Just created my own zero trust network!
from HurlingDurling@lemmy.world to selfhosted@lemmy.world on 18 Jul 17:55
https://lemmy.world/post/33149242
from HurlingDurling@lemmy.world to selfhosted@lemmy.world on 18 Jul 17:55
https://lemmy.world/post/33149242
No awards are needed, just wanted to share my excitement that while my Jellyfin server still keeps loosing my entire library every 24 hours at least now it has a domain and ssl cert!
That is all. Happy Friday everyone
threaded - newest
Lol.
Still got the library issue, eh? Gonna have to just turn off services/apps/processes until you find the culprit.
lol, yeah. Gitea is next on the list, but I don’t have much more I’m afraid, Immich and Nextcloud are critical apps for me, so if it isn’t gitea or minecraft, then I might just setup a new server out of an old laptop to be my Jellyfin server and migrate my library there.
Are you losing your library on reboot?
Not even on reboot, it just get’s deleted somehow, been happening for the past couple of months and I haven’t been able to figure out why yet. I posted all about it here (lemmy.world/post/32756942) if you are interested in reading about it.
Do you have the media cleanup plugin installed for Jellyfin? I wonder if you change the PUID and/or GUID if you couldn’t make sure Jellyfin wasn’t the source of the deletion.
I don’t have that plugin from what I can tell, and I did not install it manually either. What should I try changing the PUID and GUID to?
I would think the Jellyfin logs would say if it deleted something. But I have to say, I cannot fully understand GUID and PUID in all cases. But you can try to subtract 1 digit from PUID (100 to 99) and then try to delete a show or movie within Jellyfin’s interface. If it won’t do it, then you’ve got the permissions at least where it can’t delete things. It is possible to not view things as well, so it might take some research or trial and error and make sure you write down where it is now. But, it will remove one factor at least.
Finally caught it! It was Jellyfin stupid ass deleting my media!
<img alt="" src="https://lemmy.world/pictrs/image/230506c6-31f6-4bfc-bbc7-2edeb8dc03a7.png">
Fuck yeah! One issue down, 9,374 to go!
Wtf why?
Apparently is a known bug 🙃
Link to bug?
Maybe this
Although it looks like the nasty docker bug link in that thread is fixed.
So maybe ro mounts can mitigate the problem.
Jesus that is not a small bug lol
Any de dupe tasks running and removing them since it sees them in a backup?
There where no tasks running outside whatever is setup out of the box when installing jellyfin. I have recently discovered that jellyfin can delete your media if it thinks the media has been removed…
Wierdest logic by the devs.
Can you spin up a VM or a docker image?
I’ve done this when services misbehave, and just migrate the DB over (Syncthing in particular).
I may try that at some point but work keeps me pretty busy so it may take me a few weeks before I can try.
Curious to how syncthing misbehaved. Care to elaborate?
a domain and cert doesn’t equal zero trust network.
Right. Zero trust means at the very least you need to add AuthN and AuthZ to every endpoint with no exceptions for internal IP addresses.
I do also have a zero trust network. Zero friends= zero trust
You didn’t expose it to the internet right?
If you want remote access setup client certs
How?
Kleopatra
That isn’t mutualTLS
It just is a frontend for gpg. You need OpenSSL for mutual certs.
Ya got three options.
Option A is to create your own certificate that is self-signed. You will then have to load the certificate into any client you want to use. Easier than people realize, just a couple terminal commands. Give this a go if you want to learn how they work.
Option B is to generate a certificate with Let’s Encrypt via an application like certbot. I suggest you use a DNS challenge to create a wildcard certificate.
Option C is to buy a certificate from your DNS provider aka something like cloudflare.
IMO the best is Option B. Takes a bit to figure it out but its free and rotates automatically which I like.
I like helping and fixing stuff, if you’d like to know anything just ask :D
None of these are client certificates btw. These are just ways to have your server use TLS encryption with any client that connects but it offers no authorization. If you want authorization with client certificates you need to implement mTLS (Mutual TLS).
Oooo ya know I actually don’t know about these. I’ve done both A and B for my homelab and C for work.
Any good resources / insight into mTLS? I appreciate the response btw!
Google?
Well ya know this is a forum and I was trying to engage in a friendly conversation to learn about something you brought up.
But yeah I know how to fucking Google lol
Yes it’s a forum. But just because I corrected your error doesn’t mean I am obligated to do a whole fucking write up for you or go to google myself for you. Grow up.
Then why reply at all? Zero effort is to avoid commenting, maximum effort is trying to answer, “Google?” is wasted effort
Not really. This person should learn to do their own research. They apparently need it.
Who pissed in your cornflakes?
tux7350
I get the impression you’re the type of person who encounters assholes everywhere you go.
www.youtube.com/watch?v=YhuWay9XJyw
You really should not expose stuff to the internet willy nilly. If you must you need to have extensive monitoring and security controls plus you should understand the application at a deep level.
Ahhh interesting video! I appreciate the post. I see the mTLS is more about authenticating who the client is outside the application.
Don’t worry, Im not just exposing thing willy nilly 🤣 For client-side authentication I use Authentik combined with 2FA, Duo, and fail2ban. Authentik provides identity management through LDAP to jellyfin and any sign in request goes to MFA and you get a Duo notification to approve. You can do other MFA, i just havent set it up.
Ive got a lot of family who use my server. Asking them to install a TSL cert on every machine would be impossible. My method also monitors all sign in requests. Setting up Authentik was a hugggeee game changer for me.
Nor is it authentication.
.
That is for server side certs not client side. I’m talking about Mutual TLS.
Setting up https is not going to stop bots. All it does is prevent man in the middle attacks. You want to limit who and what can access Jellyfin so that you don’t end up being a victim of an automated exploit.
What’s wrong with exposing Jellyfin to the internet?
There are a few security issues with it, but all of the worst known issues require a valid login token. So an attacker would already need to have valid login credentials before they could actually do anything bad. Things like being able to stream video without authentication (but it requires already having a list of the stored media on the server, which means you have been logged in before). Or being able to change other users’ settings (but it requires already being logged in to a valid user).
Basically, make sure you use good passwords, and actually trust any other users to do the same.
The bug you mentioned actually just requires the attacker knows your local media paths to generate the hash. The issue is that most people use trash guides to setup *arr which means they probably have the same paths for everything
You really shouldn’t expose anything directly to the internet. It is a security problem waiting to happen. (Assuming it hasn’t already)
This is how giant botnets form.
What security problems?
Bots randomly attack stuff, and if you leave something insecure, they’ll install a bot net node.
Define “insecure”.
Default passwords, old insecure versions of apps and system packages, etc. “Just getting it working” usually leaves things insecure, and you usually need to take things a step further to secure your publicly accessible services.
Not just old insecure, but current insecure too. Plenty of stuff runs fully current but still vulnerable code. Put it behind a firewall.
Sure. My point is that self-hosters tend to let services sit without updates for months if not years at a time. That’s fine if you don’t expose anything to the internet, so keep that surface area as limited as possible.
Nothing. People fearmonger
Why would you expose anything to the internet when you have Tailscale?
I don’t trust my self with this kind of responsibility.
What did you use for zero trust?
Why do you want to know? Huh?