Jellyfin over the internet
-
No, they are actively trying to get in right now. If you have Authelia exposed they’re brute forcing it.
No, they aren't. Just to be sure, I just checked it, and out of the over 2k requests made to the Authelia login page in the last 24 hours, none have made it to the login page itself. You don't know jack shit about what's going on in another persons network, so I'm not sure why you're acting like some kind of expert.
wrote last edited by [email protected]Yes they are. The idea that they’re not would be a statistical wonder.
2k requests made to the Authelia login page in the last 24 hours
Are you logging into your Authelia login page 2k times a day? If not, I suspect that some (most) of those are malicious lol.
You don't know jack shit about what's going on in another persons network
It’s the internet, not your network. And I’m well aware of how the internet works. What you’re trying to argue here is like arguing that there’s no possible way that I know your part of the earth revolves around the sun. Unless you’re on a different internet from the rest of us, you’re subject to the same behavior. I mean I guess I didn’t ask if you were hosting your server in North Korea but since you’re posting here, I doubt it.
I'm not sure why you're acting like some kind of expert
Well I am an expert with over a decade of experience in cybersecurity, but I’m not acting like an expert here, I’m acting like somebody with at least a rudimentary understanding of how these things work.
-
Yes they are. The idea that they’re not would be a statistical wonder.
2k requests made to the Authelia login page in the last 24 hours
Are you logging into your Authelia login page 2k times a day? If not, I suspect that some (most) of those are malicious lol.
You don't know jack shit about what's going on in another persons network
It’s the internet, not your network. And I’m well aware of how the internet works. What you’re trying to argue here is like arguing that there’s no possible way that I know your part of the earth revolves around the sun. Unless you’re on a different internet from the rest of us, you’re subject to the same behavior. I mean I guess I didn’t ask if you were hosting your server in North Korea but since you’re posting here, I doubt it.
I'm not sure why you're acting like some kind of expert
Well I am an expert with over a decade of experience in cybersecurity, but I’m not acting like an expert here, I’m acting like somebody with at least a rudimentary understanding of how these things work.
Yes they are. The idea that they’re not would be a statistical wonder.
Guess I’m a wonder then. I’ve always thought of myself as pretty wonderful, I’m glad to hear you agree.
Are you logging into your Authelia login page 2k times a day? If not, I suspect that some (most) of those are malicious lol.
That’s 2k requests made. None of them were served. Try to keep up.
Well I am an expert with over a decade of experience in cybersecurity, but I’m not acting like an expert here, I’m acting like somebody with at least a rudimentary understanding of how these things work.
Then I guess I should get a career in cybersecurity, because I obviously know more than someone with over a decade of supposed experience. If you were worth whatever your company is paying you in wages, you would know that a rule blocking connections from other countries, and also requiring the request for the login page come from one of the services on your domain, will block virtually all malicious attempts to access your services. Such a rule doesn’t work for a public site, but for a selfhosted setup it’s absolutely an easy option to reduce your bandwidth usage and make your setup far more secure.
-
Yes they are. The idea that they’re not would be a statistical wonder.
Guess I’m a wonder then. I’ve always thought of myself as pretty wonderful, I’m glad to hear you agree.
Are you logging into your Authelia login page 2k times a day? If not, I suspect that some (most) of those are malicious lol.
That’s 2k requests made. None of them were served. Try to keep up.
Well I am an expert with over a decade of experience in cybersecurity, but I’m not acting like an expert here, I’m acting like somebody with at least a rudimentary understanding of how these things work.
Then I guess I should get a career in cybersecurity, because I obviously know more than someone with over a decade of supposed experience. If you were worth whatever your company is paying you in wages, you would know that a rule blocking connections from other countries, and also requiring the request for the login page come from one of the services on your domain, will block virtually all malicious attempts to access your services. Such a rule doesn’t work for a public site, but for a selfhosted setup it’s absolutely an easy option to reduce your bandwidth usage and make your setup far more secure.
a rule blocking connections from other countries, and also requiring the request for the login page come from one of the services on your domain, will block virtually all malicious attempts to access your services.
Whoa whoa whoa. What malicious attempts?
You just told me you were the statistical wonder that nobody is bothering attack?
That’s 2k requests made. None of them were served.
So those 2k requests were not you then? They were hostile actors attempting to gain unauthorized access to your services?
Well there we have it folks lmao
-
Cloudflare. No public exposure to the internet.
