[Help Needed] How to prevent anonymous access to resources(poster) on Jellyfin server
[Help Needed] How to prevent anonymous access to resources(poster) on Jellyfin server - nikoinfo - 2024-10-07

I deployed Jellyfin on Windows, version 10.9.10. Everything was fine after deployment. However, I found an issue: if I put it on the internet, then even anonymously, without logging in, as long as there is a URL, things like the movie poster can be seen. How can I prevent anonymous access to any images or movie introduction materials on my server? I use HTTP.

RE: [Help Needed] How to prevent anonymous access to resources(poster) on Jellyfin server - TheDreadPirate - 2024-10-07

Someone would need the exact path for the image or intro. I'm sure you've noticed that the links for most things in Jellyfin contain really long strings of random characters. So someone would need to brute force your server to find even one publicly accessible item. Nobody is going to spend the time to do that for a random person on the Internet's Jellyfin server.

At a minimum go to Dashboard > Users, and in each user check "Hide this user from login screens". If you don't hide users, the login screen will display all the users available, removing one barrier for a hypothetical attacker.

RE: [Help Needed] How to prevent anonymous access to resources(poster) on Jellyfin server - nikoinfo - 2024-10-12

Thanks, I used a scan tool to scan my server and found this out. It looks like it can't block anonymous access.

RE: [Help Needed] How to prevent anonymous access to resources(poster) on Jellyfin server - TheDreadPirate - 2024-10-13

Are you using a reverse proxy? Or just Jellyfin with 8096 port forwarding? I haven't been able to get Jellyfin to show me anything without also providing an API key with a reverse proxy in front using https.
RE: [Help Needed] How to prevent anonymous access to resources(poster) on Jellyfin server - nikoinfo - 2024-10-14

Just Jellyfin with 8096 port forwarding. All the poster images can be seen by anonymous users.

RE: [Help Needed] How to prevent anonymous access to resources(poster) on Jellyfin server - TheDreadPirate - 2024-10-14

Ah. Posters. I had it in my head you were talking about the actual media. Reading comprehension fail.

That is the current behavior, yes. It is a known issue that requires a significant rework of how images are served. Here is the GitHub issue that is a sort of "collection of known security issues".

https://github.com/jellyfin/jellyfin/issues/5415

Most are relatively minor. The team has addressed more severe security issues when disclosed, such as privilege escalation vulnerabilities, and unauthenticated access to media.

Some ways to mitigate risk are the following.

1) Hide user names from the login screen (default behavior now, IIRC)
2) Use a reverse proxy and https instead of directly exposing Jellyfin to the Internet
3) Set up fail2ban for both Jellyfin and your reverse proxy to ban repeated login/access failures

RE: [Help Needed] How to prevent anonymous access to resources(poster) on Jellyfin server - nikoinfo - 2024-10-15

Thanks.
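
Mitigation 3 in the thread relies on fail2ban counting repeated login failures per IP inside a time window. The following is an added example, not part of the thread and not Jellyfin or fail2ban code, that shows that decision logic in Python. It assumes Jellyfin's denied-login log message and timestamp layout; the function name, thresholds and sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: "[date time.ms +offset] ... Authentication request for
# "<user>" has been denied (IP: "<addr>")". The offset is ignored here, so all
# lines are assumed to share one time zone.
DENIED = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ [+-]\d{2}:\d{2}\].*'
    r'Authentication request for .* has been denied \(IP: "(?P<ip>[^"]+)"\)'
)

def ips_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return IPs with at least maxretry denied logins within findtime."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    banned = []
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue                 # other log events do not count
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()         # forget failures older than findtime
        if len(window) >= maxretry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

# Constructed sample lines using documentation-range addresses.
_P = "[INF] [31] Jellyfin.Server.Implementations.Users.UserManager: "
_D = 'Authentication request for "admin" has been denied (IP: "{}").'
SAMPLE_LOG = [
    "[2024-10-14 20:00:01.100 +00:00] " + _P + _D.format("203.0.113.7"),
    "[2024-10-14 20:00:02.000 +00:00] [INF] [1] Main: Startup complete",
    "[2024-10-14 20:00:05.250 +00:00] " + _P + _D.format("203.0.113.7"),
    "[2024-10-14 20:00:09.010 +00:00] " + _P + _D.format("198.51.100.4"),
    "[2024-10-14 20:00:12.700 +00:00] " + _P + _D.format("203.0.113.7"),
    "[2024-10-14 20:30:00.000 +00:00] " + _P + _D.format("198.51.100.4"),
    "[2024-10-14 20:31:00.000 +00:00] " + _P + _D.format("198.51.100.4"),
]

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))
```

The second address fails three times in total but never three times within ten minutes, so only the first address crosses the default threshold.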