
    Increasing security for my Home server

    wenzelja
    #1
    2025-01-02, 06:54 PM
    So my Jellyfin server is an Intel 12th Gen i7-12700 desktop computer running Windows 11 with 16 GB RAM, and UHD770 integrated graphics. I have Jellyfin running with a DuckDNS domain for my dDNS, and Caddy as a service for my reverse proxy. I also occasionally connect to the computer remotely via Windows Remote Desktop Connection, so there are a few ports exposed (80, 443, 2019, and 3389 that I recall).

    What are my next steps for better security, or am I at a "good enough" stage? Also, I would need Windows-specific steps for any recommendations.
    TheDreadPirate
    #2
    2025-01-02, 07:02 PM
    IMO, RDP should not be on the default port. I learned that lesson the hard way, luckily without an actual compromise.

    You could go one step further and have http and https on non-standard ports as well.

    Using non-standard ports doesn't make you "safe", but it reduces the number of attempts due to most attempts being from low-effort script kiddies looking for unpatched systems.
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
    wenzelja
    #3
    2025-01-02, 08:13 PM
    (2025-01-02, 07:02 PM)TheDreadPirate Wrote: IMO, RDP should not be on the default port.  I learned that lesson the hard way, luckily without an actual compromise.

    You could go one step further and have http and https on non-standard ports as well.

    Using non-standard ports doesn't make you "safe", but it reduces the number of attempts due to most attempts being from low-effort script kiddies looking for unpatched systems.

    How would I move RDP to a non-standard port?  In Settings\System\Remote Desktop, the port is listed but doesn't allow me to change it.
    TheDreadPirate
    #4
    2025-01-02, 08:14 PM
    On most routers it allows you to provide an external and internal port. You'd change the external port to something else, but leave the internal port on 3389.
    wenzelja
    #5
    2025-01-02, 11:38 PM (This post was last modified: 2025-01-02, 11:54 PM by wenzelja. Edited 2 times in total.)
    (2025-01-02, 08:14 PM)TheDreadPirate Wrote: On most routers it allows you to provide an external and internal port.  You'd change the external port to something else, but leave the internal port on 3389.

    So I looked at my router under port forwarding and there is an option checked to make external and internal ports the same. So, do I just assign random port numbers to correspond with the internal ports, in order of the string of internal ports, I suppose?


    Attached Files Thumbnail(s)
       
    TheDreadPirate
    #6
    2025-01-03, 02:09 PM
    The external port would be a random ephemeral port (49152-65535), the internal port would be 3389.
    wenzelja
    #7
    2025-01-04, 04:35 PM (This post was last modified: 2025-01-04, 04:43 PM by wenzelja. Edited 2 times in total.)
    (2025-01-03, 02:09 PM)TheDreadPirate Wrote: The external port would be a random ephemeral port (49152-65535), the internal port would be 3389.

    Given the screenshot of my router port forwarding page above, would I just un-tick the “use same port range for internal port” check box and then in the external port field replace 3389 with one of the ports you suggested?
    TheDreadPirate
    #8
    2025-01-04, 06:25 PM
    Yes. You'd need to uncheck that so that you make the external port different from the internal port.
    Wanni
    #9
    2025-01-06, 04:49 PM
    I would not expose RDP directly at all. Better to use RDP over SSH: use "putty" as the SSH client and, after connecting, RDP to your server.
    You will find plenty of guides on how to do this - just google.
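
A way to verify the outcome of either suggestion in this thread (remapping the external RDP port in posts #6 to #8, or not exposing RDP at all in post #9), added here as an example and not written by any poster. The function names, `example.duckdns.org` and port 50123 are placeholders; the port list is the one from post #1.

```powershell
# Added example, not from the thread. Function names, host name and the
# external port value are placeholders; 80/443/2019/3389 come from post #1.
$ServerPorts = 80, 443, 2019, 3389

function Get-ListenerExposure {
    # Run on the server: shows which of the ports are listening, on which
    # address, and which process owns the socket.
    param([int[]]$Port)
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $Port } |
        ForEach-Object {
            $proc  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $scope = if ($_.LocalAddress -in '127.0.0.1', '::1') { 'loopback only' } else { 'network interfaces' }
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = $proc.ProcessName
                Scope   = $scope
            }
        } | Sort-Object Port, Address
}

function Test-ExternalPort {
    # Run from outside the home network (for example a laptop on a phone hotspot),
    # because a test from inside the LAN does not exercise the router's forwarding.
    param([string]$HostName, [int[]]$Port)
    foreach ($p in $Port) {
        $r = Test-NetConnection -ComputerName $HostName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Reachable = $r.TcpTestSucceeded }
    }
}

# On the server: a port bound only to 127.0.0.1 or ::1 cannot be reached
# through the router even if a forward for it exists.
Get-ListenerExposure -Port $ServerPorts | Format-Table -AutoSize

# Pick an external port in the range given in post #6 (-Maximum is exclusive).
$ExternalRdpPort = Get-Random -Minimum 49152 -Maximum 65536
"Candidate external RDP port: $ExternalRdpPort"

# From outside, after the router change (placeholders shown):
# Test-ExternalPort -HostName 'example.duckdns.org' -Port 3389, 50123
```

With the remapped forward in place, the outside test should report 3389 as not reachable and the chosen external port as reachable; with the RDP-over-SSH approach, neither RDP port should be reachable from outside.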