Jellyfin over the internet
Jellyfin over the internet
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
You're viewing a single thread.
Nginx in front of it, open ports for https (and ssh), nothing more. Let's encrypt certificate and you're good to go.
I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.
fail2ban with endlessh and abuseipdb as actions
Anything that's not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.
Youve minimized login risk, but not any 0 days or newly discovered vulnerabilites in your ssh server software. Its still best to not directly expose any ports you dont need to regularly interact with to the internet.
Also, Look into crowdsec as a fail2ban replacement. Its uses automatically crowdsourced info to pre block IPs. A bit more proactive compared to abuseipdb manual reporting.
I have the firewall of my VPS reject any IP range except the ones I’m on frequently, that is mobile, home and work. Sucks when you travel, but otherwise works alright.
Still exposes ports to some people on the same mobile or home internet service networks…
They can try all they like, man. They're not gonna guess a username, key and password.
Doesn't take that to leverage an unknown vulnerability in ssh like:
That's why it's common best practice to never expose ssh to raw internet if you can help it; but yes it's not the most risky thing ever either.
If you're going to open something, SSH is far, far more battle-tested than much other software, even popular software. Pragmatically, If someone is sitting on a 0-day for SSH, do you genuinely think they're gonna waste that on you and me? Either they're gonna sell it to cash out as fast as possible, or they'll sit on it while plotting an attack against someone who has real money. It is an unhealthy level of paranoia to suggest that SSH is not secure, or that it's less secure than the hundreds of other solutions to this problem.
Here is my IP address, make me eat my words.
2a05:f6c7:8321::164 | 89.160.150.164Are you giving random strangers legal permission to pentest you? That's bold.
You got balls to post you public addresses like that... I mean I agree with you wholeheartedly and I also have SSH port forwarded on my firewall, but posting your public IP is next-level confidence.
Respect.
Well, having a domain is basically documenting your IP publicly. It's not that risky.
Well, those won’t typically have ssh exposed on them. But we could argue what is more risky to have exposed, ssh or http. Any publicly available server could be vulnerable, it’s just very unlikely these days (with up to date software).
Plot twost, That it's neighbor ip
That is some big dick energy ngl
I linked a relevant vulnerability, but even ignoring that, pragmatically, you feel they'd be targeting specific targets instead of just what they currently do? (That, by the way, is automating the compromise of vulnerable clients in mass scale to power botnets). Any service you open on your device to the internet is inherently risky. Ssh best practices are, and have been since the early days, not to expose it to the internet directly.
You did link a vulnerability! That is true. I didn't claim SSH had a clean track record, I claimed it had a better track record than most other software. That vulnerability is hard to exploit, and generates a lot of noise if you were to try, which nobody has because it's never been found in the wild.
People who sit on 0-days for critical software like SSH don't go out and try to mass-exploit it because it will be found within the day and patched within the week once they start making noise. This is not a quiet exploit. If they're smart, they sell it. If they're ambitious, they build an elaborate multi-chain attack against a specific target. Only 0.14% of devices vulnerable to this exploit are EoL versions of OpenSSH, so once this was patched, it was no longer a useful attack vector.
It would also have been completely negated by fail2ban, which is prominently deployed on internet facing SSH, as it required thousands and thousands of connection attempts to trigger the condition. It could also have been mitigated by not running sshd as root, though I understand that most people don't want to deal with that headache even though it is possible.
There are thousands of independent honeypots that sit quietly and sniff all the mass-attacks and they earn their daily bread by aggregating and reporting this data. If you run a mass exploit, you will be found within the day. Trust me, I burned an IP address by regularly scanning the whole IPv4 space. You are going to end up on blacklists real fuckin' fast and whatever you were doing will be noticed and reported.
If you're going to open something, SSH is a very safe choice. But yes, don't open it if you don't need it. We are discussing how to open a service to the internet safely, though, so we need it.
