agnos.is Forums

Jellyfin over the internet

  • epicfailguy@lemmy.worldE [email protected]

    I'm currently using CF Tunnels and I'm thinking about this (I have pretty good offers for VPS as low as $4 a month)

    Can you comment on bandwidth expectations? My concern is that I also tunnel Nextcloud and my offsite backups and I may exceed the VPS bandwidth restrictions.

    BTW I'm testing Pangolin which looks AWESOME so far.

    S This user is from outside of this forum
    #174

    I am using the free Oracle VPS offer until they block me, so far I have no issue. Alternatively I wanted to check out IONOS, since you don't have a bandwidth limit there.

    epicfailguy@lemmy.worldE 1 Reply Last reply
    2
    • S [email protected]

      I am using the free Oracle VPS offer until they block me, so far I have no issue. Alternatively I wanted to check out IONOS, since you don't have a bandwidth limit there.

      epicfailguy@lemmy.worldE This user is from outside of this forum
      #175

      WOW! That's one hell of a deal. You've convinced me XD I'm installing Pangolin right now. The hell with Cloudflare and their evil ways

      1 Reply Last reply
      1
      • S [email protected]

        Not sure what you mean. Plex has a bubble you can get stuck in. Jellyfin is free and open source

        T This user is from outside of this forum
        #176

        Talking about Synology, if I’m not mistaken you’ll have to buy all from their store now: Synology hard drive and such

        S 1 Reply Last reply
        0
        • A [email protected]

          I tried really hard to get a named Cloudflare tunnel working with a domain name I registered (I share my personal home videos with a non-technical family member in Italy) but couldn't get it working no matter what I tried.

          A This user is from outside of this forum
          #177

          I'm not sure what the OS you use is, but on Linux (Debian based) they have a curl installer that installs their systemd service preconfigured for your account and the specific tunnel you're using.

          Once that is installed, configuration is pretty easy. Inside their ZeroTrust portal, you will find the options to configure ports.

          Always point your tunnel to https://localhost:port or http://localhost:port. You can get a TLS cert from Let's Encrypt for your first one. New certifications are issued by Cloudflare's partners regularly to prevent expiration. I think I have like 3 for my domain now? 1 from Let's Encrypt and a couple from Google.

          This could be totally unrelated, but when I first configured my domain, I used DuckDNS as my DNS registrar so I could do everything over WireGuard. That is still set up and in Cloudflare I still have DuckDNS included in my DNS registry. Could be worth a shot to set that up and add it to your DNS registry on Cloudflare.

          1 Reply Last reply
          0
          • M [email protected]

            You've minimized login risk, but not any 0 days or newly discovered vulnerabilities in your SSH server software. It's still best to not directly expose any ports you don't need to regularly interact with to the internet.

            Also, look into CrowdSec as a fail2ban replacement. It uses automatically crowdsourced info to pre-block IPs. A bit more proactive compared to AbuseIPDB manual reporting.

            T This user is from outside of this forum
            #178

            I have the firewall of my VPS reject any IP range except the ones I’m on frequently, that is mobile, home and work. Sucks when you travel, but otherwise works alright.

            Still exposes ports to some people on the same mobile or home internet service networks…

            1 Reply Last reply
            1
            • F [email protected]

              I used to do all the things mentioned here. Now, I just use WireGuard. If a family member wants to use a service, they need WireGuard. If they don't want to install it, they don't get the service.

              K This user is from outside of this forum
              #179

              Pangolin could be a solution

              1 Reply Last reply
              4
              • T [email protected]

                Talking about Synology, if I’m not mistaken you’ll have to buy all from their store now: Synology hard drive and such

                S This user is from outside of this forum
                #180

                Oh yeah, I bought a Synology before all of that crap. I still have WD drives in there. I don't plan on any updates to ensure I don't have to deal with that

                1 Reply Last reply
                1
                • N [email protected]

                  I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.

                  E This user is from outside of this forum
                  #181

                  I have SSH on a random port and only get so many scans, so low that fail2ban never banned anyone that was not myself (accidentally).

                  1 Reply Last reply
                  0
                  • F [email protected]

                    I used to do all the things mentioned here. Now, I just use WireGuard. If a family member wants to use a service, they need WireGuard. If they don't want to install it, they don't get the service.

                    M This user is from outside of this forum
                    #182

                    Came here to say this. I use WireGuard and it simply works.

                    1 Reply Last reply
                    4
                    • C [email protected]

                      The issue is not encryption, it's the unauthenticated API. People can interact with your server without an account.

                      F This user is from outside of this forum
                      #183

                      Specifically these issues: https://github.com/jellyfin/jellyfin/issues/5415

                      The big one is that video/audio playing endpoints can be used without authentication. However, you have to guess a UUID. If Jellyfin is using UUIDv4 (fully random), then this shouldn't be an issue; the search space is too big. However, many of the other types of UUIDs could hypothetically be enumerated through brute force. I'm not sure what Jellyfin uses for UUIDs.

                      maggiwuerze@feddit.orgM 1 Reply Last reply
                      2
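
The check post #183 describes, as an added example that is not part of the original thread and not Jellyfin code: it reads the version and variant fields of ids sampled from your own server and reports whether their layout is random (version 4) or derived from time or a name. The function names and the sample ids are constructed for illustration.

```python
import uuid
from collections import Counter
from datetime import datetime, timedelta, timezone

UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # start of the UUIDv1 clock

def assess_uuid(text):
    """Describe what a UUID's layout says about how guessable it is."""
    u = uuid.UUID(text)  # raises ValueError if this is not 128 bits of hex
    # random_bits stays None when the layout itself guarantees no randomness.
    info = {"version": u.version, "random_bits": None}
    if u.variant != uuid.RFC_4122:
        info["verdict"] = "not an RFC 4122 layout; make no assumption of randomness"
    elif u.version == 4:
        # 128 bits minus 4 version bits and 2 variant bits.
        info["random_bits"] = 122
        info["verdict"] = "random layout; unguessable only if a CSPRNG produced it"
    elif u.version == 1:
        # 60-bit timestamp in 100 ns ticks, plus the generating host's node id.
        info["created"] = UUID_EPOCH + timedelta(microseconds=u.time // 10)
        info["node"] = f"{u.node:012x}"
        info["verdict"] = "time and node based; neighbouring ids are predictable"
    elif u.version in (3, 5):
        info["verdict"] = "hash of a name; only as secret as that name"
    else:
        info["verdict"] = "other version; check the generator's documentation"
    return info

def audit_ids(ids):
    """Summarise a sample of ids taken from your own server's URLs or logs."""
    versions = Counter(assess_uuid(i)["version"] for i in ids)
    return {
        "versions": dict(versions),
        "all_v4": set(versions) == {4},
        # Several different version nibbles in one sample usually means the
        # values are not UUIDs at all, e.g. a digest printed in GUID form.
        "mixed": len(versions) > 1,
    }

def years_to_guess(random_bits, guesses_per_second):
    """Expected years to hit one specific id by blind guessing."""
    expected_tries = 2 ** (random_bits - 1)
    return expected_tries / guesses_per_second / (365 * 24 * 3600)

# Constructed sample values, not taken from any real server.
SAMPLE = [
    "f47ac10b-58cc-4372-a567-0e02b2c3d479",                 # version 4 layout
    "6ba7b810-9dad-11d1-80b4-00c04fd430c8",                 # version 1 layout
    str(uuid.uuid5(uuid.NAMESPACE_DNS, "media.example")),   # version 5 layout
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s, assess_uuid(s))
    print(audit_ids(SAMPLE))
    print(f"{years_to_guess(122, 1_000_000):.2e} years at 1M guesses/s")
```

A version nibble of 4 only describes the layout, so ids that must stay secret still need authentication in front of the endpoint rather than reliance on the search space alone.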
                      • _cryptagion@lemmy.dbzer0.com_ [email protected]

                        My go to secure method is just putting it behind Cloudflare so people can’t see my IP, same as every other service. Nobody is gonna bother wasting time hacking into your home server in the hopes that your media library isn’t shit, when they can just pirate any media they want to watch themselves with no effort.

                        E This user is from outside of this forum
                        #184

                        Nobody is gonna bother wasting time hacking into your home server

                        They absolutely will lol. It’s happening to you right now in fact. It’s not to consume your media, it’s just a matter of course when you expose something to the internet publicly.

                        _cryptagion@lemmy.dbzer0.com_ A dbtng@eviltoast.orgD 3 Replies Last reply
                        13
                        • T [email protected]

                          What’s your go-to (secure) method for casting over the internet with a Jellyfin server?

                          I’m wondering what to use and I’m pretty beginner at this

                          E This user is from outside of this forum
                          #185

                          If you’re a beginner and you’re looking for the most secure way with least amount of effort, just VPN into your home network using something like WireGuard, or use an off-the-shelf mesh VPN like Tailscale to connect directly to your JF server. You can give access to your VPN to other people to use. Tailscale would be the easiest to do this with, but if you want to go full self-hosted you can do it with WireGuard if you’re willing to put in a little extra leg work.

                          What I’ve done in the past is run a reverse proxy on a cloud VPS and tunnel that to the JF server. The cloud VPS acts as a reverse proxy and a web application firewall which blocks common exploits, failed connection attempts etc. You can take it one step beyond that if you want people to authenticate BEFORE they reach your server by using an OAuth provider and whatever forward auth your reverse proxy software supports.

                          1 Reply Last reply
                          11
                          • E [email protected]

                            Nobody is gonna bother wasting time hacking into your home server

                            They absolutely will lol. It’s happening to you right now in fact. It’s not to consume your media, it’s just a matter of course when you expose something to the internet publicly.

                            _cryptagion@lemmy.dbzer0.com_ This user is from outside of this forum
                            #186

                            No, people are probing it right now. But looking at the logs, nobody has ever made it through. And I run a pretty basic setup, just Cloudflare and Authelia hooking into an LDAP server, which powers Jellyfin. Somebody who invests a little more time than me is probably a lot safer. Tailscale is nice, but it’s overkill for most people, and the majority of setups I see posted here are secure enough to stop any random scanning that happens across them, if not dedicated attention.

                            E 1 Reply Last reply
                            4
                            • E [email protected]

                              Nobody is gonna bother wasting time hacking into your home server

                              They absolutely will lol. It’s happening to you right now in fact. It’s not to consume your media, it’s just a matter of course when you expose something to the internet publicly.

                              A This user is from outside of this forum
                              #187

                              What a bunch of BS. Sure, your IP gets probed, it's happening to every IPv4 address all the time. But that is not hacking.

                              E 1 Reply Last reply
                              6
                              • S [email protected]

                                I host it publicly accessible behind a proper firewall and reverse proxy setup.

                                If you are only ever using Jellyfin from your own, WireGuard-configured phone, then that's great; but there's nothing wrong with hosting Jellyfin publicly.

                                I think one of these days I need to make a "myth-busting" post about this topic.

                                A This user is from outside of this forum
                                #188

                                Same for me. But according to everyone I should be destroyed.

                                1 Reply Last reply
                                7
                                • W [email protected]

                                  and a local reverse proxy that can route through WireGuard when you want to watch on a smart TV.

                                  It's not as complicated as it sounds, it's just a WireGuard client, and a reverse proxy like on the main server.

                                  It can even be your laptop, without HDMI cables

                                  A This user is from outside of this forum
                                  #189

                                  How would you do this off network?

                                  W 1 Reply Last reply
                                  0
                                  • N [email protected]

                                    I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.

                                    A This user is from outside of this forum
                                    #190

                                    SSH has nothing to do with scanning. Your IP and everyone else's IP is being scanned constantly. In IPv4 space at least.

                                    1 Reply Last reply
                                    0
                                    • _cryptagion@lemmy.dbzer0.com_ [email protected]

                                      No, people are probing it right now. But looking at the logs, nobody has ever made it through. And I run a pretty basic setup, just Cloudflare and Authelia hooking into an LDAP server, which powers Jellyfin. Somebody who invests a little more time than me is probably a lot safer. Tailscale is nice, but it’s overkill for most people, and the majority of setups I see posted here are secure enough to stop any random scanning that happens across them, if not dedicated attention.

                                      E This user is from outside of this forum
                                      #191

                                      No, they are actively trying to get in right now. If you have Authelia exposed they’re brute forcing it. They’re actively trying to exploit vulnerabilities that exist in whatever outwardly accessible software you’re exposing is, and in many cases also in software you’re not even using in scattershot fashion. Cloudflare is blocking a lot of the well known CVEs for sure, so you won’t see those hit your server logs. If you look at your Authelia logs you’ll see the login attempts though. If you connect via SSH you’ll see those in your server logs.

                                      You’re mitigating it, sure. But they are absolutely 100% trying to get into your server right now, same as everyone else. There is no consideration to whether you are a self hosted or a Fortune 500 company.

                                      _cryptagion@lemmy.dbzer0.com_ 1 Reply Last reply
                                      9
                                      • A [email protected]

                                        What a bunch of BS. Sure, your IP gets probed, it's happening to every IPv4 address all the time. But that is not hacking.

                                        E This user is from outside of this forum
                                        #192

                                        Anything you expose to the internet publicly will be attacked, just about constantly. Brute force attempts, exploit attempts, the whole nine. It is a ubiquitous and fundamental truth I’m afraid. If you think it’s not happening to you, you just don’t know enough about what you’re doing to realize.

                                        You can mitigate it, but you can’t stop it. There’s a reason you’ll hear terms like “attack surface” used when discussing this stuff. There’s no “if” factor when it comes to being attacked. If you have an attack surface, it is being attacked.

                                        meltedcheese@c.imM M 2 Replies Last reply
                                        11
                                        • E [email protected]

                                          Anything you expose to the internet publicly will be attacked, just about constantly. Brute force attempts, exploit attempts, the whole nine. It is a ubiquitous and fundamental truth I’m afraid. If you think it’s not happening to you, you just don’t know enough about what you’re doing to realize.

                                          You can mitigate it, but you can’t stop it. There’s a reason you’ll hear terms like “attack surface” used when discussing this stuff. There’s no “if” factor when it comes to being attacked. If you have an attack surface, it is being attacked.

                                          meltedcheese@c.imM This user is from outside of this forum
                                          #193

                                          @EncryptKeeper That’s my experience. Zombied home computers are big business. The networks are thousands of computers. I had a hacker zombie my printer(!) maybe via an online fax connection and it/they then proceeded to attack everything else on my network. One older machine succumbed before I could lock everything down.

                                          1 Reply Last reply
                                          3