Anti-Virus on your PMS?

Hi all,

I am running PMS on an Ubuntu box. My PMS is public facing and I am curious to know if you guys have any endpoint protection for your PMS devices. If so, what are you using? If not, why not?

Thanks

I’m running PMS on MacOS. There are no viruses for OS X, right? :wink:
For years I’ve been using ESET Antivirus on all machines.

@aaronhaach said:
Hi all,

I am running PMS on an Ubuntu box. My PMS is public facing and I am curious to know if you guys have any endpoint protection for your PMS devices. If so, what are you using? If not, why not?

Thanks

I run my PMS under Windows, arguably the most hacked OS there is. It has no anti-virus or firewall on the computer at all but I do not think it is vulnerable.

The server does nothing except run Plex. I do not share my libraries at all. I never connect to the web on my server except for the downloading of updates and of course the automatic logon that Plex does on startup. My server has no Flash, No Java and nothing else that will run scripts on a web page if it were to connect to the web.

My router has a well implemented firewall.

I “think” I am about as safe as I need to be on the server and the other computers in my system are well protected. I just see no reason for more protection if my server cannot be found from outside my network.

Of course I am vulnerable should someone hack Plex and put a flawed/infected version of the server up in place of the real one BUT I do not automatically download and/or install updates and I always check here before installing and nothing could really protect against that.

I run it on Ubuntu as well. The server has Sophos on it, but this is used to scan other hosts that run Windows. I do not scan the PMS server mainly because videos are not executed in memory. I record off ATSC so any source of a virus would have to come from other than PMS.

Aside from that the system is allowed to talk outbound but there are no inbound ports open other than SSH. That SSH is secured by key authentication only. And yes I do see a few failed logins on SSH on a fairly frequent basis. So I am more worried about hacking the system than I am infecting it.

@Elijah_Baley You may want to consider that now your Internet-connected refrigerator can get hacked and allow a bad actor to pivot from it to your Plex Server. Perimeter security by itself is not considered sufficient anymore.
Without protection at every endpoint (host), if I can SSH into your HP printer, I can control your whole network. Ugly, but that is what it has evolved into.

@sGarver said:
@Elijah_Baley You may want to consider that now your Internet-connected refrigerator can get hacked and allow a bad actor to pivot from it to your Plex Server. Perimeter security by itself is not considered sufficient anymore.
Without protection at every endpoint (host), if I can SSH into your HP printer, I can control your whole network. Ugly, but that is what it has evolved into.

I do not believe that my server can be hacked. In fact I do not believe that anything on my network can be hacked. Also, even if something could be there is nothing of value or even fun that could be accomplished.

The only way someone could get in would be to already have hacked something external and from that there are much more valuable and/or fun targets than I.

I also do not believe that there are hackers that just go around probing for networks to hack. At least not in rural areas and most of the virus/malware “news” out there is designed to do nothing more than sell/provide products that make computing slower and open up computers for the very “bad actors” they are supposed to protect against.

Have I ever had a malware attempt to install on one of my computers? Yes, when I did something stupid and that cured me of the kind of stupidity that gets one infected. My server does not allow anything incoming unless I specifically allow it and, in spite of what those wanting to make money off paranoia say, a network is not generally vulnerable if it has a router with a good firewall. No, my fridge is NOT internet connected (that seems just absurd) and neither is my toaster or waffle iron.

I do have an echo and several smart home devices but they run on a different network that my server cannot see. In fact nothing regularly runs on that home control network that contains anything of value to anyone but me.

The last thing is that there is no reason to protect my server more than it is because it simply is not valuable enough to make a good target.

Hackers may be fools and crooks but they are not stupid and the risk/reward for spending the time and energy to hack my server is so small as to make even the most stupid of them look elsewhere for easier, more lucrative and more fun targets.

@Elijah_Baley you are forgetting one very important thing. Most hackers do things like this for reasons most of us don’t understand completely. Some of them do it for money (hacking a bank or something like that). Some do it for exposure.

But some do it just for the challenge. Just for the thrill of doing it. No gain, no rewards, nothing… But the ability to say “I did this.” even if it’s just in their own mind.

You are at some risk if you aren’t running some sort of virus software to protect yourself. Risk of losing your data, your libraries, everything…

It’s your call, but I won’t risk it…

@MikeG6.5 said:
@Elijah_Baley you are forgetting one very important thing. Most hackers do things like this for reasons most of us don’t understand completely. Some of them do it for money (hacking a bank or something like that). Some do it for exposure.

But some do it just for the challenge. Just for the thrill of doing it. No gain, no rewards, nothing… But the ability to say “I did this.” even if it’s just in their own mind.

You are at some risk if you aren’t running some sort of virus software to protect yourself. Risk of losing your data, your libraries, everything…

It’s your call, but I won’t risk it…

It is your decision to place as much protection as you want on your systems but I do not see any real risk to my server at the level of protection I have. If I could afford it, but I cannot, I would offer a substantial reward to anyone that could hack into my server or into any computer on my network. I do protect the computers that go out onto the internet but my server is not exposed in any way that hackers can both find and take advantage of so there is no reason to over protect it.

At times I am a belt and suspenders type of guy but, in this case, it just is not needed at all. It would be like wearing a condom and practicing total abstention at the same time.

On Windows 10 Pro, which is my current PMS, I use Norton. On my headless Debian ownCloud server, I don’t run anything at the moment.

They are both behind a Sophos UTM 9.x virtual firewall (Awesome firewall free for home use BTW). Only NAT ports needed are open from outside in.

I also keep the OSes updated fairly often. No issues for 3 years so far (knock on wood)…

As absurd as they may sound… Smart refrigerator - Wikipedia they do exist. :slight_smile:

The hackers use automated scripts to hunt for vulnerable networks and devices. The goal is not only to access information but to also create bots to use for spamming and/or distributed denial of service attacks (DDoS). The DynDNS attack was done by IoT devices. “Initial reports indicate that the attack was part of a genre of DDoS that infects Internet of Things devices (think webcams, DVRs, routers, etc.) all over the world with malware.” – Friday's East Coast Internet Outage Is a Major DDOS Attack | WIRED

Fun fact: the last four major DDoS attacks were from IoT devices. And as for AV, if you run Windows, use AV and FW; both Windows 8 and 10 have very good AV/FW built in, so no external needed.

My Plex runs Ubuntu. I do not use AV, but I have a FW that is both strict and very rude.

@willieb1172 said:
On Windows 10 Pro, which is my current PMS, I use Norton. On my headless Debian ownCloud server, I don’t run anything at the moment.

They are both behind a Sophos UTM 9.x virtual firewall (Awesome firewall free for home use BTW). Only NAT ports needed are open from outside in.

I also keep the OSes updated fairly often. No issues for 3 years so far (knock on wood)…

Do you run that on a VM or do you have a dedicated machine running Sophos?

@Night said:
Fun fact: the last four major DDoS attacks were from IoT devices. And as for AV, if you run Windows, use AV and FW; both Windows 8 and 10 have very good AV/FW built in, so no external needed.

My Plex runs Ubuntu. I do not use AV, but I have a FW that is both strict and very rude.

Interesting, which firewall are you using?

@aaronhaach said:

@Night said:
Fun fact: the last four major DDoS attacks were from IoT devices. And as for AV, if you run Windows, use AV and FW; both Windows 8 and 10 have very good AV/FW built in, so no external needed.

My Plex runs Ubuntu. I do not use AV, but I have a FW that is both strict and very rude.

Interesting, which firewall are you using?

CSF with some modifications to fail2ban: it does not ban a single IP but a /24, and some other security on some ports, which can only be used from given IP ranges, among other things.
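
The /24 banning described in the post above, together with the failed SSH logins mentioned earlier in the thread, can be illustrated with a small log check. This is an added example, not part of any poster's setup and not how CSF or fail2ban implement it; the log lines, threshold, trusted range and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation address ranges only).
SAMPLE_LOG = """\
Jan 10 03:12:01 pms sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 10 03:12:04 pms sshd[2213]: Connection closed by authenticating user root 203.0.113.77 port 40118 [preauth]
Jan 10 03:12:09 pms sshd[2215]: Invalid user test from 203.0.113.140 port 40121
Jan 10 03:13:30 pms sshd[2290]: Failed password for root from 198.51.100.9 port 51000 ssh2
Jan 10 03:14:02 pms sshd[2301]: Accepted publickey for media from 192.0.2.10 port 50222 ssh2
Jan 10 03:15:44 pms sshd[2310]: Failed password for media from 192.0.2.44 port 50301 ssh2
Jan 10 03:15:49 pms sshd[2312]: Failed password for media from 192.0.2.45 port 50302 ssh2
Jan 10 03:15:53 pms sshd[2314]: Failed password for media from 192.0.2.46 port 50303 ssh2
"""

# Failed-attempt line shapes that sshd commonly writes; each match counts once.
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for (?:invalid user )?\S+ from"
    r"|Invalid user \S+ from"
    r"|Connection closed by authenticating user \S+)"
    r" (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_sources(log_text):
    """Yield the source IPv4 address of every failed-attempt line."""
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            yield ipaddress.ip_address(match.group(1))

def subnets_to_ban(log_text, threshold=3, trusted=()):
    """Return the /24 networks with at least `threshold` failed attempts.

    Attempts are summed across the whole /24, so a scanner rotating through
    neighbouring addresses is still caught. Ranges listed in `trusted` are
    never returned, which avoids locking out your own admin networks.
    """
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    counts = defaultdict(int)
    for ip in failed_sources(log_text):
        if any(ip in net for net in trusted_nets):
            continue
        counts[ipaddress.ip_network(f"{ip}/24", strict=False)] += 1
    return sorted(str(net) for net, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(subnets_to_ban(SAMPLE_LOG, threshold=3, trusted=("192.0.2.0/24",)))
```

A /24 ban blocks up to 256 addresses for the behaviour of a few, which is why the trusted-range exclusion matters more here than with single-IP bans.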

On our network, clients are responsible for running their own AV on themselves and any files they access across the network. Only one computer has Windows and it is an embedded, single-task system not used for general things and certainly not web browsing. It does run AV. The Plex server runs in a jail on FreeBSD, and as such is not vulnerable to anything that AV software would detect. Everything is behind a strong firewall and only accessible from the outside via VPN.

So no, I do not have need to run AV software on my Plex server or NAS. Then again, I learned long ago Windows sucks as a server OS. Someone opting to run their PMS on Windows might have a different need.

I’m on Windows and do use an AV suite…and have IPS/AV-scanning at the gateway. Some may think that their server is not really a target…but in the age of ransomware, I wouldn’t bet on that. Many of us have 10s of TB of media that has been collected over years. If it were to all be encrypted by ransomware, I think many of us would feel compelled to pay for the keys.

You have all made me a bit nervous now. I think I had better get some protection in place ASAP.

@DFury said:
I’m on Windows and do use an AV suite…and have IPS/AV-scanning at the gateway. Some may think that their server is not really a target…but in the age of ransomware, I wouldn’t bet on that. Many of us have 10s of TB of media that has been collected over years. If it were to all be encrypted by ransomware, I think many of us would feel compelled to pay for the keys.

How is ransomware on a rogue Windows client going to encrypt my FreeBSD Plex server if there are no writeable SMB drive shares exposed?

Many risks can be mitigated by sensible basic network/server design. Kicking security to the side and making your network a free-for-all for the sake of convenience is rarely wise and almost always ends poorly somewhere down the line.