I have a Jellyfin instance on my local server which I forward to the public web via a cloudflare tunnel. I’m not sure how secure it is, and I keep getting random requests from all over the world. It’s my first experience maintaining something on a public domain so I may be worrying about something obvious, but some advice would still be appreciated.
My SSL/TLS encryption mode appears to be “Full”.
Any time I’ve ever had a server of any kind connected to the net it’s gotten endless ‘doorknob turning’ from bots scanning for stuff. At the very least, bots trying ssh passwords on common accounts.
I don’t have any specific jellyfin advice, but random attempts from all over is pretty usual on the net these days.
That will always happen with something exposed to internet. Attackers scan every IP and domain they can looking for vulnerabilities to exploit. There’s software you can put in place to block requests that look like exploit attempts. Cloudfare WAF is one example. But those are mitigations only and not perfectly effective. Beyond that there’s not much you can do. Always make sure anything you expose to the internet is configured securely and kept up to date. If it makes you uncomfortable, reconsider exposing it like that.
bots will start hitting a brand new subdomain on my web server literally seconds after creating it. looking for exploitable scripts like wordpress, usually.
You can avoid these scans by only using wildcards on your DNS entries and SSL certificates.
Both of these are commonly used by bots to find new domains.
Wildcard SSL subjects make sense as the certificate is public. But how does wildcard DNS help? They aren’t public other than the requests coming from the client which don’t use wildcard anyway.
I would not depend on DNS records being private. On the off chance that one of the nameservers messes up, I would prefer if no subdomains are leaked.
But you’re correct, most of the time those leaks happen somewhere else.
Thanks, that helped!
I‘d only access my jellyfin through a VPN like WireGuard. As a plus, you can route your DNS calls to your DNS server in your home network (like AdGuard) and have always most ads blocked in any app even on iOS.
VPN drains my phone battery like crazy, plus eventually I’d like to be able to share my services with some less technical people, and want to keep the barrier to entry low for them, so I’ve been looking at what I’d want in order to be comfortable exposing services publicly.
Services are running on Truenas Scale (k3s).
What I’ve been thinking is:
- Isolate services’ network access to each other and to my local network.
- Reverse proxy in front of all services (probably Caddy)
- Coraza as a WAF
- Crowdsec Caddy module
- Some sort of auth layer in the proxy, like oauth2-proxy (kind of tricky because not every service would work well with this, especially without client support). Probably would start with a 3rd party identity provider rather than rolling my own, especially since 3rd party will probably do a lot more monitoring around logins, patterns, etc.
Thinking of hosting the reverse proxy piece on a VPS. Probably not completely necessary because I don’t think hiding my home IP really buys me much security, but Caddy might be easier to configure on the VPS compared to Truenas (though I guess I could run it in a VM on Truenas).
Each app could run a wireguard sidecar to connect it to the VPS.
Curious what others think about this setup, or if the recommendation is still to keep things behind a VPN.
Obsfucation can help stimey scripts. I saw using a non-standard port mentioned.
You can also setup a reverse proxy to deliver a different, empty site to a different dns entry by default. Use either a completely separate (as opposed to multidomain) cert for each, or a wildcard cert.
Jellyfin also supports using a custom path, instead of delivering at the root. Your reverse proxy would need to be configured accordingly.
What about mTLS? Since you are already on Cloudflare, you might consider their client cert feature, which blocks all incoming traffic without the cert. However, you do have to manage it and set it up on all your devices.
You can reduce doorknob turning dramatically by running on a non-standard port.
Scanners love 80 and 443, and they really love 20, but not so much 4263.
I used to run a landing page on my domain with buttons to either the request system / jellyfin viva la reverse proxy. If you’re paranoid about it, tie nginx to a waf. If you’re extra paranoid, you’ll need some kind of vpn / ip allow-listing