
My Server Security Breach



Posted

I noticed in the server logs that someone from Hungary hacked into my Emby server.  I have shutdown the server and attached the log file.

 

Please let me know if you need more info.

 

Thanks,

 

Doug.

 

Log.txt

Posted (edited)

The bad guy's IP address is 78.131.15.232

Edited by gallarda
Posted

Interesting to know...

 

Fortunately, I know the IP address of my client, and can set my router to only allow traffic from that IP on the open port. Everyone else will see a closed port/IP address. 

 

I hope this issue will get attention, though.

  • Like 1
BAlGaInTl
Posted

I'm not good at reading logs yet, but it looks like you have http (non secure) open to your WAN?  That's not really a good idea.

 

How do you have your account(s) setup?  Are there strong passwords?

mastrmind11
Posted

Unless the hacker knew a password, this must have been ongoing for some time.

 

@Jennice, I hope you're not implying this is an Emby problem.

Posted

Is this the first instance that IP appeared in your logs?

 

If so then I think it's pretty safe to say that they knew your password, as the log jumps from being on the landing page to the admin dashboard straight away. Usually if there was a breach, you'd see a flood of requests i.e. bruteforce.

 

You NEED to be using ssl for external connections and you should almost certainly set up a firewall and something like fail2ban.

  • Like 1
Posted

@mastrmind11:

I'm not implying anything. I just hope we can find out the root cause by giving the case enough attention from people who know enough about IT, as I could be a potential target, too, if I open up ports without enough knowledge.

  • Like 1
BAlGaInTl
Posted

Interesting to know...

 

Fortunately, I know the IP address of my client, and can set my router to only allow traffic from that IP on the open port. Everyone else will see a closed port/IP address. 

 

I hope this issue will get attention, though.

 

 

Unless the hacker knew a password, this must have been ongoing for some time.

 

@Jennice, I hope you're not implying this is an Emby problem.

 

I certainly didn't gather that from @Jennice's response.

 

Looks like that's a better model for security, but certainly not foolproof.

 

Like I said... I'm not great at reading logs...

 

It looks to me like that user authenticated at around 2017-11-02 13:02:40.  No errors that I can see, so they must have had the password or some other token (not sure how that works exactly with Emby)

mastrmind11
Posted

The guy knew the password.  Simple as that.  Change your password(s), install a cert and use SSL, and get fail2ban set up properly.  Problem solved.

  • Like 1
BAlGaInTl
Posted

Have you given the password to anyone? 

 

The IP may appear to be from Turkey, but that's easy enough to do regardless of where the user actually is. 

Posted

They authenticated successfully on the first try so it appears they either knew your password or you were not using a password.

 

It's possible they sniffed traffic, however it's also possible that your entire machine has been compromised, and therefore Emby along with it. We have seen that happen before where users have come in here looking to us for explanation, only to find out later that their entire environment was breached and other account passwords were obtained in addition to Emby.

Posted

Why would you open your port to the Internet without having proper security in place?

SikSlayer
Posted

The guy knew the password.  Simple as that.  Change your password(s), install a cert and use SSL, and get fail2ban set up properly.  Problem solved.

 

Any info here on the forums on how to do that?

Posted

I, too, could use a little beginner's guidance on the benefits of using https in this case, using fail2ban, and how to get a client to access Emby over https rather than http.

Spaceboy
Posted

Is there an equivalent of fail2ban for Windows?

Posted
The settings 

 

Enable automatic port mapping

Attempt to automatically map the public port to the local port via UPnP. This may not work with some router models.

 

Google "disable UPnP 2017" 

If the person just wants to watch some of your adult content maybe it isn't a problem, otherwise they are probably turning you into a bitcoin mining operation, especially if you have a great video card ideal for transcoding and they run that when you're sleeping.

 

But if you do not succinctly know what you are doing with the router I'd not allow software to just punch holes through it.  

That is an option that under installation should be off and a disclaimer screaming at you if you were to enable it.

There is often a request to allow UPNP and of course a disclaimer, I didn't see that when I installed this software.

 

I stayed at a holiday inn express and passed Security +, my UPnP is disabled as well as remote admin.

If the movies of your wife are really hot fail2ban might fail to protect, if she's really, really hot!  (just kidding) but if you have been certainly compromised you need to rebuild.

Good luck.

If you want the content shared over the larger internet, you most certainly are sharing~

Locks are only for honest people
Posted

Is there an equivalent of fail2ban for Windows?

You are effectively doing a firewall and IPTables

https://github.com/glasnt/wail2ban

In actuality, not really.. update your router, turn off any port forwarding, watch logs, but keep in mind that that IP address can change and unless you're banning on attempt you're not really doing anything to discourage the breach.

 

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.
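The two detection ideas raised in this thread (a fail2ban-style "too many password failures from one address in a short window" ban, and the opposite signal mentioned earlier, an address that goes straight to the dashboard with no failed attempts, which points at a known or empty password) can both be expressed as a small scan over Emby's HttpServer log lines. The following is an added example, not code from Emby or from anyone in this thread. It assumes that a failed login appears as an `HTTP Response 401` line in the same shape as the `HTTP Response 200 to <ip>` lines quoted later in the thread, that privileged pages live under `/web/`, and it uses a constructed sample log with documentation IP ranges rather than the real addresses from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Matches the "HTTP Response <status> to <ip>" lines in the Emby HttpServer
# log format quoted in this thread. Assumption: a failed login shows as a 401.
RESPONSE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) Info HttpServer: "
    r"HTTP Response (?P<status>\d{3}) to (?P<ip>\d+(?:\.\d+){3})\. "
    r"Time: \d+ms\. (?P<url>\S+)"
)

# Constructed sample log (documentation IP ranges, not real traffic), laid out
# like the excerpt posted in this thread: one unauthenticated DLNA probe, one
# direct hit on the dashboard, then a burst of failed logins from another host.
SAMPLE_LOG = """\
2017-11-02 13:02:15.458 Info HttpServer: HTTP GET http://192.0.2.10:8096/dlna/xxx/description.xml. UserAgent: Python-urllib/3.5
2017-11-02 13:02:15.458 Info HttpServer: HTTP Response 200 to 203.0.113.7. Time: 0ms. http://192.0.2.10:8096/dlna/xxx/description.xml
2017-11-02 13:02:40.010 Info HttpServer: HTTP Response 200 to 203.0.113.7. Time: 3ms. http://192.0.2.10:8096/web/dashboard.html
2017-11-02 13:05:00.000 Info HttpServer: HTTP Response 401 to 198.51.100.9. Time: 1ms. http://192.0.2.10:8096/Users/AuthenticateByName
2017-11-02 13:05:10.000 Info HttpServer: HTTP Response 401 to 198.51.100.9. Time: 1ms. http://192.0.2.10:8096/Users/AuthenticateByName
2017-11-02 13:05:20.000 Info HttpServer: HTTP Response 401 to 198.51.100.9. Time: 1ms. http://192.0.2.10:8096/Users/AuthenticateByName
2017-11-02 13:05:30.000 Info HttpServer: HTTP Response 401 to 198.51.100.9. Time: 1ms. http://192.0.2.10:8096/Users/AuthenticateByName
2017-11-02 13:05:40.000 Info HttpServer: HTTP Response 401 to 198.51.100.9. Time: 1ms. http://192.0.2.10:8096/Users/AuthenticateByName
2017-11-02 13:05:50.000 Info HttpServer: HTTP Response 401 to 198.51.100.9. Time: 1ms. http://192.0.2.10:8096/Users/AuthenticateByName
2017-11-02 13:06:10.000 Info HttpServer: HTTP Response 200 to 198.51.100.9. Time: 2ms. http://192.0.2.10:8096/web/dashboard.html
"""


def parse_response(line):
    """Return (timestamp, status, ip, url_path) for a response line, else None."""
    m = RESPONSE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, int(m.group("status")), m.group("ip"), urlsplit(m.group("url")).path


def find_bruteforce(lines, maxretry=5, findtime=600, bantime=3600):
    """fail2ban-style sliding window (same parameter names as fail2ban's jail
    settings): maxretry 401s from one IP within findtime seconds bans it
    until the last failure plus bantime. Returns {ip: ban_expiry}."""
    failures = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse_response(line)
        if parsed is None:
            continue
        ts, status, ip, _path = parsed
        if ip in bans and bans[ip] <= ts:  # ban has expired
            del bans[ip]
        if status != 401 or ip in bans:
            continue
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than the window
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


def first_try_logins(lines, path_prefix="/web/"):
    """IPs that reached a page under path_prefix with a 200 and no earlier 401
    from the same address: the 'straight to the dashboard, no brute force'
    pattern, which suggests a known or empty password rather than guessing."""
    seen_failure = set()
    suspicious = []
    for line in lines:
        parsed = parse_response(line)
        if parsed is None:
            continue
        ts, status, ip, path = parsed
        if status == 401:
            seen_failure.add(ip)
        elif status == 200 and path.startswith(path_prefix) and ip not in seen_failure:
            suspicious.append((ip, ts.isoformat(sep=" ")))
    return suspicious


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    for ip, expiry in find_bruteforce(sample).items():
        print(f"ban {ip} until {expiry}")
    for ip, when in first_try_logins(sample):
        print(f"first-try success from {ip} at {when} (check for known/empty password)")
```

Run against a real `Log.txt`, the brute-force scan is only useful if failed logins actually produce a distinct status line; if Emby logs them differently, adjust `RESPONSE_RE` and the `401` check to whatever the server writes. The second function is the more telling one for the case in this thread: a remote address whose first recorded request lands on a privileged page tells you the lock was never engaged, which no ban list will fix.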

Posted

Is there an equivalent of fail2ban for Windows?

 

Not that I have found. Been looking for a while.

 

NGINX reverse proxy will give you added security. but just using emby with a valid cert and running only on port 443 would be a good start.

 

Change your password. Also, if your ISP gives you a DHCP address, reboot your router to get a new IP; hopefully the hacker won't know your new IP.

Spaceboy
Posted

Not that I have found. Been looking for a while.

 

NGINX reverse proxy will give you added security. but just using emby with a valid cert and running only on port 443 would be a good start.

 

Change your password. Also, if your ISP gives you a DHCP address, reboot your router to get a new IP; hopefully the hacker won't know your new IP.

yeah I’m not the OP [emoji3]

 

You helped me get caddy up and running. It’s working well but I see fail2ban mentioned but that it’s for Ubuntu only

mastrmind11
Posted

For those of you scared of Linux, it's a very cheap learning experience to pick up a rPi and tinker. It can do all of the fail2ban, nginx, Cron, whatever tasks once introduced into your network, with documentation all over the internet (and here).

 

Don't let windows hold you down [emoji6]

 

Sent from my SM-G950U using Tapatalk

  • Like 1
Posted (edited)

Not that I have found. Been looking for a while.

 

NGINX reverse proxy will give you added security. but just using emby with a valid cert and running only on port 443 would be a good start.

 

Change your password. Also, if your ISP gives you a DHCP address, reboot your router to get a new IP; hopefully the hacker won't know your new IP.

I was reading the other thread, sound advice.  

actually pretty good content

https://emby.media/community/index.php?/topic/30792-howto-use-custom-ssl-cert-and-keep-private-key-secure/

 

This might however be a case where the user is asking for a reliable vendor.

maybe the nominal cost is = peace of mind?

https://flashrouters.zendesk.com/hc/en-us/articles/115000717413-Private-Internet-Access-PIA-OpenVPN-Strong-Encryption-DD-WRT-Router-Setup-Guide

 

It's a little bit pricey however you can get it done correct and if willing to pay not have the ongoing support

https://www.flashrouters.com/

 

I'll grant you it's pricey but you need to spell out what you want in advance

https://www.flashrouters.com/partsfindertest/linksys-wrt1200ac-ddwrt-router

 

It arrives configured..

Turn off dlna, turn off UPnP

get a router and firewall professionally configured

 

 

2017-11-02 13:02:15.458 Info HttpServer: HTTP GET http://68.203.20.46:8096/dlna/xxx/description.xml. UserAgent: Python-urllib/3.5
2017-11-02 13:02:15.458 Info HttpServer: HTTP Response 200 to 78.131.15.232. Time: 0ms. http://68.203.20.46:8096/dlna/xxx/description.xml 
2017-11-02 13:02:17.318 Info HttpServer: HTTP POST http://68.203.20.46:8096/dlna/xxx/contentdirectory/control. UserAgent: Linux/2.6.35, UPnP/1.0, DLNADOC/1.50
Edited by dee1
Posted

Not heard of flash router, interesting idea. You could also implement pfsense or Sophos utm both excellent firewalls which run on low powered devices

 

 

Sent from my iPhone using Tapatalk

  • Like 1
Posted

Not heard of flash router, interesting idea. You could also implement pfsense or Sophos utm both excellent firewalls which run on low powered devices

 

 

Sent from my iPhone using Tapatalk

It's pricey.. however = peace of mind and the hardware isn't crap

They will do phone support and get it in, that's what you're paying for.

78.131.15.232 is blacklisted twice for spam..

There are netgear 6300 which I like for wrt, for $35 bucks used?  Flash yourself.. but that is a credible router  

https://www.amazon.com/gp/offer-listing/B00EM5UFP4/ref=dp_olp_all_mbc?ie=UTF8&condition=all

 

So yeah it's pricey however they'll set you up and do it right

Posted

Hey folks,

 

Thanks for making this thread interesting, but allow me to come back to the original topic.

 

I looked into this further and discovered what is going on.

 

If you do a fresh install of Emby on a new Windows PC, the default configuration is to create an Admin account with no password and open up both the http (8096) and https (8920) ports to the Internet through UPnP on your firewall.  This allows anyone on the Internet with a web browser to connect to these ports and access Emby with admin privileges without being prompted for authentication.

 

Not a very secure default configuration.

 

Just to make sure, I installed Emby on a different PC with the same result.

 

I originally installed Emby and signed up for an Emby Premiere subscription to record Live TV with my HDHomeRun tuner.  I am not interested in remote access and had no idea Emby opened up my PC to the Internet with no password protection without my permission.

 

I am a Linux and network engineer so I figured out how to clean this all up, but your average customer may not be so lucky.

 

For a commercial software product that charges a monthly subscription fee, you may want to rethink your "community" support model where people throw darts at your paying customers first before understanding the root cause of a problem.

 

Again, when first installed, Emby enables remote access via UPnP without password protection.

 

You may want to take a look at this and try a fresh install yourself...

  • Like 1
