• Login
  • Register
    • Login Register
    Login
    Username/Email:
    Password:
    Or login with a social network below
  • Forum
  • Website
  • GitHub
  • Status
  • Translation
  • Features
  • Team
  • Rules
  • Help
  • Feeds
User Links
  • Login
  • Register
    • Login Register
    Login
    Username/Email:
    Password:
    Or login with a social network below

    Useful Links Forum Website GitHub Status Translation Features Team Rules Help Feeds
    Jellyfin Forum Off Topic Self-hosting & Homelabs Best Security Practices?

     
    • 0 Vote(s) - 0 Average

    Best Security Practices?

    4r5hw45twh
    Offline

    Member
    Posts: 122
    Threads: 29
    Joined: 2024 Mar
    Reputation: 0
    #1
    Yesterday, 03:46 PM (This post was last modified: Yesterday, 03:47 PM by 4r5hw45twh. Edited 1 time in total.)
    Hi there. I have a Cloudflare domain name which points to my server's public IP, which is then managed by NPM (in Docker) to point to whatever local stuff I want accessed from the web (such as Jellyfin, for one example). I use Ubuntu. My NPM setup works in this way: For proxy host, I use the server machine's local IP (192.x.x.x:Port) to point to JF and in JF's docker compose file, I have a port defined in it so that I can access "localhost:Port" on the native machine as well. This will all be in Docker.

    I plan on self-hosting a simple blog page for friends/family/whoever really, but I want to know the best security practices when using Docker for this sort of thing. For now, I would use Ghost as the blog platform. I don't have fail2ban or anything installed on Docker, security-wise, just containers I use, with JF being the one that's publicly accessible from the Internet, and soon-to-be the blog page.

    So, what should I know and what should I do?
    TheDreadPirate
    Offline

    Community Moderator
    Posts: 13,047
    Threads: 10
    Joined: 2023 Jun
    Reputation: 385
    Country:United States
    #2
    Yesterday, 04:50 PM
    Fail2ban, as you mentioned, is a good start. It can read Nginx logs to look for repeat 4XX codes, which is often an indicator of a web crawler or scan bots.

    Another option is to rent a VPS to act as a proxy for all access to your home server, then setup Wireguard to tunnel from the VPS to your home server.

    This one is good practice, in general. Disable SSH login for root, setup PKI keys for SSH and disable password logins entirely (keys only). This has the added benefit of making it easier to setup access for, for example, a friend's server. Just give them your public key. No need to exchange passwords.

    This one is optional, but is what I do. HTTPS and SSH do not use standard ports, except for hosting Matrix because I have use 443. This significantly reduces the number of bots and script kiddies that attempt to poke around since most will not spend the time to ping every port. This has the inconvenience of having to specify ports in the URL but worth it, IMO.
    Jellyfin 10.10.3 (Docker)
    Ubuntu 24.04 LTS 
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        3x WD Red Pro 6TB CMR in RAIDZ1 (JF Library)
    [Image: GitHub%20Sponsors-grey?logo=github]
    Host-in-the-Shell
    Offline

    Member
    Posts: 161
    Threads: 10
    Joined: 2023 Jun
    Reputation: 13
    #3
    Yesterday, 05:05 PM
    TDP's number 1 and 3 suggestions are all you need for 99% of cases. That said, I'd also consider updating firmware/BIOS of any device that is accessible outside your network, particularly combos/routers/etc.
    Server specs => OS: Debian 12 | GPU: Arc A380 | CPU: Ryzen 5 5600X | 64GB RAM | 56TB
    « Next Oldest | Next Newest »

    Users browsing this thread: 1 Guest(s)


    • View a Printable Version
    • Subscribe to this thread
    Forum Jump:

    Home · Team · Help · Contact
    © Designed by D&D - Powered by MyBB
    L


    Jellyfin

    The Free Software Media System

    Linear Mode
    Threaded Mode