You can address the 2fa by putting it behind something like authelia, but still, the project needs to step it up
Comment on Plex has paywalled my server!
rumba@lemmy.zip 4 weeks ago
It’s pretty rare that a company starts taking away free features and doesn’t end up fucking payers in the end.
The biggest bar to Jellyfin is TV clients, the second biggest is security.
TV clients can be fixed with a one-time purchase of a $20 android TV stick. If viewing your familys ARR content isn’t worth $20 you probably don’t need to do it anyway.
Security for remote streaming is a harder thing to handle. Most people are capable of port forwarding, But just hanging a smallish public project out there in the open is always a dicey proposition. It honestly needs real fail2ban, probably SSL, 2FA and password complexity requirements.
We could probably make a jellyfin helper container to handle some of this. Walk people through Let’s Encrypt, dynDNS, port forwarding tests, add fail2ban with a firewall, maybe even slap suricata in it.
We need to convince the project to add 2FA and password complexity requirements.
I don’t know guys what do you think is it crazy? does it make sense? Would anybody actually use it?
kuhli@lemmy.dbzer0.com 4 weeks ago
rumba@lemmy.zip 4 weeks ago
Authelia is super easy, if the clients can handle it
ipkpjersi@lemmy.ml 4 weeks ago
I thought that you can still access media directly via the URL without any authentication, how would authelia change that?
kuhli@lemmy.dbzer0.com 4 weeks ago
Yes! You just have to set up your reverse proxy to send everything through it and it’ll block the unauthenticated access.
The downside is that apps stop working since they don’t have a way to authenticate with authelia. I’ve installed it as a PWA on my phone and use an old laptop with the TV interface on my TV, but it’s not perfect
ipkpjersi@lemmy.ml 4 weeks ago
Are you sure that works? I’m pretty sure they mentioned that reverse proxies are an unsupported (and not working) use case with Jellyfin, but I might have to look into authelia some time then.
Taldan@lemmy.world 4 weeks ago
probably SSL
*TLS
SSL has been deprecated for a decade at this point
rumba@lemmy.zip 4 weeks ago
Would you consider this a particularly constructive comment?
lightnsfw@reddthat.com 4 weeks ago
What’s wrong with it?
JackbyDev@programming.dev 4 weeks ago
SSL or the comment? The comment is annoying because people use TLS and SLL interchangeably in colloquial speak.
rumba@lemmy.zip 4 weeks ago
The term SSL has been colloquially used for the last decade, and it would be difficult, if not impossible, to confuse the two and issue the wrong type of security at this point. Are there even packages that old available to Docker?
We’re having an informal discussion here about how to make Jellyfin security less daunting to the average user. Taldan is apparently knowledgeable about the situation and could lend a conceptual hand to the process, but I suspect they chose instead to nitpick terminology that’s still used in common parlance. Since I have some doubts, but don’t wish to assume, I asked a simple question.
ipkpjersi@lemmy.ml 4 weeks ago
Security for remote streaming is a harder thing to handle. Most people are capable of port forwarding, But just hanging a smallish public project out there in the open is always a dicey proposition. It honestly needs real fail2ban, probably SSL, 2FA and password complexity requirements.
Yeah.
It’s tough because I get they’re an open-source project, and they’re volunteers, but at the same time, security is something that should be the highest priority.
rumba@lemmy.zip 4 weeks ago
That’s what I do myself but in a lot of cases VPN is beyond the grasp of the grasp of the friends and family that are being shared with.
Tailscale is somewhat approachable for this, there are a number of streaming devices that support TS clients. But then tailscale will eventually enshittify their free offering. Wrapping headscale into this will add yet another layer of complication. VPN is far more secure but I think it makes it unapproachably complicated for many.
haui_lemmy@lemmy.giftedmc.com 4 weeks ago
I think you make a hugely important point and I would definitely use it and I might even be able to help making it.
rumba@lemmy.zip 4 weeks ago
Current Idea:
Whitelisted?
- user: bob.com:9901 -> jellyfin
Not Whitelisted?
- user: bob.com:9901 -> 404
Whitelisted or Not whitelisted?
- user: bob.com/whitelist -> nginx/python, authelia, fail2ban, traefik whitelist modifier
chortle_tortle@mander.xyz 4 weeks ago
What are my realistic security concerns with a jellyfin server that I let friends and family watch while trying to minimize the troubleshooting and steps they need to take to get started?
rumba@lemmy.zip 4 weeks ago
realistic security concerns
If you’re running a binary installation of Jellyfin on your server and exposing it to the public internet, you can face significant risks:
-
Remote execution vulnerabilities might allow attackers to exploit bugs to run malicious code on your server.
