I recently stood up a Plex server on a cloud hosted server. It runs Ubuntu.
I exposed port 32400 to allow remote access.
I noticed that when browsing to 32400 anyone with a Plex account can log in and use my server resources, even accounts which have not been invited to my Plex server as guests. This does not feel right to me. Should anyone with a Plex account be able to log in to my server?
…I am not understanding your question. Every single person either logged into your account directly or invited as their own user account will be using your server (and its CPU and bandwidth) and its content. No one can do that unless you gave them the login information or sent them an invitation.
This isn’t true. Anyone can log in to my Plex server as long as they have a Plex account. They won’t have access to my content but I am being forced to consume my computer power to serve them the web GUI.
Furthermore, if a vulnerability is ever found that can be exploited after authentication we are in deep ■■■■ because anybody can get a Plex account, authenticate and exploit. This reminds me a little of probing for default credentials: WSTG - v4.1 | OWASP Foundation
Those users can browse to your server’s bundled version of Plex Web, loading the web app. The web app will however not allow them to access the content of your server (unless you have shared something with them).
The only resources involved from your server are involved when they load the HTML/CSS/Javascript files of the web app. Any streaming of Plex’s online media sources or their own media will happen between their browser and those sources.
Hello @tom80H thanks for your response!
I appreciate that my content is safe and the visiting user will only load a small amount of data from my Plex server but I don’t think this should be expected or default behaviour. I’ve never in my life heard of a system that allows anyone to authenticate to somebody else’s server just because they have some arbitrary account. It really does not sit right with me and should not be the default behaviour of Plex. It’s almost like allowing guest or anonymous access to my server. All users should have proper authentication as per basic web app security, right?
If a vulnerability is ever found behind the login page of the Plex web app the authentication system will do nothing to protect my server from potential exploitation.
Just because I happen to know the IP address of your Plex server doesn’t mean I have access to it in any way.
You are confusing plex.tv logins with logins that have access to your server - they are not necessarily the same thing. The only way I could access your server is if you invite me.
Sorry but this isn’t correct, at least I don’t think so.
You can go to any Plex server right now, for example this random one I found on Shodan: http://66.249.230.252:32400 and log in with your Plex account. The owner of that server never invited you but the web app is being served from their server. In fact the Plex GUI even says:
This application is at 66.249.230.252 and is not hosted by Plex. Continue only if you recognise this server and wish to grant access.
Yes, and logging in to it with my Plex account does NOT give me access to that server’s content.
All that happens is that it authenticates my login with the plex.tv servers and then uses that server’s Plex web interface to give me access to my own content.
I agree that you don’t get access to that server’s content but my point is the server is being forced to give up CPU/RAM resources (agreed, a small amount) to serve some randomer on the internet the Plex web GUI. This isn’t right.
Those CPU/RAM resources are already being used to run the local Plex server regardless.
You can simply disable 32400 port forwarding, which will mean no-one external to your LAN can access it.
However, as yours is cloud hosted then, by design, it MUST be accessible to the public.
Is your server logged into your account and claimed? Is “Settings → Network → List of IP addresses and networks that are allowed without auth” blank?
If so, only you, and others you’ve invited to use your server, have access to browse your content.
When you browse to any Plex Media Server’s ip:32400/web page, the only thing which occurs is that the web client is loaded. If any authentication needs to take place (which will, unless the client already has the Plex token for the server), the client is redirected to app.plex.tv. When that occurs, the client is made aware of any Plex servers to which the logged in account has access and that’s what is displayed in the client.
[Edit]
Based on your most recent post, it seems like you do understand this. Good. Regarding the potential resource utilization, that might be a legitimate concern. However, the only way around that would be for you to firewall all access to 32400 and only allow known IPs to connect.
Hello @pshanew thanks for your response and acknowledging my actual concern around resource usage by “unauthenticated” users. Perhaps my concern is best raised with Plex directly instead of in the Forum, I may not be explaining myself very well.
Most(?) of us run Plex on NAT’d networks where explicit port-forwarding is required for remote access. And many of us who use this feature expose a non-standard TCP port (something other than 32400) as the externally-forwarded port. This somewhat mitigates casual access to our local servers’ web clients; folks have to work a little harder to find that we have a remotely-accessible Plex Media Server.
You may find that more challenging in a hosted environment if your server is not firewalled and is on the open Internet. It’s not impossible, but it will require some local firewalling and forwarding on the server itself (don’t allow connections to anything other than the localhost address for 32400, forward some other port to localhost so 32400 isn’t accessible externally).
This forum is your means of communicating with Plex.
Hello @pshanew thanks for your suggestion! What you are suggesting is known in the IT industry as “security by obscurity” and as such not an effective control. Network scanning tools like Shodan and even Nmap can find Plex or any service no matter what port they exist on. I do agree it would stop casual use to some extent but a simple port scan with banner grabbing is enough to defeat your proposal.
In any case your feedback is appreciated a lot, thanks for taking your time to write. Hopefully we can keep this discussion open and flowing.
If this cooks down to the question of resources of your server being used.
Keep in mind… even if there was a local authentication mechanism (vs. using plex.tv), your server would have to process requests addressed to it – as pointed out by philipsw… especially if you’re running your server on a public machine.
There’s been a feature suggestion some time ago to only allow access to the bundled version of Plex Web from a local network (e.g. while being on your home network or in your case after connecting to the server locally using e.g. a SSH tunnel or remote desktop session). Given the “server” and “web app” part are running on the same port, that’s nothing you can achieve with your current setup. → [Edit: link to feature suggestion]
Still… somebody would have to trigger some kind of DDoS attack to get into your server’s resources by simply repeatedly requesting to load the web app resources (quite a massive one compared to the main use case of Plex, which is streaming high-bitrate videos). If you’re running your server on a public machine, you might want to consider adding some security to deal with that kind of attack (most web apps / servers I’m aware of won’t handle that by themselves but require some layer of protection by apps / network management).
@carpentydog, something that you could do is put in place firewall rules for your port forwarding that restrict access only from certain IP addresses or ranges. Not a perfect situation but would provide some protection. Another option would be to use a VPN to access the server.
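As an added example (not from any poster in this thread), the source-IP allowlist suggested in the last two replies rendered as an nftables ruleset for the Ubuntu host: only the listed IPv4 sources may open tcp/32400, and every other connection attempt to that port is logged and dropped, while the rest of the host's traffic is left alone. The function names and the sample addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: render an nftables ruleset that gates Plex's port behind a
# source-address allowlist. IPv4 only: IPv6 packets to the port fall through
# to the final drop rule. Helper names and sample CIDRs are constructed.
PLEX_PORT=32400

# render_plex_ruleset CIDR... : print the ruleset to stdout; fails with no args
render_plex_ruleset() {
    [ "$#" -gt 0 ] || { echo "usage: render_plex_ruleset CIDR..." >&2; return 1; }
    allow=""
    for cidr in "$@"; do
        allow="${allow:+$allow, }$cidr"
    done
    cat <<EOF
table inet plex_guard {
    chain input {
        # policy accept: this chain only decides the Plex port, not SSH etc.
        type filter hook input priority 0; policy accept;
        # Local clients (and an SSH tunnel terminating on this host) keep working.
        iifname "lo" accept
        ct state established,related accept
        # Only listed sources may open the Plex port; everyone else is logged and dropped.
        tcp dport $PLEX_PORT ip saddr { $allow } accept
        tcp dport $PLEX_PORT log prefix "plex-denied: " drop
    }
}
EOF
}

# write_plex_ruleset FILE CIDR... : write the ruleset to FILE for review.
# Applying it (`nft -f FILE` as root) is deliberately left to the operator.
write_plex_ruleset() {
    file=$1; shift
    render_plex_ruleset "$@" > "$file"
}

# Constructed allowlist: a home range plus one fixed address.
write_plex_ruleset /tmp/plex_guard.nft 203.0.113.0/24 198.51.100.7
```

Keep Plex's own "List of IP addresses and networks that are allowed without auth" setting blank as mentioned earlier in the thread; the firewall limits who can reach the port, it does not replace Plex authentication.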