Practical tips:
| Threat | Kirlif’s Countermeasure |
|--------|------------------------|
| Unauthorized remote access | Put Emby behind Caddy as a reverse proxy so remote clients reach it only over HTTPS with a free Let’s Encrypt certificate, and credentials and session tokens never travel in clear text. Use the SecureHeaders plugin to enforce HSTS. |
| Brute‑force login | Turn on RemotePlayGuard 2‑FA and rate‑limit logins to 5 attempts per hour per source IP. |
| Metadata leakage | MetaCache stores all data locally; disable external API calls in Settings → Metadata → Internet Sources. |
| Docker container escape | Run the container as an unprivileged user (PUID/PGID), mount media read‑only (`:ro`), never pass `--privileged`, and drop the capabilities the server does not need. |
| Open ports | If you only need local streaming, keep 8096 (HTTP) and 8920 (HTTPS) off the public interface: firewall them on the host, bind the container’s published port to the LAN address rather than 0.0.0.0, and reach the server remotely through an SSH or VPN tunnel. |
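The container and network rows of the table, as one Compose file. This is an added example, not the page’s or the kirlif image’s own configuration, and everything in it that is not in the table is an assumption: the image `lscr.io/linuxserver/emby` (chosen because it honours the same PUID/PGID variables the table names), the host name `media.example.com`, the LAN host address `192.168.0.10`, the unprivileged UID/GID 1000, the media paths, and Docker Compose v2.23.1 or newer for the inline `configs.content` block that carries the Caddyfile.

```yaml
# Added example, not the kirlif image's own compose file. Assumptions (not on
# the page): image lscr.io/linuxserver/emby, host name media.example.com, LAN
# host address 192.168.0.10, unprivileged UID/GID 1000, media under /srv/media,
# and Docker Compose v2.23.1+ for the inline `configs.content` block.
services:
  emby:
    image: lscr.io/linuxserver/emby:latest   # assumed image; honours PUID/PGID as the table describes
    environment:
      PUID: "1000"                           # the server process runs as this unprivileged user
      PGID: "1000"
      TZ: "Etc/UTC"
    volumes:
      - ./config:/config                     # the only writable mount
      - /srv/media/movies:/data/movies:ro    # media is read-only inside the container
      - /srv/media/tv:/data/tvshows:ro
    ports:
      - "192.168.0.10:8096:8096"             # LAN clients only; 0.0.0.0 would bypass host ufw rules
    cap_drop: [ALL]                          # no `privileged: true`, no default capability set
    cap_add:                                 # assumed minimum for the image's init to chown /config
      - CHOWN                                # and switch from root to PUID/PGID; extend only if
      - SETUID                               # the container fails to start
      - SETGID
      - DAC_OVERRIDE
      - FOWNER
    security_opt:
      - no-new-privileges:true               # setuid binaries cannot regain privileges
    restart: unless-stopped

  caddy:
    image: caddy:2
    ports:
      - "80:80"                              # ACME HTTP-01 challenge and redirect to HTTPS
      - "443:443"
    volumes:
      - caddy_data:/data                     # keeps the Let's Encrypt certificate and account key
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    cap_drop: [ALL]
    cap_add: [NET_BIND_SERVICE]              # only what is needed to bind 80 and 443
    security_opt:
      - no-new-privileges:true
    depends_on: [emby]
    restart: unless-stopped

configs:
  caddyfile:
    content: |
      media.example.com {
          # Caddy obtains and renews the Let's Encrypt certificate automatically.
          header Strict-Transport-Security "max-age=31536000; includeSubDomains"
          reverse_proxy emby:8096            # plain HTTP only on the internal compose network
      }

volumes:
  caddy_data:
```

Bring it up with `docker compose up -d` once `media.example.com` resolves to the host and 80/443 are reachable from the internet, otherwise the Let’s Encrypt challenge fails and Caddy keeps retrying. Emby’s own 8096 is published on the LAN address only, so remote users get HTTPS through Caddy and nothing else; confirm with `ss -ltnp` that 8096 is listening on 192.168.0.10 and not on 0.0.0.0.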
Quick hardening script (run on host):
```bash
#!/usr/bin/env bash
# Host firewall for an Emby container on Ubuntu/Debian: 8096/8920 reachable from
# the LAN only. Docker inserts its own iptables rules ahead of ufw, so these
# rules only bite if the container publishes its port on a specific address
# (e.g. 192.168.0.10:8096:8096) instead of 0.0.0.0.
set -euo pipefail
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp comment 'keep SSH open before enabling'
ufw allow from 192.168.0.0/24 to any port 8096 proto tcp comment 'Emby local HTTP'
ufw allow from 192.168.0.0/24 to any port 8920 proto tcp comment 'Emby local HTTPS'
ufw deny 8096/tcp
ufw deny 8920/tcp
ufw --force enable
```

ufw matches rules in the order they were added, so the LAN allows must precede the denies. Check the result with `ufw status numbered` and, from outside the LAN, confirm that 8096 and 8920 time out.