Jellyfin's an awesome open source home media server. I'll show you how I use it to organize my movies and TV shows.Part 1 (how I rip media to my computer) he...
My Jellyfin server keeps getting pinged by EMOTET malware lately. Everyone here should be aware if you expose the Jellyfin port to the internet it will get data exfiltration attempts. Use strong passwords.
Oh my. You’re doing it wrong. Exposing the unencrypted connection without the proper security measures is putting yourself at risk. Regardless of how strong you set the password, the connection can still be abused in all manner of ways. If you read the jellyfin documentation, you’d see the developers clearly state you should never do this. You need to put Jellyfin behind server software. Specifically a reverse proxy. I use NGINX. You can setup your connection to be secure this way. You can now also use Cloudflare if you have cache turned off. And if you really wanna go the extra mile, route it behind a VPN. Though this makes it harder for those you share it with or some devices that don’t support VPN.
Please revise your connection. If you need help, feel free to reach out.
Mines behind an NGINX reverse proxy as well. EMOTET is a very advanced malware and can get around those now. My IDS detected data exfiltration to an unknown Brazilian IP, and I have a VPN with an IP tunnel on top of my reverse proxy, as well as everything on port 443. It still found a way.
I have a refurbished server rack system that is running Zeek and also Suricata. I have a managed switch that will duplicate all network traffic to the system that is running those applications and a JBOD setup to store the countless logs. I have scoured through nearly all the CISA documents and alert reports to copy the various Snort rules they mention in each report and also purchased a specific modem to connect with my ISP that provides a service to monitor my traffic that has Minim.
I am a cybersecurity expert and still don’t know what I’m doing most of the time, so this is literally scratching the surface, as well as only detecting threats not really stopping them which requires more knowledge.
This is the biggest downfall of Emby/Jellyfin IMO. It’s a tradeoff from being reliant on Plex’s authentication servers, but requires a lot of technical knowledge to setup correctly (rather than just port forwarding and relying on a strong password).
The employee who got hacked was both using an insecure password (the exploit needs access to an admin account) and his Plex install was 2.5 years out of date.
Sure was! You need to be on top of paid and free and open source software from a security stand point. There’s no shortcut no matter what you think you’re paying for. Your threat model might be better when the service automates a Web proxy for you, but that’s only one facet. You trade problems but should never feel like you can “set and forget”. Sometimes it’s better for you to do it yourself because there’s no lying about responsibilities that way.
I have a refurbished server rack system that is running Zeek and also Suricata. I have a managed switch that will duplicate all network traffic to the system that is running those applications and a JBOD setup to store the countless logs. I have scoured through nearly all the CISA documents and alert reports to copy the various Snort rules they mention in each report and also purchased a specific modem to connect with my ISP that provides a service to monitor my traffic that has Minim.
I am a cybersecurity expert and still don’t know what I’m doing most of the time, so this is literally scratching the surface, as well as only detecting threats not really stopping them which requires more knowledge.
My Jellyfin server keeps getting pinged by EMOTET malware lately. Everyone here should be aware if you expose the Jellyfin port to the internet it will get data exfiltration attempts. Use strong passwords.
Oh my. You’re doing it wrong. Exposing the unencrypted connection without the proper security measures is putting yourself at risk. Regardless of how strong you set the password, the connection can still be abused in all manner of ways. If you read the jellyfin documentation, you’d see the developers clearly state you should never do this. You need to put Jellyfin behind server software. Specifically a reverse proxy. I use NGINX. You can setup your connection to be secure this way. You can now also use Cloudflare if you have cache turned off. And if you really wanna go the extra mile, route it behind a VPN. Though this makes it harder for those you share it with or some devices that don’t support VPN.
Please revise your connection. If you need help, feel free to reach out.
I have nginx setup and acessing through a Cloudflare tunnel but still getting EMOTET issues detected by my IDS.
May I ask what I should look for in the log files to detect this (and so I can configure fail2ban correctly)?
