Jellyfin over the internet
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Sad that mTLS support is non existent because it solves this problem.
-
I just expose my local machine to the internet, unsecured
This is absolutely unhinged but god damn it, I respect you.
-
Tailscale with self hosted headscale
Any helpful tips or links to tutorials for this method?
-
Nobody is gonna bother wasting time hacking into your home server
They absolutely will lol. It’s happening to you right now in fact. It’s not to consume your media, it’s just a matter of course when you expose something to the internet publicly.
And this is the start of the longest crypto nerd fight I've seen on Lemmy. Well done, people!
-
Its very easy to deploy fail2ban for Jellyfin: https://jellyfin.org/docs/general/post-install/networking/advanced/fail2ban/
Indeed a good recommendation. I've not set it up yet but I'm probably going to do so in the near future.
-
I just expose my local machine to the internet, unsecured
wrote last edited by [email protected]Yea same I don’t even care.
It’s an old laptop, I have a backup. Go ahead, fuck it up.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
For now just Tailscale but I'm working on setting up a reverse proxy and SSO through Authentik
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I use mTLS by adding a reverse proxy between Jellyfin and the Inet. This makes it hard to use the app, but works perfect with a browser. If you still want to use the app. There is a solution by using stunnel (termux) between te app and the Inet or better, a wireguard VPN.
-
The onn boxes run android so it's just installed as an app from play store. The users connect with their own tailscale account. My server is shared so they see it. Then they install jellyfin on the device, punch in the hostname of the server given by tailscale and the port and then it connects.
I could not get my reverse proxy to let them use my local domain.. I'm not smart enough and couldn't figure it out but they are only using jellyfin so typing one address was fine.
Thank you for following up.
-
Sad that mTLS support is non existent because it solves this problem.
It would cover all phones, pcs and maybe Android TVs.
The barrier to entry would be having to replace the cert every year since we now made that a thing. Maybe spin up a self-sign shirt server and start issuing people 10 years certs
-
Yea same I don’t even care.
It’s an old laptop, I have a backup. Go ahead, fuck it up.
Do you at least have it on a VLAN?
-
For now just Tailscale but I'm working on setting up a reverse proxy and SSO through Authentik
wrote last edited by [email protected]Even more secure is having a VPS and self hosting Heascale, even better is Wireguard
-
Any helpful tips or links to tutorials for this method?
Easiest method is Docker, but it heavily depends on your network and tech stacks.
-
I don't want to be an asshole but after checking a couple of those out they all appear to be post-authorization vulnerabilities? Like sure if you're just passing out credentials to your jellyfin instance someone could use the device log upload to wreck your container, but shouldn't most people be more worried about vulnerabilities that have surface for unauthorized attackers?
plus, most of the mentioned cve's state "versions before ...". Exposing a service to the internet always has a risk to it, keeping your service up-to-date is mandatory. Running behind a vpn can protect you, sure. But it also has to be practical. I don't get why Jellyfin especially gets this kind of slaming. You'll find similar records for any other software.
-
Couple questions here.
What is a honeypot? I've only heard it in terms of piracy.
Also, what steps can someone take to reinforce this attack layer? You have an infograph or something people can google search their way through?
wrote last edited by [email protected]A honeypot is something that is intentionally left available, to alert you when it gets hit. In practice, they’re just a tool to tell security specialists when they need to start worrying; They wouldn’t be used by the average user at all.
The goal is to build your security like layers, and ideally have all of your services behind the secure walls. Between these layers, you have honeypots. If someone gets through your first layer of security but hits the honeypot, you know someone is sniffing around, or maybe has an exploit for your outer layer that you need to research. If they get through the second layer and hit your second honeypot, you know that someone is specifically targeting you (instead of simply running automated scans) and you need to pay closer attention. Etc…
Reinforcing the attack layer comes in two main forms, which work in tandem: Strengthening the actual layer, and reducing attack vectors. The first is focused on using strong passwords, keeping systems up to date, running something like Fail2Ban for services that are exposed, etc… The goal is for each layer of security to be robust, to reduce the chances of a bot attack actually working. Bots will simply sniff around and automatically throw shit at the wall to see if anything sticks.
The second part is focused on identifying and mitigating attack vectors. Essentially reducing the amount of holes in the wall. It doesn’t matter how strong the wall is if it’s full of holes for your server’s various services. The goal is typically to have each layer be as solid as possible, and grant access to the layers below it. So for instance, running a VPN. The VPN gets you access to the network, without exposing services externally. In order to access your services, they need to get through the VPN first, making the VPN the primary attack vector. So you can focus on ensuring that the VPN is secure, instead of trying to spread your focus amongst a dozen different services. If it’s exposed to the open internet, it is a new potential attack vector; The strength of the wall doesn’t actually matter, if one of those services has an exploit that someone can use to get inside your network.
Home users really only need to worry about things like compromised services, but corporate security specialists also focus on things like someone talking their way past the receptionist and into the server room, USB sticks getting “lost” around the building and plugged into random machines by curious employees, etc… All of these are attack vectors, even if they’re not digital. If you have three or four layers of security in a corporate setting and your third or fourth honeypot gets hit, you potentially have some corporate spy wrist-deep in your server room.
For an easy example, imagine having a default password on a service, and then exposing it to the internet via port forwarding. It doesn’t matter how strong your firewall is anymore. The bot will simply sniff the service’s port, try the default credentials, and now it has control of that service.
The better way to do it would be to reduce your attack vectors at each layer; Require the VPN to access the network via a secure connection, then have a strong password on the service so it can’t easily be compromised.
-
Can "your apps" access it when their device isn't on your home LAN?
That was the problem, I couldn't access anything away from my LAN. I finally figured it out though. I'm using Pangolin to access my services outside of my LAN and by default it adds a SSO option. Once I turned that off, my iPhone app was able to find my server through my domain name just fine. Thanks!
-
That was the problem, I couldn't access anything away from my LAN. I finally figured it out though. I'm using Pangolin to access my services outside of my LAN and by default it adds a SSO option. Once I turned that off, my iPhone app was able to find my server through my domain name just fine. Thanks!
Do note that without that layer you were using Pangolin for, your system might be compromised by a vulnerability in Jellyfin's server or a brute force attack on your Jellyfin admin account.
-
Do note that without that layer you were using Pangolin for, your system might be compromised by a vulnerability in Jellyfin's server or a brute force attack on your Jellyfin admin account.
Understood. I set a strong password and a max login attempt on my account.
If someone does get into my account, wouldn’t they only be able to watch what I have on my server anyway?
-
Understood. I set a strong password and a max login attempt on my account.
If someone does get into my account, wouldn’t they only be able to watch what I have on my server anyway?
if they got in...
You're trusting Jellyfin to not have some form of privilege escalation attack available. I'm not saying they do have one or that anyone's exploiting it in the field, but yeah. Also if your Jellyfin admin account is allowed to download subtitles to content folders, a "just fuck shit up" style vandal-hacker could delete your media probably. If you mount the media read-only that wouldn't be a concern.
-
And this is the start of the longest crypto nerd fight I've seen on Lemmy. Well done, people!
Not so much a fight as an exercise in futility lol
