Tried to support the industry by buying a movie I watch a lot. Well, no more. If I need a pihole just to watch a movie I own, that's ridiculous.

  • Saik0@lemmy.saik0.com · ↑12 ↓1 · 12 days ago

    LMFAO. And when I tell people to take care about leaving Jellyfin public with their open API endpoint issues… Yeah Sony WILL abuse your shit… They already do it.

    • ProgrammingSocks@pawb.social · ↑11 · 12 days ago

      I run a pivpn setup so that nothing is exposed to the internet at all. It’s just too dangerous now. It was bad back in the day, but now I literally have bots trying to join any public facing Minecraft server. It’s so many times worse now than it was a decade ago.

      • LiveLM@lemmy.zip · ↑9 · edited · 12 days ago

        I guess the bots are trying to find servers still vulnerable to the Log4J exploit. Man that was a juicy one 👀

      • Saik0@lemmy.saik0.com · ↑5 · 12 days ago

        Oh man. I have an open minecraft server for my kids and their friends. Every few weeks I have someone show up to the server leaving notes or interacting with us trying to educate me on whitelisting.

        I get more "educators" than I do bots. It's actually quite annoying. I don't know what accounts these kids log in with, you're not educating me. The server is literally for 6-8 year olds. It's been wiped 100s of times. I don't care. Stop. The server is grief resistant anyway. And my ban list is long (and getting at least one longer). /little rant

        • LiveLM@lemmy.zip · ↑14 · 12 days ago

          I mean, it would take seconds for someone to log in and paste bad links in chat/send weird messages, so yeah, a server for 6-8 yr olds is absolutely one I would turn whitelist on for.

          • Olgratin_Magmatoe@slrpnk.net · ↑3 · 11 days ago

            I have never had any of my MC servers run without a whitelist, even the one I had publicly listed on planet minecraft back in the day. You should know who has access to your machines on some level.

            • Korhaka@sopuli.xyz · ↑2 · 11 days ago

              I used to run servers a decade ago and open was fine. Never had a random join. Crazy to think bots are trying random IPs now, probably would whitelist in that case

          • Saik0@lemmy.saik0.com · ↑1 · 11 days ago

            You assume that those links would work. Kids' machines have DNS whitelists.

            I’m not worried.

      • Saik0@lemmy.saik0.com · ↑4 ↓1 · 11 days ago

        https://github.com/jellyfin/jellyfin/issues/5415

        The biggest issue is that the video stream endpoint is not auth'd. Meaning that if someone guesses the MD5 hash for a file in your library it will play. Sounds at first glance like it's unlikely to matter. Except that the MD5 is generated based on the file's filepath. So if you use standard naming conventions on paths that are common (/movies/Big Bucks Bunny(2008)/Big Bucks Bunny.mkv for example being simple and easy), e.g. defaults for a docker container using *arr suites, then it's possible for a precompiled hash list to check for files against your server.

        So now add a company like Sony, they can generate all their library as a hash list, hit your server with millions of requests over the course of a couple of hours and map out how much of their content you have on your server. If any of it has never had a physical release (since you’re allowed to backup your own content) you’re completely fucked, and now will have to prove in court that you own ALL the content. And possibly… since it’s open endpoint, it could be argued that you’re even distributing openly (though unlikely argument… but do you really want to chance that?).

        Ultimately if your setup is “Standard” you’re asking for a lawsuit.

        Answers to “fix” this:

        Map your paths in weird folders. Instead of /movies/<movie> add in a folder like a GUID, so /eH4i67ZwByjLao3z7nHWKdS5ogysm68x/movies/<movie>. Make sure this occurs INSIDE your docker container if you're using docker. Will break any precompiled hashes… though possible to hit a collision and still be "found".

        Set up fail2ban or other brute force blocking technology on your reverse proxy.

        Use a private network setup… whether VPN, SDN, whatever… tailscale, zerotier, etc… (This will break TVs that don’t have vpn capabilities)

        Add another auth in front of Jellyfin. (This breaks ALL Jellyfin apps)

        The real answer would be the developers closing the unauth endpoints… But it’s been an issue for over 4 years now… They’re not going to fix it anytime soon as they don’t want to “break compatibility”, which is a pretty dumb excuse IMO.

        There’s another issue where you shouldn’t give accounts to people you don’t trust as one user can attack another user AFTER login. So make sure you trust everyone you let have access… they can screw with your profile and do stuff you might not expect.
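One way to turn the fail2ban suggestion above into concrete detection logic, as an added example that is not from this thread or the Jellyfin project: it scans reverse-proxy access logs for a single client racking up many 404s on the stream endpoint inside a short window, which is the trace a precompiled-hash sweep leaves behind. The log lines are constructed, and the `/Videos/<id>/stream` path pattern is an assumption to check against your own proxy logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx "combined"-style access-log lines (not real traffic).
# 203.0.113.7 sweeps the stream endpoint with guessed item ids and misses;
# 192.0.2.10 plays one item it really has; 198.51.100.5 misses only once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /Videos/0123456789abcdef0123456789abcdef/stream HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /Videos/1123456789abcdef0123456789abcdef/stream HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /Videos/2123456789abcdef0123456789abcdef/stream HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /Users/Me HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /Videos/3123456789abcdef0123456789abcdef/stream HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "GET /Videos/4123456789abcdef0123456789abcdef/stream HTTP/1.1" 404 0 "-" "curl/8.0"
192.0.2.10 - - [10/Mar/2024:12:00:10 +0000] "GET /Videos/abcdef0123456789abcdef0123456789/stream?static=true HTTP/1.1" 200 1048576 "-" "ExampleClient/1.0"
198.51.100.5 - - [10/Mar/2024:12:00:20 +0000] "GET /Videos/ffffffffffffffffffffffffffffffff/stream HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Assumed shape of the unauthenticated stream path; verify against your own proxy logs.
STREAM_RE = re.compile(r"^/Videos/[0-9a-fA-F-]+/stream(?:[/?]|$)")


def find_stream_probers(log_text, window_seconds=60, threshold=5):
    """Return {ip: peak 404 count} for clients hitting `threshold` stream-endpoint 404s in any window."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "404" or not STREAM_RE.match(m["path"]):
            continue  # skip unparsable lines, successful plays and unrelated paths
        misses[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, times in misses.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, n in find_stream_probers(SAMPLE_LOG).items():
        print(f"{ip}: {n} stream-id misses within 60s; candidate for a proxy/fail2ban ban")
```

A single miss from a client that fat-fingers a bookmark never reaches the threshold, so the window and threshold are the knobs to tune against your own traffic before wiring the output into a ban action.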