Why would you expose anything to the internet when you got Tailscale?
Comment on Just created my own zero trust network!
possiblylinux127@lemmy.zip 1 month ago
You didn’t expose it to the internet right?
If you want remote access setup client certs
DieserTypMatthias@lemmy.ml 1 month ago
BaroqueInMind@piefed.social 1 month ago
How?
tux7350@lemmy.world 1 month ago
Ya got three options.
Option A is to create your own certificate that is self-signed. You will then have to load the certificate into any client you want to use. Easier than people realize, just a couple terminal commands. Give this a go if you want to learn how they work.
Option B is to generate a certificate with Let’s Encrypt via an application like certbot. I suggest you use a DNS challenge to create a wildcard certificate.
Option C is to buy a certificate from your DNS provider aka something like cloudflare.
IMO the best is Option B. Takes a bit to figure it out but its free and rotates automatically which I like.
I like helping and fixing stuff, if you’d like to know anything just ask :D
RunningInRVA@lemmy.world 1 month ago
None of these are client certificates btw. These are just ways to have your server use TLS encryption with any client that connects but it offers no authorization. If you want authorization with client certificates you need to implement mTLS (Mutual TLS).
tux7350@lemmy.world 1 month ago
Oooo ya know I actually don’t know about these. I’ve done both A and B for my homelab and C for work.
Any good resources / insight into mTLS? I appreciate the response btw!
possiblylinux127@lemmy.zip 1 month ago
That is for server side certs not client side. I’m talking about Mutual TLS.
Setting up https is not going to stop bots. All it does is prevent man in the middle attacks. You want to limit who and what can access Jellyfin so that you don’t end up being a victim of an automated exploit.
archy@lemmy.world 1 month ago
Kleopatra
possiblylinux127@lemmy.zip 1 month ago
That isn’t mutualTLS
It just is a frontend for gpg. You need OpenSSL for mutual certs.
dataprolet@lemmy.dbzer0.com 1 month ago
What’s wrong with exposing Jellyfin to the internet?
mic_check_one_two@lemmy.dbzer0.com 1 month ago
There are a few security issues with it, but all of the worst known issues require a valid login token. So an attacker would already need to have valid login credentials before they could actually do anything bad. Things like being able to stream video without authentication (but it requires already having a list of the stored media on the server, which means you have been logged in before). Or being able to change other users’ settings (but it requires already being logged in to a valid user).
Dhs92@piefed.social 1 month ago
The bug you mentioned actually just requires the attacker knows your local media paths to generate the hash. The issue is that most people use trash guides to setup *arr which means they probably have the same paths for everything
possiblylinux127@lemmy.zip 1 month ago
You really shouldn’t expose anything directly to the internet. It is a security problem waiting to happen. (Assuming it hasn’t already)
This is how giant botnets form.
dataprolet@lemmy.dbzer0.com 1 month ago
What security problems?
sugar_in_your_tea@sh.itjust.works 1 month ago
Bots randomly attack stuff, and if you leave something insecure, they’ll install a bot net node.
smiletolerantly@awful.systems 1 month ago
Nothing. People fearmonger