Comment on Using Fail2ban to protect exposed services
cyberwolfie@lemmy.ml 3 weeks ago
What kinds of things are you planning to expose? What I expose I hide behind a reverse proxy with IP whitelists. Whatever I don’t need access to on the go I don’t expose.
paequ2@lemmy.today 3 weeks ago
Primarily Jellyfin and Immich.
Do all your clients have fixed IPs? I have some clients that are phones or laptops, but I would imagine those change as people drive around to different cities or connect to different coffee shop WiFi.
cyberwolfie@lemmy.ml 3 weeks ago
It depends on what service - some, like Jellyfin, are accessed only from home IPs which are static (for music through Jellyfin I use offline mode to prevent too much mobile traffic), so I can add those specific IPs in the whitelist. Otger services I need to access from elsewhere, and I can add entire subnets (i.e. for my phone carrier network or VPN servers). Those change once in a while and that is annoying. Other services I want publically available.
Jellyfin especially still has some unsecured endpoints where it would be wise to take some.extra precautions. I think the risk some people seem to think this poses is a little overblown (i.e. rights holders finding your instance and reverse mapping your entire library and suing you to oblivion), but better not risk it.