Anonymous users are streaming from my library without guest access turned on

Hey All,

Wondering if anyone has noticed this before. I have seen a few users connecting to my Plex server with Roku devices and streaming without being in my friends list. As far as I know this should not be allowed. The strange thing is, if I don’t catch them in the act, the device does not get logged by the server. Their username also shows up blank while they stream. I know it’s not someone in my list because I have no friends with a Roku player.

I’ve attached a few images of my recent devices and streams running to show this. I can see on my network monitors that the bandwidth is actually being consumed and streamed as well.

Authenticated access on local network is turned on
No stray devices connected to wifi or wired network
Guest access is disabled
Plex server is port forwarded via standard ports



When my Roku streams, it shows as ‘Roku 3 - serial number’ (which is how I left it).

It is possible someone has your Roku password, but I'm not certain if that ties it to your Plex account in any way.

If they have your Plex account, they can sign in as you and then ‘Pin’ their Roku to your account and use your server.

While a pain to do:

  1. Log into Plex.tv
  2. Change your password and be certain to check the ‘Disconnect’ box as you do this. It will log out Everything, including your server because it generates all new tokens.
  3. Next, I would change your Roku password just for peace of mind.
  4. Delete all old (more than a day or two) devices from your Devices list and continue to monitor.

Edit: NOTE: I always require my full email address when signing in anywhere. (additional security)

Thank you for the tip.

But I don’t have a Roku device at all, that’s what I was saying… I have no reason to see a Roku on my network or devices at all. I’ve tried this, and they show up again within a few weeks. I also require email address when signing in. My settings match yours.

I suggest you write to the folks at Plex (use the contact form) and see about switching your Plex Pass to a different account.

Somehow someone might have access to your machine (trojan virus, etc).

In the interim, while waiting for them to get back to you, using an entirely different machine / computer / tablet, go prepare for an ‘account change’. Whatever you create will be used solely for Plex.

Also, I suggest you change your external port mapping in Setting - Server - Network. Pick something really odd.

Also confirm you do not have SSH enabled on your router.

In essence, go take all the ‘Lock this place down until I know otherwise’ steps.

It’s a FreeNAS server. So chances are high, it was created using that horrible ‘Plex plugin’ for FreeNAS which disables all authentication by default.

@astralus find the Preferences.xml in the Plex jail on your server.

  1. Shut down Plex Server
  2. Edit the Preferences.xml
  3. Search for the keyword disableRemoteSecurity and either delete it or set its value to 0
  4. Save the file
  5. Start up Plex server

Go and warn everyone who uses FreeNAS and FreeBSD to not use that horrible ‘Plex Plugin’ anymore.
(this was not created by Plex Inc, btw.)
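
The Preferences.xml check described in the post above, as an added example that is not part of the original thread and not Plex's own tooling: a Python script that reports a disableRemoteSecurity attribute left on and, with --fix, backs the file up and deletes it. It assumes the file is a single Preferences element whose attributes are the settings, treats any value other than 0 as enabled, and uses a constructed sample; the script name is hypothetical.

```python
import shutil
import sys
import xml.etree.ElementTree as ET

KEY = "disableRemoteSecurity"  # attribute named in the post above

# Constructed sample, not a real server's file: one <Preferences/> element
# whose attributes are the settings (assumed layout).
SAMPLE = ('<?xml version="1.0" encoding="utf-8"?>\n'
          '<Preferences FriendlyName="nas" disableRemoteSecurity="1"/>\n')


def audit(path):
    """Return (attribute, value) pairs that leave remote security off."""
    root = ET.parse(path).getroot()
    findings = []
    for name, value in root.attrib.items():
        # Match case-insensitively so a differently cased key is not missed.
        # Assumption: any value other than "0" counts as enabled.
        if name.lower() == KEY.lower() and value.strip() != "0":
            findings.append((name, value))
    return findings


def fix(path):
    """Back up the file, then delete the attribute. Run with Plex stopped."""
    tree = ET.parse(path)
    root = tree.getroot()
    stale = [n for n in root.attrib if n.lower() == KEY.lower()]
    if not stale:
        return False
    shutil.copy2(path, path + ".bak")  # keep the original beside the edit
    for name in stale:
        del root.attrib[name]
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return True


if __name__ == "__main__":
    # Usage (hypothetical name): python check_prefs.py Preferences.xml [--fix]
    if len(sys.argv) < 2:
        sys.exit("usage: check_prefs.py /path/to/Preferences.xml [--fix]")
    target = sys.argv[1]
    for name, value in audit(target):
        print(f"{name}={value!r}: remote authentication is disabled")
    if "--fix" in sys.argv[2:]:
        print("attribute removed" if fix(target) else "nothing to change")
```

Running it again after the server has restarted shows whether something rewrote the attribute.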

Thanks @OttoKerner and @ChuckPa. I’ve already locked down my router, FreeNAS, jails, settings in that preferences.xml as well. I’m an IT infrastructure guy by profession so I am pretty paranoid about my home network. I was originally using the Plex plugin, but I upgraded it with a git script to go to the official Plex Pass version.

I will double check those configs again to make sure I don’t have security disabled anywhere. I can see allow unauthenticated connections off in the GUI.

Thanks Again.

P.S. @OttoKerner I see they released an official Plex version for FreeBSD. Should I just kill the old server altogether and start clean there? Just wondering if you’ve had any experience with it.

@astralus said:
I will double check those configs again to make sure I don’t have security disabled anywhere. I can see allow unauthenticated connections off in the GUI.

The critical setting doesn’t show up in the GUI, as far as I know.

P.S. @OttoKerner I see they released an official Plex version for FreeBSD. Should I just kill the old server altogether and start clean there? Just wondering if you’ve had any experience with it.

I cannot advise further, I have no experience with FreeNAS myself. I only know that there was once this pre-made Plugin which just keeps on giving FreeNAS users security nightmares.

@OttoKerner is right. The critical setting does not appear in the GUI.

@astralus you might wanna take a look at this post https://forums.plex.tv/discussion/comment/1251810/#Comment_1251810