deddit.petersanchez.com

Help setting up fail2ban for jellyfin both in separate docker containers?
from basic_user@lemmy.world to selfhosted@lemmy.world on 21 Apr 16:39
https://lemmy.world/post/28525094

Hi,

I’ve been trying to set up fail2ban for jellyfin both running in docker from compose and I’m doing something wrong.

Can someone tell me what path in the docker compose file you use for jellyfin logs and what path you use in the jail.d and the filter in filter.d?

Thanks

PS. Sorry for low detail, but I’m on phone and don’t have my current conf readily available. Will provide if necessary.

#selfhosted

threaded - newest

MaggiWuerze@feddit.org on 21 Apr 16:46 next collapse

If you plan to use fail2ban, I assume you want to make your Jellyfin accessible from the public internet. Please be aware, that large parts of the Jellyfin Backend are not properly authenticated and allow unauthorized, potential mapping of your library and even unauthorized streams.

github.com/jellyfin/jellyfin/issues/5415

CompactFlax@discuss.tchncs.de on 21 Apr 17:08 next collapse

Thanks for sharing; I was unaware. Just closed off that network hole.

basic_user@lemmy.world on 21 Apr 17:14 next collapse

Thank you. I did see this list before. My jellyfin instance is not exposed to the net atm., but I’m thinking of exposing it in intervals and would like to have fail2ban working when/if I do.

MaggiWuerze@feddit.org on 23 Apr 08:57 collapse

I’m just not sure if fail2ban can mitigate the unaouthorized api access or other issues

Vendetta9076@sh.itjust.works on 22 Apr 02:00 next collapse

Would putting jellyfin behind authentik or googleSSO protect me? Trying to figure out how to replace plex for my extended family since theyre charging for external connections now

Appoxo@lemmy.dbzer0.com on 22 Apr 13:57 collapse

Just be aware that putting Jellyfin behind a Reverse Proxy that redirects to external auth services, breaks client support that is not in a browser.
Thus you either white-/blacklist specific server access paths or set up accounts that may relay the loging credentials.
Maybe something like LDAP may work but I can’t say how well it works as I havent used that.

_cryptagion@lemmy.dbzer0.com on 23 Apr 16:15 collapse

It works as advertised.

Zeoic@lemmy.world on 23 Apr 02:19 next collapse

Wow, I tested out jellyfin every 6 months for the last few years to see if it was ready to replace plex yet, and I had no idea about such huge security issues. There should really be a big ass warning about making jellyfin publicly accessible in the app and in setup guides…

MaggiWuerze@feddit.org on 23 Apr 09:02 collapse

The main issue for me is the way they react to it. Not only is there no warning about this, but they also refuse to fix it because it would break client support and they prefer backwards compatibility over security

N0x0n@lemmy.ml on 23 Apr 10:17 collapse

The solution here is to use a wireguard (or similar technology) server and use it on all your devices. People already use VPNs for everything, so adding this layer isn’t that much of a hassle !

MaggiWuerze@feddit.org on 23 Apr 11:59 collapse

That depends entirely on your target audience as well as the devices you want to use it on. Smart TVs don’t really support VPNs and my parents would not know how to even activate that let alone set it up on their end. I have a lot of non tech savvy users, so Plex is just way more convenient and accessible.

skoell13@feddit.org on 21 Apr 18:25 next collapse

I set up fail2ban together with Caddy which runs as a reverse proxy in front of Jellyfin. I’ve written down my setup and maybe this will help you codeberg.org/skjalli/jellyfin-vps-setup

Xanza@lemm.ee on 24 Apr 18:02 collapse

Excellent setup. It’s the one I use as well.

just_another_person@lemmy.world on 21 Apr 19:23 next collapse

Why? Fail2ban is best placed on the host closest to a network entrypoint. Unless you’re intentionally avoiding a bridged network, this isn’t going to do much for your security unless the containers are directly addressed by an attached interface and an open service.

I won’t go into a whole diatribe, but you should be running containers as single-process instances of applications. You only cause issues by cramming other process to run inside a container.

What are you using it to block, exactly?

basic_user@lemmy.world on 21 Apr 20:31 collapse

Oh I can see how my title could be misunderstood - what I meant is that both jellyfin and fail2ban are running in (separate) docker containers. Not both services crammed.into one.

just_another_person@lemmy.world on 21 Apr 20:34 next collapse

But what are you trying to use fail2ban for?

basic_user@lemmy.world on 22 Apr 04:53 collapse

To prevent brute force login attempts into my jellyfin service.

Xanza@lemm.ee on 24 Apr 18:06 collapse

These people seem…pretty stupid tbh. Maybe they don’t understand what fail2ban is, or what it does, but you should absolutely use fail2ban. Security is objectively better by just having it enabled than not for any service, not just jellyfin.

InvertedParallax@lemm.ee on 21 Apr 21:36 collapse

That’s worse.

Fail2ban isn’t an application like jellyfin, it’s a security framework that should be built in to the gateway router.

3aqn5k6ryk@lemmy.world on 22 Apr 02:42 next collapse

Are you using nginx proxy manager as reverse proxy? SWAG has one built in. I’d use that instead.

Xanza@lemm.ee on 24 Apr 18:02 collapse

I wouldn’t setup fail2ban in a container. Install it on the host system.