I have been running a large server 24/7 for about a month and a half now. It is only for myself and the fam, no one else has access to it at all.
I’m trying to learn about selfhosting and whatnot, but it’s…a lot. Is there anything I need to do specifically besides configuring it correctly in order to protect it and myself. I hear people talking about putting stuff in dockers, putting things behind a reverse proxy, a VPN, etc.
I do currently have it running behind ProtonVPN but that’s it. Do I need to be doing more?
Thanks in advance for any help!
I expose mine, have crowdsec and Authelia in front and it’s been fine so far, don’t expose things like ssh to the internet and change the port for it and you’ll probably be fine.
Don’t expose it over the Internet, local network access only, is the easiest but also limits you to accessing it only at home.
You could use something like tail scale or setup your own wireguard server to keep it still local-ish but still allow trusted people access.
Reverse proxy with auth of some kind if you plan to expose it to the Internet.
Reverse proxy/SOCKS5 works well in my experience.
I have a little computer on my network which runs my VPN - then on that computer I have ssh listening on a non-standard port that my VPN’s dyndns links up to a human readable hostname with a different port.
If I want to watch stuff off-network I just have to ssh -D to that hostname and port and then configure a browser to use the connection as a SOCKS5 proxy, then jellyfin and anything else I’m hosting works as if locally through that browser.
The ssh is key based as well, not password based - haven’t had any incidents in doing it this way.
Can you restrict Jellyfin itself to local network?
It is by default, you need to open ports on your router in order for it to receive traffic from outside your home network. And then configure those ports to forward to your jellyfin server.
Thanks!
yw!
Thanks for clarifying. No, it is only meant to be used as a centralized entertainment system here in my home. None of us care about taking said media with us when we leave the house.
Is the server exposed to the internet at all? ie, Did you open a port on your firewall to allow inbound connections? If not, then nothing should be exposed to the internet and you should have no problem. Proton is also a vpn not a firewall and really doesn’t offer much protection against attacks. It basically just muddies the water on the origin of your Internet traffic.
I did not do any configuration with the ports whatsoever. It’s just one of my PCs connected to a NAS, which in turn streams television shows, movies, documentaries, and music throughout my home. No one else has physical access to the serup, and as far as I know, no one else has remote access to it either.
I don’t expose mine directly. When I stayed in Mexico for a month, I connected to it via Tailscale.
Thanks for the answer! We don’t care about taking the media with us when we leave every day. It is just meant to be a centralized home entertainment distribution system. If it ever does get to the point where we want remote access to it, I will look into Tailscale. Thanks again!
Yeah, I think the only thing I would worry about at that point is a firewall with restrictive rules. Don’t expose internal ports without proper MFA in place.
Hobbyist (not a security expert here) but using a VPN that’s trusted should be fine. Your security hinges on proton’s reputation but from what I know they’re pretty good. If I’m wrong please correct me in the comments and I will edit this comment.
I’ve used the services of at least 9 or 10 VPNs over the years and I have not once been as satisfied with any of them as I am with Proton.
For only external vpns mullvad is pretty good. Also, tailscale is free and their node-based system is really good.
As an all-in-one solution proton is pretty much as good as it gets from what I’ve seen. One of my friends swears by it as well.
It really does seem that the only step up in security is deploying a wireguard or ovpn server yourself, which is a little more complex. Not arch Linux levels of complexity, but intermediate tinkerer levels of complexity.
I stopped doing it because maintaining that shit and debugging it everytime it breaks just sucks. Tailscale is easier. Still not happy with the amount of trust I put into tailscale though.
