Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
What's wrong with exposing Jellyfin to the internet?
There are a few security issues with it, but all of the worst known issues require a valid login token. So an attacker would already need to have valid login credentials before they could actually do anything bad. Things like being able to stream video without authentication (but it requires already having a list of the stored media on the server, which means you have been logged in before). Or being able to change other users’ settings (but it requires already being logged in to a valid user).
Basically, make sure you use good passwords, and actually trust any other users to do the same.
The bug you mentioned actually just requires the attacker knows your local media paths to generate the hash. The issue is that most people use trash guides to setup *arr which means they probably have the same paths for everything
Nothing. People fearmonger
You really shouldn't expose anything directly to the internet. It is a security problem waiting to happen. (Assuming it hasn't already)
This is how giant botnets form.
What security problems?
Bots randomly attack stuff, and if you leave something insecure, they'll install a bot net node.
Define "insecure".
Default passwords, old insecure versions of apps and system packages, etc. "Just getting it working" usually leaves things insecure, and you usually need to take things a step further to secure your publicly accessible services.
Not just old insecure, but current insecure too. Plenty of stuff runs fully current but still vulnerable code. Put it behind a firewall.
Sure. My point is that self-hosters tend to let services sit without updates for months if not years at a time. That's fine if you don't expose anything to the internet, so keep that surface area as limited as possible.