2025-04-07, 12:27 AM
That specific warning is nothing to worry about.
The dangers of exposing your server to the Internet are simultaneously exaggerated but also very real.
Keep your server up-to-date, keep Caddy up-to-date, keep Jellyfin up-to-date, hide users from the Jellyfin login screen (default), use good password hygiene. 99.9999% of attacks are no longer effective.
The most common thing you will encounter is low-effort script kiddies looking for unpatched Windows 7 systems and the like. Or unpatched systems in general, using known, often very old, vulnerabilities. Which is completely mitigated by updating as soon as possible.
For the rest, you can take the additional step of setting up fail2ban to scan your Jellyfin logs for failed login attempts and then IP ban once they reach a threshold.
https://jellyfin.org/docs/general/networking/fail2ban/
A lot of other software, not just Jellyfin, can make use of fail2ban and there are often fail2ban config examples out there on the Internet for a lot of the software you might be self-hosting.
Another thing you could do is have Caddy run on a port other than port 443. Since you are using DNS challenges for your certs, you don't need to use port 443. Regardless of whether you are using DNS challenges or not, since Caddy can do TLS challenges, you just straight up don't need to open port 80. Since a lot of script kiddies only scan common service ports, running on a random port significantly reduces the number of attempts that even reach your server. Though this has the annoyance that all clients need to append the port number to your URL.
FWIW, I have NEVER had randos attempting to log in to Jellyfin while running on a random port.
Again, take security seriously. But also don't worry too much.
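The threshold banning described in the post, as an added example that is not part of the original post and is not fail2ban's or Jellyfin's own code: it scans log lines for denied logins and reports an IP once it reaches `maxretry` failures inside a `findtime` window. The log line shape, the sample log and the names `find_bans`, `DENIED` and `_deny` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape; compare with a real denied login in your own Jellyfin log.
DENIED = re.compile(
    r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)[^\]]*\].*'
    r'Authentication request for .* has been denied '
    r'\(IP: "(?P<ip>[0-9A-Fa-f:.]+)"\)\.?\s*$'
)

def find_bans(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time the threshold was reached}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in lines:
        m = DENIED.match(line)
        if not m or m["ip"] in bans:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        # Forget failures older than findtime, so occasional typos never add up.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[m["ip"]] = ts
    return bans

def _deny(clock, user, ip):
    # Constructed log line (simplified prefix, documentation-range addresses).
    return (f'[2025-04-07 {clock}.000 +00:00] [INF] [12] Authentication '
            f'request for "{user}" has been denied (IP: "{ip}").')

SAMPLE_LOG = [
    _deny("12:00:01", "admin", "203.0.113.7"),
    _deny("12:00:05", "root", "203.0.113.7"),
    _deny("12:00:09", "jellyfin", "203.0.113.7"),
    '[2025-04-07 12:00:30.000 +00:00] [INF] [12] User "alice" logged in',  # ignored
    _deny("12:01:00", "alice", "198.51.100.20"),
    _deny("12:30:00", "alice", "198.51.100.20"),
    _deny("13:10:00", "alice", "198.51.100.20"),
]

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached {when})")
```

With Caddy in front, the address Jellyfin logs is the client's only if Jellyfin is set to trust the proxy's forwarded address; otherwise every failure appears to come from Caddy itself.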