What’s your go too (secure) method for casting over the internet with a Jellyfin server.

I’m wondering what to use and I’m pretty beginner at this

  • Novi@sh.itjust.worksEnglish
    594·
    23 hours ago

    I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.

    • Everyday0764@lemmy.zipEnglish
      1·
      47 minutes ago

      i have ssh on a random port and only get so many scan, so low that fail2ban never banned anyone that was not myself (accidentally).

    • Lucy :3@feddit.orgEnglish
      441·
      23 hours ago

      fail2ban with endlessh and abuseipdb as actions

      Anything that’s not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.

      • mosiacmango@lemm.eeEnglish
        22·
        16 hours ago

        Youve minimized login risk, but not any 0 days or newly discovered vulnerabilites in your ssh server software. Its still best to not directly expose any ports you dont need to regularly interact with to the internet.

        Also, Look into crowdsec as a fail2ban replacement. Its uses automatically crowdsourced info to pre block IPs. A bit more proactive compared to abuseipdb manual reporting.

        • Thaurin@lemmy.worldEnglish
          1·
          1 hour ago

          I have the firewall of my VPS reject any IP range except the ones I’m on frequently, that is mobile, home and work. Sucks when you travel, but otherwise works alright.

          Still exposes ports to some people on the same mobile or home internet service networks…

    • drkt@scribe.disroot.orgEnglish
      154·
      22 hours ago

      They can try all they like, man. They’re not gonna guess a username, key and password.

      • adr1an@programming.devEnglish
        41·
        11 hours ago

        Only the failed attempts could be a Denial Of Service and throw you out. So, at least add an ever increasing delay to those. Fail2ban is important.

        • Thaurin@lemmy.worldEnglish
          1·
          1 hour ago

          I remember that one. Those are pretty rare and usually involve a specific configuration that is often not the default, though, right? When such a vulnerability is found, is it rightly so major news.

        • drkt@scribe.disroot.orgEnglish
          233·
          19 hours ago

          If you’re going to open something, SSH is far, far more battle-tested than much other software, even popular software. Pragmatically, If someone is sitting on a 0-day for SSH, do you genuinely think they’re gonna waste that on you and me? Either they’re gonna sell it to cash out as fast as possible, or they’ll sit on it while plotting an attack against someone who has real money. It is an unhealthy level of paranoia to suggest that SSH is not secure, or that it’s less secure than the hundreds of other solutions to this problem.

          Here is my IP address, make me eat my words.
          2a05:f6c7:8321::164 | 89.160.150.164

          • pm_me_your_puppies@infosec.pubEnglish
            8·
            17 hours ago

            You got balls to post you public addresses like that… I mean I agree with you wholeheartedly and I also have SSH port forwarded on my firewall, but posting your public IP is next-level confidence.

            Respect.

          • Ptsf@lemmy.worldEnglish
            61·
            19 hours ago

            I linked a relevant vulnerability, but even ignoring that, pragmatically, you feel they’d be targeting specific targets instead of just what they currently do? (That, by the way, is automating the compromise of vulnerable clients in mass scale to power botnets). Any service you open on your device to the internet is inherently risky. Ssh best practices are, and have been since the early days, not to expose it to the internet directly.

            • drkt@scribe.disroot.orgEnglish
              5·
              7 hours ago

              You did link a vulnerability! That is true. I didn’t claim SSH had a clean track record, I claimed it had a better track record than most other software. That vulnerability is hard to exploit, and generates a lot of noise if you were to try, which nobody has because it’s never been found in the wild.

              People who sit on 0-days for critical software like SSH don’t go out and try to mass-exploit it because it will be found within the day and patched within the week once they start making noise. This is not a quiet exploit. If they’re smart, they sell it. If they’re ambitious, they build an elaborate multi-chain attack against a specific target. Only 0.14% of devices vulnerable to this exploit are EoL versions of OpenSSH, so once this was patched, it was no longer a useful attack vector.

              It would also have been completely negated by fail2ban, which is prominently deployed on internet facing SSH, as it required thousands and thousands of connection attempts to trigger the condition. It could also have been mitigated by not running sshd as root, though I understand that most people don’t want to deal with that headache even though it is possible.

              There are thousands of independent honeypots that sit quietly and sniff all the mass-attacks and they earn their daily bread by aggregating and reporting this data. If you run a mass exploit, you will be found within the day. Trust me, I burned an IP address by regularly scanning the whole IPv4 space. You are going to end up on blacklists real fuckin’ fast and whatever you were doing will be noticed and reported.

              If you’re going to open something, SSH is a very safe choice. But yes, don’t open it if you don’t need it. We are discussing how to open a service to the internet safely, though, so we need it.