- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
Plex has announced a massive price increase on the service’s Lifetime Plex Pass. On July 1, the lifetime subscription option will go from $249.99 to $749.99, an increase of 200%. The price hike will only apply to new subscribers, with no changes to monthly or annual subscription pricing.
I have a jellyfin server set up that you access like this:
https://my.servername/jellyfin
Username and password is all you need aside from that. Apps for most platforms or access in a web browser.
The sad reality is that Jellyfin’s authentication system is insecure, and there are “anyone can view your content without a valid login” exploits that are not going to be patched. The only way to stop someone would be to include a secondary username+password on your reverse proxy, to prevent attackers from even reaching your Jellyfin login page. Because if you can reach Jellyfin’s login page, you can exploit it without logging in. But that would break basically everything except for web browsers, because none of the various apps have support for more than Jellyfin’s authentication.
I mean, that’s not great, but it’s also not very concerning to me. Like the risk of someone doing that, and the potential harm resulting seems minimal to me.
The problem is that every single person uses the Trash Guide to set up their system. And the guide includes instructions on how to set up your file names.
You’re correct that in isolation the risk is minimal. But nearly every setup is using the trash guide’s suggested naming scheme, which makes guessing it dead simple.
I’m not familiar with the trash guide. I set mine up with swizzin community edition.
Edit: either way though, what is the real risk? Someone streams your media without your permission?
I am outraged that someone would commit piracy on my pirated content!
Honestly, if someone is going through all that trouble then they’ve earned it… and it saves me the effort of needing to create them an account.
You do know that there are security issues with that, right? For example, if someone can guess your media files they can watch them https://github.com/jellyfin/jellyfin/issues/5415
deleted by creator
Thanks for this. There is a lot of apologia in the FOSS community, and Jellyfin fans are some of the worst. I have 100% seen comments along the lines of “lol I’ve had my Jellyfin port forwarded for years and I’ve been fine” as if it’s a valid security audit. The unfortunate fact is that Jellyfin is not secure, and the devs have openly stated that they have no intention of ever fixing these vulnerabilities. Because fixing them would require completely divesting from the Emby fork that the entire project was originally built on.
Jellyfin should never be available externally. And that means anything incapable of running a VPN will be incapable of connecting.
Yup, but all that being said I still run Jellyfin and have no intention of switching to Plex. And while I would like to see them fix these issues, I understand (in part) why they won’t and I’m okay with my tail scale setup. Also the vast majority of issues are very minor, but the ability to watch any media without login is so major that I think it’s worth bringing up every time someone mentions exposing Jellyfin online.
Some of those aren’t great, but I don’t consider any of them critical in terms of risk. I understand that others may feel differently.
Agree, I don’t consider most of them a risk, but I do like to bring this to the attention of people who are exposing Jellyfin to the web so they can make an informed decision.
You should not expose a Jellyfin server to the open internet.
You should not expose a Jellyfin server to the open internet.You should not expose a Jellyfin server to the open internet if you don’t know what you’re doing.
FTFY
Please tell me, oh wise one, how do you fix the glaring security issues that are the reason even Jellyfin Stans admit that you should use a VPN?
Port forward, filter ips, take reasonable precautions on the trust of networks.
It’s not rocket science, as you mentioned in your other vitriol.
I think you don’t understand the nature of the exploit.
Anybody who can see the Jellyfin login page can use the Jellyfin server’s permissions to play media directly from your media library.
Port forwarding doesn’t matter. Jellyfin hosts on port 80/443 which you have to allow for the service to function. Most clients are on dynamic IPs or CGNATs so unless you’re going to manually change the IP filter for every single user every few days, IP filters are not a reasonable solution.
‘Take reasonable precautions on the trust of networks’ doesn’t even make sense. Your Jellyfin server is either available to the Internet or not available to the Internet. If you choose not to trust the Internet (the actual mitigation) then you obtain access to your Jellyfin server through a VPN.
No, I understand the nature of the unencrypted transport. I understand that the credentials are exchanged unencrypted (although the passwd isnt in plaintext, even on jellyfin). I also understand what is on the trusted network, my kid’s subnet.
The mitigations are the following:
Correct, that’s the idea and that’s why the IP is filtered. When my kid’s IP changes, his PC posts a notice to me about it, and I change the the fw rule. This happens once a year on average.
Also correct, it is available to the internet, which from jellyfin’s point of view is one single /32.
There is a body of suggested action to take in the interest of security that is repeated here and in other self-hosted spaces, and what you’re saying is valid and sound advice. I want to acknowledge that I don’t take your comment as wrong, it’s very prudent for someone just getting into managing their own stuff.
However, security is my job, and I do take it seriously. And there are more ways than one to get it done.
I keep my data back ends on encrypted channels, backups on another, and I control very tightly what has access to everything else. The model I use is something like “zero trust”, where I assume the clients even on my own network are malicious. In that context, extending my lan to a single remote lan on a single port isn’t really much different than allowing an iot device I don’t trust on my actual lan; it sees no other hosts but a gateway and whatever my acls allow it to.
So in the end, what can a device do at large on the internet to my jellyfin “network”? Nothing. What can a pwned device do on my kid’s network with jellyfin? It can watch TV and movies, because the api calls from jellyfin clients to jellyfin front end are nondestructive.
What? How is port forwarding adding anything to security? How does blocking IP ranges help prevent attacks on the unsecured backend?