Sammy 790 Posted September 9, 2020 This seems to be a lot of nefarious activity. @cayars , maybe you have some insight?
rbjtech 5284 Posted September 9, 2020 (edited) From the looks of it - yes. Your IPS is listing these as threats. But the question I have is why they are even getting through to your IPS - your firewall should be dropping these at source. If you are allowing 8096 (Emby HTTP) then I would seriously reconsider only allowing HTTPS (8920). I also note a TCP port 81 on the IPS - how did that get past your firewall? Check your firewall is dropping all INCOMING traffic from the internet unless explicitly allowed. You may choose to allow all OUTGOING traffic - that is not recommended but usually fine. Edited September 9, 2020 by rbjtech
Carlo 4561 Posted September 9, 2020 Pretty much agree with what rbjtech just said.
Sammy 790 Posted September 10, 2020 Author I checked and these are suppressed in my IPS on the UDM. I'll drop 8096 from the allowed connections in Port Forwarding. If anybody has connection issues to my server I'll deal with that, but most are via Emby Connect now.
pwhodges 2014 Posted September 10, 2020 Emby Connect doesn't get around access problems, though - it's more of a directory service. Paul
rbjtech 5284 Posted September 11, 2020 (edited) I would personally do a full audit of the services that were accessible from the web - a) by checking the forwarding rules and b) double checking this by doing a port scan from the likes of grc.com. Port TCP 81 (likely unencrypted) from China would concern me - I think something must be listening on this port for the IPS to consider it a threat. Not sure if the UDM has Geo-Blocking (think it does..) but if it were me, and I was only expecting external connections from my home country, then I would also turn on geo-blocking to block the rest of the world... yes, VPNs will get around this, but it will block your mass port scanner bots... Edited September 11, 2020 by rbjtech
Sammy 790 Posted September 11, 2020 Author Port 81 is BlueIris Server. They use something called stunnel for HTTPS remote connections which I could never get hooked up right. This may be the server that runs their app and maybe not. I will post in the IPCamTalk forum or maybe @cayars can assist with setting it up with Cloudflare or something like that. Nobody's complained about Emby connections so all is well on the HTTPS port it seems.
Carlo 4561 Posted September 11, 2020 You rang? Is BlueIris on the same machine as your Emby Server or a different PC?
Sammy 790 Posted September 11, 2020 Author (edited) 8 minutes ago, cayars said: "You rang? Is BlueIris on the same machine as your Emby Server or a different PC?" Same. This PC runs everything that isn't on my VeraPlus Controller or in the UDM itself. One thing I can say, Doofus set me up good with this Ryzen 3700x. I do think I need to add more RAM and another M.2 drive but it is running swimmingly as it is now. Edited September 11, 2020 by Sammy
Carlo 4561 Posted September 11, 2020 If you don't mind making a change to BI to use a different port, you can use Cloudflare. Since it's on the same machine you already have an A or C record pointing to your machine by name (same as how you access Emby), so all you need to do is change the port BI uses and of course set up your router for this new port forward. So pick one of these ports not in use and make the port forwarding changes in the router and it should work. HTTP ports supported by Cloudflare: 80, 8080, 8880, 2052, 2082, 2086, 2095. HTTPS ports supported by Cloudflare: 443, 2053, 2083, 2087, 2096, 8443.
Sammy 790 Posted September 11, 2020 Author Emby is using 443 so not that one I suppose. Do I just make changes in the port forwarding table or do I need to make changes in Cloudflare too? If I understand this correctly, I map the HTTPS port to the local port in the port forwarding table?
Carlo 4561 Posted September 11, 2020 Depends if you can set BI to use the CF cert we set up already in Emby. That cert will work for anything using your domain name. If you can't figure this out in BI, then you could also try this: CF SSL/TLS top-level tab. Now choose the EDGE CERTIFICATES sub-tab. Scroll down and turn off "Always Use HTTPS". That should allow the use of "http" without getting redirected to "https", so essentially allowing a connection to be made to your server without SSL.
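The audit rbjtech describes (check every forwarding rule, flag plaintext services) and Carlo's port choice (a Cloudflare-proxied port nobody is already using) can be scripted against an export of the router's forwarding table. The script below is an added example, not code from the thread, Emby, Ubiquiti or Cloudflare; the rule set is constructed to mirror the situation in the thread (Emby on 8096 and 443, BlueIris on 81), and the field names are assumptions rather than any real router's export format.

```python
from dataclasses import dataclass

# Cloudflare-proxied ports as listed in the thread.
CF_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}


@dataclass(frozen=True)
class Forward:
    """One port-forward rule (hypothetical field names, not a real router export)."""
    name: str      # label shown in the router UI
    ext_port: int  # port opened to the internet
    int_port: int  # port on the LAN host
    tls: bool      # whether the listening service speaks TLS


# Constructed sample mirroring the thread: Emby HTTP/HTTPS plus BlueIris on 81.
SAMPLE_RULES = [
    Forward("emby-http", 8096, 8096, tls=False),
    Forward("emby-https", 443, 8920, tls=True),
    Forward("blueiris", 81, 81, tls=False),
]


def audit(rules, allowed_ext_ports):
    """Return one finding per problem: forwards outside the allow-list, and
    forwards that expose a plaintext (non-TLS) service to the internet."""
    findings = []
    for r in rules:
        if r.ext_port not in allowed_ext_ports:
            findings.append(f"{r.name}: external port {r.ext_port} is not on the allow-list")
        if not r.tls:
            findings.append(f"{r.name}: plaintext service exposed on {r.ext_port}")
    return findings


def pick_cloudflare_port(rules, https=True):
    """Lowest Cloudflare-proxied port not already used by an existing rule,
    or None if every candidate is taken (e.g. 443 is skipped because Emby has it)."""
    in_use = {r.ext_port for r in rules}
    candidates = CF_HTTPS_PORTS if https else CF_HTTP_PORTS
    free = sorted(candidates - in_use)
    return free[0] if free else None


def harden(rules):
    """Keep only TLS-backed forwards; plaintext ones should be removed or re-homed."""
    return [r for r in rules if r.tls]


if __name__ == "__main__":
    for line in audit(SAMPLE_RULES, allowed_ext_ports={443}):
        print("FINDING:", line)
    print("free Cloudflare HTTPS port:", pick_cloudflare_port(SAMPLE_RULES))
    print("rules after hardening:", [r.name for r in harden(SAMPLE_RULES)])
```

Run it against your own rule list after exporting it; a second pass with the external port scan rbjtech mentions confirms that nothing outside the hardened list still answers.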