Hi all,
its come to my attention by a friendly user of our forum who did some of their own security research and found a large number of public facing insecure stash environments. if you havent already you should secure them. If you think they’re secure, check to make sure.
The user in question didnt want any credit so they asked me to send along the info. they wrote this for you.
It has been found that some users have public-facing StashApp instances without any type of authentication. This not only puts your data at risk—allowing anyone to change and delete data—but it also opens the door for bad actors to do potentially harmful activities.
How to Check if You Are Affected
- Find Your Public IP Address and Try to Access Your StashApp/XBVR URL
- Visit WhatIsMyIP.com or a similar website to find out your public IP address.
- Using your mobile device (with mobile data) or another Wi-Fi, open a web browser and enter your public IP address followed by your port, the default being
:9999
(e.g.,http://your-public-ip-address:9999
). - If you can access your StashApp/XBVR instance without any login prompt, your instance is exposed.
- Check Your Router’s Port Forwarding Rules:
- Log into your router’s administration page and check if you have any port forwarding rules that expose your StashApp/XBVR instance to the internet.
If You Are Affected:
- Do Not Just Port Forward Anything into Your Home Network!
- Directly exposing services like StashApp/XBVR to the internet is dangerous without proper security measures. Its best to avoid forwarding ports all together.
- Use Authentication
- In your stash instance navigate to Settings → Security and add credentials.
- Use a VPN to Connect Back Home When On the Go:
- A secure way to access your home network services while away from home is to use a VPN. One of the easiest to set up and use is Tailscale.
Tailscale Basic Usage
- Sign in to Tailscale
- Tailscale is free for up to three users and 100 devices. That should be sufficient for most. Use an identity provider of your choice.
- Install Tailscale on your desired devices
- Follow the instrucitons to install Tailscale on your StashApp/XBVR server / VM / LXC and your desired devices like your phone or laptop.
- Access your instance
- When connected to you Tailscale VPN use the provided MagicDNS address with the correct port or Tailscale IP Adress to connect to your instance (e.g., ‘stashapp.tail5fjc36.ts.net:9999’)
Note that this is just the quickest installation option. For more convience further configuration is recommended.
Stay safe out there fellow self-hosters!