dee1 3 Posted November 4, 2017 Hey folks, thanks for making this thread interesting, but allow me to come back to the original topic. I looked into this further and discovered what is going on. If you do a fresh install of Emby on a new Windows PC, the default configuration is to create an Admin account with no password and open up both the http (8096) and https (8920) ports to the Internet through UPnP on your firewall. This allows anyone on the Internet with a web browser to connect to these ports and access Emby with admin privileges without being prompted for authentication. Not a very secure default configuration. Just to make sure, I installed Emby on a different PC with the same result. I originally installed Emby and signed up for an Emby Premiere subscription to record Live TV with my HDHomeRun tuner. I am not interested in remote access and had no idea Emby opened up my PC to the Internet with no password protection without my permission. I am a Linux and network engineer, so I figured out how to clean this all up, but your average customer may not be so lucky. For a commercial software product that charges a monthly subscription fee, you may want to rethink your "community" support model where people throw darts at your paying customers first before understanding the root cause of a problem. Again, when first installed, Emby enables remote access via UPnP without password protection. You may want to take a look at this and try a fresh install yourself... open up both the http (8096) and https (8920) ports to the Internet through UPnP on your firewall. Per my settings: "Enable automatic port mapping: Attempt to automatically map the public port to the local port via UPnP. This may not work with some router models." When I did the install and saw the default settings, I wasn't impressed. That should be a post-install setting or option.
My security was in depth, and of course my router ignoring UPnP, not playing at that NID level, but even at the HID level the suggestion to go get some fail2ban was a head-scratcher; really, you should go get some routers. Arguably you could use: gateway, and then two more with Emby and content in between?? But I'd not get all that opinionated on it except to say punching a hole in a firewall isn't all that cool if the person installing the software is unaware what they just did. Sure, it worked... they logged in effortlessly, but you just opened up their home network to the internet. My real suggestion is multiple routers, one with LAN reserved IPs, and dispense with all the dumb stuff. For the link I posted you can go get two reasonable routers, leave one stock with Netgear for LAN and use the other with DD-WRT for OpenVPN. With a minimal cost do it correctly and have defense in depth. That also doesn't suggest software-based protection, Norton etc.. Arris (modem) in bridge; front-facing router; internal router; firewall on clients. But suggesting fail2ban when routers are so cheap??? https://www.amazon.com/gp/offer-listing/B00EM5UFP4/ref=olp_f_primeEligible?ie=UTF8&f_all=true&f_primeEligible=true I mean seriously, Netgear is cheap and the 6300 is capable https://www.myopenrouter.com/netgear-opensource-central The Netgear stock firmware and the DD-WRT firmware updated behind a simple no-echo at the bridge... scans move on to simpler pickings.. I do not suggest two identical routers: beat one, beat 'em both.. finding two vulnerable at the same time?? not so easy. There is a lot of outdated info here and out on the internet, but routers preventing the problems is better than fail2ban, though that is helpful in DoS. If somebody does do a setup with WRT, they need to keep it up to date or get a business agreement with a credible company that will support the configuration. But at $40 per router which you're going to update/flash anyway? The things are sparkplugs: they work or they don't!
Didn't like the default punch-through of ports; I think suggesting anything less than a router properly configured is foolish. I've stayed at a Holiday Inn Express.
Swynol 375 Posted November 4, 2017 Apologies for assuming you wanted Emby accessible externally. My post and most others assumed you intended to have Emby internet facing. All the posts above suggest ways to better secure it when internet facing. If all you want to do is block it from the internet, then remove the ports from your router. For security I disable UPnP; it has its benefits and its security risks. Most notably, webcams and CCTV are easily hackable because they open their default ports with UPnP. There are many different ways to secure Emby and to different levels using some or all of the suggestions above. It's been a while since I did a fresh Emby install so I can't comment on it creating an admin account with no password. Sent from my iPhone using Tapatalk 2
Spaceboy 2573 Posted November 4, 2017 For those of you scared of Linux, it's a very cheap learning experience to pick up an rPi and tinker. It can do all of the fail2ban, nginx, cron, whatever tasks once introduced into your network, with documentation all over the internet (and here). Don't let Windows hold you down. Sent from my SM-G950U using Tapatalk. For my part it's not being scared of Linux as such. I've dabbled a little. I've also only had a reverse proxy installed for a few months, but I have a few Raspberry Pis sitting around and I can definitely see the benefit of having a reverse proxy installed on a separate device. I think the reason why I'm using Caddy is for its automatic certificate renewal, so I'm going to try Caddy and fail2ban on a Pi.
mastrmind11 722 Posted November 4, 2017 For my part it's not being scared of Linux as such. I've dabbled a little. I've also only had a reverse proxy installed for a few months, but I have a few Raspberry Pis sitting around and I can definitely see the benefit of having a reverse proxy installed on a separate device. I think the reason why I'm using Caddy is for its automatic certificate renewal, so I'm going to try Caddy and fail2ban on a Pi. You can set up LetsEncrypt to do auto renewal via a shell script and cron, FYI, so Caddy isn't your only choice. 2
Spaceboy 2573 Posted November 4, 2017 (edited) You can set up LetsEncrypt to do auto renewal via a shell script and cron, FYI, so Caddy isn't your only choice. Is there a guide you would recommend to do this? All of it, I mean: nginx, fail2ban, cron on a Pi. Including the OS? Cheers. Edited November 4, 2017 by Spaceboy
KMBanana 116 Posted November 4, 2017 The simplest way I've found to get nginx, fail2ban and auto-renewing LetsEncrypt certs is with the Docker container linuxserver/letsencrypt. https://hub.docker.com/r/linuxserver/letsencrypt/ I started using this on Docker for Windows, then switched to running it from an Ubuntu VM because Docker for Windows isn't 100% there yet. I suspect it wouldn't work on the Raspberry Pi version of Docker though.
Spaceboy 2573 Posted November 4, 2017 The simplest way I've found to get nginx, fail2ban and auto-renewing LetsEncrypt certs is with the Docker container linuxserver/letsencrypt. https://hub.docker.com/r/linuxserver/letsencrypt/ I started using this on Docker for Windows, then switched to running it from an Ubuntu VM because Docker for Windows isn't 100% there yet. I suspect it wouldn't work on the Raspberry Pi version of Docker though. Well, I could run it in Docker on my Synology DiskStation. Might be easier than going the Pi route.
dee1 3 Posted November 4, 2017 (edited) Well, I could run it in Docker on my Synology DiskStation. Might be easier than going the Pi route. Interesting, I could run Docker on WD Cloud; I can see that additional level of security being worthwhile. Better late than never. If you want to share on the internet, I suggest a topology as in this illustration: https://upload.wikimedia.org/wikipedia/commons/thumb/6/60/DMZ_network_diagram_2_firewall.svg/2000px-DMZ_network_diagram_2_firewall.svg.png The comment on UPnP being leveraged for camera hacks and other exploits is true. In the diagram above the LAN side without DNS resolution can connect and do an SSL connection. You can connect directly over the internet from the WAN side, which would have the port forward open. If you are using a Comcast router, that ideally would be the red block in bridge mode. Where the WWW, SMTP, and DNS are shown is where your Emby, HDHomeRun, etc. would be located. One of the advantages of being in bridge mode is it disables the Xfinity public WiFi, but the phone, if you get it from Comcast, still works. https://www.amazon.com/gp/offer-listing/B007CMHILS/ref=dp_olp_all_mbc?ie=UTF8&condition=all You can get one refurb for cheap; it is just a bridge, and stop renting. You might even toss Ooma in as a substitute for the phone; I spend less on Ooma than I did on Comcast modem rental. https://www.amazon.com/Ooma-Phone-System-Certified-Refurbished/dp/B011M6Q8SI/ref=sr_1_1?s=electronics&ie=UTF8&qid=1509816983&sr=1-1&keywords=ooma+refurb Note Ooma will match the refurb cost if you call them. Stopping a brute force on storage has benefits and fail2ban would provide that, also for DoS attacks. But if you want to share, I suggest doing it correctly.
https://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/ One last caveat: I'm biased to Netgear and their support; there are enough eyeballs on the code that the fixes are done in an appropriate manner https://www.myopenrouter.com/ I'm also biased in thinking that the entry-level hardware to run that is the Netgear R6300V2 https://www.pcworld.com/article/3176528/networking/netgears-r6300v2-dual-band-80211ac-router-is-down-to-70-today.html The specs are above what you need. But when you look at the link at Amazon there are two types of refurbs/used shipped, the yellow and the blue https://www.dd-wrt.com/wiki/index.php/Netgear_R6300v2 Once you have done the initial flash you of course can go to the latest, so it really doesn't matter. But remember you have to reconfigure your router after a flash, as the settings backed up or saved are not necessarily correct! If you are a Prime customer you can buy the refurb and return; if you follow the directions, all the scary brick lingo is pretty much from the early days of WRT. The only thing I ever bricked was a Chromebox, and that is because Google is evil. I didn't even care: either I controlled it or they did, and I trust myself, not Google, and never got the BIOS "FULLY" onto the device. So if you want to share, the correct way is best illustrated above, good luck. If you get any problems with a refurb and you're a Prime customer, the seller has that problem; return shipping is free. Good luck. I cut the cord. I'm willing however to pay for security. Edited November 4, 2017 by dee1
BAlGaInTl 288 Posted November 4, 2017 If you do a fresh install of Emby on a new Windows PC, the default configuration is to create an Admin account with no password and open up both the http (8096) and https (8920) ports to the Internet through UPnP on your firewall. This allows anyone on the Internet with a web browser to connect to these ports and access Emby with admin privileges without being prompted for authentication. Not a very secure default configuration. Not really. The default Emby install does run on those ports... but it does not open them to the internet unless you have your computer directly connected to the internet. It opens up those ports for use on the local network. It has to, or no other computers on your network can connect to it. I suppose that the install could force you to put on a password, but it's extremely easy to do that yourself. If you have to knowingly open/forward a port on your router to access it remotely, you should know that you need a strong password.
mastrmind11 722 Posted November 4, 2017 Well, I could run it in Docker on my Synology DiskStation. Might be easier than going the Pi route. Yes, if you have a compatible OS, then the Docker is definitely the simplest. Lemme know if you want to roll your own at some point; plenty of us here have the nginx/f2b setup.
BAlGaInTl 288 Posted November 4, 2017 Yes, if you have a compatible OS, then the Docker is definitely the simplest. Lemme know if you want to roll your own at some point; plenty of us here have the nginx/f2b setup. I have f2b and nginx on my OMV build.... One of these days I'll figure out how to do a proper proxy to route everything.
Tur0k 148 Posted November 4, 2017 (edited) Interesting thread here. I like to see what others are using to secure their networks. I like the idea of adding in fail2ban. This is exactly the type of feature I have been looking for. I had hoped that Emby would add in anti-brute-force protection that would dynamically block public IP addresses after x number of failed logons. My home automation system has that ability. I now have another networking project on my list (Fail2Ban). This feature is also missing on the handful of other services I would eventually like to make publicly available. Here, I run pfSense.
1. I have Snort running locally in pfSense in active mode, and traffic that is suspect and not directly whitelisted is blocked.
2. I have pfBlockerNG running and set up to use DNSBL (block lists for DNS requests based on category) as well as public IPv4 and IPv6 block lists for a few different categories of offenses.
3. I have a purchased domain ($12 annually) and use the dynamic DNS package to keep my synthetic A record subdomain (DDNS) in sync with my public IP. All my third-level domains for my internally and/or publicly accessible services are pointed back to my synthetic A record. This allows me to remember only subdomains, not hostname/port number.
4. I use Let's Encrypt for all the SSL certs for my subdomain.
5. I have NAT reflection configured that allows my internal devices to connect back to my firewall via my public IP. I know this isn't optimal. I am working on dividing out my front end into two separate front ends, one public facing and the other internal facing, then adding in an internal DNS record to redirect internal clients to the inside-facing IP.
6. I run a reverse proxy off of my firewall that is set up to support my home automation server, my network monitor, Emby server, and a few other services. It is set up to use the SSL certs from my Let's Encrypt ACME client above. It is configured not to allow unencrypted connections to my public IP. I do not have UPnP enabled in my network. I determine which service is being requested based on the URL request, and whether the request is coming from one of my internal subnets or from the public Internet/guest network. Based on ACLs and action rules that determine if the service is allowed externally or internally, the reverse proxy will either deny the request or dynamically give the client the appropriate SSL cert and connect them to the appropriate back-end server. I have a trick in my front-end action rules where, in the event that the URL request does not match any of my ACL-enumerated subdomains, the reverse proxy forwards the attacker to a bunk backend server and they get a 503 Service Unavailable error page. They are not allowed to attempt to log in at this point. I implemented this on the advice of a good friend, about a week ago, and it works really well at making an attacker go away... I still need to finish working to get X.509 certificates implemented on my reverse proxy, as this would allow me to implement two-factor authentication. In this case I would need to distribute client certificates to any device I want to provision remote access to my sites.
Remote clients to any of my sites would need to:
1. Navigate to my public IP using a URL with one of my subdomains in it.
2. Not be on any of my above IP block lists in pfBlockerNG.
3. Provide a client certificate before access to the site is granted.
4. Log in to the website.
In Emby server:
1. I set "Hide this user from login screens" on all my user accounts.
2. I don't have a default username like "admin" or "administrator".
3. I created a self-signed SSL cert on the server and have it set up in Emby. This is used for direct connections to the HTPC server.
4. I have the setting "Require HTTPS for external connections" set.
5. I do not have "automatic port mapping" enabled.
6. The account I have associated with Emby Connect is not the admin account in my instance of Emby.
I think the OP's root gripe is valid:
1. Default admin account with no password.
2. Automatically punching holes in home routers with UPnP without prompting the user if they even want remote access.
I think we should confirm whether an admin account is being created with no password (I don't recall this when I first built my Emby server, but I would have fixed it when I saw it) on initial installation with the normal installer, .NET install, and portable install. If this is indeed happening, I think that this should be accounted for on initial startup of Emby server: force the user to create an initial admin account and password. Here, I don't like default usernames like admin, administrator, Cisco, Netgear, etc., as these give an attacker fewer constraints to overcome and more information about the device that they are attacking than necessary. I also think the same kind of prompt after initial startup, asking if the user wants remote access, is a good idea. Then prompt for insecure, secure only, or both. Only if they select yes does Emby go out and attempt to set up the ports. I would also like to see three features added to Emby:
1. Account lockout on x failed attempts per user account.
2. Ability to enumerate multiple local subnets and treat them as internal access.
3. Enumerating if an account should be allowed to log in from the internal subnet or remote or both.
Based on the OP's original post the attacker was able to authenticate without failing on the first attempt. This would not have been as easy if:
A. The admin account already had a password associated with it and/or it wasn't something easy to guess like (admin).
B. The holes were not punched in the home router to allow remote access.
C. The admin account was only allowed to log in on local subnets.
D. The client had to have some type of two-factor authentication.
E. The client's source IP address was on a block list on the user's firewall.
F. The user had an explicit allow-only public IP list.
Sent from my iPhone using Tapatalk Edited November 5, 2017 by Tur0k 1
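A small model of the front-end rules Tur0k describes (route by the requested subdomain, an internal-versus-external ACL per service, and a bunk 503 backend for anything unmatched), added here as an illustration; it is not pfSense, HAProxy or Emby code, and the subnets, hostnames and backend addresses are made up.

```python
"""Model of a reverse-proxy front end: route on the requested subdomain,
apply an internal/external ACL per service, and send anything unmatched to
a bunk backend that only answers 503. Constructed example; the subnets,
hostnames and backend addresses below are assumptions, not a real setup."""
import ipaddress
from dataclasses import dataclass

# Assumed LAN subnets that count as "internal"; anything else (the Internet,
# a guest WiFi range) is treated as public.
INTERNAL_SUBNETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]


@dataclass(frozen=True)
class Backend:
    name: str
    address: str           # where the proxy forwards (constructed values)
    allow_internal: bool   # reachable from the LAN subnets above
    allow_external: bool   # reachable from the public Internet


# Constructed ACL: the only subdomains the proxy will ever route.
SERVICES = {
    "emby.example.net": Backend("emby", "10.0.0.10:8920", True, True),
    "home.example.net": Backend("home-automation", "10.0.0.12:8123", True, True),
    "monitor.example.net": Backend("monitor", "10.0.0.11:443", True, False),
}
# Dead-end backend: serves only "503 Service Unavailable", never a login page.
BUNK = Backend("bunk", "127.0.0.1:9", True, True)


def is_internal(client_ip: str) -> bool:
    """True when the source address falls inside one of the internal subnets."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False           # unparsable source: treat as untrusted
    return any(addr in net for net in INTERNAL_SUBNETS)


def normalise_host(host_header: str) -> str:
    """Strip an explicit port and case so 'Emby.Example.NET:8920' matches the ACL."""
    host = host_header.strip().lower()
    if host.startswith("["):                     # bracketed IPv6 literal
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def route(host_header: str, client_ip: str, tls: bool) -> tuple:
    """Decide where a request goes: (status the client sees, backend name)."""
    # Rule 1: the public IP never serves plaintext HTTP.
    if not tls:
        return 403, "deny-plaintext"
    backend = SERVICES.get(normalise_host(host_header))
    # Rule 2: bare IPs, scanners and unknown hostnames go to the bunk backend.
    if backend is None:
        return 503, BUNK.name
    # Rule 3: the per-service ACL decides by which side the request comes from.
    allowed = backend.allow_internal if is_internal(client_ip) else backend.allow_external
    if not allowed:
        return 503, BUNK.name                    # same answer, so nothing is learned
    return 200, backend.name


if __name__ == "__main__":
    for host, ip in [("emby.example.net", "203.0.113.5"),
                     ("monitor.example.net", "203.0.113.5"),
                     ("monitor.example.net", "192.168.1.20"),
                     ("203.0.113.9", "203.0.113.5")]:
        print(host, ip, route(host, ip, tls=True))
```

An internal-only service answers 503 from the outside exactly like a hostname that does not exist, so a scanner cannot tell the two apart.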
dee1 3 Posted November 4, 2017 (quoting Tur0k's post above) ^ Good advice Kali like 1
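The fail2ban jails several posters run, plus the per-account lockout Tur0k asks for, modelled over a constructed Emby-like log as an added illustration; this is not Emby's or fail2ban's code, and the line format, regex and thresholds (10-minute window, 5 tries per IP, 3 per account, 1-hour ban) are assumptions.

```python
"""Fail2ban-style per-IP ban plus per-account lockout, run over constructed
Emby-like log lines. Constructed example: the log format, the regex and the
thresholds are assumptions, not Emby's real log or fail2ban's filter."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format. A real failregex has to be written against the lines
# your own Emby server log actually emits on a failed login.
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \w+ AUTH FAILED "
    r"user=(?P<user>\S+) from (?P<ip>\S+)$"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample log: one noisy guesser, one slow guesser, one LAN user,
# and a second source trying the same "admin" account.
SAMPLE_LOG = """\
2017-11-04 21:00:01.000 Info AUTH FAILED user=admin from 203.0.113.7
2017-11-04 21:00:04.000 Info AUTH FAILED user=admin from 203.0.113.7
2017-11-04 21:00:07.000 Info AUTH FAILED user=root from 203.0.113.7
2017-11-04 21:00:09.000 Info AUTH FAILED user=dee1 from 198.51.100.4
2017-11-04 21:00:10.000 Info AUTH FAILED user=emby from 203.0.113.7
2017-11-04 21:00:12.000 Info AUTH OK user=dee1 from 192.168.1.20
2017-11-04 21:00:13.000 Info AUTH FAILED user=guest from 203.0.113.7
2017-11-04 21:00:15.000 Info AUTH FAILED user=guest from 203.0.113.7
2017-11-04 21:03:30.000 Info AUTH FAILED user=admin from 198.51.100.8
2017-11-04 21:20:00.000 Info AUTH FAILED user=dee1 from 198.51.100.4
2017-11-04 21:40:00.000 Info AUTH FAILED user=dee1 from 198.51.100.4
"""


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FORMAT)


class WindowCounter:
    """Sliding-window counter: fail2ban's findtime/maxretry for one key type."""

    def __init__(self, maxretry: int, findtime: timedelta):
        self.maxretry = maxretry
        self.findtime = findtime
        self.hits = defaultdict(deque)

    def add(self, key: str, ts: datetime) -> bool:
        """Record one failure; True when the key crossed maxretry inside findtime."""
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.findtime:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.maxretry:
            q.clear()                              # start fresh once the ban fires
            return True
        return False


class Jail:
    """Per-source-IP ban (what fail2ban does) plus per-account lockout, which
    also catches slow guessing of one account spread over many source IPs."""

    def __init__(self, ip_maxretry=5, user_maxretry=3,
                 findtime=timedelta(minutes=10), bantime=timedelta(hours=1)):
        self.ip_counter = WindowCounter(ip_maxretry, findtime)
        self.user_counter = WindowCounter(user_maxretry, findtime)
        self.bantime = bantime
        self.banned_until = {}   # ip -> datetime the firewall rule expires
        self.locked_until = {}   # user -> datetime the account unlocks

    @staticmethod
    def _expire(table: dict, now: datetime) -> None:
        for key in [k for k, until in table.items() if until <= now]:
            del table[key]

    def is_banned(self, ip: str, now: datetime) -> bool:
        self._expire(self.banned_until, now)
        return ip in self.banned_until

    def feed(self, line: str) -> list:
        """Process one log line; return the ban/lock events it triggered."""
        m = FAILREGEX.match(line)
        if not m:
            return []                              # success lines and noise are ignored
        ts = parse_ts(m["ts"])
        ip, user = m["ip"], m["user"]
        self._expire(self.locked_until, ts)
        if self.is_banned(ip, ts):
            return []                              # the firewall would already drop this source
        events = []
        if self.ip_counter.add(ip, ts):
            self.banned_until[ip] = ts + self.bantime
            events.append(("ban-ip", ip))
        if self.user_counter.add(user, ts):
            self.locked_until[user] = ts + self.bantime
            events.append(("lock-user", user))
        return events


def run(log_text: str) -> list:
    """Feed a whole log to a fresh jail and collect every event, in order."""
    jail = Jail()
    events = []
    for line in log_text.splitlines():
        events.extend(jail.feed(line))
    return events


if __name__ == "__main__":
    for event in run(SAMPLE_LOG):
        print(event)
```

On the sample log the noisy source is banned on its fifth failure and the "admin" account locks when a second source adds a third failure inside the window, while the slow guesser never accumulates enough hits in any ten-minute span.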
Spaceboy 2573 Posted November 5, 2017 Yes, if you have a compatible OS, then the Docker is definitely the simplest. Lemme know if you want to roll your own at some point; plenty of us here have the nginx/f2b setup. Can you expand? What is the difference? Ta
revengineer 142 Posted November 5, 2017 Above I see a lot of tips for putting patches on the network, attached systems, and software. IMHO, the attackers have to be stopped at the front door, i.e. the firewall. It is crazy to open ports to create all sorts of exceptions to access software, including Emby, that may not be sufficiently hardened for attacks. It is up to the firewall (not Emby) to solve this problem. My solution is to run OpenVPN on the firewall and let the OpenVPN ports be the only ones open to the public. Use certificate+password security to minimize the likelihood of a break-in. There are OpenVPN clients for all OSes, including those running on smartphones. It is really easy to use; it just takes an extra tap to start OpenVPN when I need to get into my network. I have used this setup to access Emby on my home network for ~2 years now, and it has been working flawlessly. If you decide to go this route, pfSense is a decent free firewall that provides the above capability. When setting up OpenVPN, I recommend setting up two OpenVPN services. The first one runs UDP on port 1194, which is the standard setup. The second one uses TCP on port 443. I have found that many hotels block ports other than those for web surfing, and the service on port 443 will allow OpenVPN use on these hotel networks. TCP is slower than UDP, but I have not noticed this in practice or experienced any issues. If anything my bottleneck is my uplink speed on my home network, which is noticeable when I remote sync movies from Emby. 2
dee1 3 Posted November 5, 2017 Above I see a lot of tips for putting patches on the network, attached systems, and software. IMHO, the attackers have to be stopped at the front door, i.e. the firewall. It is crazy to open ports to create all sorts of exceptions to access software, including Emby, that may not be sufficiently hardened for attacks. It is up to the firewall (not Emby) to solve this problem. My solution is to run OpenVPN on the firewall and let the OpenVPN ports be the only ones open to the public. Use certificate+password security to minimize the likelihood of a break-in. There are OpenVPN clients for all OSes, including those running on smartphones. It is really easy to use; it just takes an extra tap to start OpenVPN when I need to get into my network. I have used this setup to access Emby on my home network for ~2 years now, and it has been working flawlessly. If you decide to go this route, pfSense is a decent free firewall that provides the above capability. When setting up OpenVPN, I recommend setting up two OpenVPN services. The first one runs UDP on port 1194, which is the standard setup. The second one uses TCP on port 443. I have found that many hotels block ports other than those for web surfing, and the service on port 443 will allow OpenVPN use on these hotel networks. TCP is slower than UDP, but I have not noticed this in practice or experienced any issues. If anything my bottleneck is my uplink speed on my home network, which is noticeable when I remote sync movies from Emby. I was sort of credulous as well; however, fail2ban cannot hurt, but I agree it is not keeping them out, which is what a firewall does! The DD-WRT OpenVPN is possibly the only reliable solution, and then I'd still split things up on a segmented network by need. https://www.bleepingcomputer.com/news/security/over-104-000-samba-installations-vulnerable-to-remote-takeover-attacks/ NAS are their own freaking zoo.
Not to pick on one vendor: https://threatpost.com/unpatched-western-digital-bugs-leave-nas-boxes-open-to-attack/124125/ The speed at which cameras get hacked: https://security.stackexchange.com/questions/129972/how-can-my-ip-camera-be-hacked-behind-a-nat It is possible that the camera is still reachable from the network, even if UPnP and port forwarding are disabled, and the camera is behind NAT. Some camera manufacturers use the "UDP hole punching method". The API looks like the following: The camera sends UDP packets to a server every 30 seconds or less. This keeps the connection alive, thus the camera can be reached from the server. The client software initiates a connection with the camera server, and it sends the camera ID to the server. The camera server connects to the camera through the alive UDP connection, and it notifies the camera that a client is trying to connect to the camera. The camera connects to the client software directly. If the client software is not behind NAT or firewalled, the connection succeeds. Now there is a working UDP channel between the client software and the camera. In reality, this process is a bit more complicated with more scenarios, but this is basically how a camera can be reached via the camera server, only by knowing its camera ID. So let's discuss this practically; there is no single solution for all the possible scenarios.
At the router: first disable UPnP at the router, which is updated and has a strong password, without remote management.
Within Emby: disable "Enable DLNA server" (Allows UPnP devices on your network to browse and play Emby content).
Within Emby: disable "Enable automatic port mapping" (Attempt to automatically map the public port to the local port via UPnP. This may not work with some router models).
Within Emby: disable "Enable automatic server updates" (Allow the server to restart automatically to apply updates. The server will only restart during idle periods, when no users are active).
Check under Dashboard > Remote (WAN) access, then test from outside: https://www.yougetsignal.com/tools/open-ports/

Port 8096 is closed on xx.xxx.xxx.x.

At the bottom of that link click "Scan All Common Ports":

Port 21 is closed on xxx.xxx.xxx.xxx
Port 22 is closed on xxx.xxx.xxx.xxx
Port 23 is closed on xxx.xxx.xxx.xxx
Port 25 is closed on xxx.xxx.xxx.xxx
Port 53 is closed on xxx.xxx.xxx.xxx
Port 80 is closed on xxx.xxx.xxx.xxx
Port 110 is closed on xxx.xxx.xxx.xxx
Port 115 is closed on xxx.xxx.xxx.xxx
Port 135 is closed on xxx.xxx.xxx.xxx
Port 139 is closed on xxx.xxx.xxx.xxx
Port 143 is closed on xxx.xxx.xxx.xxx
Port 194 is closed on xxx.xxx.xxx.xxx
Port 443 is closed on xxx.xxx.xxx.xxx
Port 445 is closed on xxx.xxx.xxx.xxx
Port 1433 is closed on xxx.xxx.xxx.xxx
Port 3306 is closed on xxx.xxx.xxx.xxx
Port 3389 is closed on xxx.xxx.xxx.xxx
Port 5632 is closed on xxx.xxx.xxx.xxx
Port 5900 is closed on xxx.xxx.xxx.xxx
Port 6112 is closed on xxx.xxx.xxx.xxx

Your computers, your security, your responsibility. Get Kali and run a pentest and create a baseline. I also very highly suggest reserving IPs so you know where stuff is at! However, if you think you are going to do this correctly with a rented modem, a crap router, one router, or without proven tools, you're foolish. But if you are not certain where you stand, check first. That common port scan isn't of course exhaustive, but if 8096 is hanging open, it's a "gaping" invitation for mischief at your expense; scripts just troll for this. If for whatever reason you want the internet access and you are not comfortable setting up security yourself, then get someone who is, and is a professional, to do it. Not somebody who knows a lot, the neighbor's kid.. I added a lot of external links, but your security is your responsibility.

I was at a freaking gun show Sat. and was watching a guy dispense firearm sales advice to a woman, and it was bad damn advice; the product he was hawking was online at $200 for that pistol, a .380: https://grabagun.com/ruger-lcp-380-bl-polymer-frame-6-1.html And he was gaping her at $375 at the show. But that is the cost of an education; she gets home, Googles the item.. he's gone.

But Google yourself: https://www.yougetsignal.com/tools/open-ports/ And then check your logs on your routers: how far did the checks go??

But going back to my previous links.. you probably want WRT to do it correctly. I also listed a reliable vendor that can ship you a correctly configured router; they are indeed pricey, but unlike the gun salesman they don't apologize for your ignorance. If you want the convenience of accessing your system anywhere, it's going to cost some money to do it safely.
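A practical companion to the "disable UPnP, then confirm 8096 is closed" advice above: the router's own UPnP (IGD) table tells you whether a mapping for the Emby ports still exists, before and after you turn the feature off. This is an added example, not Emby's code or anything posted in the thread; it assumes the gateway exposes the WANIPConnection:1 service and that you already know its control URL (from the router's UPnP page or an SSDP discovery tool), and the two sample replies at the bottom are constructed, not captured from a real router.

```python
# Added example, not Emby code: list a router's UPnP IGD port mappings and flag the
# Emby ports. Assumes the WANIPConnection:1 control URL is known; samples are constructed.
import urllib.error, urllib.request
import xml.etree.ElementTree as ET

EMBY_PORTS = {8096, 8920}  # HTTP / HTTPS ports named in the thread
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

def soap_body(index):  # GetGenericPortMappingEntry request for table slot `index`
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_ENV}"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}'
            '</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()

def parse_mapping(xml_text):
    """One mapping as a dict, or None on a SOAP Fault (routers answer UPnP error 713,
    SpecifiedArrayIndexInvalid, once the index runs past the end of the table)."""
    root = ET.fromstring(xml_text)
    if root.find(f".//{{{SOAP_ENV}}}Fault") is not None:
        return None
    text = lambda tag: root.find(f".//{tag}").text or ""  # fields are unqualified elements
    return {"ext_port": int(text("NewExternalPort")), "int_port": int(text("NewInternalPort")),
            "client": text("NewInternalClient"), "desc": text("NewPortMappingDescription")}

def fetch_mapping(control_url, index):  # POST the SOAP call to the IGD control URL
    req = urllib.request.Request(control_url, data=soap_body(index), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:  # a Fault arrives as HTTP 500; keep its body
        return err.read().decode()

def audit(control_url, fetch=fetch_mapping, max_entries=64):  # -> (all, Emby-exposing)
    found = []
    for i in range(max_entries):
        entry = parse_mapping(fetch(control_url, i))
        if entry is None:  # end of table
            break
        found.append(entry)
    return found, [m for m in found if {m["ext_port"], m["int_port"]} & EMBY_PORTS]

# Constructed sample replies (not captured): one Emby mapping, then the end-of-table Fault.
SAMPLE_ENTRY = (f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Body><u:GetGenericPortMappingEntryResponse'
    f' xmlns:u="{SERVICE}"><NewExternalPort>8096</NewExternalPort><NewInternalPort>8096'
    '</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient><NewPortMappingDescription>'
    'Emby</NewPortMappingDescription></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
SAMPLE_FAULT = (f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Body><s:Fault><detail><UPnPError xmlns="urn:'
    'schemas-upnp-org:control-1-0"><errorCode>713</errorCode></UPnPError></detail></s:Fault></s:Body></s:Envelope>')
```

Run `audit("http://<router-ip>:<port>/<control-path>")` against your own gateway; an empty second list after disabling UPnP and "automatic port mapping" is the result you want, and any leftover entry tells you which internal host still has a hole punched for it.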
Tur0k 148 Posted November 5, 2017 (edited)

I have that gun. I bargained them down to $190, but I also learn the product I want to buy before splitting ways with my money. It is a terrible gun imo. I tried to make it work with the extended grip on the mag, and shooting regularly every week. It is great as a concealed gun for its size but not much else. LCP for $400 is theft. Just goes to show you can't trust the world of men.

I agree that people should be performing regular assessments of their network. I would also recommend that they annually check their publicly accessible sites and confirm the security protocols they use: https://www.ssllabs.com/ssltest/

What's more, there are also internal vulnerabilities that need to be addressed. The latest KRACK vulnerability in the WPA 4-way handshake that occurs in wifi networks makes what was once considered internal-access-only now more like a publicly accessible front. This potentially means that:

1. Unencrypted (HTTPS or VPN) connections can be attacked with MITM attacks. Connections encrypted with a self-signed certificate are at a higher risk of successful attack if the end user isn't aware of changes in unsigned certificates.
2. Devices can be added to a wifi network, and further attacks on the internal network can be implemented from there.

Most people think that this isn't a horrible vulnerability because the attacker needs to be in physical proximity to the wifi network, but the proliferation of IOT devices that are already vulnerable (remote code execution and root-level access (no root PWD)) means that these vulnerable IOT devices could be used to implement an attack at greater distance. What's more, the patching for the KRACK vulnerability needs to be implemented at the AP, client WLAN driver, and/or OS (depending on device type). I won't lie, I am not a fan of unhardened IOT, and I am also suspicious of almost all other cloud-connected devices.

Here I run separate VLANs for network equipment, internal, server, cameras, and guest traffic. Guests to my house are forced to the secured guest network. That network suppresses broadcast and multicast traffic. Additionally, the guest wifi forces guest isolation on connected devices. IOT devices that need access to the Internet (ex: irrigation system, my work VoIP phone, and our Amazon Dot) live on this network, as they don't need direct access to my internal network and rely on the Internet for functionality. IOT devices that do not need access to the Internet are segregated to a separate network. That network is broadcast and multicast isolated, and gets no access to the public Internet. The VLAN is also only allowed access to absolutely necessary internal IP addresses on specified ports. All other access to internal resources is restricted. Terminal AND UI access to the firewall, switch and controller are limited, as their interfaces also live on a separate VLAN. ONLY 2 switch ports are configured to allow access to that VLAN.

Consumers really need to ask the questions "does this device really need access to the Internet?", "does this service really need to be publicly accessible?", "if this device becomes compromised on the Internet, what could I lose?", and "how can I mitigate further risk in the event this device is compromised?". If the answer is yes, there needs to be an understanding that some risk must be accepted. The problem is that not everyone is an IT professional.

As related to the OP's post, if an admin account really gets created with no password, that is literally the miss that got Equifax hacked... This is avoidable by forcing the user to set one up at initial startup. The same prompt at initial startup can be used to make sure the user understands the risk of opening ports for remote access.

Sent from my iPhone using Tapatalk

Edited November 5, 2017 by Tur0k
dee1 3 Posted November 5, 2017

I have that gun. I bargained them down to $190, but I also learn the product I want to buy before splitting ways with my money. It is a terrible gun imo. I tried to make it work with the extended grip on the mag, and shooting regularly every week. It is great as a concealed gun for its size but not much else. LCP for $400 is theft. Just goes to show you can't trust the world of men. I also agree that people should be performing regular assessments of their network. I also think that people really need to ask the questions "does this device really need access to the Internet?" and "does this service really need to be publicly accessible?" If the answer is yes, there needs to be an understanding that some risk is acceptable. The problem is that not everyone is an IT professional. I really think that most of this can be averted by prompting the user to set up the admin username and password and ask for direction on remote access at the initial startup of a fresh Emby server install. If the admin account really gets created with no password, that is literally the miss that got Equifax hacked... Sent from my iPhone using Tapatalk

I'm heading out to watch football; this is the coverage map. I'd like to discuss out-of-market access for football. I have an old HDHomeRun Prime (cable card) I'd trade with another member here. I could help with security and routers, but a small professional group for circumstances like today.

https://www.bleedinggreennation.com/2017/11/5/16608732/eagles-broncos-game-tv-coverage-map-2017-nfl-week-9-how-watch-stream-philadelphia-denver-live-cbs

On guns, I do round wheels and suggest a revolver for home defense, especially as a first gun, and I see credible .38 revolvers at the $300 mark: https://grabagun.com/ruger-5430-lcrx-38sp-p-1-875-hog-blk.html For a starter gun, a Taurus or even a Windicator: https://grabagun.com/eaa-windicator-38spl-6rd-2-bl-rub.html I have an old Colt I'm retiring, and I use a 7-shot Taurus 66 stainless in .357 for home. I load, and I'm packing 5.5 HP 38 or Win 231 on these: https://rmrbullets.com/shop/bullets-for-reloading/bullets-for-reloading-357-38-13/357-200-gr-speer-total-metal-jacket-tmj-bullets-new-2nds/?v=7516fd43adaa#prettyPhoto I don't care if I print... She got robbed..

Tag me if any interested (any/all of you). I have Baltimore market and PHI most of the time:

2.1 WMAR-HD, 2.2 WMARDT1, 2.3 BOUNCE
8.1 WGAL-TV, 8.2 WGAL-DT
11.1 WBAL-DT, 11.2 WBAL-SD
13.1 WJZ-TV, 13.2 Decades
14.1 WFDC-DT, 14.2 GET-TV, 14.3 GRIT, 14.4 BOUNCE
15.1 Grit, 15.2 Comet
22.1 MPT-HD, 22.2 MPT-2, 22.3 MPTKIDS, 22.4 NHK-WLD
24.1 WUTB-HD, 24.2 Grit-TV, 24.3 Stadium, 24.4 Get TV
43.1 WPMT-DT, 43.2 Antenna, 43.3 This TV
45.1 WBFF-HD, 45.2 Weather, 45.3 This
54.1 WNUV-HD, 54.2 Antenna, 54.3 Comet
67.1 MPT-HD, 67.2 MPT-2, 67.3 MPTKIDS, 67.4 NHK-WLD