🤔🤔🤔🤔🤔
Are we living in the same universe? In mine software doesn't get patched all the time, in fact it's usually a lack of patches that lead to any significant system compromise... Which happens time and time again. Also you're on a thread that is advising hobbiests on how to configure and maintain their personal server, not the engineering meeting for a fortune 500. Yes, you can make ssh very secure. Yes, it's very secure even by default. In the same regard, new vulnerabilities/exploits will be found, and it remains best practice not to expose ssh to raw internet unless absolutely necessary and with the considerations required to mitigate risk. Ssh isn't even implemented identically on every device, so you literally cannot talk about it like you are. Idk why you're arguing against the industry standard for best practices decided by people who have far more experience and engineering time than you or I.
it attempts to log in using a list of credentials.
Do you read what you post or do you just google "ssh vulnerability" and post the first result to waste my inbox space?
Software doesn’t get patched all the time,
SSH does, it is one of the codebases with the most eyeballs on it at any given time and patches to it get fast-tracked downstream.
advising hobbiests on how to configure and maintain their personal server, not the engineering meeting for a fortune 500
You don't need to be a genius to enable keys, disable root and install fail2ban.
it remains best practice not to expose ssh to raw internet unless absolutely necessary
This is correct, but we are arguing about a case in which it is necessary to expose something and it's better that it's one of the most secure and battle-tested pieces of software in the world as opposed to some open source hobby *arr stack.
arguing against the industry standard ... more experience and engineering time than you or I.
I work in this industry, ma'am.
Did you know that simply being connected to the internet puts you at risk? Your firewall could have a vulnerability! Your router's admin panel could be misconfiguration and exposed to the internet! The only way to be safe is to unplug your cable and stop replying to me. Also rip out your bluetooth modules and any LEDs in every device you own because they have been demonstrated to be attack vectors. In fact just stop using anything more complicated than a MOSFET.
People like you in this industry are legitimately the reason botnets and significant compromise still exists. "You don't need to be a genius to do all this additional config to make this thing I'm referring to as secure, secure." Do you even read your own writings before you hit post? Also your final argument is so slathered in whataboutism I can't even. Yes, any internet connectivity is going to be less secure than an air gap, but when you're advising implementations you should keep security posture and best practices in mind. What you're speaking on is more complex than any one person's understanding of it due to significant layers of abstraction. Exhibit a? Ssh is not a codebase. It's a network protocol. The codebase is literally different depending on implementation.
I remember that one. Those are pretty rare and usually involve a specific configuration that is often not the default, though, right? When such a vulnerability is found, is it rightly so major news.
"This race condition affects sshd in its default configuration." direct quote from the linked article, paragraph like... 3. I linked it so people could read, not speculate.
Ah, now I remember. It took a quick configuration change to mitigate this. Still, I’d call this very rare.
I’m going side with @drkt@scribe.disroot.org on this one.
Agreed, but best practices are meant to deal with the very rare. They didn't put the vulnerabilities in the software due to negligence or malice, it's just an ever evolving arms race with cracks that show up due to layer upon layer of abstraction. Again I'm not saying to never expose ssh to the net, quite the opposite, but as a best practice you should never do it unless you fully understand the risk and are prepared to deal with any potential consequences. That's just a core tenant of understanding security posture.
Sure, don’t open ports you don’t need. I said in a different here that I reject all expect IP ranges I’m in for home, mobile and work. That works for me. That blocks the vast majority of the world.
I agree with the other guy that I’m not a target for these vulnerabilities. They are rare and hard to exploit, and valuable. But the basic advice you give is good, obviously.
Don’t expose what you don’t need to expose. Still I have Immich and all of my photos on there. Good luck scamming me with threats of sending them to my family and work. 😀
I've always disliked IT discussions for reasons like this. Everyone who comments seems to think that the mitigations, security considerations, and security compromises (IE, not caring if your images are leaked online) they've made are common knowledge... But, this is a forum advising people on how to configure their home severs for hobbiest use. Best practices should be the mantra, "just raw dog ssh on the internet with your 443/80 port mapping and you're g2g" [sic] shouldn't be an acceptable answer to you. If they'd stated that there are security considerations, but they like to implement them and expose ssh to the net for management purposes I'd have nothing to say, but to just advise people who lack that extra experience, without helping them understand why you're okay doing what you're doing and what you've done to solve for specific issues that the default configuration does not seems unhelpful at best.
