I have a Jellyfin instance on my local server which I forward to the public web via a Cloudflare Tunnel. I’m not sure how secure it is, and I keep getting random requests from all over the world. It’s my first experience maintaining something on a public domain so I may be worrying about something obvious, but some advice would still be appreciated.

My SSL/TLS encryption mode appears to be “Full”.

  • Trent@lemmy.ml · 47 up · 11 months ago

    Any time I’ve ever had a server of any kind connected to the net it’s gotten endless ‘doorknob turning’ from bots scanning for stuff. At the very least, bots trying ssh passwords on common accounts.

    I don’t have any specific jellyfin advice, but random attempts from all over is pretty usual on the net these days.

      • stom@lemmy.world · 19 up, 1 down · 11 months ago

        “wHAt aRe yOu 12”

        Be less of a cock. Everyone was 12 once.

      • whereBeWaldo@lemmy.dbzer0.com · 2 up, 1 down · 11 months ago

        Dude, are you thinking for a fraction of a second before writing your comment, or just typing random insults for the sake of insulting random people?

        Why would he say “these days” if he were 12? The situation would’ve been the same for his whole life.

        • deadbeef@lemmy.world · 1 up · 11 months ago

          Mean, but admining a public endpoint without this even crossing your mind is a good way to show how green you are.

  • Synapse@lemmy.world · 19 up, 1 down · 11 months ago

    It sounds like you made your Jellyfin server public-facing, which is probably not what you want, even though it is supposed to be secured.

    I recommend that you set up access through an exclusive and private connection of some kind, e.g. VPN, Tailscale, ZeroTier.

    • nolight@lemm.ee (OP) · 10 up · 11 months ago

      Thanks! No, that’s exactly what I wanted to do :) I was just wondering if it’s okay to have this many random requests, which seems to be fine.

      • Synapse@lemmy.world · 10 up, 1 down · 11 months ago

        Understood. Any public-facing server will be bombarded by bots. You need to deploy measures to avoid being hacked:

        1. Firewall: lock down everything, allow only the strictly necessary
        2. Remote login/SSH: change the default username and password, only allow remote login using key-based authentication
        3. (Optional) configure fail2ban to slow down the attacks
        4. Keep your server up to date: configure auto-update, unattended-upgrades or similar
        5. Set up and keep regular backups: be ready to nuke your server at any time, with the confidence you can restart fresh in a short time and with low effort

        Obviously, there are many other security steps that can be put in place, but firewall and SSH hardening are absolutely mandatory.
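
A worked check for the SSH items in the list above, added here as an example; it is not from Synapse's comment or from any project. The script reads an sshd configuration dump in the `key value` form that `sshd -T` prints (which already resolves `Include` files and first-match-wins duplicates) and flags the settings that still let bots guess passwords. The dumps embedded below are constructed stand-ins for real `sshd -T` output, and `sshd_option`, `audit_sshd` and `hardened_sshd_dropin` are names chosen for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. On a real host feed it `sudo sshd -T`
# output; the WEAK_DUMP below is a constructed stand-in for that output.

# Look up one option in a dump. Keys are compared case-insensitively because
# sshd -T prints them lowercased while a hand-written sshd_config uses
# CamelCase. The first match wins, which is also how sshd resolves duplicates.
sshd_option() {                      # $1 = dump text, $2 = keyword, $3 = default
  local dump=$1 key=$2 default=$3 val
  val=$(printf '%s\n' "$dump" \
        | awk -v k="$key" 'tolower($1)==tolower(k) {print tolower($2); exit}')
  printf '%s\n' "${val:-$default}"
}

# Returns 0 if the dump is hardened, 1 otherwise, printing one line per
# failing check. The second column is OpenSSH's own default (sshd_config(5)),
# so an absent line is judged by what sshd actually does, not counted as a pass.
audit_sshd() {                       # $1 = dump text
  local dump=$1 rc=0 key default want got
  while read -r key default want; do
    got=$(sshd_option "$dump" "$key" "$default")
    if [ "$got" != "$want" ]; then
      echo "FAIL: $key is '$got', want '$want'"
      rc=1
    fi
  done <<'EOF'
PasswordAuthentication yes no
KbdInteractiveAuthentication yes no
PermitRootLogin prohibit-password no
PubkeyAuthentication yes yes
MaxAuthTries 6 3
EOF
  # KbdInteractiveAuthentication matters because PAM can still prompt for a
  # password through it; OpenSSH older than 8.7 spells it
  # ChallengeResponseAuthentication, so check that name on old hosts.
  return $rc
}

# The drop-in that satisfies the audit. On Debian/Ubuntu it belongs in
# /etc/ssh/sshd_config.d/ (path assumed); run `sshd -t` before restarting and
# keep a second session open until a key login has been confirmed.
hardened_sshd_dropin() {
  cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
}

# Constructed stand-in for `sshd -T` on a stock install: root may log in with
# a password, keyboard-interactive is left at its default, six tries per connection.
WEAK_DUMP='port 22
passwordauthentication yes
permitrootlogin yes
pubkeyauthentication yes
maxauthtries 6'

if audit_sshd "$WEAK_DUMP"; then echo "stock config: hardened"; else echo "stock config: NOT hardened"; fi
if audit_sshd "$(hardened_sshd_dropin)"; then echo "drop-in: hardened"; fi
```

Run it as `sudo sshd -T | audit_sshd "$(cat)"` style, or paste the dump in; the point of using `sshd -T` rather than grepping `/etc/ssh/sshd_config` is that distributions now ship an `Include sshd_config.d/*.conf` line whose files silently override the main file.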

  • Petter1@lemm.ee · 14 up, 1 down · 11 months ago

    I’d only access my Jellyfin through a VPN like WireGuard. As a plus, you can route your DNS calls to your DNS server in your home network (like AdGuard) and always have most ads blocked in any app, even on iOS.

    • The Pantser@lemmy.world · 3 up · 11 months ago

      If I didn’t use wireless Android Auto I would totally use a VPN at all times, but the fact that AA refuses to connect wirelessly with a VPN sucks.

        • The Pantser@lemmy.world · 1 up · 11 months ago

          Yeah, I am using UniFi. I might have to switch my client if I can figure out how to connect to my existing WireGuard setup that I have on my Dream Machine.

      • Petter1@lemm.ee · 1 up · 11 months ago

        😳 What?? Why would AA not work with a VPN?! What a deal breaker, lol. I guess I’ll keep my iPhone X in the car for CarPlay after switching to a new (maybe not Apple) phone in that case.

        • The Pantser@lemmy.world · 2 up · 11 months ago

          Wired works, but because wireless AA needs to use Wi-Fi, the VPN blocks the communication. It only works with VPN providers that allow split tunnels, which the one I use does not. I use UniFi one-click VPN, which is subscription free.

          • Petter1@lemm.ee · 1 up · 11 months ago

            Ah, I see, I guess WireGuard would be able to handle this, in that case, since you can choose which IPs go through the tunnel and which not. But honestly, I always plug my phone into the car by cable.
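
The split-tunnel point in the exchange above, as an added example that is not part of any comment in the thread: the only thing that decides whether a WireGuard client sends everything through the tunnel or just the home network is the `AllowedIPs` line in the `[Peer]` section. `wg_client_conf` emits a client config in either mode and `wg_tunnel_mode` classifies an existing one; the addresses, hostname and key placeholders are made up for the example, and the two function names are mine.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. The 10.8.0.0/24 tunnel subnet, the
# 192.168.1.0/24 home LAN, the 192.168.1.53 AdGuard resolver and
# vpn.example.net are placeholders; keys are left as <...> markers.

# Emit a client config. $1 = "split" or "full".
# split: only the tunnel subnet and the home LAN are routed into the tunnel,
#        so the car's Wi-Fi link (wireless Android Auto) and all other traffic
#        stay outside it, while DNS still goes to the home resolver because
#        192.168.1.53 is inside AllowedIPs.
# full:  0.0.0.0/0 and ::/0 pull every packet into the tunnel, which is the
#        mode that breaks wireless Android Auto.
wg_client_conf() {
  local mode=$1 allowed
  case $mode in
    split) allowed='10.8.0.0/24, 192.168.1.0/24' ;;
    full)  allowed='0.0.0.0/0, ::/0' ;;
    *)     echo "usage: wg_client_conf split|full" >&2; return 2 ;;
  esac
  cat <<EOF
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24
# AdGuard at home; reachable only while the tunnel is up
DNS = 192.168.1.53

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = $allowed
PersistentKeepalive = 25
EOF
}

# Classify an existing config: prints "full" if any AllowedIPs entry is a
# default route (0.0.0.0/0 or ::/0), otherwise "split". Handles several
# [Peer] sections and comma-separated lists, ignores comment lines.
wg_tunnel_mode() {                   # $1 = config text
  printf '%s\n' "$1" \
  | awk -F'=' '
      /^[[:space:]]*#/ { next }
      tolower($1) ~ /^[[:space:]]*allowedips[[:space:]]*$/ {
        n = split($2, cidr, ",")
        for (i = 1; i <= n; i++) {
          gsub(/[[:space:]]/, "", cidr[i])
          if (cidr[i] == "0.0.0.0/0" || cidr[i] == "::/0") full = 1
        }
      }
      END { print (full ? "full" : "split") }'
}

echo "split config classified as: $(wg_tunnel_mode "$(wg_client_conf split)")"
echo "full config classified as:  $(wg_tunnel_mode "$(wg_client_conf full)")"
```

Pointing `DNS` at the home resolver in split mode keeps the ad blocking Petter1 describes without routing the rest of the phone's traffic through home; the official WireGuard Android app additionally offers an "Excluded Applications" list per tunnel if a single app needs to bypass it.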

  • Specal@lemmy.world · 9 up · 11 months ago

    It’s just bots; they scan IP addresses and open ports looking for vulnerabilities. I remember my first experience with this, putting my first game server online for a game I was making, thinking to myself “who the fuck are these people trying to connect to my game? How did they even have it?” It’s nothing to worry about unless you have a lack of, or poor, authentication.

  • fastfomo7@lemmy.dbzer0.com · 1 up · 11 months ago

    What about mTLS? Since you are already on Cloudflare, you might consider their client cert feature, which blocks all incoming traffic without the cert. However, you do have to manage it and set it up on all your devices.