I have a Jellyfin instance on my local server which I forward to the public web via a cloudflare tunnel. I’m not sure how secure it is, and I keep getting random requests from all over the world. It’s my first experience maintaining something on a public domain so I may be worrying about something obvious, but some advice would still be appreciated.
Any time I’ve ever had a server of any kind connected to the net it’s gotten endless ‘doorknob turning’ from bots scanning for stuff. At the very least, bots trying ssh passwords on common accounts.
I don’t have any specific jellyfin advice, but random attempts from all over is pretty usual on the net these days.
Being up to date is VERY important. There’s a bunch of sites out there that scan the entire internet endlessly and keep information about each IP up to date. For example go here and search your IP.
When a vulnerability is found, attackers will go to sites like these and look for anything to hack. If you don’t update more or less immediately, you’re at huge risk.
Other then that, everyone else is right. Being available to the public means you’re going to have bots scanning you and sending random trash. The only thing you can do is try and block it (fail2ban) or limit it (block certain countries) but at the end of the day its the software that gets the packets (jellyfin) that you need to trust to be secure and discard random junk.
I‘d only access my jellyfin through a VPN like WireGuard. As a plus, you can route your DNS calls to your DNS server in your home network (like AdGuard) and have always most ads blocked in any app even on iOS.
Yeah I am using unifi I might have to switch my client if I can figure out how to connect to my existing wire guard setup that I have on my dream machine.
😳what?? Why would AA not work with VPN?! What a deal break, lol, I guess I’ll keep my iPhone X in the car for CarPlay after switching to a new (maybe not apple) phone in that case
Wired works but because wireless AA needs to use WiFi the VPN blocks the communication. It only works with VPN providers that allow split tunnels which the one I use does not. I use unifi one click VPN which is subscription free.
VPN drains my phone battery like crazy, plus eventually I’d like to be able to share my services with some less technical people, and want to keep the barrier to entry low for them, so I’ve been looking at what I’d want in order to be comfortable exposing services publicly.
Services are running on Truenas Scale (k3s).
What I’ve been thinking is:
Isolate services’ network access to each other and to my local network.
Reverse proxy in front of all services (probably Caddy)
Coraza as a WAF
Crowdsec Caddy module
Some sort of auth layer in the proxy, like oauth2-proxy (kind of tricky because not every service would work well with this, especially without client support). Probably would start with a 3rd party identity provider rather than rolling my own, especially since 3rd party will probably do a lot more monitoring around logins, patterns, etc.
Thinking of hosting the reverse proxy piece on a VPS. Probably not completely necessary because I don’t think hiding my home IP really buys me much security, but Caddy might be easier to configure on the VPS compared to Truenas (though I guess I could run it in a VM on Truenas).
Each app could run a wireguard sidecar to connect it to the VPS.
Curious what others think about this setup, or if the recommendation is still to keep things behind a VPN.
You can reduce doorknob turning dramatically by running on a non-standard port.
Scanners love 80 and 443, and they really love 20, but not so much 4263.
I used to run a landing page on my domain with buttons to either the request system / jellyfin viva la reverse proxy. If you’re paranoid about it, tie nginx to a waf. If you’re extra paranoid, you’ll need some kind of vpn / ip allow-listing
Add comment