Increasing security for my Home server - Jellyfin Forum (https://forum.jellyfin.org)
Increasing security for my Home server - wenzelja - 2025-01-02

So my Jellyfin server is an Intel 12th Gen i7-12700 desktop computer running Windows 11 with 16 GB RAM, and UHD770 integrated graphics. I have Jellyfin running with a DuckDNS domain for my dDNS, and Caddy as a service for my reverse proxy. I also occasionally connect to the computer remotely via Windows Remote Desktop Connection, so there are a few ports exposed (80, 443, 2019, and 3389 that I recall). What are my next steps for better security, or am I at a "good enough" stage? Also, I would need Windows-specific steps for any recommendations.

RE: Increasing security for my Home server - TheDreadPirate - 2025-01-02

IMO, RDP should not be on the default port. I learned that lesson the hard way, luckily without an actual compromise. You could go one step further and have http and https on non-standard ports as well. Using non-standard ports doesn't make you "safe", but it reduces the number of attempts due to most attempts being from low-effort script kiddies looking for unpatched systems.

RE: Increasing security for my Home server - wenzelja - 2025-01-02

(2025-01-02, 07:02 PM)TheDreadPirate Wrote: IMO, RDP should not be on the default port. I learned that lesson the hard way, luckily without an actual compromise.

How would I move RDP to a non-standard port? In Settings\System\Remote Desktop, the port is listed but doesn't allow me to change it.

RE: Increasing security for my Home server - TheDreadPirate - 2025-01-02

On most routers it allows you to provide an external and internal port. You'd change the external port to something else, but leave the internal port on 3389.

RE: Increasing security for my Home server - wenzelja - 2025-01-02

(2025-01-02, 08:14 PM)TheDreadPirate Wrote: On most routers it allows you to provide an external and internal port. You'd change the external port to something else, but leave the internal port on 3389.

So I looked at my router under port forwarding and there is an option checked to make external and internal ports the same. So, do I just assign random port numbers to correspond with the internal ports, in order of the string of internal ports, I suppose?

RE: Increasing security for my Home server - TheDreadPirate - 2025-01-03

The external port would be a random ephemeral port (49152-65535), the internal port would be 3389.

RE: Increasing security for my Home server - wenzelja - 2025-01-04

(2025-01-03, 02:09 PM)TheDreadPirate Wrote: The external port would be a random ephemeral port (49152-65535), the internal port would be 3389.

Given the screenshot of my router port forwarding page above, would I just un-tick the "use same port range for internal port" check box and then in the external port field replace 3389 with one of the ports you suggested?

RE: Increasing security for my Home server - TheDreadPirate - 2025-01-04

Yes. You'd need to uncheck that so that you make the external port different from the internal port.

RE: Increasing security for my Home server - Wanni - 2025-01-06

I would not expose RDP directly at all. Better to use RDP over SSH. Using "putty" as the SSH client and, after connecting, RDP to your server. You will find plenty of guides on how to do this - just google.
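
An added example, not part of any post in this thread: a read-only PowerShell check, run on the Windows server, of what is actually listening on the ports the original poster lists, which port RDP uses internally, and which inbound firewall rules cover those ports. The port list comes from the first post; `Test-PortMatch` is a hypothetical helper defined here, and the script changes no settings.

```powershell
# Added example: read-only audit of the ports named in the thread.
$ports = 80, 443, 2019, 3389

# 1. Which of those ports are listening, on what address, owned by which process.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port     = $_.LocalPort
            Address  = $_.LocalAddress
            Process  = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            # A loopback-only listener cannot be reached through a router port forward.
            Loopback = $_.LocalAddress -in '127.0.0.1', '::1'
        }
    } | Sort-Object Port, Address | Format-Table -AutoSize

# 2. The port RDP itself listens on (the internal port in the forwarding rule).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
"RDP internal port: $((Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber)"

# Hypothetical helper: match a port against a firewall spec ('Any', '3389', '8000-8100').
function Test-PortMatch([string[]]$Spec, [int]$Port) {
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and
            $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# 3. Enabled inbound allow rules covering those ports, with their source scope.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $rule = $_
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', 'Any') { return }
    $hit = $ports | Where-Object { Test-PortMatch $pf.LocalPort $_ }
    if (-not $hit) { return }
    $af = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule      = $rule.DisplayName
        Ports     = $hit -join ','
        Profile   = $rule.Profile
        Remote    = $af.RemoteAddress -join ','
        # 'Any' means the rule accepts connections from every source address.
        AnySource = ($af.RemoteAddress -contains 'Any')
    }
} | Sort-Object Ports, Rule | Format-Table -AutoSize -Wrap
```

Caddy's admin endpoint defaults to localhost:2019, so a loopback-only listener on 2019 is the expected result and that port does not need a router forward.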