Facebook hidden group (plex nation) posting IP Addresses of people affected by bug in old code.

Hey All,

I just wanted to let you know there is a group on FB that is taking advantage of an old setting that got carried over to the newer version, allowing remote access for outside unauthenticated users… The specific group (Plex Nation) on Facebook decided to go hunting for people's addresses via a website that port scans IP addresses consistently.

The poster on the group, who happens to be an admin (Jeffrey Gerke), decided this was OK to do, as it's the fault of the server admins who had some of the earlier editions of the code and ended up with this bug…

My question would be: outside of being scammed by some of these people who are doing this, is there a way to ensure that all the traffic is not going through HTTP modes anymore and/or ensure that any external IP address requires authentication…

I have sent emails to the people at those IPs to warn them of this issue, as their email address gets shown when going to the server tab in the configuration.

To add to this, the fix is specific to the Preferences.xml file on the server: where it contains disableRemoteSecurity="1", this needs to be set to disableRemoteSecurity="0" to prevent this from occurring.

Thank you for reporting this. We are investigating.

This was the site they were using to scan for ports:

https://www.shodan.io/search?query=plex+port%3A"32400"

@dasaint said:
I just wanted to let you know there is a group on FB that is taking advantage of an old setting that got carried over to the newer version allowing remote access for outside unauthenticated users…
Decided this was OK to do, as it's the fault of the server admins who had some of the earlier editions of the code and ended up with this bug…

FYI, this was not a bug. The setting in question was never activated by default in Plex software releases.

What did happen is this: some Plex user built a pre-configured "jail" for FreeBSD / FreeNAS with Plex server. He set this preference without warning those users who downloaded it.

Telling the server to work without authentication was just less difficult to get it to work in this specific operating system with its concept of segregated “jails”.
Ironically, a concept introduced to improve security - go figure…

@OttoKerner Gotcha. I would suggest, as a possibility to improve security for these kinds of ordeals, maybe having Plex warn the users that the setting is turned on. Since it's not a GUI-accessible option, it would be a hard one to spot unless you ended up in the above scenario.

Maybe something like turning the green lock to a yellow lock, warning them that this setting is on and could reduce the security of the system.

Thanks guys. The team is looking at a few options and will be addressing this asap.

I’ve been letting @OttoKerner know about instances like this in the past, and I was the person who informed @dasaint about his being listed here.

One of the many I've emailed in the past, and one of the only ones who has thanked me and not gone mental about me "hacking" his server… *le sigh*

Rgds,

Your Plex Friend :wink:

@teshiburu I appreciate your help on this, and I want to make sure others get the same help too… Granted, when I saw your email I was wondering if you were a hacker, TBH :stuck_out_tongue:, but I set aside the pride and looked at it objectively, like anyone with a server should. Tested out the issue and blam, 100% correct, so I am very appreciative of your help. Sadly, I wish more people had your level of integrity, unlike those FB people who run that group. I can still see their comments, and they are all bashing me for the emails sent out as well as for calling them out. Sadly, some of the people are mid-30s to 40s; these aren't kids, just sad adults who think they own it all…

Hopefully some sort of notification will come of it and make it harder for people like that to take advantage of people who just don't know, and provide insight into how turning this feature on does make you open to the world!

@dasaint - yeah, I really cannot believe the attitude of these people; they even discussed the morality the other day of reporting one server they had "found" because it had CP on it… Instead, they just decided to remove it from their list because "what we are doing may be illegal".

@kinoCharlino - would the simplest option be removing the ability to add "manual connections"? I can't think of anyone who is using it like this?

Also, the timhaak Plex Docker container would disable security by default without informing the user. In fact, it is still doing it: https://github.com/timhaak/docker-plex/blob/master/Dockerfile#L48 We were aware of this behavior, and it is one reason we created our own container, to try and get people off of using containers which set such disastrous settings.

Just so I'm clear, this only affects people using this 3rd-party Docker version, right?

@dasaint you should probably take off that screenshot, I’ve just tested one of the addresses for the heck of it and it’s still accessible… it would be wise not to share it here on top of the private group.

EDIT the server contains private videos, wouldn’t want those shared to the world.

Easy to avoid by just running an (even free) firewall that blocks all this and even blocks IPs that port scan. Sophos has a very nice FREE firewall (if you have fewer than 50 IPs in the house); I use this always. Port scans are irrelevant without firewall/UTM; who on earth would run Plex without a firewall or any other device?

@KarlDag - Good call, I used a photo editor to strip out the first 3 octets…

@brunomc - I have a firewall, but the port is open due to the external requirements with port forwarding. Do you have a better suggestion for how to do this with pfSense? I would assume you are using some sort of jail program to prevent the same IP from pounding your firewall.

@KarlDag - No, this can happen to people with the Windows/Linux-based version as well. I had an old server, a pre-0.9 version, that I have upgraded for years, and this became known to me recently; I don't know how the setting ended up there, but it did… Other editions out there, when they are compiled by a 3rd party, could also implement these settings without the user knowing.

@dasaint said:
@KarlDag - No, this can happen to people with the Windows/Linux-based version as well. I had an old server, a pre-0.9 version, that I have upgraded for years, and this became known to me recently; I don't know how the setting ended up there, but it did… Other editions out there, when they are compiled by a 3rd party, could also implement these settings without the user knowing.

I'm on Windows. How do I make sure this doesn't happen to me? Check the setting to allow secure connections only?

@dasaint said:
I had an old server, a pre-0.9 version, that I have upgraded for years, and this became known to me recently; I don't know how the setting ended up there, but it did… Other editions out there, when they are compiled by a 3rd party, could also implement these settings without the user knowing.

This was under Windows?

@KarlDag said:
I'm on Windows. How do I make sure this doesn't happen to me? Check the setting to allow secure connections only?

If you have secure connections set to preferred and you don't have a wide-open list of IP addresses in "List of IP addresses and networks that are allowed without auth", I assume that will keep you safe. And of course don't use the standard port of 32400; pick one at random, and change it out every so often.

@KarlDag said:
@dasaint you should probably take off that screenshot, I’ve just tested one of the addresses for the heck of it and it’s still accessible… it would be wise not to share it here on top of the private group.

EDIT the server contains private videos, wouldn’t want those shared to the world.

Believe it or not, I've messaged each of the people on that list, and the ones with the private videos didn't even reply! I was tempted to help their privacy a bit by removing the library, but I think that's one step too far on my part!