Anecdotal security risks of exposing JF to internet

[ploni]

I normally access JF only through Tailscale but I am considering exposing it to the internet, perhaps using Tailscale funnel. I have seen many discussions of whether this is safe and I have also seen the list of potential security issues on GitHub (unauthenticated play being possibly allowed etc). I have also seen JF statements that exposure to internet should be done with caution. I am curious about how common issues (being hacked) are in practice. Googling ‘Jellyfin hacked’ brings up almost nothing. Is there any anecdotal or other data?

[mikul]

Private servers aren't attractive targets, so they're unlikely to be attacked. Assuring that accounts are required on Jellyfin further reduces avenues of attack especially if you avoid common account names (e.g. admin). If Jellyfin had a vulnerability, it could be exploited, but this can be mitigated with the proper permissions being set on the server: don't run with admin privileges, limited access to the hard drive, etc. If your server supports it you can limit access geographically although there are obvious ways around this.

Tailscale or reverse proxy access is always recommended, however prior to implementing this, I had a few services open to the internet for years and never had a single failed login attempt that I didn't cause.

[TheDreadPirate]

Definitely going to echo Mikul's sentiment that private servers are NOT attractive targets. There is little/no money in it for hackers. The most unsolicited activity you will get on your server are low effort script kiddies looking for unpatched Windows 7 hosts.

The statements The Jellyfin Project makes about exposing Jellyfin directly to the Internet, without a reverse proxy, is less about Jellyfin being insecure and more about there being no effort made to make Jellyfin secure. Does that make sense? This is why we recommend having a reverse proxy in front of Jellyfin since Nginx/Apache/Caddy/etc. ARE hardened and significant effort has been made to make them secure.

Keep your OS up to date, keep your reverse proxy up to date. You shouldn't have a problem.

[ploni]

Thanks mikul and TheDreadPirate - that's reassuring

[abpjf]

My public JF server is totally drop-trou on the interwebs, plain http. I basically don't care who can "break into" it (as in, not my authorized users) since it's on a segregated machine on a separate network from my personal network. What can they do? Delete media? Eh, got nightly backups of everything in the unlikely event that occurs. Lift my users' data? Eh, I create their (admittedly both as ridiculous as possible) usernames and passwords, so who cares what malefactors do with that? Take down the server altogether? Meh, can easily spool up the duplicate in essentially no time.

TLDR - it's simply not important enough for / to me to waste my time implementing the "secure" measures.