
Plex Security: How to avoid opening public port?

Hi Devs,

 

I am considering buying a PlexPass, but I am far from comfortable opening a public Internet port (32400) to my PMS. Is there a way to advance the Plex architecture to avoid the need to have a public Internet port open?  It is quite a security risk.

 

Currently the myPlex seems to be hosted at Amazon AWS so opening the port to "only" 50.16.0.0/14 helps a bit.

 

http://www.whois.net/ip-address-lookup/50.18.148.15   [replace the IP address with the IP from where your PMS was contacted]

 

Jylppy


Comments

  • celloch (Posts: 425; Members, Plex Pass)

    My.plexapp.com, once you log in, redirects you to your server, according to the settings you specified on your server.

    Plex listens on port 32400 and, for myplex, on an additional port you specify in the settings.

    The way I do it, I have disabled the automatic mapping of the myPlex port, and opened a different public port on my router which is then routed to the 32400 (private) port of the IP address I use for my PMS.

  • tripflex (Posts: 92; Members, Plex Pass)

    There's no way to access your plex server remotely without having a port open, that's just not an option.  Even if you were using a standard browser going to http://myip/ instead of http://myip:32400/ ... when you don't specify a port, the default is used which is port 80.

    If you're that concerned with having an open port you have a couple options.  

    First option would be to block everything with a firewall and just not have remote access.

    Second option would be to block everything with a firewall, but set up a VPN (would require a port to be open as well), and then only allow local access.

    I run a hosting company and have to deal with people trying to exploit our servers every day...so unfortunately I have to deal with security on a daily basis...you just need to be proactive about it.

    I guess the real question would be, why are you concerned with having that port open?  If you can tell us the REAL answer, we can tell you what your options are.

  • jylppy (Posts: 6; Members)

    Maybe I have a bit too much paranoia here, but I am mostly concerned about worms / automated attacks trying to take advantage of known Plex vulnerabilities. Not that someone would try to hack my system (there is not much to gain).

    Unfortunately my router does not know how to forward ports to another port number so I have to survive by limiting accepted source addresses to AWS IP block.

  • celloch (Posts: 425; Members, Plex Pass)

    In order to exploit your server through my.plexapp.com, a hacker would also need to know your plex password.

    If you are concerned about this kind of potential exploit, the solution is simply to disable myplex, and to make Plex available remotely by choosing a random port different from 32400.

  • sa2000 (Posts: 28,835; Members, Plex Pass, Plex Ninja, Plex Team Member)
    edited August 2013
    Cello wrote on August 1 2013, 8:20 PM: »

    In order to exploit your server through my.plexapp.com, a hacker would also need to know your plex password.

    If you are concerned about this kind of potential exploit, the solution is simply to disable myplex, and to make Plex available remotely by choosing a random port different from 32400.

    Actually I had the same concerns about opening the port and in the end picked a different port number than 32400 externally and routed it to 32400. Presumably hackers just scan all ports until they find one open. But the issue with security I understand is only if the hacker actually managed to compromise the Plex Media Server code as all traffic through that open port goes to the Plex Media Server application. So is that a possibility?

    When I found that Skype already opens ports through the router without asking us the users and the actual fact that the router is bombarded every few seconds with LAN Incoming Data for Skype from the whole world routed to Skype from places we have no connections with - then I thought if Apps like Skype are doing it by default maybe it is not an issue for Plex to have just the one port open. For Windows PCs, one can block those incoming packets on the ports open by disabling uPnP in Skype Advanced Settings but the Samsung Skype App does not provide equivalent Advanced Settings. So what I am saying is, for those of us using the Skype App on Samsung, we already have ports open we can do nothing about - so Plex would probably be ok. Does it make sense?

    Help given free on forums.            Fee-Based Personal Support & Help.        

    _______________________________________________________________________________________

    Plex Support Information              Troubleshooting               FAQs

    Plex Media Server:   Reporting Issues        Plex Web App: Debug Log    Plex Apps: Support pages and Logs    Logs: All Logs

    For list of 3rd party programs and malware / adware crashing Plex Media Server and mswsock.dll on windows, see Repeated crashing of Plex Media Server on Windows
     
  • celloch (Posts: 425; Members, Plex Pass)
    sa2000 wrote on August 1 2013, 8:32 PM: »

    Actually I had the same concerns about opening the port and in the end picked a different port number than 32400 externally and routed it to 32400. Presumably hackers just scan all ports until they find one open. But the issue with security I understand is only if the hacker actually managed to compromise the Plex Media Server code as all traffic through that open port goes to the Plex Media Server application. So is that a possibility?

    It would have to compromise both my.plexapp.com to obtain your myplex login and password information first.

    Then, once redirected to your ip:port, they would need to attack your machine through the PMS, i.e. it is as you say they would need to compromise the PMS.

    sa2000 wrote on August 1 2013, 8:32 PM: »

    When I found that Skype already opens ports through the router without asking us the users and the actual fact that the router is bombarded every few seconds with LAN Incoming Data for Skype from the whole world routed to Skype from places we have no connections with - then I thought if Apps like Skype are doing it by default maybe it is not an issue for Plex to have just the one port open. For Windows PCs, one can block those incoming packets on the ports open by disabling uPnP in Skype Advanced Settings but the Samsung Skype App does not provide equivalent Advanced Settings. So what I am saying is, for those of us using the Skype App on Samsung, we already have ports open we can do nothing about - so Plex would probably be ok. Does it make sense?

    Or you can disable uPNP (or NAT-PMP) on the router itself. In that case you need to open only the specific ports you need. More work (especially when adding machines to the network) but added security.

  • sa2000 (Posts: 28,835; Members, Plex Pass, Plex Ninja, Plex Team Member)
    Cello wrote on August 1 2013, 9:11 PM: »

    Or you can disable uPNP (or NAT-PMP) on the router itself. In that case you need to open only the specific ports you need. More work (especially when adding machines to the network) but added security.

    I was not sure what impact that would have on Plex or any other uPnP device on my network. That would be good if I can do it - but someone needs to hold my hand or spell out what needs to be done. I do not know anything about NAT but managed to stop the double NAT issue I had at the beginning with ISP Modem/Router and my DHCP / Wireless control router.

     
  • celloch (Posts: 425; Members, Plex Pass)
    sa2000 wrote on August 1 2013, 9:17 PM: »

    I was not sure what impact that would have on Plex or any other uPnP device on my network. That would be good if I can do it - but someone needs to hold my hand or spell out what needs to be done. I do not know anything about NAT but managed to stop the double NAT issue I had at the beginning with ISP Modem/Router and my DHCP / Wireless control router.

    If you stopped the double NAT issue you probably know more than the average user :-). After disabling the protocol on your router, you basically apply the same procedure you followed for Plex to each application you run which requires to be accessible remotely. It can be a pain. Personally, I am not concerned to the point of having to configure different ports/IP for our five computers running in the household.

    Also, in your specific case about Skype (I imagine you were referring to the TV app) I have no idea if it lets you specify the same kind of advanced options you have on your windows PC.

  • sa2000 (Posts: 28,835; Members, Plex Pass, Plex Ninja, Plex Team Member)
    Cello wrote on August 1 2013, 9:41 PM: »

    If you stopped the double NAT issue you probably know more than the average user :-). After disabling the protocol on your router, you basically apply the same procedure you followed for Plex to each application you run which requires to be accessible remotely. It can be a pain. Personally, I am not concerned to the point of having to configure different ports/IP for our five computers running in the household.

    Also, in your specific case about Skype (I imagine you were referring to the TV app) I have no idea if it lets you specify the same kind of advanced options you have on your windows PC.

    I will have a look after summer break. Yes, it is the Skype TV App that they have not included Advanced Settings for. For all the PCs I disabled uPnP in Advanced Settings for Skype and I do not appear to have lost any Skype functionality - so I don't know what they use it for. Are they using people's machines to hop around the world to speed up their communication?

    I do not need to access any uPnP device from outside  - is uPnP only for remote connections inwards to the network for multimedia traffic?

    It is only Plex that I will use externally through the port I specified. So maybe I do not need uPnP enabled at all in the router as Plex would just go through the external port to 32400 within the PMS app.

     
  • dpetr00plex (Posts: 3; Members, Plex Pass)

    I do not see any security enforced by PLEX when connecting remotely.  It looks like Administrative actions are allowed as well.

    Where is the security to prevent someone from maliciously deleting my whole library?

  • sa2000 (Posts: 28,835; Members, Plex Pass, Plex Ninja, Plex Team Member)
    dpetr00plex wrote on January 3 2014, 6:28 PM: »

    I do not see any security enforced by PLEX when connecting remotely.  It looks like Administrative actions are allowed as well.

    Where is the security to prevent someone from maliciously deleting my whole library?

    They would not be able to do it without the myPlex username and password.

     
  • dpetr00plex (Posts: 3; Members, Plex Pass)

    Have you verified that?  I just tested a second time and was able to edit, delete, etc... from a remote computer without ever having to provide credentials.

  • sa2000 (Posts: 28,835; Members, Plex Pass, Plex Ninja, Plex Team Member)
    dpetr00plex wrote on January 3 2014, 8:38 PM: »

    Have you verified that?  I just tested a second time and was able to edit, delete, etc... from a remote computer without ever having to provide credentials.

    What route did you take? url?

    Maybe you have opened up your router to everything.

    Last time someone had this I was told the user must have 'Incoming NAT Enabled' on the router.

    If I go to my WAN IP Address and the published port I get challenged for a myPlex signin. This is how it is supposed to work.

     
  • dpetr00plex (Posts: 3; Members, Plex Pass)

    Ok, I was able to get the login prompt by using a different source IP.  The login page loads over an unsecure channel which opens up a realm of security risks.  Based on this, I wouldn't recommend accessing your Plex system remotely via a public network.

    All interactions on the local network remain unauthenticated.  I found the following setting in Settings -> myPlex -> Show Advanced Settings

    Require authentication on local networks

    Populates the allowed networks setting with 127.0.0.1/255.255.255.255. This requires other computers on a local network to authenticate with myPlex before accessing the server.

    Looks like Plex has an "allowed networks" setting which determines when to challenge for authentication.
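
The "allowed networks" behaviour described in the post above, modelled as an added example (it is not Plex's code and not part of the original thread). It assumes the setting is a comma-separated list of address/netmask entries and that a client whose source address matches an entry is not challenged; the function names, the LAN range and the sample source addresses are constructed. The last line applies the same membership test to the 50.16.0.0/14 source filter from the opening post.

```python
"""Model of an address-based authentication bypass list (added example)."""
import ipaddress

# Ranges treated here as "local": loopback plus private address space.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]


def parse_networks(setting):
    """Parse comma-separated 'addr/netmask' or 'addr/prefix' entries."""
    nets = []
    for item in setting.split(","):
        item = item.strip()
        if item:
            # ip_network accepts dotted netmasks such as /255.255.255.255
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def in_any(source_ip, networks):
    """True if the source address falls inside any listed network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == n.version and addr in n for n in networks)


def needs_auth(source_ip, allowed):
    """A client is challenged unless its source address is on the allowed list."""
    return not in_any(source_ip, allowed)


def audit(allowed):
    """Return entries that reach beyond loopback/private space.

    Any address inside such an entry would be served without a login.
    """
    risky = []
    for net in allowed:
        local = any(net.version == r.version and net.subnet_of(r)
                    for r in LOCAL_RANGES)
        if not local:
            risky.append(str(net))
    return risky


if __name__ == "__main__":
    # Value the post says the "require authentication" option populates.
    strict = parse_networks("127.0.0.1/255.255.255.255")
    # Constructed list that also trusts a home LAN.
    lan = parse_networks("127.0.0.1/255.255.255.255, 192.168.1.0/255.255.255.0")
    for name, allowed in (("strict", strict), ("lan", lan)):
        for src in ("127.0.0.1", "192.168.1.20", "203.0.113.7"):  # constructed
            state = "challenge" if needs_auth(src, allowed) else "no challenge"
            print(f"{name:6} {src:15} {state}")
    print("risky entries:", audit(parse_networks("192.168.1.0/24, 0.0.0.0/0")))
    # Router-side source filter from the opening post.
    print("50.18.148.15 admitted:",
          in_any("50.18.148.15", parse_networks("50.16.0.0/14")))
```
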

  • sa2000 (Posts: 28,835; Members, Plex Pass, Plex Ninja, Plex Team Member)
    dpetr00plex wrote on January 4 2014, 7:38 PM: »

    Ok, I was able to get the login prompt by using a different source IP.  The login page loads over an unsecure channel which opens up a realm of security risks.  Based on this, I wouldn't recommend accessing your Plex system remotely via a public network.

    All interactions on the local network remain unauthenticated.  I found the following setting in Settings -> myPlex -> Show Advanced Settings

    Require authentication on local networks

    Populates the allowed networks setting with 127.0.0.1/255.255.255.255. This requires other computers on a local network to authenticate with myPlex before accessing the server.

    Looks like Plex has an "allowed networks" setting which determines when to challenge for authentication.

    There are two separate things here.

    1. The normal Remote Access through myPlex or to your WAN IP Address and external port - this needs you to authenticate with the myPlex servers

    2. A. Local Network Authentication: When the option is ticked then every machine other than the Plex Media Server computer needs to authenticate with the myPlex servers.

    2. B. Network Advanced Settings allow you to define IP Addresses locally / range that would be permitted to access without Authentication. Everything else would be deemed Remote and would then follow the rules for 1. above

    As you are a PlexPASS member you can look at this thread in the PlexPASS forum which has been discussing security

     https://forums.plex.tv/topic/91538-security-and-plexserver-09818/

     
  • z9852 (Posts: 3; Members, Plex Pass)
    edited January 2014

    Jylppy, there is nothing wrong with paranoia. You want a VPN so only computers with a client set up could access the port from outside. You will still have to expose a port for it but it is considered secure.

    I would recommend OpenVPN, a type of SSL VPN. I have used it between Windows and Linux computers but it looks like it is available for mobiles too. For some people this is difficult to set up so read the docs before you start anything. There are a lot of other options out there, this is just one I have used before and liked. Also, as mentioned above, you should disable UPNP on your router.

    I work with Cisco gear and am about to replace my OpenVPN with an ISR 881 or an ASA 5505. But my reasons for that change are reliability and other features. Most people would need to hire that kind of work done, but worth mentioning if you are really worried about it.

  • dane22 (Posts: 10,255; Members, Plex Pass, Plex Ninja)

    Mods: Shouldn't this thread be moved to the general fora, instead of being located here in the devs/general?

    I hate bugs - Tommy Lee Jones, MIB
    Join me in developing: epg-dk, str2utf-8, remidx, ExportTools, WebTools
    Support the Samsung Client:Donate
    Guides I use: Media Naming Guide, Local subtitles, Log-Files, QNAP FAQ, The Plex Dance

    NO Support via PM, unless called by me

  • laardi (Posts: 4; Members, Plex Pass)
    I already considered getting PlexPass and then this. I am not suggesting that it is a huge risk, but I do have to rely on yet another HTTP service. Or am I mistaken and HTTPS is supported? Presumably hackers could access my entire LAN via such a hole and would compromise a lot more. VPN is an option for streaming, but won't help much with myPlex.

    The comments about a hacker needing to know my credentials are unfortunately wrong, if they utilize a vulnerability on software or even OS level, which is the kind of hacking I worry about.

    Wouldn't it be possible for the local server to initiate the request to Plex servers, opposite of the current way, in which case no open ports would be needed on server side? I'm sure client connections wouldn't work well outside the network like this, but I would like to see something of the sort as a more secure option.
  • sa2000 (Posts: 28,835; Members, Plex Pass, Plex Ninja, Plex Team Member)
    laardi wrote on January 28 2014, 12:28 AM: »

    I already considered getting PlexPass and then this. I am not suggesting that it is a huge risk, but I do have to rely on yet another HTTP service. Or am I mistaken and HTTPS is supported? Presumably hackers could access my entire LAN via such a hole and would compromise a lot more. VPN is an option for streaming, but won't help much with myPlex.

    The comments about a hacker needing to know my credentials are unfortunately wrong, if they utilize a vulnerability on software or even OS level, which is the kind of hacking I worry about.

    Wouldn't it be possible for the local server to initiate the request to Plex servers, opposite of the current way, in which case no open ports would be needed on server side? I'm sure client connections wouldn't work well outside the network like this, but I would like to see something of the sort as a more secure option.

    The open port is for incoming requests to the Plex Media Server. 

    The Port Forward is to one specific local IP Address for one specific application on the machine with that IP Address and that is listening on the internal LAN port that the open external port is forwarded to

    So it is not the whole LAN that is open - unless you do something non standard on the router and open everything

    If you install Skype and look at router logs you will see they open up ports and worse still loads of incoming traffic from all over the world enters your network all the time - even from locations you have no Skype users in within your contact list. You switch off uPnP within Skype and that stops those but Skype on Smart TV does not allow you to do that. I am just mentioning Skype because ports do get opened by applications and in this case without even consulting you

     
  • Orionshock (Posts: 3,328; Members, Plex Pass, Plex Ninja)
    laardi wrote on January 28 2014, 12:28 AM: »

    I already considered getting PlexPass and then this. I am not suggesting that it is a huge risk, but I do have to rely on yet another HTTP service. Or am I mistaken and HTTPS is supported? 

    HTTPS is being developed and has limited support currently. Good news is the New plex.tv site and forums are now all in HTTPS by default :)

    "The Vast Majority of problems come from misguided expectations and poor planning." 
    "If you're going to do something, do it right and do it right the first time." -- Unknown.

    Occam's Razor Murphy's Law Hanlon's Razor
