Comment on That's all folks, Plex is starting to charge for sharing
kylian0087@lemmy.dbzer0.com 4 days ago
That is with any piece of software. There will always be some vulnerabilities that are very bad. So by your definition using any piece of software is a concern.
dogs0n@sh.itjust.works 4 days ago
I agree with you, it’s likely this vulnerability is only known because Jellyfin is open source… how many are hiding in Plex’s proprietary source code…
Anyways when has anyone ever been pwnd by this “exploit”, I have seriously never heard of anyone being “hacked” by one of them.
Definitely overblown as far as I am aware… don’t post your instance url all over the internet and you will likely be fine.
Using Plex (is fine, do whatever u want) and giving them your data instead doesn’t really help you (or at least sending your data through them).
dependencyinjection@discuss.tchncs.de 4 days ago
You don’t need to post your IP. Any server admin would tell you that if you have a server exposed to the internet then you’re going to get people / bots knocking on your doors (ports) to see what is open. They could then use something like Metasploit to find vulnerabilities and gain access to your server.
smiletolerantly@awful.systems 11 hours ago
Which shouldn’t really be an issue since you should only host on 443, which tells bots basically nothing.
Configure your firewall/proxy to only forward for the correct subdomain, and now the bots are back to 0, since knowing the port is useless, and any even mildly competent DNS provider will protect you from bots walking your zone.
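The setup described in the comment above, sketched as an nginx reverse-proxy configuration (an added example, not part of the thread and not posted by any commenter). The subdomain `media.example.com`, the certificate paths and the upstream address `127.0.0.1:8096` are assumptions.

```nginx
# Added example; hostname, certificate paths and upstream address are assumptions.

# Catch-all for 443: any TLS handshake whose SNI does not match a named
# server below is rejected, so a scan of the bare IP gets no certificate
# (and therefore no hostname) back. Requires nginx 1.19.4 or later.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}

# Catch-all for plain HTTP: close the connection without sending a response.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;
}

# The only name that is forwarded to the media server.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name media.example.com;                         # placeholder subdomain

    ssl_certificate     /etc/ssl/example/fullchain.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;      # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8096;                  # assumed local Jellyfin address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrades through to the backend.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

If the certificate names the subdomain, the hostname can still be learned from certificate transparency logs, so this cuts scanner noise rather than replacing authentication and updates.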
Zeoic@lemmy.world 2 days ago
Not to mention bots/people/companies watching torrent peers, looking up SSL certs for the IPs, then attacking anything with jelly in it… Security through obscurity is not security
dogs0n@sh.itjust.works 3 days ago
Hm I don’t remember posting the comment you are replying to, to the one I replied to.
You are right, but I still argue that keeping Jellyfin up to date is fine, there are no serious bugs (afaik) that will compromise your whole server for instance, so these bots have nothing valuable to exploit here.
When I say don’t post your instance url I was talking about normal people finding it to try streaming from it without auth, I think I was replying to someone else and thought this was the same thread.