🚀 Jellyfin Server 10.11.7
We are pleased to announce the latest stable release of Jellyfin, version 10.11.7! This minor release brings several bugfixes to improve your Jellyfin experience. As alway...
jellyfin people just always spout this advice as some sort of copium and i dont even know why. ALL software will have security issues at some point or another. just update and move on with your life.
There is a new story every week in Steve Gibson’s “Security Now” podcast about why you should virtually never open ports. And if you do, you’d better IP restrict. Even, or especially, in commercial products. Cisco has a new CVSS 10.0 every other week just about
I run pretty much all my stuff through NPMplus. Then I have a firewall between my public and private networks in case something does get compromised. But I’ve had Plex exposed (on a non-default port) for literally years and nothing ever happens.
But I think more than copium it’s them understanding their users. It’s advice for people that will figure out how to run Jellyfin but won’t stay on top of updates, setup a waf, use a firewall/reverseproxy to limit access, etc. There are surely a lot of those that just one clicked an installer etc and for them it’s good advice.
None really, just wondering what the issue with opening it up is if it has TLS? In 10+ years I’ve never had my Plex server compromised and it just uses TLS. I do change the default port but that’s it.
That’s kinda my perspective on it to. I mean, how do they think websites work? Gotta expose ports to make all the internet things happen. Sure commercial stuff will have more devices to protect it, but there are things you can do to mitigate issues at home too.
Are you singling out Jellyfin for a particular reason? Or are also going to advise just never opening ports in general?
jellyfin people just always spout this advice as some sort of copium and i dont even know why. ALL software will have security issues at some point or another. just update and move on with your life.
There is a new story every week in Steve Gibson’s “Security Now” podcast about why you should virtually never open ports. And if you do, you’d better IP restrict. Even, or especially, in commercial products. Cisco has a new CVSS 10.0 every other week just about
I run pretty much all my stuff through NPMplus. Then I have a firewall between my public and private networks in case something does get compromised. But I’ve had Plex exposed (on a non-default port) for literally years and nothing ever happens.
Why NPMplus and not the default NPM?
Primarily for the CrowdSec integration (one less thing to set up manually)
https://www.virtualizationhowto.com/2025/09/nginx-proxy-manager-vs-npmplus-which-one-is-better-for-your-home-lab/
Why link the fork of a fork in your original response?
uhhh did i? https://github.com/ZoeyVid/NPMplus is the link I meant to post for npmplus. its a fork of npm.
Definitely.
But I think more than copium it’s them understanding their users. It’s advice for people that will figure out how to run Jellyfin but won’t stay on top of updates, setup a waf, use a firewall/reverseproxy to limit access, etc. There are surely a lot of those that just one clicked an installer etc and for them it’s good advice.
that’s fair, does it not have any kind of encryption by default?
Standard TLS, I think, but what else would you need?
None really, just wondering what the issue with opening it up is if it has TLS? In 10+ years I’ve never had my Plex server compromised and it just uses TLS. I do change the default port but that’s it.
Plex logins go through their login server so you’ll also have login throttling and probably other bot protections.
They also do some SSL shenanigans to get every user a unique, valid public certificate created during setup. https://words.filippo.io/how-plex-is-doing-https-for-all-its-users/
That’s kinda my perspective on it to. I mean, how do they think websites work? Gotta expose ports to make all the internet things happen. Sure commercial stuff will have more devices to protect it, but there are things you can do to mitigate issues at home too.
For the vast majority of users? Yes. They shouldn’t forward ports.
Setup a VPN gateway at Grandma’s house.
Jellyfin is particularly bad compared to other things. You still should avoid exposing stuff to the internet