jerrac 4 Posted December 12, 2020 Posted December 12, 2020 While working on setting up fail2ban, I noticed a bunch of log messages like this: Quote 2020-12-12 21:12:11.241 Info HttpClient: POST https://connect.emby.media/service/user/authenticate I have never used Emby Connect, and none of my family members have done so either. It appears that those logs appear when I use a random username and password. (Testing fail2ban...) Is Emby programmed to automatically try to authenticate via Emby Connect if the user doesn't exist locally? If so, how do I disable that? Thanks in advance! Server info: Running inside a Docker container from the official docker image. HAProxy in front of it. Pop!_OS 20.04 on the host.
Luke 42077 Posted December 12, 2020 Posted December 12, 2020 Hi, when a user logs in, it will try to authenticate with emby connect if the local login fails.
Luke 42077 Posted December 12, 2020 Posted December 12, 2020 Hi, no, but it's possible for the future. Thanks.
jerrac 4 Posted December 12, 2020 Author Posted December 12, 2020 If passwords are transmitted to Connect in a way that Connect can read them, I'd view it as a security issue. If I mistype my username, then it sends the password and username to Connect, that's a secret out the door. I'm sure Emby employees/devs are not going to do anything bad, and I'm glad to see https in use, but still, my password ends up on a server I didn't expect it to. That isn't good. That kind of application behavior needs to be opt in. Plus, I just don't want my server advertising it exists. So I'd urge that you make this an urgent issue. Thanks for the quick replies! Especially on a weekend.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now