I’ve tried different setups, the last 6 months on a PC with Windows 10. I access Emby from outside my home network through port forwarding on my router (8096 - the only forwarded port).

 

About a month ago, I detected, in Emby’s log, someone trying to access my three accounts and, from the look of the log, the account with admin rights was accessed. For the record, my password was not related to the username and had 14 alphanumeric characters with one symbol. I immediately changed all the passwords and hid all the accounts from login, hoping this would be enough. Since then I have always looked more carefully at the log, especially at logins.

 

For some reason, I detected some logins using my public IP, not my internal IP as usual, but I didn’t give it much thought because I had read in the forum about someone in the same situation, and it could be any of my devices at home. Last week, in one of my libraries, there was a new folder with some files I’d never created. I ran AV, searched logs and nothing seemed strange, so I kept going. Last Sunday, the same thing happened: a new folder, and I deleted it right away. A few minutes later, all my library was gone; nothing very important, but it was gone.

 

After that I was absolutely sure I had been hacked, so I formatted the PC, installed Emby fresh and closed the forwarded port. The damage was not extensive but it could have been worse. I’m to blame because some signs were there, but I’m not an IT expert and didn’t want the trouble of formatting my whole system and removing outside access.

 

Now I’m afraid to open the router’s port and expose Emby to the outside world. I’m not really sure Emby is to blame, but it was listening on the only port opened and, as far as I know, I didn’t have any virus. Right before the attack, someone logged in to Emby using my public IP.

 

What can be done to secure Emby?

Posted

First of all we don't have any evidence (yet) of this being related to Emby and it's important to clear that up for others who might be reading. The best thing to do is put a password on your account and if you see something happen again then please let us know.

 

There was a similar situation we dealt with privately in the past where a user assumed Emby was the cause, but more investigation revealed that his entire machine had been compromised, and that's how the Emby administrator password was obtained - as well as passwords for other accounts such as email and other things.

 

Since you have reformatted that is probably a good start.

Posted

Not getting into any of the 'hack' related talk.

 

But a few personal questions: have you posted a log of your setup on the forums? Do you have various user accounts, and are any of these able to manage your library?

 

I can imagine that posting a log here that has your Emby address for remote access, and having accounts that aren't password protected and have server management rights, could allow anyone with that URL/IP to hit the address and access your system.

 

Just typing this has made me realize that I've got an open system like that. I think I have removed server management from my 'open' accounts, but I might have to look into this more closely. I was hesitant to add a password to all accounts, but might have to for this reason.

 

Luke is there a way to restrict remote access to allow for only certain user accounts, but internally leave them without a password for ease of access?

Posted

I think there should be an IP ALLOW list for any user with "Manage Server" option

 

Allowing Manage Server from anywhere is foolish

Posted

I think there should be an IP ALLOW list for any user with "Manage Server" option

 

Allowing Manage Server from anywhere is foolish

I like the option to manage my account from anywhere, there are a number of occasions I've done it on the road via the mobile app.

mastrmind11
Posted

Is there a way to restrict remote access to allow for only certain user accounts, but internally leave them without a password for ease of access?

Yes, there's a setting to create a PIN and not prompt when on the internal network. Manage Server > Users > click a user > Password > Easy Pin Code (leave blank, and check the box under the blank pin code)

Posted (edited)

Not getting into any of the 'hack' related talk.

 

But a few personal questions: have you posted a log of your setup on the forums? Do you have various user accounts, and are any of these able to manage your library?

 

I’m careful with these things. I’ve posted 2-3 logs and tried to delete everything that could identify me. Also, if that’s a problem, developers shouldn’t ask people to post logs freely, should arrange private methods, and shouldn’t include personal data in the logs (users and IP) that may be sent for error tracking purposes. Anyone can use the personal information being posted here to access private servers.

I had several accounts and only one was granted admin rights.

 

I can’t be sure my computer got “hacked” through Emby’s port, and I believe no one can ever find proof that says for sure that’s what happened. On the other hand, there’s also nothing that can convince me otherwise, because it was the only port opened and there was no virus on the PC (checked, re-checked, and checked again with different software, although this may not be 100% accurate).

 

The first thing I detected, as I wrote before, was someone trying to access Emby and failing several times until they got access. If they had accessed the computer using another method, they probably wouldn’t have failed so many times and wouldn’t have needed Emby for anything.

 

Last, I understand your position but, as an Emby supporter, I now want to be given absolute proof that security is taken seriously, which I haven’t seen so far. Until then, and I speak only for myself, Emby stays home and only home.

Edited by ravenj
JeremyFr79
Posted

I can say that with as many people as there are running Emby these days, if there were security concerns with Emby itself you'd see a WHOLE LOT of posts like yours popping up daily.

 

Now here's what I can say. Security starts and ends with YOU. Like others have said, make sure ALL users have good passwords. Make sure only 1 is an admin (there is never EVER a time to give anyone else admin rights). Hide the admin account, making sure it's not set to show on the web interface/apps etc. You can move on to using a non-standard port, or even port translation. Buy a better router/firewall. Use unique passwords for every account. I could go on and on here.

 

The last thing you have to realize in the digital world is that if a human created it, another human can break it/break into it. Plain and simple. In short, it doesn't matter how secure you think you've made things; if someone is determined enough they WILL get in. The only way to be 100% secure is to unplug from the internet.

Posted (edited)

That's precisely my point. I’ve done all you mentioned and, somehow, I can’t be sure.

 

Also, as an Emby supporter who pays to use this software, I’m entitled to some assurances. If those assurances are not met, I’m also entitled to move to another software solution.

 

I was probably very unlucky even though I’ve taken most precautions. I’m not trying to create panic, just awareness that these things may happen even though you may be the most cautious guy on earth. Everyone chooses what to do.

 

We’ve seen people who stuck their heads in the sand and when they took them out… it was too late. Just my 5 cents. For me this is over and I'll make my choices accordingly.

Edited by ravenj
PrincessClevage
Posted

Is it possible to have a setting for Emby accounts (similar to Windows security settings) that locks the account out for 10 mins after 3-4 failed attempts? This would render brute-force dictionary attacks less effective. Or perhaps Emby already honours Windows security settings and does this already?
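As an added illustration of the lockout policy proposed above (example code, not Emby's own), this block implements a per-account lockout of 10 minutes after 3 failures and, alongside it, a detector that flags the pattern the original poster saw in the log: a run of failed logins for one account from one IP followed by a success. The log format, the account names and the addresses are constructed for the example; real Emby log lines look different.

```python
"""Added example, not Emby code: a per-account lockout policy like the one
proposed above, plus a brute-force detector over constructed log lines."""
import re
from collections import defaultdict

MAX_FAILURES = 3       # lock the account after this many failures...
LOCKOUT_SECONDS = 600  # ...for ten minutes (times are epoch seconds)

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(list)  # account -> recent failure times
        self.locked_until = {}             # account -> unlock time

    def attempt(self, account, ok, now):
        """Record one login attempt; return 'locked', 'failed' or 'success'."""
        if now < self.locked_until.get(account, 0):
            return "locked"  # refused before the password is even checked
        if ok:
            self.failures[account].clear()
            return "success"
        # keep only failures inside the current window, then add this one
        recent = [t for t in self.failures[account] if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
        return "failed"

# Constructed sample in an assumed format; real Emby log lines differ.
SAMPLE_LOG = """\
2019-03-10 01:12:03 Authentication failed user=admin ip=203.0.113.7
2019-03-10 01:12:05 Authentication failed user=admin ip=203.0.113.7
2019-03-10 01:12:08 Authentication failed user=admin ip=203.0.113.7
2019-03-10 01:12:11 Authentication succeeded user=admin ip=203.0.113.7
2019-03-10 07:30:09 Authentication succeeded user=kids ip=192.168.1.20
"""
LINE = re.compile(r"Authentication (failed|succeeded) user=(\S+) ip=(\S+)")

def find_bruteforce(log, threshold=MAX_FAILURES):
    """(ip, user) pairs whose success came right after >= threshold failures."""
    fails, hits = defaultdict(int), []
    for m in LINE.finditer(log):
        outcome, user, ip = m.groups()
        if outcome == "failed":
            fails[(ip, user)] += 1
            continue
        if fails[(ip, user)] >= threshold:  # success after a failure streak
            hits.append((ip, user))
        fails[(ip, user)] = 0
    return hits
```

With the lockout in place, the fourth attempt in the sample would have been refused rather than checked, which is what makes a dictionary attack slow enough to notice in the log.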

Posted

If you're using port 8096 externally, have you accessed Emby from any public wifi? As it's not an encrypted connection, i.e. using HTTP rather than HTTPS, you could be open to man-in-the-middle attacks which could have gotten your user/pass and IP info.

JeremyFr79
Posted

If you're using port 8096 externally, have you accessed Emby from any public wifi? As it's not an encrypted connection, i.e. using HTTP rather than HTTPS, you could be open to man-in-the-middle attacks which could have gotten your user/pass and IP info.

Precisely why I run my own VPN at home and use that to connect remotely when on untrusted networks.