-
Buffer overflows. Poorly handled data can let attackers manipulate memory, Bypass logins, touch things in the host that aren’t meant to be twiddled with
-
Network exposure. If compromised, the server could become a launchpad for attacks on your network.
There might not be any vulnerabilities at this moment, but they might come in a future release. And we might not even know they exist. It’s a small team of volunteers, and they’ll do their best. This is just what is reasonably possible when installing the server as an application on your OS and exposing it to the Internet.
You can minimize risk with a safer setup, as someone else in the comments here mentioned (and I think they even linked to their setup)
Using a Docker container version of the app significantly reduces your attack surface. This isolates the app from your host system. If they get in, they only get into the container and whatever that container is allowed to do.
Mount your media files as read-only to prevent accidental modifications or potential malicious changes. Now that container can’t do any real harm do your data.
Avoid making the container privileged. A privileged container can interact with the host system in risky ways.
Use reasonable unique usernames and passwords. If the container does manage to get compromised, they will likely be able to read usernames and passwords stored in the container.
Regularly update your container – Ensures you have the latest security patches.
Short of some massive Docker vulnerability, (which is on you to keep updated) the worst case should be public enumeration of your media, exposure of your JF users/passwords, and denial of service. Which IMO isn’t very serious.
For even tighter access control, don’t whitelist the entire world.
Whitelist specific IP addresses. Have users visit WhatIsMyIP to get their IP, then configure port forwarding to allow only trusted addresses. This allows the clients at their houses in without any serious hinderance, but would block them from accessing your media when they’re not at their house.
If they’re accessing you through a phone or PC, setup headscale or tailscale or any VPN and allow them to get to you through VPN
chortle_tortle@mander.xyz 4 weeks ago
Amazing info, thank you for the response!
-
MintyFresh@lemmy.world 4 weeks ago
I would be very interested in an answer to this as well. Also any how to guides that would be useful for a guy whose technical high-water mark was getting mint set up on my laptop.
JessieGearGirl@lemmy.world 4 weeks ago
As someone who is … lazy and took advantage of some Amazon Black Friday Fire TV stick deals, and who doesn’t want to drop the $200 for a Shield:
Any Android sticks/players you might recommend?
XannyDevito@lemmy.dbzer0.com 4 weeks ago
The Onn dongles from Walmart are probably the cheapest. The firestick should work fine and there are also Chromecasts from Google.
rumba@lemmy.zip 4 weeks ago
Basic functionality, I’ve heard good things about the crappy Walmart ONN branded ones.
I know there are Alibaba options, But I’m awfully afraid of a lot of those have worst security issues than opening up jellyfin.
pory@lemmy.world 4 weeks ago
+1 for Walmart Onn, very easy to debloat and degoogle, supports SmartTubeNext, S0undTV (Twitch), Jellyfin, Plex, whatever else you want.
JessieGearGirl@lemmy.world 4 weeks ago
Thanks- was hoping there was something out there that’s a bit less tied into some large Amazon-y or Google-y type anything
For all their lack of privacy, the Fire Sticks perform pretty well
rollerbang@lemmy.world 4 weeks ago
I access my stuff via VPN. As for sharing with others, I simply don’t do that. VPN is still an option though. Or temporary client whitelisting, etc.
rumba@lemmy.zip 4 weeks ago
Now that’s an interesting thought.
A web page with Authelia, login and a firewall.
If you’re not logged in, All you get is a login page. If you are logged in, It passes you straight through to jellyfin.
So any device and client would be able to access it without issue once a phone or computer on the network had logged in just once.
The web page modifies the HA proxy ACL and forces a reload.
EncryptKeeper@lemmy.world 4 weeks ago
This will work fine over the web, but won’t work with clients.
rumba@lemmy.zip 4 weeks ago
They have instructions on jellyfin forums on setting up HAProxy, that part totally works.
But you don’t put 2FA on the jellyfin server, for that you just deny all IPs except whitelisted.
You did the 2FA on the whitelister only using path-based routing.
You don’t have access to the root site, you go to a path and login to a separate database to whitelist yourself then your client should work from that IP.
N0x0n@lemmy.ml 4 weeks ago
Yeaaah ! Most people anyway have some kind of VPN installed on their device… Just slap in a wireguard VPN config to tunnel your traffic home… bOOm jellyfin everywhere and 99% secure !