Jellyfin over the internet
-
I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.
Ssh has nothing to do with scanning. Your IP and everyone else up is being scanned constantly. In ipv4 space at least.
-
No, people are probing it right now. But looking at the logs, nobody has ever made it through. And I run a pretty basic setup, just Cloudflare and Authelia hooking into an LDAP server, which powers Jellyfin. Somebody who invests a little more time than me is probably a lot safer. Tailscale is nice, but it’s overkill for most people, and the majority of setups I see posted here are secure enough to stop any random scanning that happens across them, if not dedicated attention.
wrote last edited by [email protected]No, they are actively trying to get in right now. If you have Authelia exposed they’re brute forcing it. They’re actively trying to exploit vulnerabilities that exist in whatever outwardly accessible software you’re exposing is, and in many cases also in software you’re not even using in scattershot fashion. Cloudflare is blocking a lot of the well known CVEs for sure, so you won’t see those hit your server logs. If you look at your Authelia logs you’ll see the login attempts though. If you connect via SSH you’ll see those in your server logs.
You’re mitigating it, sure. But they are absolutely 100% trying to get into your server right now, same as everyone else. There is no consideration to whether you are a self hosted or a Fortune 500 company.
-
What a bunch of B's. Sure your up gets probed it's happening to every ipv4 address all the time. But that is not hacking.
wrote last edited by [email protected]Anything you expose to the internet publicly will be attacked, just about constantly. Brute force attempts, exploit attempts, the whole nine. It is a ubiquitous and fundamental truth I’m afraid. If you think it’s not happening to you, you just don’t know enough about what you’re doing to realize.
You can mitigate it, but you can’t stop it. There’s a reason you’ll hear terms like “attack surface” used when discussing this stuff. There’s no “if” factor when it comes to being attacked. If you have an attack surface, it is being attacked.
-
Anything you expose to the internet publicly will be attacked, just about constantly. Brute force attempts, exploit attempts, the whole nine. It is a ubiquitous and fundamental truth I’m afraid. If you think it’s not happening to you, you just don’t know enough about what you’re doing to realize.
You can mitigate it, but you can’t stop it. There’s a reason you’ll hear terms like “attack surface” used when discussing this stuff. There’s no “if” factor when it comes to being attacked. If you have an attack surface, it is being attacked.
@EncryptKeeper That’s my experience. Zombied home computers are big business. The networks are thousands of computers. I had a hacker zombie my printer(!) maybe via an online fax connection and it/they then proceeded to attack everything else on my network. One older machine succumbed before I could lock everything down.
-
Jellyfin isn't secure and is full of holes.
That said, here's how to host it anyway.
- Wireguard tunnel, be it tailscale, netbird, innernet, whatever
- A vps with a proxy on it, I like Caddy
- A PC at home with Jellyfin running on a port, sure, 8096
If you aren't using Tailscale, make your VPS your main hub for whatever you choose, pihole, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.
Since Jellyfin isn't exactly secure, secure it. Give it its own user and make sure your media isn't writable by the user. Inconvenient for deleting movies in the app, but better for security.
more...
Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin's host for failures and block ips automatically.
More!
Use Anubis and yes, I can confirm Anubis doesn't intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.
MORE!
SELinux. Lock Jellyfin down. Lock the system down. It's work but it's worth it.
I SAID MORE!
There's a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin's access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone's IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.
Again, don't do any of this and just use Jellyfin over wireguard like everyone else does(they don't).
show me those “holes” this is just fear mongering
-
So I’m another newbie dummy to reverse proxies. I’ve got my jellyfin accessible at jellyfin.mydomain.com but I can only access it through the web. How do I share with other people who want to use the apps? I can’t get my apps to find my instance.
Can "your apps" access it when their device isn't on your home LAN?
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Cloudflare. No public exposure to the internet.
-
show me those “holes” this is just fear mongering
wrote last edited by [email protected]Here, since you can't use a search engine: https://www.cvedetails.com/vulnerability-list/vendor_id-22884/product_id-81332/Jellyfin-Jellyfin.html
More, because I've been around this lap before, you'll ask for more and not believe that one, here's another: https://www.cvedetails.com/vulnerability-list/vendor_id-22884/product_id-81332/Jellyfin-Jellyfin.html
Do what you want. Idgaf about your install, just mine.
-
No, they are actively trying to get in right now. If you have Authelia exposed they’re brute forcing it. They’re actively trying to exploit vulnerabilities that exist in whatever outwardly accessible software you’re exposing is, and in many cases also in software you’re not even using in scattershot fashion. Cloudflare is blocking a lot of the well known CVEs for sure, so you won’t see those hit your server logs. If you look at your Authelia logs you’ll see the login attempts though. If you connect via SSH you’ll see those in your server logs.
