What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I linked a relevant vulnerability, but even ignoring that, pragmatically, you feel they’d be targeting specific targets instead of just what they currently do? (That, by the way, is automating the compromise of vulnerable clients in mass scale to power botnets). Any service you open on your device to the internet is inherently risky. Ssh best practices are, and have been since the early days, not to expose it to the internet directly.
You did link a vulnerability! That is true. I didn’t claim SSH had a clean track record, I claimed it had a better track record than most other software. That vulnerability is hard to exploit, and generates a lot of noise if you were to try, which nobody has because it’s never been found in the wild.
People who sit on 0-days for critical software like SSH don’t go out and try to mass-exploit it because it will be found within the day and patched within the week once they start making noise. This is not a quiet exploit. If they’re smart, they sell it. If they’re ambitious, they build an elaborate multi-chain attack against a specific target. Only 0.14% of devices vulnerable to this exploit are EoL versions of OpenSSH, so once this was patched, it was no longer a useful attack vector.
It would also have been completely negated by fail2ban, which is prominently deployed on internet facing SSH, as it required thousands and thousands of connection attempts to trigger the condition. It could also have been mitigated by not running sshd as root, though I understand that most people don’t want to deal with that headache even though it is possible.
There are thousands of independent honeypots that sit quietly and sniff all the mass-attacks and they earn their daily bread by aggregating and reporting this data. If you run a mass exploit, you will be found within the day. Trust me, I burned an IP address by regularly scanning the whole IPv4 space. You are going to end up on blacklists real fuckin’ fast and whatever you were doing will be noticed and reported.
If you’re going to open something, SSH is a very safe choice. But yes, don’t open it if you don’t need it. We are discussing how to open a service to the internet safely, though, so we need it.
🤔🤔🤔🤔🤔
https://arstechnica.com/information-technology/2022/02/after-lying-low-ssh-botnet-mushrooms-and-is-harder-than-ever-to-take-down/
Are we living in the same universe? In mine software doesn’t get patched all the time, in fact it’s usually a lack of patches that lead to any significant system compromise… Which happens time and time again. Also you’re on a thread that is advising hobbiests on how to configure and maintain their personal server, not the engineering meeting for a fortune 500. Yes, you can make ssh very secure. Yes, it’s very secure even by default. In the same regard, new vulnerabilities/exploits will be found, and it remains best practice not to expose ssh to raw internet unless absolutely necessary and with the considerations required to mitigate risk. Ssh isn’t even implemented identically on every device, so you literally cannot talk about it like you are. Idk why you’re arguing against the industry standard for best practices decided by people who have far more experience and engineering time than you or I.
Do you read what you post or do you just google “ssh vulnerability” and post the first result to waste my inbox space?
SSH does, it is one of the codebases with the most eyeballs on it at any given time and patches to it get fast-tracked downstream.
You don’t need to be a genius to enable keys, disable root and install fail2ban.
This is correct, but we are arguing about a case in which it is necessary to expose something and it’s better that it’s one of the most secure and battle-tested pieces of software in the world as opposed to some open source hobby *arr stack.
I work in this industry, ma’am.
Did you know that simply being connected to the internet puts you at risk? Your firewall could have a vulnerability! Your router’s admin panel could be misconfiguration and exposed to the internet! The only way to be safe is to unplug your cable and stop replying to me. Also rip out your bluetooth modules and any LEDs in every device you own because they have been demonstrated to be attack vectors. In fact just stop using anything more complicated than a MOSFET.
People like you in this industry are legitimately the reason botnets and significant compromise still exists. “You don’t need to be a genius to do all this additional config to make this thing I’m referring to as secure, secure.” Do you even read your own writings before you hit post? Also your final argument is so slathered in whataboutism I can’t even. Yes, any internet connectivity is going to be less secure than an air gap, but when you’re advising implementations you should keep security posture and best practices in mind. What you’re speaking on is more complex than any one person’s understanding of it due to significant layers of abstraction. Exhibit a? Ssh is not a codebase. It’s a network protocol. The codebase is literally different depending on implementation.