this post was submitted on 29 Jan 2024
100 points (97.2% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54500 readers
998 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS
 

I have a Jellyfin instance on my local server which I forward to the public web via a cloudflare tunnel. I'm not sure how secure it is, and I keep getting random requests from all over the world. It's my first experience maintaining something on a public domain so I may be worrying about something obvious, but some advice would still be appreciated.

My SSL/TLS encryption mode appears to be "Full".

all 31 comments
sorted by: hot top controversial new old
[–] [email protected] 89 points 9 months ago (1 children)

Any time I've ever had a server of any kind connected to the net it's gotten endless 'doorknob turning' from bots scanning for stuff. At the very least, bots trying ssh passwords on common accounts.

I don't have any specific jellyfin advice, but random attempts from all over is pretty usual on the net these days.

[–] [email protected] 66 points 9 months ago* (last edited 9 months ago) (3 children)

That will always happen with something exposed to internet. Attackers scan every IP and domain they can looking for vulnerabilities to exploit. There's software you can put in place to block requests that look like exploit attempts. Cloudfare WAF is one example. But those are mitigations only and not perfectly effective. Beyond that there's not much you can do. Always make sure anything you expose to the internet is configured securely and kept up to date. If it makes you uncomfortable, reconsider exposing it like that.

[–] [email protected] 13 points 9 months ago* (last edited 9 months ago) (1 children)

bots will start hitting a brand new subdomain on my web server literally seconds after creating it. looking for exploitable scripts like wordpress, usually.

[–] [email protected] 5 points 9 months ago (1 children)

You can avoid these scans by only using wildcards on your DNS entries and SSL certificates.

Both of these are commonly used by bots to find new domains.

[–] [email protected] 3 points 9 months ago (1 children)

Wildcard SSL subjects make sense as the certificate is public. But how does wildcard DNS help? They aren't public other than the requests coming from the client which don't use wildcard anyway.

[–] [email protected] 1 points 9 months ago

I would not depend on DNS records being private. On the off chance that one of the nameservers messes up, I would prefer if no subdomains are leaked.

But you're correct, most of the time those leaks happen somewhere else.

[–] [email protected] 8 points 9 months ago

Thanks, that helped!

[–] [email protected] 6 points 9 months ago

Fail2ban works if they don't have infinite IP addresses

[–] [email protected] 26 points 9 months ago (1 children)

It sounds like you made your Jellyfin server public-facing, which is probably not what you want, even though it is supposed to be secured.

I recommend that you setup access through an exclusive and private connection of some kind. E.g: VPN, Tailscale, ZeroTier.

[–] [email protected] 16 points 9 months ago (1 children)

Thanks! No, that's exactly what I wanted to do :) I was just wondering if it's okay to have this many random requests, which seems to be fine.

[–] [email protected] 14 points 9 months ago (1 children)

Understood. Any public-facing server will be bombarded by bots. You need to deploy measures to avoid being hacked:

  1. Firewall: lockdown everything, allow only the strict necessary
  2. Remote login/SSH: update default username and pasword, only allow remote login using Encryption Key authentification
  3. (Optional) configure fail2ban to slowdown the attacks
  4. Keep your server up-to-date: configure auto-update, unattended-update or similare
  5. Setup and keep regular backups: be ready to nuke your server at anytime, with the confidence you can restart fresh in a short time and low effort

Obviously, there are many other security steps that can be put in place, but firewall and ssh hardening are absolutely mandatory

[–] [email protected] 2 points 9 months ago (1 children)

Thank you, these are great tips!

[–] [email protected] 7 points 9 months ago

Being up to date is VERY important. There's a bunch of sites out there that scan the entire internet endlessly and keep information about each IP up to date. For example go here and search your IP.

https://search.censys.io/

When a vulnerability is found, attackers will go to sites like these and look for anything to hack. If you don't update more or less immediately, you're at huge risk.

Other then that, everyone else is right. Being available to the public means you're going to have bots scanning you and sending random trash. The only thing you can do is try and block it (fail2ban) or limit it (block certain countries) but at the end of the day its the software that gets the packets (jellyfin) that you need to trust to be secure and discard random junk.

