Crowdsec with a central LAPI server. You should install it on the servers themselves to monitor the application logs directly. Then every bouncer(firewall, router, edge device) connected to the LAPI will all block the same IPs. I got sick of repeat offenders and upped the ban time to 1 year in hours.
No worries. Better than reading that someone got hacked because they left Jellyfin wide open
You could even run a travel router, mini PC or Raspberry Pi, run the VPN on it, connect the Roku to it over the onboard WiFi adapter. On the PC/Pi you’d force all the traffic from the Roku towards Jellyfin over the tunnel. You could even define the Jellyfin in DNS (/etc/hosts) so the internet will never even know you’re running Jellyfin. Something like https://raspap.com/ or even a openwrt travel router from the likes of GL.iNet would work.
Do not. I repeat do not expose Jellyfin to the internet. It has too many security issues to be direct accessible from the internet.
I use Jellyfin and only access it over WireGuard. I have a mesh setup between the routers at a few family members houses.
If you have absolutely no other way then to expose it to the internet you need to make sure that you whitelist only the approved IPs in your VPS firewall and block everything else.
https://www.recompile.se/mandos
I use this to get wireguard in intramfs. I just skip the dropbear related stuff. https://github.com/r-pufky/wireguard-initramfs
I use LUKS on my systems. I use mandos and wireguard in intramfs to connect to a mandos server to unlock LUKS during boot.
Nope. I’ll stick with OPNsense which is open source.
Thats unfortunate. I simply shared my experience. Been a customer for over 5 years so maybe they’ve changed their on boarding of new customers and the emails that are sent out.
No upselling. Yes they might have something in the order process. Like when ordering a VPS you can add windows os or some control panel type software. I didn’t pay anything extra and my domains all have private whois details when lookups are done. The one thing they did offer in the order process for domain transfer was something to do with anycast DNS, but it was just a box on the page and wasn’t in your face or annoying.
No annoying emails either. I only get emails from them related to services I purchased from them which include changes to whois contacts(also usually get a email from CIRA for my .ca domains), bill PDF being ready for download, or additional IP is available and ready for use etc.
Canuck here. I’ve been moving all my domains from porkbun over to OVH. I still use desec.io for the DNS since they’re based in Germany and like to keep it separate from the registrar.
If OVH plays its cards right they’re going to be getting a lot more business from those looking to dump GCS, AWS, and Azure.
I’ve been thinking about going this route. What size subnet are you banning? /24?
Only thing stopping me is I selfhost email and don’t want to ban say a whole subnet from Microsoft/Azure and end up blocking the outgoing servers for O365. I’m sure I can dig around and look at the prefixes to see which are used for which of their services just haven’t had the time yet.