What’s your go-to (secure) method for casting over the internet with a Jellyfin server?

I’m wondering what to use and I’m pretty beginner at this.

    • Novi@sh.itjust.works
      5 days ago

      I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.

      • Lucy :3@feddit.org
        5 days ago

        fail2ban with endlessh and abuseipdb as actions

        Anything that’s not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.
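
The ban policy described in the comment above, sketched as an added example that is not part of the original post or of fail2ban itself: it classifies standard OpenSSH auth log lines and returns the source IPs that policy would block. The account name `lucy`, the sample log lines and the function names are constructed for illustration; the actual blocking (fail2ban action, endlessh, AbuseIPDB report) is out of scope.

```python
import re

# Assumption: accounts allowed to log in ("lucy" is a placeholder name).
ALLOWED_USERS = {"lucy", "git"}

# The user name is attacker-supplied, so it is matched greedily: the IP is
# then taken from the last " from <ip> port <n>" that sshd itself wrote.
AUTH_RE = re.compile(
    r"sshd(?:-session)?\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2"
)
INVALID_RE = re.compile(
    r"sshd(?:-session)?\[\d+\]: Invalid user (?P<user>.*) from (?P<ip>\S+) port \d+"
)

def ban_reason(line):
    """Return (ip, reason) if the line violates the policy, else None."""
    m = INVALID_RE.search(line)
    if m:
        return m["ip"], "user not allowed"
    m = AUTH_RE.search(line)
    if not m:
        return None
    if m["user"] not in ALLOWED_USERS:
        return m["ip"], "user not allowed"
    if m["method"] == "password":      # allowed user, but password auth
        return m["ip"], "password authentication attempted"
    if m["result"] == "Failed":        # allowed user, any other failure
        return m["ip"], "authentication failed"
    return None                        # accepted key login for allowed user

def ips_to_ban(lines):
    """Map each offending IP to the first reason it was flagged."""
    bans = {}
    for line in lines:
        hit = ban_reason(line)
        if hit:
            bans.setdefault(hit[0], hit[1])
    return bans

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    "Jan 10 03:12:01 host sshd[1201]: Invalid user admin from 203.0.113.5 port 52314",
    "Jan 10 03:12:09 host sshd[1207]: Failed password for root from 198.51.100.23 port 40122 ssh2",
    "Jan 10 03:13:40 host sshd[1215]: Failed password for git from 192.0.2.77 port 33100 ssh2",
    "Jan 10 03:15:02 host sshd[1222]: Accepted publickey for lucy from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:constructed",
    "Jan 10 03:16:30 host sshd[1230]: Failed publickey for lucy from 192.0.2.99 port 50100 ssh2: ED25519 SHA256:constructed",
]

if __name__ == "__main__":
    for ip, reason in ips_to_ban(SAMPLE_LOG).items():
        print(ip, reason)
```
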

        • mosiacmango@lemm.ee
          4 days ago

          You’ve minimized login risk, but not any 0 days or newly discovered vulnerabilities in your ssh server software. It’s still best to not directly expose any ports you don’t need to regularly interact with to the internet.

          Also, look into crowdsec as a fail2ban replacement. It uses automatically crowdsourced info to pre-block IPs. A bit more proactive compared to abuseipdb manual reporting.

          • Thaurin@lemmy.world
            4 days ago

            I have the firewall of my VPS reject any IP range except the ones I’m on frequently, that is mobile, home and work. Sucks when you travel, but otherwise works alright.

            Still exposes ports to some people on the same mobile or home internet service networks…

      • Everyday0764@lemmy.zip
        4 days ago

        I have ssh on a random port and only get so many scans, so low that fail2ban never banned anyone that was not myself (accidentally).

      • Auli@lemmy.ca
        4 days ago

        Ssh has nothing to do with scanning. Your IP and everyone else’s IP is being scanned constantly. In IPv4 space at least.

          • fuckwit_mcbumcrumble@lemmy.dbzer0.com
            4 days ago

            In 3 years I haven’t had a single attempted connection that wasn’t me. Once you get to the ephemeral ports nobody is scanning that high.

            I’m not saying run no security or something. Just nobody wants to scan all 65k ports. They’re looking for easy targets.

    • SapphironZA@sh.itjust.works
      4 days ago

      Why would you need to expose SSH for everyday use? Or does Jellyfin require it to function?

      Maybe leave that behind some VPN access.

      • Dataprolet@lemmy.dbzer0.com
        5 days ago

        Take a look at Nginx Proxy Manager and how to set it up. But you’ll need a domain for that. And preferably use a firewall of some sort on your server and only allow said ports.

          • Midnight Wolf@lemmy.world
            4 days ago

            This isn’t a guide, but any reverse proxy allows you to limit open ports on your network (router) by using subdomains (thisPart.website.com) to route connections to an internal port.

            So you set up a rev proxy for jellyfin.website.com that points to the port that jf wants to use. So when someone connects to the subdomain, the reverse proxy is hit, and it reads your configuration for that subdomain, and since it’s now connected to your internal network (via the proxy) it is routed to the port, and jf “just works”.

            There’s an ssl cert involved but that’s the basic understanding. Then you can add Some Other Services at whatever.website.com and rinse and repeat. Now you can host multiple services, without exposing the open ports directly, and it’s easy for users as there is nothing “confusing” like port numbers, IP addresses, etc.

            • scoobydoo27@lemmy.zip
              4 days ago

              So I’m another newbie dummy to reverse proxies. I’ve got my jellyfin accessible at jellyfin.mydomain.com but I can only access it through the web. How do I share with other people who want to use the apps? I can’t get my apps to find my instance.

              • pory@lemmy.world
                4 days ago

                Can “your apps” access it when their device isn’t on your home LAN?

                • scoobydoo27@lemmy.zip
                  3 days ago

                  That was the problem, I couldn’t access anything away from my LAN. I finally figured it out though. I’m using Pangolin to access my services outside of my LAN and by default it adds an SSO option. Once I turned that off, my iPhone app was able to find my server through my domain name just fine. Thanks!

                  • pory@lemmy.world
                    3 days ago

                    Do note that without that layer you were using Pangolin for, your system might be compromised by a vulnerability in Jellyfin’s server or a brute force attack on your Jellyfin admin account.

      • Ptsf@lemmy.world
        4 days ago

        Honestly you can usually just static ip the reverse proxy and open up a 1:1 port mapping directly to that box for 80/443. Generally not relevant to roll a whole DMZ for home use and port mapping will be supported by a higher % of home routing infrastructure than DMZs.

        • cm0002@lemmy.world
          4 days ago

          It’s beginner level, the hard part is the reverse proxy, once you have a grasp on that just having it on a dedicated box in a segmented portion on your firewall designated as the DMZ is easy. I’d even go so far as to say it’s the bare minimum if you’re even considering exposing to the internet.

          It doesn’t even need to be all that powerful since it’s just relaying packets as a middleman.