[–] [email protected] 22 points 9 months ago (1 children)

I‘d only access my jellyfin through a VPN like WireGuard. As a plus, you can route your DNS calls to your DNS server in your home network (like AdGuard) and have always most ads blocked in any app even on iOS.

[–] [email protected] 4 points 9 months ago (2 children)

If I didn't use wireless android auto I would totally use a VPN at all times but the fact AA refuses to connect with wireless AA with a VPN sucks.

[–] [email protected] 4 points 9 months ago (1 children)

You can exclude AA from VPN, at least with Wireguard.

[–] [email protected] 1 points 9 months ago

Yeah I am using unifi I might have to switch my client if I can figure out how to connect to my existing wire guard setup that I have on my dream machine.

[–] [email protected] 1 points 9 months ago (1 children)

😳what?? Why would AA not work with VPN?! What a deal break, lol, I guess I’ll keep my iPhone X in the car for CarPlay after switching to a new (maybe not apple) phone in that case

[–] [email protected] 3 points 9 months ago (1 children)

Wired works but because wireless AA needs to use WiFi the VPN blocks the communication. It only works with VPN providers that allow split tunnels which the one I use does not. I use unifi one click VPN which is subscription free.

[–] [email protected] 2 points 9 months ago

Ah, I see, I guess WireGuard would be able to handle this, in that case, since you can choose which IPs go through the tunnel and which not. But honestly, I always plug my phone into the car by cable.

[–] [email protected] 14 points 9 months ago

It's just bots, they scan IP address and open ports looking for vulnerabilities. I remember my first experience with this putting my first game server online for a game I was making, thinking to my self "who the fuck are these people trying to connect to my game? How did they even have it". It's nothing to worry about unless you have lack of or poor authentication.

[–] [email protected] 8 points 9 months ago

VPN drains my phone battery like crazy, plus eventually I'd like to be able to share my services with some less technical people, and want to keep the barrier to entry low for them, so I've been looking at what I'd want in order to be comfortable exposing services publicly.

Services are running on Truenas Scale (k3s).

What I've been thinking is:

  1. Isolate services' network access to each other and to my local network.
  2. Reverse proxy in front of all services (probably Caddy)
  3. Coraza as a WAF
  4. Crowdsec Caddy module
  5. Some sort of auth layer in the proxy, like oauth2-proxy (kind of tricky because not every service would work well with this, especially without client support). Probably would start with a 3rd party identity provider rather than rolling my own, especially since 3rd party will probably do a lot more monitoring around logins, patterns, etc.

Thinking of hosting the reverse proxy piece on a VPS. Probably not completely necessary because I don't think hiding my home IP really buys me much security, but Caddy might be easier to configure on the VPS compared to Truenas (though I guess I could run it in a VM on Truenas).

Each app could run a wireguard sidecar to connect it to the VPS.

Curious what others think about this setup, or if the recommendation is still to keep things behind a VPN.

[–] [email protected] 6 points 9 months ago

Can you run fail2ban with Cloudflare tunnels?

[–] [email protected] 3 points 9 months ago

Obsfucation can help stimey scripts. I saw using a non-standard port mentioned.

You can also setup a reverse proxy to deliver a different, empty site to a different dns entry by default. Use either a completely separate (as opposed to multidomain) cert for each, or a wildcard cert.

Jellyfin also supports using a custom path, instead of delivering at the root. Your reverse proxy would need to be configured accordingly.

[–] [email protected] 2 points 9 months ago

What about mTLS? Since you are already on Cloudflare, you might consider their client cert feature, which blocks all incoming traffic without the cert. However, you do have to manage it and set it up on all your devices.

[–] [email protected] 2 points 9 months ago

You can reduce doorknob turning dramatically by running on a non-standard port.

Scanners love 80 and 443, and they really love 20, but not so much 4263.

I used to run a landing page on my domain with buttons to either the request system / jellyfin viva la reverse proxy. If you’re paranoid about it, tie nginx to a waf. If you’re extra paranoid, you’ll need some kind of vpn / ip allow-listing