It would be easiest to just change the client addresses frequently. You should be able to configure that in your addressing system.

Create an ISO and mount that.

But really, it doesn’t matter how you get the file in before you open it. It’s extremely unlikely that it malware could be executed just by putting a file on disk.

Bring up networking manually?

Or just back up your files and reinstall.

Literally everything.

Okay not everything, I’m sure they share some basic libraries like openssl. But the core OS is apples and oranges.

Validate the checksum against the official sources.

Yes, in qbittorrent, bind it to the VPN interface.

WAF and DMZ too.

Yes, scan the potential malware directly (exe, dll files). Not all scanners support extracting archives.

Yeah, I mean writing to a file. Do that in python, don’t wrap a script with more script.

You’re probably right about the process handling being the cause, but I wouldn’t worry about that and just do it right the first time.

“IP is good, actually” shouldn’t be a hot take. Those are the laws that licensing is built on.

Yup. Until you get into stuff like immutable distros, because that’s a whole different animal.

Modify the python script to include the new behavior.

I’ve never created a custom docker container, but I’m pretty sure you should make the entry point python itself, too.

Yes, those are the known vulnerabilities. We don’t know how many unknown vulnerabilities could be discovered in the future.

Unlikely for the rar file itself. The exe seems a little suspicious, so I would scan that file individually. Hard to say without unpacking and examining it.

Firewalls can log dropped packets.

It depends on what you’re trying to do with it. Typically people only use Macs as servers when they’re doing development for Apple products.

Provide them with VPN access. If that’s too much for them, then they don’t get access. Tough. On the scale of security vs convenience, that’s nothing.

If you really really want, you should at least see if you can put a WAF in front, and put the server itself somewhere it doesn’t have access to the rest of your network (a DMZ) so that if and when it gets hacked, it doesn’t compromise the entire network.

Step one is check with the university IT department. Don’t put random unmanageable shit on other people’s networks.

Why a Mac running Linux? I can’t think of a use case for that.

I still don’t recommend putting jellyfin on the Internet. It’s not designed for it. There are some API endpoints you can access without authentication, not to mention potential authentication bypass vulnerabilities.

5 minutes is also probably too frequent. Leases are usually significantly longer. You might hit a rate limit and get blocked.

Then yes. The VPS provider will get it instead.