Posted

Ok, so I had issues connecting outside of my home network and I set up port forwarding, which fixed that issue, but after talking to my brother I realized that turning on port forwarding allows anyone to access my home network, which puts a lot of my info at risk. I’m running the server on my laptop and I have the content on an external HD, so after giving some of my family access to the server, now I have to turn off port forwarding to protect myself. I was wondering if anyone has any info on how I can securely do this.

I still like the Emby platform and I can see the stuff on multiple devices at home, but I would really like to give myself and some family access as well.

Thanks

Posted

Hi, well that's not entirely true. It exposes your Emby Server over the internet, not the contents of your entire home network.

Gilgamesh_48
Posted

@Luke is correct but there are other perfectly good reasons not to expose any part of your network to the outside world. I do not allow any outside connection that I do not directly initialize and, when I do, I always have a good VPN active.

There are enough risks to using the internet without creating new ones.

There are lots and lots of people that use Emby (or Plex for that matter) and allow multiple people to remotely access their server and have not even one issue and that is exactly what should be expected. Remote access for Emby is about as safe as any internet connection can be but I would never ever allow it.

It is up to each individual what level of risk is acceptable and, for me, allowing remote access is not acceptable.

In any situation involving risk you must say to yourself: "Yes, I'm paranoid. But am I paranoid enough."

Posted
1 hour ago, howieT82 said:

Ok, so I had issues connecting outside of my home network and I set up port forwarding, which fixed that issue, but after talking to my brother I realized that turning on port forwarding allows anyone to access my home network, which puts a lot of my info at risk. I’m running the server on my laptop and I have the content on an external HD, so after giving some of my family access to the server, now I have to turn off port forwarding to protect myself. I was wondering if anyone has any info on how I can securely do this.

I still like the Emby platform and I can see the stuff on multiple devices at home, but I would really like to give myself and some family access as well.

Thanks

Why do you or your brother think this is insecure?

You should have only opened 1 port (either non SSL or SSL) or both at most but not a range. You set up forwarding of these 1 or 2 ports specifically to 1 IP on your network that is running Emby. The user will have NO ACCESS to any service except for Emby since that's the app that answers on those two ports. Where is the insecurity?

Now with that said, there are things you can do to make your setup even more secure. None of these are required but totally optional for the paranoid. :)

This is by no means exhaustive but just the main things.

1) Only open SSL port of 8920 and set up Emby with a Domain & Cert. This way all communication is encrypted.
2) Set up your network using VLANs with routing from the outside going to only one VLAN that has Emby in it.
3) Set up a dedicated computer on this VLAN specific for Emby and attach storage directly to this computer or on a NAS in that dedicated VLAN.
4) Put NO documents or anything other than media on that VLAN. In other words, if someone was to copy every bit of info from that VLAN they'd have nothing personal.
5) Set up a reverse proxy on your network.
6) Set up your system behind Cloudflare or other CDN.
7) Make use of 5 & 6 to filter out all country IPs you don't want to connect to your setup or only allow specific IPs.

You can also make use of private VPNs and other things but then they often get in the way of apps working properly.
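The "one or two ports, no ranges, one target IP" rule from the post above can be checked mechanically against a router's forwarding table. This is an added example, not part of the original post; the rule format and the LAN addresses are constructed, and 8096 is assumed as Emby's default HTTP port alongside the 8920 SSL port named above.

```python
from dataclasses import dataclass

EMBY_HTTP, EMBY_HTTPS = 8096, 8920  # Emby defaults; change if you remapped them

@dataclass
class Forward:
    ext_ports: str    # external port or range, e.g. "8920" or "8000-9000"
    target_ip: str    # LAN host the router forwards to
    target_port: int  # port on that host

def parse_ports(spec):
    """Return (low, high) for a single port or an inclusive 'low-high' range."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return lo, hi

def audit(rules, emby_ip):
    """Return (severity, ext_ports, message) for every rule that breaks the advice."""
    findings = []
    for r in rules:
        lo, hi = parse_ports(r.ext_ports)
        if hi > lo:
            findings.append(("high", r.ext_ports, f"range of {hi - lo + 1} ports forwarded"))
        if r.target_ip != emby_ip:
            findings.append(("high", r.ext_ports, f"forwards to {r.target_ip}, not the Emby host"))
        elif r.target_port == EMBY_HTTP:
            findings.append(("info", r.ext_ports, "plain HTTP exposed; HTTPS-only is tighter"))
        elif r.target_port != EMBY_HTTPS:
            findings.append(("high", r.ext_ports, f"port {r.target_port} is not an Emby port"))
    return findings

# Constructed sample: what a router's forwarding table might contain.
SAMPLE = [
    Forward("8920", "192.168.1.50", 8920),
    Forward("8096", "192.168.1.50", 8096),
    Forward("8000-9000", "192.168.1.50", 8000),
    Forward("3389", "192.168.1.20", 3389),
]

if __name__ == "__main__":
    for sev, ports, msg in audit(SAMPLE, "192.168.1.50"):
        print(f"[{sev}] {ports}: {msg}")
```

An empty result means the only things reachable from outside are Emby's own ports on the Emby host, which is the situation the post describes.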

Posted
On 11/1/2020 at 9:12 PM, Luke said:

Hi, well that's not entirely true. It exposes your Emby Server over the internet, not the contents of your entire home network.

Ok, I wasn’t totally sure how it all works; thanks for clearing that up.

Posted
On 11/1/2020 at 9:30 PM, Gilgamesh_48 said:

@Luke is correct but there are other perfectly good reasons not to expose any part of your network to the outside world. I do not allow any outside connection that I do not directly initialize and, when I do, I always have a good VPN active.

There are enough risks to using the internet without creating new ones.

There are lots and lots of people that use Emby (or Plex for that matter) and allow multiple people to remotely access their server and have not even one issue and that is exactly what should be expected. Remote access for Emby is about as safe as any internet connection can be but I would never ever allow it.

It is up to each individual what level of risk is acceptable and, for me, allowing remote access is not acceptable.

In any situation involving risk you must say to yourself: "Yes, I'm paranoid. But am I paranoid enough."

I guess after I talked to my brother I got a bit paranoid. I mean, you hear about people getting their servers hacked or personal info accessed, but I’m fairly new to this, so after reading these replies I’m not as concerned as I was last night.

thanks

Posted
22 hours ago, cayars said:

Why do you or your brother think this is insecure?

You should have only opened 1 port (either non SSL or SSL) or both at most but not a range. You set up forwarding of these 1 or 2 ports specifically to 1 IP on your network that is running Emby. The user will have NO ACCESS to any service except for Emby since that's the app that answers on those two ports. Where is the insecurity?

Now with that said, there are things you can do to make your setup even more secure. None of these are required but totally optional for the paranoid. :)

This is by no means exhaustive but just the main things.

1) Only open SSL port of 8920 and set up Emby with a Domain & Cert. This way all communication is encrypted.
2) Set up your network using VLANs with routing from the outside going to only one VLAN that has Emby in it.
3) Set up a dedicated computer on this VLAN specific for Emby and attach storage directly to this computer or on a NAS in that dedicated VLAN.
4) Put NO documents or anything other than media on that VLAN. In other words, if someone was to copy every bit of info from that VLAN they'd have nothing personal.
5) Set up a reverse proxy on your network.
6) Set up your system behind Cloudflare or other CDN.
7) Make use of 5 & 6 to filter out all country IPs you don't want to connect to your setup or only allow specific IPs.

You can also make use of private VPNs and other things but then they often get in the way of apps working properly.

I’m not all the way familiar with the terms or how to go about doing those things, but I’ll try to research them and figure it out. I appreciate all of the info.

Posted

One single exposed device on the network can be an attack vector for the entire network. If a malicious actor is able to gain control of an exposed device, they may be able to compromise all devices on the network. I worked for many years managing networks and this is a valid concern. Note that I am NOT making any comments specifically on Emby, but the concern in general is valid. The steps outlined by Cayars are excellent actions to take to safeguard your network regardless of the application / device you are exposing to the Internet. A VLAN will help, but don't rely on it as a solo solution; make sure to use SSL, a reverse proxy, and a service like Cloudflare. Of course private VPNs are an excellent solution.
