Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?
Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?
Meh. If someone hacks my server and watches TV then idc, have at it. They earned it
EDIT: the downvotes are warranted but they change nothing
Sure… If someone managed to stream some of my media… They probably earned it… But then they exploit a vulnerability to perform arbitrary code execution, and leverage that to hack everything else on my network…
https://app.opencve.io/cve/CVE-2023-30626
I’m learning a lot of this as I go and have not exposed any services to the internet yet, but would VLANs not contain the damage to a limited portion of the network? Because that’s the plan I’m working toward. Not just for Jellyfin but a handful of other services.
That… might work. Do you have a different physical server for each service though?
The issue is once someone is in, then they can try to jailbreak and move laterally to get to other things. Other devices, into the file system.
Jellyfin might not be your concern, but are there other files on that server? Or services? Secrets passwords etc? If anything else is on that vlan, what security flaws might be there that an attacker could use?
There is no personal information on anything in that proposed VLAN currently, and in the future, the most personal stuff it will include is a chat program to replace Discord. In all, I’m assuming I can run the reverse proxy and most services (not even a dozen) on a mini PC, and then somewhere between 1-4 on a NAS. Two devices total on this VLAN, unless I learn of something that would change this plan.
If Jellyfin gets compromised, you risk everything else on the same server getting compromised, as well as everything that server can reach.
VLANs can certainly reduce what is at risk, but wouldn’t the machine running the Jellyfin client be reachable from the Jellyfin server? And if they manage to move laterally to the client machine, what could they then reach from there?
Again, still learning, but my understanding is that that’s what VLAN rules can protect against.
That depends a lot on what you do with them…
VLANs work on a layer where devices can either reach each other or they cannot.
Let’s say you have your main desktop computer in the “main” VLAN, and your Jellyfin server in the “jellyfin” VLAN, and a third server for your home-assistant in the “home-assistant” VLAN, and finally some IOT devices in the “iot” VLAN.
You connect the VLANs as follows:
Remember that all connected VLANs much be bidirectional.
Now someone compromises your Jellyfin. They now control and has access to everything on the Jellyfin server, but they also have network reachability to your main computer, because your “main” and “home-assistant” VLANs are connected. They can now try to exploit your main computer.
If they are successful in exploiting your main computer, then they can use your main computer to jump to the home-assistant server because again, these two VLANs are connected. And you likely have the credentials for accessing home-assistant available on your main computer somewhere.
Now they are on your home-assistant server, and they can now start trying to exploit your IOT devices.
If VLANs are connected, they don’t care which direction the traffic flows.
If you want to control traffic flow directions you need a firewall. A firewall can sit between VLANs and block traffic coming from one to other, but not the other to the one.
I’ve got a firewall. I also have two managed switches to route the VLANs that I’ll be setting up in the coming days. I’ve got a handful of guides I’ve visited and will be revisiting in order to do it the way I want, which I believe will be a reasonable level of security. Acknowledging that you were just trying to be a friendly neighbor, does this plan still hold up to your wisdom thus far?
Remote code execution is a concern. Your server and your network as a whole (including other VLANs) are susceptible to attack if Jellyfin is compromised. If Jellyfin is running on the host, it would be trivial to hack your server (and anything else running/connected to it). If Jellyfin is in a Docker/Podman containers, it doesnt prevent attacks against the host (sandbox escape, kernel privilege escalation, etc), or against your network over some ports. Even if the server is on it’s own VLAN, a vulnerability or weakness in your router could still lead to a compromise, meaning that any devices that is in any way connected to your router (including personal devices) could be attacked.
There is a lot of depth to this topic of course. And at some point you just calculate your risks and weigh your options. There is no such thing as perfect security of course.
Didn’t down vote, and I get what you’re saying to a certain extent. I’m not touting my server as hack-proof in the least, but it would take some work. My concern wouldn’t be someone hacking in and listening to my personal music collection I’ve been working on for decades…it goes all the way back to 1937.
I would be more concerned that my compromised server was used as a zombie attack on some other server. The first VPS server got ransacked and used over-nite to (unsuccessfully) DDoS another business site.I got a ton of nasty grams for that boner. I didn’t loose anything but time.
Bitcoin miners are easy to spot. I’ve never really understood why someone would hack into a small server and deploy a nefarious miner. On a huge corporate server farm, sure. But not some small selfhost VPS somebody found on lowendbox.
Because they’re not mining on just one, they’re mining on thousands.
I understand economy of scale, but how much could you actually mine over nite on a little droplet before junior sysadmin notices that there is an influx of nasty grams in his in box and his little 4 banger VPS is maxed out on resources.
Long enough to make it worth it. Most people aren’t paying that much attention.