How do I report a malicious user that hacked into my Emby server?


virtualtinker
Posted

This morning, I came to find out that all of my user accounts were deleted on my Emby server (3.2.36.0 running on Windows 8.1). The end user seemed to authenticate using my password-protected local Emby account externally over the internet. From there, they deleted every local user account on my server. Then they added an Emby Connect account, which I can only assume is their own, elevated the rights on that, logged in with that account, then blew away my account. Luckily, I guess they tried to restart the server at this point, which is broken on my install, so Emby never came up after that, cutting off any other access and damage they could have done. I had backups and was able to restore my user accounts, and for the time being I have turned off the external NAT to my media server, so I've at least stopped the bleeding.

I grabbed the server logs from when all this took place, and also screenshotted the actions in the GUI with the timestamps when the user logged in. I also screenshotted the Emby Connect info with the user account that was added, as well as the external IP they used to log in. Is there anything in the logs that might point to how they were able to use my account to log in? Is there any way I can report the user that did this? I see they created their account on the Emby community this month and have no posts or anything, so I don't necessarily expect any real kind of repercussions, but just the same, I want to do my part and not just let it be if there is something I can do.

I guess lastly, I would love to hear some suggestions on how others protect their externally accessible Emby servers, so maybe I can tighten the screws a bit if and when I decide to turn the NAT back on.

 

Thanks!

Posted

Hi, if you send me the server logs over private message we'll review them. Thanks.

Jdiesel
Posted (edited)

There is a recent thread around here somewhere on the exact topic.

 

A couple of tips:

1) If you post log files on the forums, be sure to scrub out all identifying information. Log files contain your public IP, which makes for an easy target to focus on.

2) Hide users from the login screen. Now unauthorized users must know the username and the password, versus just the password.

3) Use a unique and complex password, especially for your admin account.

4) Get an SSL cert and only allow connections over HTTPS.

5) Optional: set up Fail2Ban on your server to lock out multiple failed login attempts.

Edited by Jdiesel
  • Like 2
Posted (edited)

Find their remote IP by searching your log.

Stand up F2B/W2B, or stand up a firewall that allows you to block inbound traffic by public IP.

Explicitly deny access to their public IP. The problem with any of them is that if they can get a new public IP, you have to go through the same process to catch them.

I am still working on getting client certificate authentication working on my reverse proxy. The plan is that if a public IP address doesn't authenticate with a proper certificate, the client isn't allowed to log into the web front.


Edited by Tur0k
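The two posts above describe a manual routine: search the server log for the remote IP behind the login attempts, then block that IP at the firewall (or let Fail2Ban/wail2ban do it after repeated failures). Here is that routine as a PowerShell script for the Windows 8.1 host in question. It is an added example, not code from this thread, from Emby or from Fail2Ban. The log line shape it parses is constructed from memory of Emby 3.x server logs and must be checked against your own server.txt; the sample log lines embedded in it are made up (203.0.113.7 and 198.51.100.20 are documentation addresses), and the port 8096, the rule names and the threshold values are assumptions you can change.

```powershell
# Added example; not code from the thread, from Emby, or from Fail2Ban.
# Pulls the remote IP behind every login attempt out of the Emby server log,
# lists the ones that succeeded (the address that actually used an account),
# and blocks any IP that fails repeatedly, the way Fail2Ban / wail2ban would.
# ASSUMPTIONS: the log line shape in $AuthPattern is constructed from memory of
# Emby 3.x logs and must be checked against your own server.txt; Emby listens
# on TCP 8096. Run in an elevated PowerShell on the Emby host
# (New-NetFirewallRule needs admin; -DryRun only prints).
param(
    [string]$LogPath,           # path to server.txt; omit to run on the sample below
    [int]$Threshold = 5,        # failed logins per IP ...
    [int]$WindowMinutes = 10,   # ... inside this many minutes => ban
    [int]$EmbyPort = 8096,
    [switch]$DryRun             # print the rules instead of creating them
)

# Constructed sample log (not a real capture). 203.0.113.7 guesses the
# password five times and then gets in; 198.51.100.20 is one normal login.
$SampleLog = @'
2017-10-19 08:14:42.831 Info HttpServer: HTTP Response 401 to 203.0.113.7. Time: 12ms. http://media.example.net:8096/emby/Users/AuthenticateByName
2017-10-19 08:14:45.110 Info HttpServer: HTTP Response 401 to 203.0.113.7. Time: 11ms. http://media.example.net:8096/emby/Users/AuthenticateByName
2017-10-19 08:14:47.902 Info HttpServer: HTTP Response 401 to 203.0.113.7. Time: 10ms. http://media.example.net:8096/emby/Users/AuthenticateByName
2017-10-19 08:14:50.318 Info HttpServer: HTTP Response 401 to 203.0.113.7. Time: 11ms. http://media.example.net:8096/emby/Users/AuthenticateByName
2017-10-19 08:14:52.774 Info HttpServer: HTTP Response 401 to 203.0.113.7. Time: 12ms. http://media.example.net:8096/emby/Users/AuthenticateByName
2017-10-19 08:15:01.006 Info HttpServer: HTTP Response 200 to 203.0.113.7. Time: 40ms. http://media.example.net:8096/emby/Users/AuthenticateByName
2017-10-19 09:02:13.450 Info HttpServer: HTTP Response 200 to 198.51.100.20. Time: 38ms. http://media.example.net:8096/emby/Users/AuthenticateByName
2017-10-19 09:02:14.120 Info HttpServer: HTTP GET http://media.example.net:8096/emby/System/Info. UserAgent: Emby Web
'@

# Timestamp, HTTP status and remote address of each AuthenticateByName call.
$AuthPattern = '^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\S* .*HTTP Response (?<code>\d{3}) to (?<ip>[0-9a-fA-F:.]+)\. .*AuthenticateByName'

$lines = if ($LogPath) { Get-Content -LiteralPath $LogPath } else { $SampleLog -split "`r?`n" }

$events = foreach ($line in $lines) {
    if ($line -match $AuthPattern) {
        [pscustomobject]@{
            Time = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            Code = [int]$Matches['code']
            IP   = $Matches['ip']
        }
    }
}

# Forensics first: which addresses actually got in.
Write-Host "Successful logins (the address that actually used an account):"
$events | Where-Object { $_.Code -eq 200 } | ForEach-Object { Write-Host ("  {0:u}  {1}" -f $_.Time, $_.IP) }

# Ban decision: any IP with $Threshold failures inside a $WindowMinutes window.
$toBan = foreach ($group in ($events | Where-Object { $_.Code -ne 200 } | Group-Object -Property IP)) {
    $times = @($group.Group | ForEach-Object { $_.Time } | Sort-Object)
    for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
        if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
            $group.Name   # the IP string
            break
        }
    }
}

foreach ($ip in $toBan) {
    $ruleName = "Emby ban $ip"
    if ($DryRun) { Write-Host "Would block $ip on TCP $EmbyPort"; continue }
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Host "$ip already blocked"; continue
    }
    # Block rules win over allow rules in Windows Firewall, so this holds even
    # while a broader inbound allow rule for the port is still enabled.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort $EmbyPort -RemoteAddress $ip | Out-Null
    Write-Host "Blocked $ip on TCP $EmbyPort"
}
```

Run it first with `-DryRun` against the sample to see the logic, then point `-LogPath` at the real server.txt (its location depends on where Emby keeps its data directory on your install). On the sample it lists both 200 responses and blocks only 203.0.113.7, because its five 401s land inside ten minutes. Note what it cannot do, which is Tur0k's point: it only catches repeated failures, so an attacker who rotates addresses, or who logs in once with a password they already have, leaves nothing to ban until after the fact.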
virtualtinker
Posted

Thanks for the suggestions. I've gone ahead and done the following so far.

- Created a new user account with a unique name that isn't admin/administrator, with full rights, that is hidden from the login prompt. I then took away administrative rights from my account, so I will essentially need to elevate to manage the server.

- Moved my DNS to Cloudflare and put it behind their CDN to mask my IP.

- Through Cloudflare, my media server is secured end to end with a trusted SSL cert.

- Via Windows Firewall, put in rules to blacklist all incoming web traffic to my media server except from Cloudflare's IP ranges.

Overall, I'm pretty happy with the way things have turned out, except for the performance I am getting when behind Cloudflare. I was using their shared SSL and installed the origin CA on the media server, and set the SSL to strict. I also tried some of the settings that one of the other users suggested for the cache in another thread. Set this way, the media server runs like crap, if at all. If I take the CDN and proxied IP entirely out of the loop, then everything runs fine.

I'm going to fight with getting this to work, as I want the benefit of the proxied IP, but if anyone else has any stories on how they got their Cloudflare setup working optimally that maybe hasn't already been covered in another thread, I'd appreciate it. Thanks!

  • Like 1
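The last bullet in the post above, "allow inbound web traffic to the media server only from Cloudflare's IP ranges", is the piece most people get subtly wrong in Windows Firewall: a scoped allow rule does nothing while a broader allow rule for the same port is still enabled. The script below is an added example, not code from this thread or from Emby or Cloudflare. It assumes Emby's default ports 8096 (HTTP) and 8920 (HTTPS), the rule name is made up, and it downloads the address ranges from Cloudflare's published lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 (pass `-Ranges` with a saved copy to run it offline).

```powershell
# Added example; not code from the thread, from Emby or from Cloudflare.
# Scopes inbound access to the Emby ports to Cloudflare's edge ranges using
# the NetSecurity cmdlets on Windows 8.1 / Server 2012 R2 and later.
# ASSUMPTIONS: Emby listens on TCP 8096 and 8920 (the defaults; adjust -Ports);
# the ranges come from Cloudflare's published lists, the only source to trust
# for them. Run in an elevated PowerShell; -DryRun only prints.
param(
    [int[]]$Ports = @(8096, 8920),
    [string[]]$Ranges,                 # CIDRs; omit to download the current list
    [string]$RuleName = 'Emby - inbound from Cloudflare only',
    [switch]$DryRun
)

if (-not $Ranges) {
    $Ranges = foreach ($url in 'https://www.cloudflare.com/ips-v4', 'https://www.cloudflare.com/ips-v6') {
        (Invoke-RestMethod -Uri $url) -split "`r?`n" | Where-Object { $_ -match '^\S+$' }
    }
}
if (-not $Ranges) { throw 'No Cloudflare ranges obtained; refusing to create an empty allow list.' }

# 1. Any other enabled inbound Allow rule on these ports (for instance one
#    that opened Emby to everyone) would bypass the scope below, so disable it.
$others = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $lp = @($_.LocalPort); @($Ports | Where-Object { $lp -contains [string]$_ }).Count -gt 0 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.Enabled -eq 'True' -and $_.DisplayName -ne $RuleName }

foreach ($r in $others) {
    if ($DryRun) { Write-Host "Would disable: $($r.DisplayName)" }
    else { $r | Disable-NetFirewallRule; Write-Host "Disabled: $($r.DisplayName)" }
}

# 2. Create the scoped allow rule, or refresh its address list if it exists
#    (Cloudflare's ranges change occasionally, so re-run this periodically).
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($DryRun) {
    Write-Host ("Would allow TCP {0} from {1} Cloudflare ranges" -f ($Ports -join ','), $Ranges.Count)
} elseif ($rule) {
    $rule | Set-NetFirewallRule -RemoteAddress $Ranges
    Write-Host "Updated '$RuleName' with $($Ranges.Count) ranges"
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Ports -RemoteAddress $Ranges -Profile Any | Out-Null
    Write-Host "Created '$RuleName' with $($Ranges.Count) ranges"
}
```

Two caveats that follow from this setup. Cloudflare's proxy only forwards to a fixed set of ports (80 and 443 among them, not 8096 or 8920), so the NAT rule on the router has to map a proxied port to the Emby port; the host firewall rule above is about the port Emby itself listens on. And once the traffic is proxied, Emby's own log records Cloudflare's edge address as the client, with the real address only in the CF-Connecting-IP header, so per-IP bans applied at the host firewall no longer see the attacker; any such blocking has to happen in Cloudflare's firewall or in a reverse proxy that reads that header.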
