• 0 Posts
  • 5 Comments
Joined 1 year ago
Cake day: May 28th, 2024

  • And again - if you put those behind a fail2ban; and you 404 5x in an hour, which is likely - you’ve solved that issue. Had my jellyfin instance publicly available for 2 years on its own VM with passthrough GPU, and haven’t had any issues. People poke around quite often, and get blackholed via the firewall for 30d.

    It wouldn’t stop a dedicated attacker, but I doubt anyone’s threat model here is that intense. Most compromised servers happen from automated attacks probing for vulnerabilities in order to get RCE; not probing for what movies you have – Because having movies on a media server doesn’t prove that you didn’t rip them all off of blu-ray…it just means you have movies.

    You’re not going to have 100% privacy when you put up ANY service on your network. Everything leaves a trace somehow; but I’m starting to think half of you are Chinese spies or something with the amount of paranoia people here show sometimes. :P
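
The rule described in the comment above (five 404s within an hour, then a 30-day ban), sketched as an added example that is not part of the original comment and is not fail2ban's own code. The combined access-log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: reverse-proxy access log in nginx/Apache "combined" format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
MAX_404 = 5                      # "404 5x"
FIND_TIME = timedelta(hours=1)   # "in an hour"
BAN_TIME = timedelta(days=30)    # "blackholed ... for 30d"

def find_bans(lines):
    """Return {ip: (banned_at, banned_until)} for clients that hit the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of 404s still inside the window
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue             # unparsable lines and non-404 responses never count
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ip in bans and ts < bans[ip][1]:
            continue             # ban still active; the firewall would drop this
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > FIND_TIME:
            hits.popleft()       # forget 404s older than the window
        if len(hits) >= MAX_404:
            bans[ip] = (ts, ts + BAN_TIME)
            hits.clear()
    return bans

def _line(ip, hms, status):
    # Constructed sample line, not taken from any real log.
    return f'{ip} - - [12/Mar/2025:{hms} +0000] "GET /x HTTP/1.1" {status} 0 "-" "-"'

SAMPLE_LOG = (
    # Scanner: five 404s within five seconds, banned on the fifth.
    [_line("203.0.113.7", f"10:00:0{i}", 404) for i in range(5)]
    # Ordinary client: five 404s spaced 30 minutes apart, never five inside one hour.
    + [_line("198.51.100.20", f"{h}:00", 404) for h in ("09:00", "09:30", "10:00", "10:30", "11:00")]
    # Successful requests are ignored.
    + [_line("192.0.2.50", f"10:05:0{i}", 200) for i in range(9)]
)

if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} from {start.isoformat()} until {end.isoformat()}")
```

The second client shows why the window matters: it produces as many 404s as the scanner, but spread over two hours, so it is never banned.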



  • Do. And make sure your logs are piped through fail2ban.

    All of these “vulnerabilities” require already having knowledge of the ItemIDs, and anyone without it poking around will get banned.

    The rest of them require a user be authenticated, but allow horizontal information gathering. These are not RCEs or anything serious. The ones which allowed cross-user information editing have been fixed.


  • If your “FIRST STEP” is to choose an OS: Fuck that.

    You should never have to change your OS just to use this crap. It’s all written in Python. It should work on every OS available. Your first step is installing the prerequisites.

    If you’re using something like Continue for local coding tasks, CodeQwen is awesome, and you’ll generally want a context window of 120k or so because for coding, you want all the code context - or else the LLM starts spitting out repetitious stuff, or can’t ingest all of your context so it’ll rewrite stuff that’s already there.


  • Sorry, but chalk this up to lesson learned. It’s almost always been this way. Domain squatters will do this all the time. In fact, some domain registrars will use you searching their site for an ‘available’ domain, and if you don’t buy it up right away – will buy it and hike the price and sit on it for years in order to lock it down, knowing you wanted it.

    btw, Namecheap says Sunglocto dot com is like $10 - so just register a .com. Not through that Epik piece of shit that you used before. Legit, use Namecheap; they’ve never done me wrong and have been my registrar for more than a decade now.