Comment on Plex has paywalled my server!
rumba@lemmy.zip 6 days agoMy primary worry for this is that something in the jellyfin stack gets an open vulnerability, like there’s an overflow you can use on a post call to a piece of media allowing remote code execution.
Tautulli had a leak once that provided the user’s private token. Then there was a way in Plex with a private token to pull data from elsewhere on the server. That’s how LastPass got nuked I hear.
skoell13@feddit.org 5 days ago
I get you and I know that there can be security issues (especially in Jellyfin) that might give you access. This is the reason I only mount the media and config folders, and nothing else into the docker container. The media folders are mounted as read only and don’t contain sensitive information. For the config folder I created a separate user. Plus I block non-German IP addresses which already blocks quite some bots. If your friends have fixed IP addresses you could also just whitelist them and block everything else.
You could also probably sniff the network and define more strict rules on ‘allowed’ requests in fail2ban but this is bridle because requests might change with different versions.
rumba@lemmy.zip 5 days ago
They actually do a small login f2b effort right in JF, but it appears to be quite limited.
The container is more secure by default, and if people set up their docker well it reduces the dangers substantially. A lot of people don’t go docker though.
skoell13@feddit.org 5 days ago
Yeah the link I posted does everything via docker and explains what should be mounted and how.
rumba@lemmy.zip 5 days ago
That’s awesome and thank you for sharing that