Assuming the user will not be connecting over VPN, but is both remote and non-technical, how would you expose Jellyfin to them securely?

  • theunknownmuncher@lemmy.world · +5 / −15 · edited · 9 hours ago

    Meh. If someone hacks my server and watches TV then idc, have at it. They earned it

    EDIT: the downvotes are warranted but they change nothing

    • N.E.P.T.R@lemmy.blahaj.zone · +4 · 7 hours ago

      Remote code execution is a concern. Your server and your network as a whole (including other VLANs) are susceptible to attack if Jellyfin is compromised. If Jellyfin is running on the host, it would be trivial to hack your server (and anything else running/connected to it). If Jellyfin is in a Docker/Podman container, it doesn't prevent attacks against the host (sandbox escape, kernel privilege escalation, etc.), or against your network over some ports. Even if the server is on its own VLAN, a vulnerability or weakness in your router could still lead to a compromise, meaning that any device that is in any way connected to your router (including personal devices) could be attacked.

      There is a lot of depth to this topic of course. And at some point you just calculate your risks and weigh your options. There is no such thing as perfect security of course.

      • ampersandrew@lemmy.world · +2 · 8 hours ago

        I’m learning a lot of this as I go and have not exposed any services to the internet yet, but would VLANs not contain the damage to a limited portion of the network? Because that’s the plan I’m working toward. Not just for Jellyfin but a handful of other services.

        • LadyMeow@lemmy.blahaj.zone · +1 · 8 hours ago

          That… might work. Do you have a different physical server for each service though?

          The issue is once someone is in, then they can try to jailbreak and move laterally to get to other things. Other devices, into the file system.

          Jellyfin might not be your concern, but are there other files on that server? Or services? Secrets, passwords, etc.? If anything else is on that VLAN, what security flaws might be there that an attacker could use?

          • ampersandrew@lemmy.world · +2 · edited · 7 hours ago

            There is no personal information on anything in that proposed VLAN currently, and in the future, the most personal stuff it will include is a chat program to replace Discord. In all, I’m assuming I can run the reverse proxy and most services (not even a dozen) on a mini PC, and then somewhere between 1-4 on a NAS. Two devices total on this VLAN, unless I learn of something that would change this plan.
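As an added illustration of the two points above (a container does not stop host attacks, so the service should carry as few privileges as possible, and a reverse proxy should be the only thing listening on the WAN), here is a Compose file for running Jellyfin behind a proxy with reduced privileges. This is example configuration, not from the thread or the Jellyfin project; the host paths, the UID/GID and the proxy image choice are assumptions.

```yaml
# Added example (not from the thread): Jellyfin with a minimal privilege set,
# reachable only through a reverse proxy on an internal container network.
# Paths, UID/GID and hostname are assumed; adjust to your setup.
services:
  jellyfin:
    image: jellyfin/jellyfin          # official image; pin a specific tag in practice
    user: "1000:1000"                 # assumed unprivileged UID:GID owning ./config, ./cache
    read_only: true                   # immutable root filesystem
    tmpfs:
      - /tmp                          # scratch space, wiped on restart
    volumes:
      - ./config:/config              # the only writable persistent paths
      - ./cache:/cache
      - /srv/media:/media:ro          # media library mounted read-only
    cap_drop:
      - ALL                           # Jellyfin needs no Linux capabilities
    security_opt:
      - no-new-privileges:true        # setuid binaries cannot raise privileges
    networks:
      - proxy_net                     # no "ports:" entry, so nothing is published to the host
    restart: unless-stopped

  proxy:
    image: caddy:2                    # any TLS-terminating proxy works; Caddy is assumed here
    ports:
      - "443:443"                     # the single listener exposed to the WAN
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data              # certificates and ACME account state
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE              # only capability needed: bind port 443
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy_net
    restart: unless-stopped

networks:
  proxy_net: {}                       # shared only by the proxy and Jellyfin

volumes:
  caddy_data: {}
```

The assumed Caddyfile is a single site block, `jellyfin.example.com { reverse_proxy jellyfin:8096 }`, pointing at Jellyfin's default HTTP port on the container network; put the whole host on its own VLAN as discussed above, since these settings limit what a compromised Jellyfin process can do but do not address router-level weaknesses.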

    • irmadlad@lemmy.world · +3 · 8 hours ago

      Didn’t downvote, and I get what you’re saying to a certain extent. I’m not touting my server as hack-proof in the least, but it would take some work. My concern wouldn’t be someone hacking in and listening to my personal music collection I’ve been working on for decades… it goes all the way back to 1937.

      I would be more concerned that my compromised server was used as a zombie attack on some other server. The first VPS server got ransacked and used overnight to (unsuccessfully) DDoS another business site. I got a ton of nasty grams for that boner. I didn’t lose anything but time.

      Bitcoin miners are easy to spot. I’ve never really understood why someone would hack into a small server and deploy a nefarious miner. On a huge corporate server farm, sure. But not some small selfhost VPS somebody found on lowendbox.

      • frongt@lemmy.zip · +2 · 6 hours ago

        Because they’re not mining on just one, they’re mining on thousands.