this post was submitted on 26 Jun 2025
273 points (98.9% liked)

Selfhosted

46676 readers
1112 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
273
Jellyfin over the internet (startrek.website)
submitted 14 hours ago by TribblesBestFriend@startrek.website to c/selfhosted@lemmy.world
165 comments fedilink hide all child comments
 

What’s your go too (secure) method for casting over the internet with a Jellyfin server.

I’m wondering what to use and I’m pretty beginner at this

you are viewing a single comment's thread
view the rest of the comments
[–] Novi@sh.itjust.works 41 points 13 hours ago (5 children)

I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.

[–] 30p87@feddit.org 39 points 13 hours ago (1 children)

fail2ban with endlessh and abuseipdb as actions

Anything that's not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.

[–] mosiacmango@lemm.ee 13 points 7 hours ago* (last edited 7 hours ago)

Youve minimized login risk, but not any 0 days or newly discovered vulnerabilites in your ssh server software. Its still best to not directly expose any ports you dont need to regularly interact with to the internet.

Also, Look into crowdsec as a fail2ban replacement. Its uses automatically crowdsourced info to pre block IPs. A bit more proactive compared to abuseipdb manual reporting.

[–] oong3Eepa1ae1tahJozoosuu@lemmy.world 9 points 12 hours ago

Sorry, misunderstanding here, I'd never open SSH to the internet, I meant it as "don't block it via your server's firewall."

[–] drkt@scribe.disroot.org 11 points 12 hours ago (2 children)

They can try all they like, man. They're not gonna guess a username, key and password.

[–] anzo@programming.dev 1 points 1 hour ago

Only the failed attempts could be a Denial Of Service and throw you out. So, at least add an ever increasing delay to those. Fail2ban is important.

[–] Ptsf@lemmy.world 12 points 10 hours ago (1 children)

Doesn't take that to leverage an unknown vulnerability in ssh like:

https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

That's why it's common best practice to never expose ssh to raw internet if you can help it; but yes it's not the most risky thing ever either.

[–] drkt@scribe.disroot.org 13 points 9 hours ago (3 children)

If you're going to open something, SSH is far, far more battle-tested than much other software, even popular software. Pragmatically, If someone is sitting on a 0-day for SSH, do you genuinely think they're gonna waste that on you and me? Either they're gonna sell it to cash out as fast as possible, or they'll sit on it while plotting an attack against someone who has real money. It is an unhealthy level of paranoia to suggest that SSH is not secure, or that it's less secure than the hundreds of other solutions to this problem.

Here is my IP address, make me eat my words.
2a05:f6c7:8321::164 | 89.160.150.164

[–] teawrecks@sopuli.xyz 3 points 6 hours ago

Are you giving random strangers legal permission to pentest you? That's bold.

[–] pm_me_your_puppies@infosec.pub 5 points 8 hours ago (1 children)

You got balls to post you public addresses like that... I mean I agree with you wholeheartedly and I also have SSH port forwarded on my firewall, but posting your public IP is next-level confidence.

Respect.

[–] gravitas_deficiency@sh.itjust.works 3 points 7 hours ago

That is some big dick energy ngl

[–] Ptsf@lemmy.world 5 points 9 hours ago

I linked a relevant vulnerability, but even ignoring that, pragmatically, you feel they'd be targeting specific targets instead of just what they currently do? (That, by the way, is automating the compromise of vulnerable clients in mass scale to power botnets). Any service you open on your device to the internet is inherently risky. Ssh best practices are, and have been since the early days, not to expose it to the internet directly.

[–] troed@fedia.io 5 points 12 hours ago

So? Pubkey login only and fail2ban to take care of resource abuse.

[–] fuckwit_mcbumcrumble@lemmy.dbzer0.com -1 points 12 hours ago (1 children)

Change the port it runs on to be stupid high and they won't bother.

[–] caseyweederman@lemmy.ca 1 points 8 hours ago (1 children)

Yeah hey what's your IP address real quick? No reason

[–] fuckwit_mcbumcrumble@lemmy.dbzer0.com 6 points 7 hours ago (1 children)

In 3 years I haven't had a single attempted connection that wasn't me. Once you get to the ephemeral ports nobody is scanning that high.

I'm not saying run no security or something. Just nobody wants to scan all 65k ports. They're looking for easy targets.

[–] mic_check_one_two@lemmy.dbzer0.com 5 points 5 hours ago

Just nobody wants to scan all 65k ports.

Shodan has entered the chat.