Wow, I tested out jellyfin every 6 months for the last few years to see if it was ready to replace plex yet, and I had no idea about such huge security issues. There should really be a big ass warning about making jellyfin publicly accessible in the app and in setup guides…
Comment on Help setting up fail2ban for jellyfin both in docker?
MaggiWuerze@feddit.org 11 months ago
If you plan to use fail2ban, I assume you want to make your Jellyfin accessible from the public internet. Please be aware, that large parts of the Jellyfin Backend are not properly authenticated and allow unauthorized access that allows mapping of you library and even unauthorized streams.
Zeoic@lemmy.world 11 months ago
MaggiWuerze@feddit.org 11 months ago
The main issue for me is, the way they react to it. Not only is there no warning about this, but they also refuse to fix it because it would break client support and prefer backwards compatibility over security
Vendetta9076@sh.itjust.works 11 months ago
Would putting jellyfin behind authentik or googleSSO protect me? Trying to figure out how to replace plex for my extended family since theyre charging for external connections now
Appoxo@lemmy.dbzer0.com 11 months ago
Just be aware that putting Jellyfin behind a Reverse Proxy that redirects to external auth services, breaks client support that is not in a browser.
Thus you either white-/blacklist specific server access paths or set up accounts that may relay the loging credentials.
Maybe something like LDAP may work but I can’t say how well it works as I havent used that._cryptagion@lemmy.dbzer0.com 11 months ago
It works as advertised.
basic_user@lemmy.world 11 months ago
Thank you. I did see this list before. My jellyfin instance is not exposed to the net atm., but I’m thinking of exposing it in intervals and would like to have fail2ban working when/if I do.
MaggiWuerze@feddit.org 11 months ago
I’m just not sure if fail2ban can mitigate the unaouthorized api access or other issues
CompactFlax@discuss.tchncs.de 11 months ago
Thanks for sharing; I was unaware. Just closed off that network hole.
N0x0n@lemmy.ml 11 months ago
The solution here is to use a wireguard (or similar technology) server and use it on all your devices. People already use VPNs for everything, so adding this layer isn’t that much of a hassle !
MaggiWuerze@feddit.org 11 months ago
That depends entirely on your target audience as well as the devices you want to use it on. Smart TVs don’t really support VPNs and my parents would not know how to even activate that let alone set it up on their end. I have a lot of non tech savvy users, so Plex is just way more convenient and accessible.