"friend"/user can still access my PMS and watch content after being deleted?!

seanvree81 Posts: 150 Members, Plex Pass

Environment:
OS: Windows 10 Enterprise 64-bit 1709 FCU
CPU: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz (8 CPUs), ~4.0GHz
GPU: Intel HD Graphics 530
Display Memory: 16231 MB
Dedicated Memory: 128 MB
Shared Memory: 16103 MB
RAM: 32GB

PMS:
PMS: Version 1.11.0.4633

Remote Access: Manually specified port
Enable server support for IPv6: ENABLED
LAN Networks: 192.168.1.1/255.255.255.0
Custom server access URLs: https://mydomain.com:32400
IP addresses without auth: 192.168.1.1/255.255.255.0

ISSUE:

So I deleted a user from my "Friends" via the PMS settings -> Users over 30 days ago. But today he was able to watch content from my PMS from an external IP! I checked the following: https://plex.tv/api/users/?X-Plex-Token=TOKEN and his username or email was nowhere to be listed.

How is this possible?

Answers

  • dduke2104 Posts: 200 Members, Plex Pass

    Have you restarted PMS since removing him from your friends list?

  • seanvree81 Posts: 150 Members, Plex Pass

    @dduke2104 said:
    Have you restarted PMS since removing him from your friends list?

    I sincerely hope this is a joke, right?

    "over 30 days ago."

  • kegobeer-plex Posts: 5,875 Members, Plex Pass, Plex Ninja

    What are your security settings on your Plex Server?

    Where are my log files?

    How do I properly name my media files?

    Plex Dance

    NVIDIA SHIELD SMB/NAS Sharing How-To - / - NVIDIA SHIELD Support Documents

    Plex Server: Running on ThinkServer TS140 w/Server 2012 R2 Essentials
    Primary Plex Player: Shield TV, always the latest beta build, always the latest firmware revision

  • seanvree81 Posts: 150 Members, Plex Pass
    edited December 2017

    @kegobeer-plex

    Security settings? Where do I find such settings?

  • kegobeer-plex Posts: 5,875 Members, Plex Pass, Plex Ninja

    Under network. Do you have secure connections disabled?

  • seanvree81 Posts: 150 Members, Plex Pass

    Oh, "network settings". Yeah, kinda posted them in OP, but they look like this:

  • kegobeer-plex Posts: 5,875 Members, Plex Pass, Plex Ninja

    Check the devices that are authorized access - is his computer/Plex app still in there? If so, delete it. Also, you don't need anything in your LAN Networks box, because I assume 192.168.1.x is your local subnet and your Plex Server is in that subnet, so it's considered local by default.

    Since you have a direct link to your Plex Server instead of going through the Plex.tv website, you should change your manual port to something other than the default 32400. Pick something in the 40000-50000 range. Once the port is changed there is no way he will be able to access your Plex server.

  • seanvree81 Posts: 150 Members, Plex Pass
    edited December 2017

    @kegobeer-plex said:
    Check the devices that are authorized access - is his computer/Plex app still in there? If so, delete it. Also, you don't need anything in your LAN Networks box, because I assume 192.168.1.x is your local subnet and your Plex Server is in that subnet, so it's considered local by default.

    Since you have a direct link to your Plex Server instead of going through the Plex.tv website, you should change your manual port to something other than the default 32400. Pick something in the 40000-50000 range. Once the port is changed there is no way he will be able to access your Plex server.

    Good suggestions @kegobeer-plex . How do you ID the device that was associated with X user? I have like 30 devices in the list...none of them say what accnt they are associated with. I def don't wanna have to "purge" all the devices in the list. I have more than 20 users.

    Yeah, been meaning to change the default port. - You're saying change the manual port selection in the Remote access section right, or change my direct port number here in the network section....so mydomain.com:48000? Now, would I still want to open 32400 AND the new port on my router?

    This is weird tho right?

  • kegobeer-plex Posts: 5,875 Members, Plex Pass, Plex Ninja

    Here's part of a guide I use when setting up port forwarding:

    Go into your router and create a manual port forward rule for external port 47222 (just an example but don't use 32400), for protocol TCP, that points to your Plex server's IP and internal port 32400.
    Save that and power cycle your router.
    Go into the Plex server remote access settings, tick the box next to manual port, enter 47222, click apply, then disable remote access, shut down and restart the Plex server application, and enable remote access.

    You only have the external port of 47222 open, you do not open an external port for 32400.

    Even if you delete all of the devices, it's not a big deal. Your users still have access, they would just have to sign in again. With his device gone, he can't get access.

  • seanvree81 Posts: 150 Members, Plex Pass
    edited December 2017

    @kegobeer-plex DOPE man. Thanks so much for the tips. I'll get started on this.

    Also, in the "devices" menu, I thought this listed only MY devices? I know he was playing from iOS, but I'm not even seeing any iOS devices on this list anywhere?

    One question for pure morbid curiosity...is this by design? Or is there something weird going on? I mean - it just seems crazy to me that even excluding all the port stuff...that someone can play content from your server and the user is not listed on your accounts. Now, if this is purely a "cache" thing / ie. devices like you stated - I could understand that, but a month ago?!

    Funny to me that PLEX "hardened" all this auth stuff but this is even possible.

    Anyway, I'll give it a go.

  • kegobeer-plex Posts: 5,875 Members, Plex Pass, Plex Ninja

    I think when you give someone a direct link to your server (which you've done by having a custom URL that basically bypasses Plex.tv) then they will have access even if you remove them from the access list, since they have a direct link to you. I'll ask about this and get back to you.

  • kegobeer-plex Posts: 5,875 Members, Plex Pass, Plex Ninja

    Since you have a url that gives access to your server, do you also have a reverse proxy set up? That would make any request appear to be local, and since you've given all your local IPs access without auth, your recently kicked friend still has access.

    Remove the blanket access you've given to all the IPs on your local network, which should remove his access to your Plex server.

  • dduke2104 Posts: 200 Members, Plex Pass

    @seanvree81 said:

    I sincerely hope this is a joke, right?

    No, it wasn't. I frequently go 30 days without a PMS restart.

  • seanvree81 Posts: 150 Members, Plex Pass

    @kegobeer-plex said:
    Since you have a url that gives access to your server, do you also have a reverse proxy set up? That would make any request appear to be local, and since you've given all your local IPs access without auth, your recently kicked friend still has access.

    Remove the blanket access you've given to all the IPs on your local network, which should remove his access to your Plex server.

    @kegobeer-plex .

    Really appreciate your responses brotha.

    Okay a bit confused now. Yes, I do have a reverse proxy set up, so that MAY be how he was accessing...which makes sense. I deleted my PlexPY data, so I can't tell his IP address.

    So, you previously said to remove the "LAN networks" so am I now removing "list of addresses and networks without auth"? So both of those blocks are empty? NOW, because of the new auth "restrictions"..if I remove the local subnet mask from the last box, that means that if PLEX ever goes down (or my WAN), I wouldn't be able to auth, right, which would make my PMS inaccessible to ME?

  • kegobeer-plex Posts: 5,875 Members, Plex Pass, Plex Ninja

    Just put in single IP addresses, not the whole block. I add my server IP and then just the IPs of my clients, since I've given them DHCP reservations. Example: 192.168.1.50,192.168.1.57

  • seanvree81 Posts: 150 Members, Plex Pass
    edited January 1

    @kegobeer-plex said:
    Just put in single IP addresses, not the whole block. I add my server IP and then just the IPs of my clients, since I've given them DHCP reservations. Example: 192.168.1.50,192.168.1.57

    Okay, I understand this is a workaround. But this is a VERY important issue/hole I'm trying to understand. Also, I have 8 devices on my network, some are DHCP, so that's not really a good permanent solution.

    Also, just thinking out loud here ... He was signed in with his PLEX accnt as I saw his username....now, when I sign in without auth, it shows as GUEST. So why wouldn't it show him as guest if he was accessing that way?

    Now, IF he was accessing via reverse proxy, that means he was accessing via the webserver which is the box that PMS is on, which is the IP of 192.158.1.20...So I would have to add that IP to the whitelist, which would then give him access via the reverse proxy...right?

  • kegobeer-plex Posts: 5,875 Members, Plex Pass, Plex Ninja

    If your Plex server resides on the machine that hosts the reverse proxy, then yes.

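The reverse-proxy explanation in the replies above, as an added example that is not part of the original thread and not Plex's own code: it models a server that skips authentication based only on the TCP peer address, and audits an "IP addresses without auth" setting against the addresses a reverse proxy connects from. The proxy address 192.168.1.20 and the external client 203.0.113.9 are constructed sample values; forwarded-for headers are not modelled.

```python
import ipaddress

def parse_allowlist(setting):
    """Parse a comma-separated list of IPs/networks into network objects."""
    nets = []
    for item in setting.split(","):
        item = item.strip()
        if item:
            # strict=False accepts entries with host bits set,
            # such as 192.168.1.1/255.255.255.0 from the original post.
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def peer_seen(client_ip, proxy_ip=None):
    """Address the backend sees as TCP peer: the proxy's, if one is in the path."""
    return proxy_ip or client_ip

def skips_auth(peer_ip, allowlist):
    """True if a connection from peer_ip matches any allowlist entry."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowlist)

def audit(setting, proxy_ips):
    """Map each proxy address to the allowlist entries that cover it."""
    allowlist = parse_allowlist(setting)
    findings = {}
    for ip in proxy_ips:
        hits = [str(n) for n in allowlist if ipaddress.ip_address(ip) in n]
        if hits:
            findings[ip] = hits
    return findings

# Constructed sample: reverse proxy running on the media server's own box.
PROXY_IPS = ["127.0.0.1", "192.168.1.20"]
EXTERNAL_CLIENT = "203.0.113.9"
WHOLE_LAN = "192.168.1.1/255.255.255.0"      # setting shown in the original post
CLIENTS_ONLY = "192.168.1.50,192.168.1.57"   # per-client entries suggested in a reply

if __name__ == "__main__":
    for name, setting in [("whole LAN", WHOLE_LAN),
                          ("clients only", CLIENTS_ONLY),
                          ("clients + server box", CLIENTS_ONLY + ",192.168.1.20")]:
        print(f"{name:22} proxy covered by: {audit(setting, PROXY_IPS)}")
    lan = parse_allowlist(WHOLE_LAN)
    print("direct external peer skips auth:", skips_auth(peer_seen(EXTERNAL_CLIENT), lan))
    print("same client via proxy skips auth:",
          skips_auth(peer_seen(EXTERNAL_CLIENT, "192.168.1.20"), lan))
```

An empty result from `audit` means no allowlist entry covers the proxy, so proxied requests still have to authenticate.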

  • seanvree81 Posts: 150 Members, Plex Pass

    @kegobeer-plex said:
    If your Plex server resides on the machine that hosts the reverse proxy, then yes.

    Humm, welp, I'm still confused then, and a bit worried that someone can access my PMS externally.

    Bottom line:

    1 - IF he was signed in with HIS PLEX user accnt (which in this case he was), my server should not show up on his server list in the app on his device.

    2 - If he was accessing via reverse proxy then he should have showed up as GUEST (which in this case he was not).

    Anyway, thanks for the responses @kegobeer-plex . Have a good New Year. LMK if you check into this .

    Thanks,

  • kegobeer-plex Posts: 5,875 Members, Plex Pass, Plex Ninja

    He was still logged into his Plex account, so that's what you see. When you tested it, you logged out of your Plex account, correct?

    Bottom line is, if you have your reverse proxy on your Plex server system you might want to consider moving one or the other. And unless you really have a need to have custom certificates, a reverse proxy, URLs, etc, I recommend dropping them and making your guests go through plex.tv to access your server remotely.

  • seanvree81 Posts: 150 Members, Plex Pass
    edited January 1

    @kegobeer-plex ,

    Look, I'm not going to get into an argument with you...but all you've done here is provide "work-arounds". Like, NO, I'm not going to remove DHCP from my router. I'm also not going to remove my custom certs and domain name (so that I can access the server when PLEX is down), and I'm definitely NOT going to move my webserver to a VM because PLEX can't figure out authentication. Seriously? No.

    It's really not a complicated process:
    1. User launches PLEX app ->
    2. App authenticates with PLEX.tv (since user is remote) ->
    3. server list is generated (this is where my server would drop off his app since I removed him)
    a. If user has settings in the app for direct access and is on same LAN as PMS user is granted access.
    b. If user has settings in the app for direct access and is remote, user would obviously be denied access.

    It boggles my mind that PLEX "sold-out" their users to FB and Google under the excuse of "hardening" the auth process which can (and does) lead to server owners in a situation where they can't access their own PMS on their own private LAN, but yet a remote user who isn't on the friend access list can access a PMS?! THAT Sir, is the bottom line.

    Cheers.
