Veygr 0 Posted June 6, 2021
After updating Emby to version 4.6.2.0, I see suspicious activity on the server. The outbound network usage is very high. After turning off Emby, everything returns to normal. After IP banning, new ones appear. There is no activity in Emby. 2 days ago, the output was 100 Mbps (limit 30) and CPU 100%.
Q-Droid 989 Posted June 6, 2021
Check your Emby server logs for that remote IP address, which appears to be an exit point for Proton VPN. Do you have remote users? Look for playback activity in the server log: lines with "User policy" contain the user name and are usually followed by RemoteIP entries. Hopefully this logging hasn't changed for 4.6, I haven't upgraded yet.
Veygr 0 Posted June 6, 2021 (Author)
/var/lib/emby# grep -r "137.59.253.56" *
No results.
I have remote users but nobody has logged in recently. In activity I only see myself with a local IP.
Q-Droid 989 Posted June 6, 2021
If it wasn't in the logs then it's not a client connection. Was this a one-time event after the update? The server will get busy after the update for library scans and data refresh, but that's an inbound load, and your iftop capture looks very much like a streaming client.
Veygr 0 Posted June 9, 2021 (Author)
I turned off DLNA and everything went back to normal. This only happens when Emby is enabled and DLNA is enabled. Without this there is no traffic. This directly points to a bug in Emby.
Luke 42078 Posted June 9, 2021
We'd have to look at the server log, but most likely you have devices on your network that are communicating with the server's DLNA functions.
Veygr 0 Posted June 15, 2021 (Author)
Emby does not generate any logs. /var/lib/emby/logs has no new entries. DLNA disabled and immediate drop in outbound transfer to zero.
Luke 42078 Posted June 15, 2021
Did you look at where the traffic is coming from?
Veygr 0 Posted June 16, 2021 (Author)
History of banned IP addresses. I see traffic only on iftop. Netstat is empty.
Q-Droid 989 Posted June 16, 2021
Does the remote IP change? You should be able to see something in "netstat -an" and grep for the remote IP you see in iftop. Running "netstat -anp" as root would show the local process involved. If you find it, then make note of the ports involved, which can tell you more about the service used. If it doesn't show in Emby logs or netstat, you might have other layers obscuring things. A connection like this isn't invisible to the system.
Veygr 0 Posted June 16, 2021 (Author)
netstat -anp | grep 103.1.212.123
Empty result.
Q-Droid 989 Posted June 16, 2021
Looks like another IP from a VPN. Have you tried disabling remote access?
XcOM9876 9 Posted June 17, 2021
Looks very suspect. A quick check and they are all over the place, but most look like they are either routing points for traffic or VPN exit points. Are you exposing the default port for Emby? Maybe your public IP has been identified and put on some sort of hit list; my FTP server ended up on a hit list once, and I ended up changing the port number to a non-standard one to stop the constant attacks.
Veygr 0 Posted June 24, 2021 (Author)
I found this on the router:
udp 192.168.1.50:37170 24.196.184.19:32684 UNREPLIED
udp 24.196.184.19:41947 192.168.1.50:1900 UNREPLIED
udp 24.196.184.19:14465 192.168.1.50:1900 UNREPLIED
udp 192.168.1.50:37170 24.196.184.19:14465 UNREPLIED
udp 24.196.184.19:32684 192.168.1.50:1900 UNREPLIED
udp 192.168.1.50:37170 24.196.184.19:58666 UNREPLIED
udp 24.196.184.19:58666 192.168.1.50:1900 UNREPLIED
udp 192.168.1.50:37170 24.196.184.19:41947 UNREPLIED
udp 192.168.1.50:37170 77.77.77.19:36898 UNREPLIED
udp 192.168.1.50:37170 77.77.77.19:56459 UNREPLIED
udp 192.168.1.50:37170 77.77.77.19:23612 UNREPLIED
udp 77.77.77.19:23612 192.168.1.50:1900 UNREPLIED
udp 77.77.77.19:19982 192.168.1.50:1900 UNREPLIED
udp 192.168.1.50:37170 77.77.77.19:19982 UNREPLIED
udp 77.77.77.19:36898 192.168.1.50:1900 UNREPLIED
udp 77.77.77.19:56459 192.168.1.50:1900 UNREPLIED
Disabling remote access does not change anything. Still I have remote access. The solution for me is disabling DLNA. If no one else sees similar activity, there is no point in looking any further. This could be due to my server configuration or anything else.
Q-Droid 989 Posted June 24, 2021
Well, this isn't a fix but more of a general comment and suggestion. From what you've shared, it looks like your firewall or router is too permissive. There is no reason for DLNA to be open to the internet unless you've allowed it. If you are behind a NAT router it shouldn't be reachable unless, again, explicitly allowed. If your server has a real public IP, then your firewall rules or router should only allow access to specific chosen services. If DLNA was open, then other unexpected things could be as well. I would look into scanning and locking down the access to your server.
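Added example (not from the thread, and not Emby's own code): a small Python check that parses conntrack-style lines like the router output quoted above and flags SSDP/DLNA (UDP 1900) probes arriving from public addresses, which is exactly the exposure Q-Droid describes, plus the outbound answers to them that show up in iftop. The sample lines are constructed in the shape of the quoted output; the 192.168.1.20 line is an added LAN-only control case.

```python
"""Flag SSDP/DLNA (UDP 1900) traffic that reaches a LAN host from public
addresses, using conntrack-style lines such as the router output in this
thread. Added example, not part of the original thread or of Emby."""
import ipaddress
import re
from collections import Counter

SSDP_PORT = 1900

# Constructed sample in the shape of the router's conntrack listing:
# the public-source entries mirror the quoted post, the 192.168.1.20
# line is an added LAN-only control case that must not be flagged.
SAMPLE = """\
udp 24.196.184.19:41947 192.168.1.50:1900 UNREPLIED
udp 192.168.1.50:37170 24.196.184.19:41947 UNREPLIED
udp 77.77.77.19:23612 192.168.1.50:1900 UNREPLIED
udp 77.77.77.19:19982 192.168.1.50:1900 UNREPLIED
udp 192.168.1.20:50000 192.168.1.50:1900 UNREPLIED
"""

LINE_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse(text):
    """Yield (proto, src_ip, sport, dst_ip, dport), skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def external_ssdp_sources(text):
    """Return {public_src_ip: probe_count} for UDP flows aimed at port 1900
    from addresses that are not private, loopback or link-local: flows a
    NAT router or firewall should never have let through."""
    hits = Counter()
    for proto, src, _sport, _dst, dport in parse(text):
        if proto == "udp" and dport == SSDP_PORT and ipaddress.ip_address(src).is_global:
            hits[src] += 1
    return dict(hits)


def outbound_to_public(text):
    """Count flows from a private address to a public one: the server's
    replies to external probes, i.e. the outbound traffic seen in iftop."""
    return sum(1 for _p, src, _sp, dst, _dp in parse(text)
               if ipaddress.ip_address(src).is_private
               and ipaddress.ip_address(dst).is_global)


if __name__ == "__main__":
    for ip, n in sorted(external_ssdp_sources(SAMPLE).items()):
        print(f"SSDP reachable from public {ip}: {n} probe(s)")
    print(f"outbound reply flows to public addresses: {outbound_to_public(SAMPLE)}")
```

On a real router, feed it the output of `conntrack -L` (or `/proc/net/nf_conntrack` trimmed to the same fields); any non-empty result from external_ssdp_sources means UDP 1900 is exposed and should be blocked at the edge.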