I’ve commented in a couple of other posts, but wanted to capture the issue I’m having to see if folks had any recommendations for me.
I’m running Plex (1.12.3.4973) on my QNAP NAS. I always update when there’s a new version. I use it mainly on my LAN (via TiVo) but have several external users that I allow. The first symptom that tipped me off was seeing “local” users watching shows when I knew there was nobody home to watch anything. These “My Home” users (Normal, Kids, Adult) are used on my TiVos on the LAN. When I saw this happening I just kept killing the stream until they gave up.
I now see streaming coming from “Friends” users. I suspected there were problems here because one of these users has a new baby and was watching fairly late at night, and the other had reported that he could not get his Roku 3 to work, so I asked when I saw his user had watched something. Both of these folks confirmed these shows were not watched by them.
I want/need off-site streams to be allowed, but I want them to only be the legitimate user. Do folks believe these users’ passwords are simply too easy and were cracked, or is there some other weakness?
I just forced the server to accept only secure connections to see if that helps, but I suspect not. I have FTTH, 1G down 250M up.
Also of note, I have several (about 8) external/offsite users, and I have only noted 2 of them that are being abused. Most of the rest show very little usage, all of which I can account for (I use PlexPy/Tautulli to track usage).
Settings - Server - Network - ‘Show Advanced’
Do you have anything in the input fields
‘LAN Networks’
‘Custom server access URLs’
‘List of IP addresses and networks that are allowed without auth’
and if yes, what?
Have you set up Tautulli? Recommended. It will show you the IP address and a better readable list of all accesses.
Side note: if you watch ‘Status’ - ‘Now Playing’ in the web app, this has a bug which sometimes shows wrong information, if the browser was open for some time. When in doubt, always Refresh the ‘web site’ in the web browser.
On Settings: No, No, No - no entries in any of these fields.
Yes, I have PlexPy/Tautulli, and the IP addresses are for a nearby city, but not the one that my friend lives in. The example yesterday was a PlexPy notification that the user started playing a movie, then another one 2 hours later when they finished. I confirmed today with the actual user that he did not, in fact, watch a movie last night.
IP addresses are rarely localizable so accurately. Take the location in the “nearby city” with a big fistful of salt.
Do at least change your own plex password.
https://app.plex.tv/desktop#!/account
And tick this checkbox:
Afterwards, you will have to re-link all clients to your account again, but this way you can ensure that it is not some stolen device or a web browser you left open somewhere on a foreign machine, logged in to your plex.tv account.
Convince your sharee to do the same.
I’ve already asked my users to reset their passwords. My Plex account is protected by a 20-digit random string that is unique to this account, so I’m pretty sure it wasn’t compromised (I use a password manager, so even I don’t know what it is).
But that doesn’t really answer the question: should I assume these passwords were brute-forced? Or is it more likely they’re not really logging in, but exploiting some other vulnerability in the sub-systems? Can I enforce a password-complexity rule on folks that have access to my system somehow? Can I refuse connections from IP address ranges somehow? I really, really want to shut this down, but short of deactivating these accounts, I don’t see how I can get control of this situation. Maybe I could set my router to only allow incoming connections on the Plex port for certain address ranges…
The two most recent incidents are actually coming from Road Runner Central, in Colorado (a long way from me in Ohio).
98.102.76.125 and 65.27.140.191.
So, I’ve started to block these ranges on the Firewall, but it looks like all of the old Time Warner IP addresses that Spectrum has now are listed as being in Colorado, which makes it much harder to detect this issue.
Have you posted screenshots or log files of plex before?
Under some circumstance your X-Plex-Token can be gleaned from there, which is as good as your password.
I have not.
One of the users has now admitted that he shared his credentials, but the other is steadfastly insisting he did not, nor did he watch any content, so I’m not sure what to think. There are nearly a dozen Tautulli events for his account over the weekend, the DNS lookup is to a local Road Runner host (cpe-65-27-140-191.cinci.res.rr.com). He claims a very secure password. I guess I’ll block that IP range for now and keep an eye on it.
Maybe the sharee used public/shared computers to access his plex account?
Supposedly not, but I’m continuing to investigate. I have blocked the suspect IP address in my firewall and restricted the user account in question (that shouldn’t be used at all until my friend upgrades his Roku) to TV Y-13 or something to annoy them if they do get in, and to see if they can somehow jump to a different userID.
I haven’t seen any activity since I blocked the IP at the Firewall, so perhaps they’re not very clever. If I get through the weekend without recurrence I might disable the rule to see what they do next (with the Plex rating limit in place)…