First read this
Then use the following:
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:“[CIS] Emotet C2 Traffic Using Form Data to Send Passwords”; content:“POST”; http_method; content:“Content-Type|3a 20|multipart/form-data|3b 20|boundary=”; http_header; fast_pattern; content:“Content-Disposition|3a 20|form-data|3b 20|name=|22|”; http_client_body; content:!“------WebKitFormBoundary”; http_client_body; content:!“Cookie|3a|”; pcre:“/:?(chrome|firefox|safari|opera|ie|edge) passwords/i”; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)
And the following:
alert tcp any any -> any $HTTP_PORTS (msg:“EMOTET:HTTP URI GET contains ‘/wp-content/###/’”; sid:00000000; rev:1; flow:established,to_server; content:“/wp-content/”; http_uri; content:“/”; http_uri; distance:0; within:4; content:“GET”; nocase; http_method; urilen:<17; classtype:http-uri; content:“Connection|3a 20|Keep-Alive|0d 0a|”; http_header; metadata:service http;)
And also this one:
alert tcp any any -> any $HTTP_PORTS (msg:“EMOTET:HTTP URI GET contains ‘/wp-admin/###/’”; sid:00000000; rev:1; flow:established,to_server; content:“/wp-admin/”; http_uri; content:“/”; http_uri; distance:0; within:4; content:“GET”; nocase; http_method; urilen:<15; content:“Connection|3a 20|Keep-Alive|0d 0a|”; http_header; classtype:http-uri; metadata:service http;)
Mines behind an NGINX reverse proxy as well. EMOTET is a very advanced malware and can get around those now. My IDS detected data exfiltration to an unknown Brazilian IP, and I have a VPN with an IP tunnel on top of my reverse proxy, as well as everything on port 443. It still found a way.
Don’t expose anything directly to the Internet except a VPN with strong auth.
Get a reverse proxy and strong passwords if you share with your loved ones.
There’s Wireshark for Android. Put your public key on the phone and you’re almost done.
edit: right, Wireguard
You’re thinking of WireGuard. WireGuard is a packet capture software.
I’ve got one, I prefer the VPN method.
Why not use a reverse proxy to keep everything on port 443 behind your own domain or duckdns? /gen
Can you link a good resource for me to set this up myself ? To many similar but different guides and my ADD makes it impossible to reach the goal.
Look up Caddy V2 probably the most dead simple reverse proxy I’ve seen and they have solid documentation
I do this already and also am inside an encrypted Cloudflare tunnel… Still getting EMOTET warnings from my IDS.
How are you detecting/monitoring it. I would like to do the same in my server
I have a refurbished server rack system that is running Zeek and also Suricata. I have a managed switch that will duplicate all network traffic to the system that is running those applications and a JBOD setup to store the countless logs. I have scoured through nearly all the CISA documents and alert reports to copy the various Snort rules they mention in each report and also purchased a specific modem to connect with my ISP that provides a service to monitor my traffic that has Minim.
I am a cybersecurity expert and still don’t know what I’m doing most of the time, so this is literally scratching the surface, as well as only detecting threats not really stopping them which requires more knowledge.
This is the biggest downfall of Emby/Jellyfin IMO. It’s a tradeoff from being reliant on Plex’s authentication servers, but requires a lot of technical knowledge to setup correctly (rather than just port forwarding and relying on a strong password).
Plex was how last pass got hacked. https://www.howtogeek.com/147554/lastpass-data-breach-shows-why-plex-updates-are-important/
You still need to do stuff even if it is plex.
The employee who got hacked was both using an insecure password (the exploit needs access to an admin account) and his Plex install was 2.5 years out of date.
Sure was! You need to be on top of paid and free and open source software from a security stand point. There’s no shortcut no matter what you think you’re paying for. Your threat model might be better when the service automates a Web proxy for you, but that’s only one facet. You trade problems but should never feel like you can “set and forget”. Sometimes it’s better for you to do it yourself because there’s no lying about responsibilities that way.
Use it behind a VPN
Get a reverse proxy. Ping me if you need details. All my stuff is hidden behind port 443.
How can you see that?
deleted by creator
That link doesn’t work :/
I will simply copy/paste here then:
Tailscale works nicely as well
deleted by creator