What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
It feels like everything is a tradeoff and I think a setup like this reduces the complexity for people you share with.
If you added fail2ban along with alert email/notifications you could have a chance to react if you were ever targeted for a brute force attempt. Jellyfin docs talk about setting this up for anyone interested.
Blocking IP segments based on geography of countries you don’t expect connections from adds the cost of a VPN for malicious actors in those areas.
Giving Jellyfin its own VLAN on your network could help limit exposure to your other services and devices if you experience a 0day or are otherwise compromised.
Fail2ban isn’t going to help you when jellyfin has vulnerable endpoints that need no authentication at all.
Your comment got me looking through the jellyfin github issues. Are the bugs listed for unauthenticated endpoints what you’re referencing? It looks like the 7 open mention being able to view information about the jellyfin instance or view the media itself. But this is just what was commented as possible, there could be more possibilities especially if combined with other vulnerabilities.
Now realizing there are parts of Jellyfin that are known to be accessible without authentication, I’m thinking Fail2ban is going to do less but unless there are ways to do injection with the known bugs/a new 0day they will still need to brute force a password to be able to make changes. I’m curious if there is anything I’m overlooking.
TBH, that should be enough right here. That is a JUICY target for hacking.
You can tell outside that someone is running JF.
You know what packages are used.
You have full access to the source.
You know what endpoints are exposed and available.
All you need is a whole in ffmpeg, a codec, a scaler, or something in libAV. There are a hundred different projects in there from everyone and their brother. And all somebody with experience needs is one of them to have an exploit in a spot where you can send it a payload through an endpoint that doesn’t require authentication.
We need something to gatekeep. Some form of firewall knocking, or VPN. We don’t need JF to be as publicly accessible as Netflix; we just need a way for our friends and family to get in, prove they’re who they are, and reject all anonymous traffic.