You’re mitigating it, sure. But they are absolutely 100% trying to get into your server right now, same as everyone else. There is no consideration to whether you are a self hosted or a Fortune 500 company.
No, they are actively trying to get in right now. If you have Authelia exposed they’re brute forcing it.
No, they aren't. Just to be sure, I just checked it, and out of the over 2k requests made to the Authelia login page in the last 24 hours, none have made it to the login page itself. You don't know jack shit about what's going on in another persons network, so I'm not sure why you're acting like some kind of expert.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
wrote last edited by [email protected]“Technically” my jellyfin is exposed to the internet however, I have Fail2Ban setup blocking every public IP and only whitelisting IP’s that I’ve verified.
I use GeoBlock for the services I want exposed to the internet however, I should also setup Authelia or something along those lines for further verification.
Reverse proxy is Traefik.
-
Your comment got me looking through the jellyfin github issues. Are the bugs listed for unauthenticated endpoints what you're referencing? It looks like the 7 open mention being able to view information about the jellyfin instance or view the media itself. But this is just what was commented as possible, there could be more possibilities especially if combined with other vulnerabilities.
Now realizing there are parts of Jellyfin that are known to be accessible without authentication, I'm thinking Fail2ban is going to do less but unless there are ways to do injection with the known bugs/a new 0day they will still need to brute force a password to be able to make changes. I'm curious if there is anything I'm overlooking.
unless there are ways to do injection with the known bugs/a new 0day
TBH, that should be enough right here. That is a JUICY target for hacking.
You can tell outside that someone is running JF.
You know what packages are used.
You have full access to the source.
You know what endpoints are exposed and available.
All you need is a whole in ffmpeg, a codec, a scaler, or something in libAV. There are a hundred different projects in there from everyone and their brother. And all somebody with experience needs is one of them to have an exploit in a spot where you can send it a payload through an endpoint that doesn't require authentication.
We need something to gatekeep. Some form of firewall knocking, or VPN. We don't need JF to be as publicly accessible as Netflix; we just need a way for our friends and family to get in, prove they're who they are, and reject all anonymous traffic.
-
No, they are actively trying to get in right now. If you have Authelia exposed they’re brute forcing it.
No, they aren't. Just to be sure, I just checked it, and out of the over 2k requests made to the Authelia login page in the last 24 hours, none have made it to the login page itself. You don't know jack shit about what's going on in another persons network, so I'm not sure why you're acting like some kind of expert.
wrote last edited by [email protected]Yes they are. The idea that they’re not would be a statistical wonder.
2k requests made to the Authelia login page in the last 24 hours
Are you logging into your Authelia login page 2k times a day? If not, I suspect that some (most) of those are malicious lol.
You don't know jack shit about what's going on in another persons network
It’s the internet, not your network. And I’m well aware of how the internet works. What you’re trying to argue here is like arguing that there’s no possible way that I know your part of the earth revolves around the sun. Unless you’re on a different internet from the rest of us, you’re subject to the same behavior. I mean I guess I didn’t ask if you were hosting your server in North Korea but since you’re posting here, I doubt it.
I'm not sure why you're acting like some kind of expert
Well I am an expert with over a decade of experience in cybersecurity, but I’m not acting like an expert here, I’m acting like somebody with at least a rudimentary understanding of how these things work.
-
Yes they are. The idea that they’re not would be a statistical wonder.
2k requests made to the Authelia login page in the last 24 hours
Are you logging into your Authelia login page 2k times a day? If not, I suspect that some (most) of those are malicious lol.
You don't know jack shit about what's going on in another persons network
It’s the internet, not your network. And I’m well aware of how the internet works. What you’re trying to argue here is like arguing that there’s no possible way that I know your part of the earth revolves around the sun. Unless you’re on a different internet from the rest of us, you’re subject to the same behavior. I mean I guess I didn’t ask if you were hosting your server in North Korea but since you’re posting here, I doubt it.
I'm not sure why you're acting like some kind of expert
Well I am an expert with over a decade of experience in cybersecurity, but I’m not acting like an expert here, I’m acting like somebody with at least a rudimentary understanding of how these things work.
Yes they are. The idea that they’re not would be a statistical wonder.
Guess I’m a wonder then. I’ve always thought of myself as pretty wonderful, I’m glad to hear you agree.
Are you logging into your Authelia login page 2k times a day? If not, I suspect that some (most) of those are malicious lol.
That’s 2k requests made. None of them were served. Try to keep up.
Well I am an expert with over a decade of experience in cybersecurity, but I’m not acting like an expert here, I’m acting like somebody with at least a rudimentary understanding of how these things work.
