icedterminal
link
fedilink
English
781Y

Oh my. You’re doing it wrong. Exposing the unencrypted connection without the proper security measures is putting yourself at risk. Regardless of how strong you set the password, the connection can still be abused in all manner of ways. If you read the jellyfin documentation, you’d see the developers clearly state you should never do this. You need to put Jellyfin behind server software. Specifically a reverse proxy. I use NGINX. You can setup your connection to be secure this way. You can now also use Cloudflare if you have cache turned off. And if you really wanna go the extra mile, route it behind a VPN. Though this makes it harder for those you share it with or some devices that don’t support VPN.

Please revise your connection. If you need help, feel free to reach out.

BaroqueInMind
link
fedilink
13
edit-2
1Y

I have nginx setup and acessing through a Cloudflare tunnel but still getting EMOTET issues detected by my IDS.

pcjones
link
fedilink
English
61Y

May I ask what I should look for in the log files to detect this (and so I can configure fail2ban correctly)?

First read this

Then use the following:

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:“[CIS] Emotet C2 Traffic Using Form Data to Send Passwords”; content:“POST”; http_method; content:“Content-Type|3a 20|multipart/form-data|3b 20|boundary=”; http_header; fast_pattern; content:“Content-Disposition|3a 20|form-data|3b 20|name=|22|”; http_client_body; content:!“------WebKitFormBoundary”; http_client_body; content:!“Cookie|3a|”; pcre:“/:?(chrome|firefox|safari|opera|ie|edge) passwords/i”; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)

And the following:

alert tcp any any -> any $HTTP_PORTS (msg:“EMOTET:HTTP URI GET contains ‘/wp-content/###/’”; sid:00000000; rev:1; flow:established,to_server; content:“/wp-content/”; http_uri; content:“/”; http_uri; distance:0; within:4; content:“GET”; nocase; http_method; urilen:<17; classtype:http-uri; content:“Connection|3a 20|Keep-Alive|0d 0a|”; http_header; metadata:service http;)

And also this one:

alert tcp any any -> any $HTTP_PORTS (msg:“EMOTET:HTTP URI GET contains ‘/wp-admin/###/’”; sid:00000000; rev:1; flow:established,to_server; content:“/wp-admin/”; http_uri; content:“/”; http_uri; distance:0; within:4; content:“GET”; nocase; http_method; urilen:<15; content:“Connection|3a 20|Keep-Alive|0d 0a|”; http_header; classtype:http-uri; metadata:service http;)

icedterminal
link
fedilink
English
11Y

You always will. Welcome to the Internet. The difference is whether or not you’ve taken steps to secure your stuff. You need to understand what this malware is looking for. It’s explicitly looking for unsecured services. Such as WordPress, SQL, etc. There are inexperienced users out there that inadvertently expose themselves. I see this type of probing at work and at home. Don’t overly stress it. My home server has been running for a decade without issues. Just keep it updated and read before you make any changes if you don’t fully understand the implications.

My home based server is behind a pfsense firewall. Runs Arch. Everything is in a non-root docker container. SELinux is enforced. All domains are routed through Cloudflare. Some use Cloudflare Zero Trust.

BaroqueInMind
link
fedilink
2
edit-2
1Y

Mines behind an NGINX reverse proxy as well. EMOTET is a very advanced malware and can get around those now. My IDS detected data exfiltration to an unknown Brazilian IP, and I have a VPN with an IP tunnel on top of my reverse proxy, as well as everything on port 443. It still found a way.

icedterminal
link
fedilink
English
31Y

If it found a way, then your server configuration is inadequate. Are you using old ciphers or protocols? Missing headers? Wrong headers? Something doesn’t add up here.

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ
!piracy@lemmy.dbzer0.com
Create a post
⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don’t request invites, trade, sell, or self-promote

3. Don’t request or link to specific pirated titles, including DMs

4. Don’t submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

  • 1 user online
  • 75 users / day
  • 286 users / week
  • 790 users / month
  • 3.17K users / 6 months
  • 1 subscriber
  • 3.59K Posts
  • 84.9K Comments
  • Modlog