Are we not worried about their terms of service? I've been using pangolin
-
a rule blocking connections from other countries, and also requiring the request for the login page come from one of the services on your domain, will block virtually all malicious attempts to access your services.
Whoa whoa whoa. What malicious attempts?
You just told me you were the statistical wonder that nobody is bothering attack?
That’s 2k requests made. None of them were served.
So those 2k requests were not you then? They were hostile actors attempting to gain unauthorized access to your services?
Well there we have it folks lmao
Whoa whoa whoa. What malicious attempts?
I said it would block all malicious attempts. I didn't say the people trying to access my services were malicious. Clearly the OP is worried about that. I however, having just the meager experience of, you know, actually fucking running the a Jellyfin server, am not. But I'm also not trying convince people I'm a smug cybersecurity expert with a decade of experience.
-
I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I've restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there..
Its very easy to deploy fail2ban for Jellyfin: https://jellyfin.org/docs/general/post-install/networking/advanced/fail2ban/
-
Whoa whoa whoa. What malicious attempts?
I said it would block all malicious attempts. I didn't say the people trying to access my services were malicious. Clearly the OP is worried about that. I however, having just the meager experience of, you know, actually fucking running the a Jellyfin server, am not. But I'm also not trying convince people I'm a smug cybersecurity expert with a decade of experience.
As OP should be. 2k attempts a day at unauthorized access to your services is a pretty clear indicator of that. Seems you’ve mitigated it well enough, why would you suggest that OP not bother doing the same? If you’re so convinced those 2k attempts are not malicious, then go ahead and remove those rules if they’re unnecessary.
Perhaps as someone with only meager experience running a Jellyfin server who can’t even recognize malicious traffic to their server, and zero understanding of the modern internet threat landscape, you shouldn’t be spreading misinformation that’s potentially damaging to new selfhosters?
-
Are we not worried about their terms of service? I've been using pangolin
We are, Batman, we are.
I VPN to my network for it.
-
As OP should be. 2k attempts a day at unauthorized access to your services is a pretty clear indicator of that. Seems you’ve mitigated it well enough, why would you suggest that OP not bother doing the same? If you’re so convinced those 2k attempts are not malicious, then go ahead and remove those rules if they’re unnecessary.
Perhaps as someone with only meager experience running a Jellyfin server who can’t even recognize malicious traffic to their server, and zero understanding of the modern internet threat landscape, you shouldn’t be spreading misinformation that’s potentially damaging to new selfhosters?
If you were any good at reading, you would know that I said those rules protect the Authelia login page. They don't protect the Jellyfin service or its login page at all. The Jellyfin instance is not behind anything except Cloudflare. I stated that in my very first message. Removing those rules would have no effect whatsoever on Jellyfin.
-
If you were any good at reading, you would know that I said those rules protect the Authelia login page. They don't protect the Jellyfin service or its login page at all. The Jellyfin instance is not behind anything except Cloudflare. I stated that in my very first message. Removing those rules would have no effect whatsoever on Jellyfin.
It’s over man. You’ve made it very clear you have no idea what you’re talking about, how any of this works, or even what’s going on with your own selfhosted services. Back peddling away from your own arguments and trying to sweep up the beans you’ve already spilled isn’t going to help your case.
Maybe stick to your day job, I just don’t think that cybersecurity career is in the cards for you.
-
Here, since you can't use a search engine: https://www.cvedetails.com/vulnerability-list/vendor_id-22884/product_id-81332/Jellyfin-Jellyfin.html
More, because I've been around this lap before, you'll ask for more and not believe that one, here's another: https://www.cvedetails.com/vulnerability-list/vendor_id-22884/product_id-81332/Jellyfin-Jellyfin.html
Do what you want. Idgaf about your install, just mine.
I don't want to be an asshole but after checking a couple of those out they all appear to be post-authorization vulnerabilities? Like sure if you're just passing out credentials to your jellyfin instance someone could use the device log upload to wreck your container, but shouldn't most people be more worried about vulnerabilities that have surface for unauthorized attackers?
-
It’s over man. You’ve made it very clear you have no idea what you’re talking about, how any of this works, or even what’s going on with your own selfhosted services. Back peddling away from your own arguments and trying to sweep up the beans you’ve already spilled isn’t going to help your case.
Maybe stick to your day job, I just don’t think that cybersecurity career is in the cards for you.
