Hi there, folks. I hope this post is okay here. I’m trying to do my best to follow the rules and also to have done my homework before I come here with questions, but if this is the wrong place to ask my questions, I’d just like to politely ask for directions for the right place to ask. I recently started test driving Jellyfin in a more limited way on my desktop, and I’m impressed. I’m way on board with building out my library and self hosting the majority of my media consumption. I’m looking into buying a NAS, and it’s not going to break the bank, but it’s still a substantial purchase, and I don’t want to waste money by buying the wrong thing for my needs.
I’m looking at getting something like a UGreen DH4300 NAS with four 8 TB hard drives in RAID 5, which ought to be 24 TB of usable space, if I understand correctly. My primary use case is going to be a Jellyfin server for video, though I might try hosting other media libraries and files there like eBooks and such, through Jellyfin or otherwise. Looking at my Blu Ray shelf, I’ve got about 65 Blu Rays already, some of which are combo packs with 4K and 1080p versions, and once I’ve got a server like this set up, I’m very much inclined to build that library out even more. Currently, I have no screen or drive with which to watch 4K movies (I have a regular Blu Ray drive, a 1080p TV, and my PC monitor tops out at 1440p), but if I’m being mindful of future proofing, whenever my current TV dies, I’ll have more reason for accumulating 4K content. I don’t intend for frequent usage of this Jellyfin server to be by anyone besides my wife and me, and I’d be surprised if I ever had 5 simultaneous users.
So here is where my questions come in.
- Is a NAS like the one above strong enough to drive high quality output to even 5 simultaneous users, rare though that use case might be? Other than my regular gaming desktop, which is quite powerful, I also have a Minisforum EM780 mini PC that could potentially drive a media server if that’s necessary/sufficient?
- I’ve been reading posts in this community here and there, and I’ve come across a comment or two about security when exposing ports to the outside world. At the risk of being a big dummy, with selective port forwarding, what kind of real risks are there to this? And is there a reasonable way to navigate those risks such that I could regularly access my own Jellyfin server when I’m on the go like I would any third party streaming service? To be clear, this project is still of interest to me even if it’s restricted to my own home network, but it would be a bummer if exposing it to the outside world was particularly ill advised.
- I’ve seen measurements of things like decibel levels in reviews and words of caution about power draw, but I’m curious for feedback from folks here about real world noise levels and power draw from a NAS like the one above with HDDs. Is the noise easily ignored when it’s in the same room? I have a small apartment, and there are only so many places I could feasibly put one. Is the power draw noticeable on your electric bill such that you’re particularly mindful of when it’s running?
- Any other tips for this project that I might not know that I don’t know?
Thanks!
As for the secure use outside your home, see if you can install TailScale on that NAS. I use it on mine, it’s like having a Wireguard VPN but you don’t have to mess with port forwarding. The only downside is that to connect to your NAS from outside your LAN, you’ll have to be on a device that’s also running TailScale, but if it’s a device you own that’s easy to set up.
I have a much older NAS with not a lot of compute power, but its only purpose is to share data. I have a Proxmox server that connects to the NAS through NFS and does the actual transcoding, etc.
I have a really cheap old as the hills desktop with an ancient Quadro gpu in it connected via a decently expensive but also used 10gb Nic to my nas which is running Proxmox and a bunch of containers, but the two interesting ones are a tailscale exit node and Jellyfin. The Jellyfin gets the gpu via pass through, and I get 1080p on tap anywhere in my house with no fuss no muss, and I can use the tailscale app, connect, and act like I’m in my house from anywhere else, including other continents. Noticeable delay on play and pause on media if I’m on the other side of the planet, but that’s it for limitations.
An open port is a door to the service. The service needs a vulnerability and then an attacker can abuse that. Oftentimes multiple vulnerabilities are used in an attack. Attacks can become public years after they were found. Just because nothing is public doesn’t mean that it’s not there. What can an attacker gain if he enters your server?
https://app.opencve.io/cve/?product=jellyfin&vendor=jellyfin
If you want to know what happened to people who opened their ports in the past, look in the lemmy and reddit selfhosted subs for the posts about it. I am not aware of a single post in the last x years about someone complaining that his jellyfin media library was encrypted and she shall pay a sum x for the encryption keys.
So then if I’m evaluating a worst case for what I plan to use this NAS for, it would be that an attacker gains access to movies that I have on my shelf, CDs that I have on my shelf, books that I’d have the right to redownload as long as the place I bought them from is still in business, and my own save files for DRM-free video games that Heroic Games Launcher currently tells me not to rely on them for syncing back to GOG.com. At which point, if some attacker found a vulnerability and locked my NAS from me, they’d have caused me an annoyance in that I’d have to reformat those drives and re-rip that media. With no sensitive information intended to be on this thing, it seems pretty low risk, right?
That’s one risk. Someone could use it for a bot net or other attacks. Or he could try to escape the device and hack into other devices on the LAN. But also, it depends on the reward that a hacker can get. Is the expected reward worth the work to hack into your server?
I’m not saying it’s low risk because then you could/would blame me if something happens.
You’re a stranger on the internet. Even if I was so petty as to blame you, I’d have a hard time tracking you down, haha.
Backup and yolo 😎
I’m no security expert and my biggest concern with self-hosting is making a configuration error in the OS or some app, or missing a critical update that allows someone access to my personal data. In order to reduce the attack surface and management requirements my network can only be accessed through Wireguard. The random open WG ports do not respond to unauthenticated packets, so someone would have to have access to my configurations to be able to get past my firewall, at least in the absence of some yet unknown vulnerability. Of course that won’t prevent mistakes being made on PCs (especially Windows) but it’s one less thing to worry about.
Wireguard clients on our PCs and phones make connecting and accessing media and files a breeze. There are no third parties involved so enshittification by some company’s security breach or sudden monthly fee isn’t going to happen.
I have a Bosgame mini-PC that is completely inaudible unless you get close to it. Power draw is <15 watts under light load meaning that even with the high electricity rates where I live it costs less than $3.50 a month to operate. I’ve avoided hard drives because I don’t want to listen to them whine, so no comment there. Two simultaneous 1080p Jellyfin streams increase CPU utilization by less than a percent and it still is under 5% with a couple of other Docker containers running.
Good luck setting everything up to your liking.
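The WireGuard-only access described in the comment above, sketched as a host firewall. This is an added example, not configuration from the thread or from any commenter. The interface names (`eth0`, `wg0`), the LAN subnet and the WireGuard port 51820 are assumptions; 8096 is Jellyfin's default HTTP port.

```nftables
# /etc/nftables.conf -- constructed example, adjust names and addresses.
# Assumptions: eth0 = LAN-facing NIC, wg0 = WireGuard interface,
# 192.168.1.0/24 = home LAN, 51820/udp = WireGuard listen port.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host started.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 (needed for path MTU and IPv6 neighbour discovery).
        meta l4proto { icmp, ipv6-icmp } accept

        # The only port the router forwards from the internet.
        # WireGuard drops packets that do not authenticate, so a
        # scanner sees no reply on this port.
        iifname "eth0" udp dport 51820 accept

        # Jellyfin: reachable through the tunnel and from the home LAN,
        # never directly from a forwarded port.
        iifname "wg0" tcp dport 8096 accept
        iifname "eth0" ip saddr 192.168.1.0/24 tcp dport 8096 accept

        # Admin access from the LAN only (assumed SSH on port 22).
        iifname "eth0" ip saddr 192.168.1.0/24 tcp dport 22 accept

        # Count what gets dropped so unexpected probes are visible.
        counter drop
    }

    chain forward {
        # This host is not a router for other LAN devices.
        type filter hook forward priority 0; policy drop;
    }
}
```

With this in place, the router needs a single forward (UDP 51820 to this host); a forward for 8096 is the direct exposure the thread is discussing and is deliberately absent.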
Thanks! I feel pretty good about the power draw based on what you wrote, even though HDDs are going to add to that, and that’s good to hear about the mini PC running Jellyfin, which gives me some hope for the on-board server in a NAS like the one I’m eyeing. And even if that doesn’t work out, I’ve got my own mini PC that I should be able to leave in place most of the time.
Q2 uses vpn. That way you’re not exposing jellyfin. I have wireguard on my router
Sorry, but the SEO on “Q2” is pretty bad. What are you referring to? And what are the actual risks of a port being exposed to the outside world via an off-the-shelf router? Surely they can always hit my IP, and if this port is only exposed for Jellyfin, it would be just as vulnerable as any other port that calls out, right? I ask that knowing that it must be wrong, but I don’t understand how.
There is always risk with exposing something to the Internet or untrusted people. You need to take steps to mitigate the risk.
- Make sure you patch
- Make sure you only expose as little as possible
- Use https/tls
- Have good, automated, tested backups to media that gets disconnected!
- Having access logs enabled
- Isolate and separate from any private/internal stuff as much as possible. Separate hardware, separate VLANs, separate VMs

https://www.reddit.com/r/selfhosted/comments/yc2wmd/is_it_dangerous_to_open_http_ports_to_the_world/
That’s why my reply was to use a VPN. Wireguard is silent, so it won’t respond without a valid key, and Jellyfin is not directly exposed to the whole world as it is behind the VPN.
Short for question #2
Oh, sorry, haha. There’s a lot of jargon thrown around in a place like this, and I thought this was one I missed.
No worries, sorry for using shorthand. I was on my phone and I always misclick with the soft keyboard, so I tend to use shorthand there.


