
[Help Needed] How to prevent anonymous access to resources (poster) on Jellyfin server

    nikoinfo
    Offline

    Junior Member

    Posts: 4
    Threads: 1
    Joined: 2024 Oct
    Reputation: 0
Country: United States
    #1
    2024-10-07, 10:39 AM (This post was last modified: 2024-10-07, 10:41 AM by nikoinfo.)
I deployed Jellyfin on Windows, version 10.9.10. Everything was fine after deployment. However, I found an issue: if I put it on the internet, resources like the movie poster can be seen anonymously, without logging in, as long as someone has the URL.
How can I prevent anonymous access to any images or movie introduction materials on my server?

I use HTTP.
    TheDreadPirate
    Offline

    Community Moderator

    Posts: 15,375
    Threads: 10
    Joined: 2023 Jun
    Reputation: 460
Country: United States
    #2
    2024-10-07, 12:46 PM
    Someone would need the exact path for the image or intro. I'm sure you've noticed that the links for most things in Jellyfin contain really long strings of random characters. So someone would need to brute force your server to find even one publicly accessible item. Nobody is going to spend the time to do that for a random person on the Internet's Jellyfin server.

At a minimum go to Dashboard > Users, and in each user check "Hide this user from login screens". If you don't hide users, the login screen will display all the users available, removing one barrier for a hypothetical attacker.
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
    nikoinfo
    Offline

    Junior Member

    Posts: 4
    Threads: 1
    Joined: 2024 Oct
    Reputation: 0
Country: United States
    #3
    2024-10-12, 05:24 AM
Thanks. I used a scan tool to scan my server and then found this out. It looks like it can't block anonymous access.
    TheDreadPirate
    Offline

    Community Moderator

    Posts: 15,375
    Threads: 10
    Joined: 2023 Jun
    Reputation: 460
Country: United States
    #4
    2024-10-13, 01:19 AM (This post was last modified: 2024-10-13, 01:22 AM by TheDreadPirate. Edited 2 times in total.)
    Are you using a reverse proxy? Or just Jellyfin with 8096 port forwarding? I haven't been able to get Jellyfin to show me anything without also providing an API key with a reverse proxy in front using https.
    nikoinfo
    Offline

    Junior Member

    Posts: 4
    Threads: 1
    Joined: 2024 Oct
    Reputation: 0
Country: United States
    #5
    2024-10-14, 12:17 PM
Just Jellyfin with 8096 port forwarding; all the poster images can be seen anonymously.
    TheDreadPirate
    Offline

    Community Moderator

    Posts: 15,375
    Threads: 10
    Joined: 2023 Jun
    Reputation: 460
Country: United States
    #6
    2024-10-14, 04:26 PM
    Ah. Posters. I had it in my head you were talking about the actual media. Reading comprehension fail.

    That is the current behavior, yes. It is a known issue that requires a significant rework of how images are served.

Here is the GitHub issue that is a sort of "collection of known security issues".

    https://github.com/jellyfin/jellyfin/issues/5415

    Most are relatively minor. The team has addressed more severe security issues when disclosed, such as privilege escalation vulnerabilities, and unauthenticated access to media.

    Some ways to mitigate risk are the following.

1) Hide user names from the login screen (default behavior now, IIRC)
2) Use a reverse proxy and HTTPS instead of directly exposing Jellyfin to the Internet
3) Set up fail2ban for both Jellyfin and your reverse proxy to ban repeated login/access failures
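An added example, not from this thread or from the Jellyfin project, of the fail2ban-style rule behind item 3 of the list above: count denied-authentication warnings per source IP over a sliding window and report the IPs that cross the threshold. The log lines are constructed to resemble Jellyfin's "Authentication request ... has been denied" warning; the exact layout and the regex are assumptions to check against your own server's log before reusing them in a real fail2ban filter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the shape of Jellyfin's denied-auth warning
# (assumed layout; verify against your own log file).
SAMPLE_LOG = """\
[2024-10-14 16:00:00.000 +00:00] [WRN] UserManager: Authentication request for "alice" has been denied (IP: 198.51.100.4).
[2024-10-14 16:05:00.000 +00:00] [WRN] UserManager: Authentication request for "bob" has been denied (IP: 192.0.2.10).
[2024-10-14 16:10:00.000 +00:00] [WRN] UserManager: Authentication request for "alice" has been denied (IP: 198.51.100.4).
[2024-10-14 16:20:00.000 +00:00] [WRN] UserManager: Authentication request for "alice" has been denied (IP: 198.51.100.4).
[2024-10-14 16:20:01.000 +00:00] [WRN] UserManager: Authentication request for "admin" has been denied (IP: 203.0.113.7).
[2024-10-14 16:20:15.000 +00:00] [WRN] UserManager: Authentication request for "admin" has been denied (IP: 203.0.113.7).
[2024-10-14 16:20:40.000 +00:00] [WRN] UserManager: Authentication request for "root" has been denied (IP: 203.0.113.7).
[2024-10-14 16:21:02.000 +00:00] [WRN] UserManager: Authentication request for "alice" has been denied (IP: 203.0.113.7).
[2024-10-14 16:21:30.000 +00:00] [WRN] UserManager: Authentication request for "bob" has been denied (IP: 203.0.113.7).
"""

# Timestamp at the start of the line, then the denied-auth message with user and IP.
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[^\]]*\] .*'
    r'Authentication request for "(?P<user>[^"]*)" has been denied \(IP: (?P<ip>[^)]+)\)\.'
)


def parse_failures(log_text):
    """Return (timestamp, ip, user) tuples for every denied-authentication line."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            failures.append((ts, m.group("ip"), m.group("user")))
    return failures


def ips_to_ban(failures, maxretry=5, findtime=600):
    """fail2ban-style rule: ban an IP once it has maxretry failures within findtime seconds.

    Uses a sliding window per IP, like fail2ban's findtime/maxretry pair.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    banned = set()
    for ts, ip, _user in sorted(failures):
        recent[ip] = [t for t in recent[ip] + [ts] if ts - t <= window]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned
```

With the defaults, only 203.0.113.7 (five failures in ninety seconds) is banned; 198.51.100.4 spreads three failures over twenty minutes and stays below the threshold until findtime or maxretry is relaxed.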
    nikoinfo
    Offline

    Junior Member

    Posts: 4
    Threads: 1
    Joined: 2024 Oct
    Reputation: 0
Country: United States
    #7
    2024-10-15, 02:07 AM
Thanks.