Yeah, some random nobody trying to convince people they're a cybersecurity expert is gonna be what shuts me up.
I very clearly laid out my setup, and how you were wrong. If you can't even read well enough to understand that, let alone form som kind of actual argument backed up by reality, that isn't my problem to deal with.
I would say stick to your own day job, but if this is actually your day job then maybe check out whether your local Burger King has openings, you'll do less harm there.
-
We are, Batman, we are.
I VPN to my network for it.
wrote last edited by [email protected]I expose jellyfin and keycloak to the internet with pangolin, jellyfin user only has read access. Using the sso
jellyfin listens to my keycloak which has Google as an identity provider(admin disabled), restricting access to my users, but letting people use their google identity. Learned my family doesn't use anything that isn't sso head-to-toe.It's what we do in the shadows that makes us heroes, kalpol.
-
Anything you expose to the internet publicly will be attacked, just about constantly. Brute force attempts, exploit attempts, the whole nine. It is a ubiquitous and fundamental truth I’m afraid. If you think it’s not happening to you, you just don’t know enough about what you’re doing to realize.
You can mitigate it, but you can’t stop it. There’s a reason you’ll hear terms like “attack surface” used when discussing this stuff. There’s no “if” factor when it comes to being attacked. If you have an attack surface, it is being attacked.
Yup, the sad reality is that you don’t need to worry about the attacks you expect; You need to worry about the ones you don’t know anything about. Honeypots exist specifically to alert you that something has been breached.
-
Yeah, some random nobody trying to convince people they're a cybersecurity expert is gonna be what shuts me up.
I very clearly laid out my setup, and how you were wrong. If you can't even read well enough to understand that, let alone form som kind of actual argument backed up by reality, that isn't my problem to deal with.
I would say stick to your own day job, but if this is actually your day job then maybe check out whether your local Burger King has openings, you'll do less harm there.
wrote last edited by [email protected]You’ve argued from a position of weakness against a well known and accepted truth, and have provided zero proof to back up your outlandish claim. On the contrary you’ve admitted to the existence of unwanted access attempts to your services, as well as your usage of mitigations to the same problem you insist doesn’t exist.
It’s over man. You’re certified expert yapper but that’s not going to convince me or anyone else here that you know what you’re talking about. It’s a wrap.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Tailscale with self hosted headscale
-
I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I've restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there..
This is the biggest weakness of Jellyfin. Native OIDC support would really be a no brainer at this point.
-
You’ve argued from a position of weakness against a well known and accepted truth, and have provided zero proof to back up your outlandish claim. On the contrary you’ve admitted to the existence of unwanted access attempts to your services, as well as your usage of mitigations to the same problem you insist doesn’t exist.
It’s over man. You’re certified expert yapper but that’s not going to convince me or anyone else here that you know what you’re talking about. It’s a wrap.
It’s over man. You’re certified expert yapper but that’s not going to convince me or anyone else here that you know what you’re talking about.
Is this Reddit? When were we supposed to be seeking the validation of random strangers on the net, especially ones who brag about their bona fides like it's a CoD lobby? You keep saying it's over, but for some reason you keep coming back here to try to get the last word. If I'm in a position of weakness, why is it you're the one trying so hard? You're in a dick measuring contest against yourself. I'm getting second-hand embarrassment.
-
I was just trying to get a setup like this going yesterday. I used standard Wiregaurd and got that working between the VPS and home server, but I was trying to set up Caddy as a reverse proxy to direct the incoming traffic through the WG VPN to my services. I wasnt able to figure it out yesterday. Everyone online says Caddy is so simple, but I'm such a noob I just have no idea what it's doing or how to troubleshoot.
You should try pangolin. It uses Traefik instead of Caddy under the hood but it automates approximately 80 % of setup. It's what I use for my setup.
-
I don't want to be an asshole but after checking a couple of those out they all appear to be post-authorization vulnerabilities? Like sure if you're just passing out credentials to your jellyfin instance someone could use the device log upload to wreck your container, but shouldn't most people be more worried about vulnerabilities that have surface for unauthorized attackers?
A while back there was a situation where outsiders could get the name of the contents of your Jellyfin server, which would incriminate anyone. I believe it's patched now, but I don't think Jellyfin is winning any security awards. It's a selfhosted media server. I have no frame of reference for knowing whether or not any of my information was overkill and I'm sure there are even some out there that would say I didn't go far enough, even.