Then I guess I should get a career in cybersecurity, because I obviously know more than someone with over a decade of supposed experience. If you were worth whatever your company is paying you in wages, you would know that a rule blocking connections from other countries, and also requiring the request for the login page come from one of the services on your domain, will block virtually all malicious attempts to access your services. Such a rule doesn’t work for a public site, but for a selfhosted setup it’s absolutely an easy option to reduce your bandwidth usage and make your setup far more secure.
-
Yes they are. The idea that they’re not would be a statistical wonder.
Guess I’m a wonder then. I’ve always thought of myself as pretty wonderful, I’m glad to hear you agree.
Are you logging into your Authelia login page 2k times a day? If not, I suspect that some (most) of those are malicious lol.
That’s 2k requests made. None of them were served. Try to keep up.
Well I am an expert with over a decade of experience in cybersecurity, but I’m not acting like an expert here, I’m acting like somebody with at least a rudimentary understanding of how these things work.
Then I guess I should get a career in cybersecurity, because I obviously know more than someone with over a decade of supposed experience. If you were worth whatever your company is paying you in wages, you would know that a rule blocking connections from other countries, and also requiring the request for the login page come from one of the services on your domain, will block virtually all malicious attempts to access your services. Such a rule doesn’t work for a public site, but for a selfhosted setup it’s absolutely an easy option to reduce your bandwidth usage and make your setup far more secure.
a rule blocking connections from other countries, and also requiring the request for the login page come from one of the services on your domain, will block virtually all malicious attempts to access your services.
Whoa whoa whoa. What malicious attempts?
You just told me you were the statistical wonder that nobody is bothering attack?
That’s 2k requests made. None of them were served.
So those 2k requests were not you then? They were hostile actors attempting to gain unauthorized access to your services?
Well there we have it folks lmao
-
Cloudflare. No public exposure to the internet.
Are we not worried about their terms of service? I've been using pangolin
-
a rule blocking connections from other countries, and also requiring the request for the login page come from one of the services on your domain, will block virtually all malicious attempts to access your services.
Whoa whoa whoa. What malicious attempts?
You just told me you were the statistical wonder that nobody is bothering attack?
That’s 2k requests made. None of them were served.
So those 2k requests were not you then? They were hostile actors attempting to gain unauthorized access to your services?
Well there we have it folks lmao
Whoa whoa whoa. What malicious attempts?
I said it would block all malicious attempts. I didn't say the people trying to access my services were malicious. Clearly the OP is worried about that. I however, having just the meager experience of, you know, actually fucking running the a Jellyfin server, am not. But I'm also not trying convince people I'm a smug cybersecurity expert with a decade of experience.
-
I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I've restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there..
Its very easy to deploy fail2ban for Jellyfin: https://jellyfin.org/docs/general/post-install/networking/advanced/fail2ban/
-
Whoa whoa whoa. What malicious attempts?
I said it would block all malicious attempts. I didn't say the people trying to access my services were malicious. Clearly the OP is worried about that. I however, having just the meager experience of, you know, actually fucking running the a Jellyfin server, am not. But I'm also not trying convince people I'm a smug cybersecurity expert with a decade of experience.
As OP should be. 2k attempts a day at unauthorized access to your services is a pretty clear indicator of that. Seems you’ve mitigated it well enough, why would you suggest that OP not bother doing the same? If you’re so convinced those 2k attempts are not malicious, then go ahead and remove those rules if they’re unnecessary.
Perhaps as someone with only meager experience running a Jellyfin server who can’t even recognize malicious traffic to their server, and zero understanding of the modern internet threat landscape, you shouldn’t be spreading misinformation that’s potentially damaging to new selfhosters?
-
Are we not worried about their terms of service? I've been using pangolin
We are, Batman, we are.
I VPN to my network for it.
-
As OP should be. 2k attempts a day at unauthorized access to your services is a pretty clear indicator of that. Seems you’ve mitigated it well enough, why would you suggest that OP not bother doing the same? If you’re so convinced those 2k attempts are not malicious, then go ahead and remove those rules if they’re unnecessary.
Perhaps as someone with only meager experience running a Jellyfin server who can’t even recognize malicious traffic to their server, and zero understanding of the modern internet threat landscape, you shouldn’t be spreading misinformation that’s potentially damaging to new selfhosters?
If you were any good at reading, you would know that I said those rules protect the Authelia login page. They don't protect the Jellyfin service or its login page at all. The Jellyfin instance is not behind anything except Cloudflare. I stated that in my very first message. Removing those rules would have no effect whatsoever on Jellyfin.