Only the failed attempts could be a Denial Of Service and throw you out. So, at least add an ever increasing delay to those. Fail2ban is important.
i have ssh on a random port and only get so many scan, so low that fail2ban never banned anyone that was not myself (accidentally).
Sorry, misunderstanding here, I'd never open SSH to the internet, I meant it as "don't block it via your server's firewall."
So? Pubkey login only and fail2ban to take care of resource abuse.
Change the port it runs on to be stupid high and they won't bother.
Yeah hey what's your IP address real quick? No reason
In 3 years I haven't had a single attempted connection that wasn't me. Once you get to the ephemeral ports nobody is scanning that high.
I'm not saying run no security or something. Just nobody wants to scan all 65k ports. They're looking for easy targets.
Just nobody wants to scan all 65k ports.
Shodan has entered the chat.
Why would you need to expose SSH for everyday use? Or does Jellyfin require it to function?
Maybe leave that behind some VPN access.
I agree, but SSH is more secure than Jellyfin. it shouldn't be exposed like that, others in the comments already pointed out why
Cool if I understand only some of things that you have said. So you have a beginner guide I could follow?
Take a look at Nginx Proxy Manager and how to set it up. But you'll need a domain for that. And preferably use a firewall of some sort on your server and only allow said ports.
I’ve look a little on it, didn’t understand most of it. I’m looking for a comprehensive beginner guide before going foward
This isn't a guide, but any reverse proxy allows you to limit open ports on your network (router) by using subdomains (thisPart.website.com) to route connections to an internal port.
So you setup a rev proxy for jellyfin.website.com that points to the port that jf wants to use. So when someone connects to the subdomain, the reverse proxy is hit, and it reads your configuration for that subdomain, and since it's now connected to your internal network (via the proxy) it is routed to the port, and jf "just works".
There's an ssl cert involved but that's the basic understanding. Then you can add Some Other Services at whatever.website.com and rinse and repeat. Now you can host multiple services, without exposing the open ports directly, and it's easy for users as there is nothing "confusing" like port numbers, IP addresses, etc.
So I’m another newbie dummy to reverse proxies. I’ve got my jellyfin accessible at jellyfin.mydomain.com but I can only access it through the web. How do I share with other people who want to use the apps? I can’t get my apps to find my instance.
Can "your apps" access it when their device isn't on your home LAN?
That was the problem, I couldn't access anything away from my LAN. I finally figured it out though. I'm using Pangolin to access my services outside of my LAN and by default it adds a SSO option. Once I turned that off, my iPhone app was able to find my server through my domain name just fine. Thanks!
Do note that without that layer you were using Pangolin for, your system might be compromised by a vulnerability in Jellyfin's server or a brute force attack on your Jellyfin admin account.
Understood. I set a strong password and a max login attempt on my account.
If someone does get into my account, wouldn’t they only be able to watch what I have on my server anyway?
if they got in...
You're trusting Jellyfin to not have some form of privilege escalation attack available. I'm not saying they do have one or that anyone's exploiting it in the field, but yeah. Also if your Jellyfin admin account is allowed to download subtitles to content folders, a "just fuck shit up" style vandal-hacker could delete your media probably. If you mount the media read-only that wouldn't be a concern.
Also run the reverse proxy on a dedicated box for it in the DMZ
Honestly you can usually just static ip the reverse proxy and open up a 1:1 port mapping directly to that box for 80/443. Generally not relevant to roll a whole DMZ for home use and port mapping will be supported by a higher % of home routing infrastructure than DMZs.
In a perfect world, yes. But not as a beginner, I guess?
It's beginner level, the hard part is the reverse proxy, once you have a grasp on that just having it on a dedicated box in a segmented portion on your firewall designated as the DMZ is easy. Id even go so far as to say its the bare minimum if you're even considering exposing to the internet.
It doesn't even need to be all that powerful since its just relaying packets as a middleman