+- Jellyfin Forum (https://forum.jellyfin.org)
+-- Forum: Support (https://forum.jellyfin.org/f-support)
+--- Forum: General Questions (https://forum.jellyfin.org/f-general-questions)
+--- Thread: Any security issues with remote access? Caddy + Dynamic DNS (/t-any-security-issues-with-remote-access-caddy-dynamic-dns)
Any security issues with remote access? Caddy + Dynamic DNS - c2h6 - 2024-04-17
Hey guys,
I've been using Jellyfin for a year or so, and finally mustered up the courage to figure out remote hosting. I have it working now using a combination of DuckDNS (to resolve my dynamic DNS) + Caddy (reverse proxy).
The thing is, I'm just a trained monkey following guides online. I know how everything works conceptually, but that's about it. I actually tried nginx for reverse proxy first but couldn't get the configuration right, and ended up following another guide that used Caddy - that's how clueless I am about networking.
My jellyfin server is running off my main computer, and I'm worried about any potential security risks in exposing my computer to the Internet. Here's my configuration:
- I have multiple users for Jellyfin but all of them don't have delete access (and are all password-protected). The only account with delete access is my Jellyfin admin account, and I disabled remote access for that account
- Currently only have Jellyfin but I hope to figure out nextcloud some time in future (I just need to learn how to configure Caddy to different ports based on subdomains/URLs)
- Router only has ports 80, 443 and another port (used by a torrent client) open. I've also changed the password to access my router's settings.
Given the above, what's the worst that a bad actor could do? I'm hoping that if I set everything right, the only possible security issue (barring an exploit in the Jellyfin software) is that someone guesses one of my users' passwords and gets to watch my media library?
Thanks!
RE: Any security issues with remote access? Caddy + Dynamic DNS - TheDreadPirate - 2024-04-17
No hacker with any skill is going to bother going after us small fries. Only low effort script kiddies looking for unpatched Windows 7/XP machines.
As long as you have Caddy in front of Jellyfin, use https with legit certs, keep everything up-to-date, and hide user names from the login screen you should be safe. If there is a hypothetical zero day someone could use to hack into your server, this hypothetical hacker is going to reserve that resource for mega corps and government agencies and not risk it on some dude running a Jellyfin server.
One thing that a lot of people overlook are proper file folder permissions, mainly on Linux. Users have a tendency to just "777" everything instead of learning Linux permissions.
RE: Any security issues with remote access? Caddy + Dynamic DNS - c2h6 - 2024-04-18
Thanks! Yeah I figured a random guy's media server isn't really valuable - i don't have anything super illegal to hide so nobody's targeting me, but I don't want to run the risk of accidentally exposing my data drives and having my personal data/photos leaked, or having my computer used as part of some botnet.
Regarding "use https with legit certs" - I read that Caddy uses https by default, is this true? Is there anything I can do to verify this - if i can access my own server remotely using https://my.dns.com (as opposed to http://), does that mean i've got the certs working correctly?
RE: Any security issues with remote access? Caddy + Dynamic DNS - TheDreadPirate - 2024-04-18
I don't use caddy (Nginx), but if you've enabled https it should automatically get legit certs from Let's Encrypt.