this post was submitted on 26 Jun 2025
481 points (97.8% liked)

Selfhosted

52479 readers
2046 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

What’s your go too (secure) method for casting over the internet with a Jellyfin server.

I’m wondering what to use and I’m pretty beginner at this

you are viewing a single comment's thread
view the rest of the comments
[–] makeitwonderful@lemmy.sdf.org 18 points 4 months ago (1 children)

It feels like everything is a tradeoff and I think a setup like this reduces the complexity for people you share with.

If you added fail2ban along with alert email/notifications you could have a chance to react if you were ever targeted for a brute force attempt. Jellyfin docs talk about setting this up for anyone interested.

Blocking IP segments based on geography of countries you don't expect connections from adds the cost of a VPN for malicious actors in those areas.

Giving Jellyfin its own VLAN on your network could help limit exposure to your other services and devices if you experience a 0day or are otherwise compromised.

[–] douglasg14b@lemmy.world 9 points 3 months ago (1 children)

Fail2ban isn't going to help you when jellyfin has vulnerable endpoints that need no authentication at all.

[–] makeitwonderful@lemmy.sdf.org 4 points 3 months ago (1 children)

Your comment got me looking through the jellyfin github issues. Are the bugs listed for unauthenticated endpoints what you're referencing? It looks like the 7 open mention being able to view information about the jellyfin instance or view the media itself. But this is just what was commented as possible, there could be more possibilities especially if combined with other vulnerabilities.

Now realizing there are parts of Jellyfin that are known to be accessible without authentication, I'm thinking Fail2ban is going to do less but unless there are ways to do injection with the known bugs/a new 0day they will still need to brute force a password to be able to make changes. I'm curious if there is anything I'm overlooking.

[–] rumba@lemmy.zip 0 points 3 months ago

unless there are ways to do injection with the known bugs/a new 0day

TBH, that should be enough right here. That is a JUICY target for hacking.

You can tell outside that someone is running JF.

You know what packages are used.

You have full access to the source.

You know what endpoints are exposed and available.

All you need is a whole in ffmpeg, a codec, a scaler, or something in libAV. There are a hundred different projects in there from everyone and their brother. And all somebody with experience needs is one of them to have an exploit in a spot where you can send it a payload through an endpoint that doesn't require authentication.

We need something to gatekeep. Some form of firewall knocking, or VPN. We don't need JF to be as publicly accessible as Netflix; we just need a way for our friends and family to get in, prove they're who they are, and reject all anonymous traffic.