2025-08-12, 11:27 AM
(This post was last modified: 2025-08-12, 04:06 PM by leucht. Edited 3 times in total.)
(Will update if I see more unique addresses)
Been hosting my Jellyfin-Instance publicly for a while now and been seeing a potential exploitation attempt since late yesterday. 2 IPs / IP-Ranges have been specifically targeting the active Jellyfin-Instances.
My infrastructure is hosted through Cloudflare (without Proxy since it's against TOS) with Traefik + Crowdsec + GeoIPBlock at the edge. All incoming traffic from outside a certain list of countries is blocked.
Since late yesterday I saw multiple German IPs / IP-Ranges first & second continuously looking at 3 different directories of my public-facing Jellyfin Server:
System/Info/Public
Users/Me (gets 401)
Branding/Configuration
The crawler seems to check for instances that have not completed the full setup process or might try to scan for servers running vulnerable versions of Jellyfin.
Please be aware and check your logs regularly if you are hosting publicly facing instances. Better yet put them behind a VPN like Tailscale or Zerotier if you got the chance and keep your server up to date.
Cheers
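
Added example, not part of the original post: one way to pull the pattern described above out of a reverse-proxy access log. It assumes log lines that begin with the Common Log Format fields and that Jellyfin is served at the site root; the function name `find_probers`, the `min_hits` threshold and the "requested nothing else" heuristic are assumptions of this sketch, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# The three endpoints named in the post, lower-cased for case-insensitive matching.
PROBE_PATHS = {"/system/info/public", "/users/me", "/branding/configuration"}

# Common Log Format prefix: client IP, timestamp, request line, status code.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:09:00:01 +0000] "GET /System/Info/Public HTTP/1.1" 200 412
203.0.113.7 - - [12/Aug/2025:09:00:02 +0000] "GET /Users/Me HTTP/1.1" 401 0
203.0.113.7 - - [12/Aug/2025:09:00:03 +0000] "GET /Branding/Configuration HTTP/1.1" 200 88
203.0.113.7 - - [12/Aug/2025:09:05:01 +0000] "GET /System/Info/Public HTTP/1.1" 200 412
203.0.113.7 - - [12/Aug/2025:09:05:02 +0000] "GET /Users/Me HTTP/1.1" 401 0
198.51.100.20 - - [12/Aug/2025:09:01:00 +0000] "GET /web/index.html HTTP/1.1" 200 9120
198.51.100.20 - - [12/Aug/2025:09:01:01 +0000] "GET /System/Info/Public HTTP/1.1" 200 412
198.51.100.20 - - [12/Aug/2025:09:01:01 +0000] "GET /Branding/Configuration HTTP/1.1" 200 88
198.51.100.20 - - [12/Aug/2025:09:01:02 +0000] "GET /Users/Me HTTP/1.1" 401 0
198.51.100.20 - - [12/Aug/2025:09:01:09 +0000] "POST /Users/AuthenticateByName HTTP/1.1" 200 1530
192.0.2.55 - - [12/Aug/2025:09:02:00 +0000] "GET /System/Info/Public?x=1 HTTP/1.1" 200 412
"""

def find_probers(log_text, min_hits=3):
    """Return {ip: hit_count} for clients that requested all three probe
    paths, got 401 on Users/Me, and requested nothing else."""
    seen = defaultdict(lambda: {"probe": set(), "other": 0, "hits": 0, "me_401": False})
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0].rstrip("/").lower()
        rec = seen[ip]
        if path in PROBE_PATHS:
            rec["probe"].add(path)
            rec["hits"] += 1
            rec["me_401"] |= path == "/users/me" and status == "401"
        else:
            rec["other"] += 1
    return {ip: r["hits"] for ip, r in seen.items()
            if r["probe"] == PROBE_PATHS and r["other"] == 0
            and r["me_401"] and r["hits"] >= min_hits}

if __name__ == "__main__":
    for ip, hits in find_probers(SAMPLE_LOG).items():
        print(f"{ip}: {hits} requests, only to the three probed endpoints")
```

A normal client also touches these endpoints while loading the login page, which is why the sketch only reports addresses that requested nothing else.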