"friend"/user can still access my PMS and watch content after being deleted?!


#1

Environment:
OS: Windows 10 Enterprise 64-bit 1709 FCU
CPU: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz (8 CPUs), ~4.0GHz
GPU: Intel HD Graphics 530
Display Memory: 16231 MB
Dedicated Memory: 128 MB
Shared Memory: 16103 MB
RAM: 32GB

PMS:
PMS: Version 1.11.0.4633

Remote Access: Manually specified port
Enable server support for IPv6: ENABLED
LAN Networks: 192.168.1.1/255.255.255.0
Custom server access URLs: https://mydomain.com:32400
IP addresses without auth: 192.168.1.1/255.255.255.0

ISSUE:

So I deleted a user from my "Friends" via the PMS settings -> Users over 30 days ago. But today he was able to watch content from my PMS from an external IP! I checked the following: https://plex.tv/api/users/?X-Plex-Token=TOKEN and neither his username nor his email was listed anywhere.

How is this possible?


#2

Have you restarted PMS since removing him from your friends list?


#3

@dduke2104 said:
Have you restarted PMS since removing him from your friends list?

I sincerely hope this is a joke, right?

“over 30 days ago.”


#4

What are your security settings on your Plex Server?


#5

@kegobeer-plex

Security settings? Where do I find such settings?


#6

Under network. Do you have secure connections disabled?


#7

Oh, “network settings”. Yeah, kinda posted them in OP, but they look like this:


#8

Check the devices that are authorized access - is his computer/Plex app still in there? If so, delete it. Also, you don’t need anything in your LAN Networks box, because I assume 192.168.1.x is your local subnet and your Plex Server is in that subnet, so it’s considered local by default.

Since you have a direct link to your Plex Server instead of going through the Plex.tv website, you should change your manual port to something other than the default 32400. Pick something in the 40000-50000 range. Once the port is changed there is no way he will be able to access your Plex server.


#9

@kegobeer-plex said:
Check the devices that are authorized access - is his computer/Plex app still in there? If so, delete it. Also, you don’t need anything in your LAN Networks box, because I assume 192.168.1.x is your local subnet and your Plex Server is in that subnet, so it’s considered local by default.

Since you have a direct link to your Plex Server instead of going through the Plex.tv website, you should change your manual port to something other than the default 32400. Pick something in the 40000-50000 range. Once the port is changed there is no way he will be able to access your Plex server.

Good suggestions @kegobeer-plex . How do you ID the device that was associated with X user? I have like 30 devices in the list…none of them say what account they are associated with. I def don’t wanna have to “purge” all the devices in the list. I have more than 20 users.

Yeah, been meaning to change the default port. - You’re saying change the manual port selection in the Remote access section right, or change my direct port number here in the network section…so mydomain.com:48000? Now, would I still want to open 32400 AND the new port on my router?

This is weird tho right?


#10

Here’s part of a guide I use when setting up port forwarding:

Go into your router and create a manual port forward rule for external port 47222 (just an example but don’t use 32400), for protocol TCP, that points to your Plex server’s IP and internal port 32400.
Save that and power cycle your router.
Go into the Plex server remote access settings, tick the box next to manual port, enter 47222, click apply, then disable remote access, shut down and restart the Plex server application, and enable remote access.

You only have the external port of 47222 open, you do not open an external port for 32400.

Even if you delete all of the devices, it’s not a big deal. Your users still have access, they would just have to sign in again. With his device gone, he can’t get access.


#11

@kegobeer-plex DOPE man. Thanks so much for the tips. I’ll get started on this.

Also, in the “devices” menu, I thought this listed only MY devices? I know he was playing from iOS, but I’m not even seeing any iOS devices on this list anywhere?

One question for pure morbid curiosity…is this by design? Or is there something weird going on? I mean - it just seems crazy to me that even excluding all the port stuff…someone can play content from your server and the user is not listed on your accounts. Now, if this is purely a “cache” thing / i.e. devices like you stated - I could understand that, but a month ago?!

Funny to me that PLEX “hardened” all this auth stuff but this is even possible.

Anyway, I’ll give it a go.


#12

I think when you give someone a direct link to your server (which you’ve done by having a custom URL that basically bypasses Plex.tv) then they will have access even if you remove them from the access list, since they have a direct link to you. I’ll ask about this and get back to you.


#13

Since you have a url that gives access to your server, do you also have a reverse proxy set up? That would make any request appear to be local, and since you’ve given all your local IPs access without auth, your recently kicked friend still has access.

Remove the blanket access you’ve given to all the IPs on your local network, which should remove his access to your Plex server.


#14

@seanvree81 said:

I sincerely hope this is a joke, right?

No, it wasn’t. I frequently go 30 days without a PMS restart.


#15

@kegobeer-plex said:
Since you have a url that gives access to your server, do you also have a reverse proxy set up? That would make any request appear to be local, and since you’ve given all your local IPs access without auth, your recently kicked friend still has access.

Remove the blanket access you’ve given to all the IPs on your local network, which should remove his access to your Plex server.

@kegobeer-plex .

Really appreciate your responses brotha.

Okay a bit confused now. Yes, I do have a reverse proxy set up, so that MAY be how he was accessing…which makes sense. I deleted my PlexPY data, so I can’t tell his IP address.

So, you previously said to remove the “LAN networks” so am I now removing “list of addresses and networks without auth”? So both of those blocks are empty? NOW, because of the new auth “restrictions”…if I remove the local subnet mask from the last box, that means that if PLEX ever goes down (or my WAN), I wouldn’t be able to auth, right, which would make my PMS inaccessible to ME?


#16

Just put in single IP addresses, not the whole block. I add my server IP and then just the IPs of my clients, since I’ve given them DHCP reservations. Example: 192.168.1.50,192.168.1.57
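
To make the point in #13 and #16 concrete, here is an added example (not from this thread and not Plex's own code) that models how an "IP addresses without auth" check behaves when the reverse proxy runs on the same box as PMS: every proxied request reaches PMS from the proxy host's own address, so a whole-subnet entry lets a remote client in without signing in, while a list of single client addresses does not. The addresses are constructed; the PMS/proxy host is assumed to be 192.168.1.20.

```python
import ipaddress

# Constructed: the PMS host also runs the reverse proxy, so every request that
# comes through the proxy arrives at PMS with this address as its TCP peer.
PMS_HOST_IP = "192.168.1.20"


def allowed_without_auth(peer_ip: str, allowlist: str) -> bool:
    """True if the TCP peer address matches the 'IP addresses without auth' list.

    The list uses the same syntax as the PMS setting: comma-separated entries,
    each a single address or a network written as 'address/netmask'.
    """
    peer = ipaddress.ip_address(peer_ip)
    for entry in allowlist.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "/" in entry:
            # strict=False accepts host bits in the address part (192.168.1.1/255.255.255.0)
            if peer in ipaddress.ip_network(entry, strict=False):
                return True
        elif peer == ipaddress.ip_address(entry):
            return True
    return False


def peer_seen_by_pms(client_ip: str, via_reverse_proxy: bool) -> str:
    """Address PMS sees: the real client when direct, the proxy host when proxied."""
    return PMS_HOST_IP if via_reverse_proxy else client_ip


def auth_required(client_ip: str, via_reverse_proxy: bool, allowlist: str) -> bool:
    """Whether a client must sign in, given how it reached PMS and the allowlist."""
    return not allowed_without_auth(peer_seen_by_pms(client_ip, via_reverse_proxy), allowlist)


if __name__ == "__main__":
    subnet_list = "192.168.1.1/255.255.255.0"      # the OP's whole-subnet entry
    single_ips = "192.168.1.50,192.168.1.57"       # per-client entries as suggested
    external = "203.0.113.9"                       # constructed external client
    for name, allowlist in (("subnet", subnet_list), ("single IPs", single_ips)):
        print(f"{name}: external via proxy needs auth? {auth_required(external, True, allowlist)}")
        print(f"{name}: external direct needs auth?    {auth_required(external, False, allowlist)}")
```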


#17

@kegobeer-plex said:
Just put in single IP addresses, not the whole block. I add my server IP and then just the IPs of my clients, since I’ve given them DHCP reservations. Example: 192.168.1.50,192.168.1.57

Okay, I understand this is a workaround. But this is a VERY important issue/hole I’m trying to understand. Also, I have 8 devices on my network, some are DHCP, so that’s not really a good permanent solution.

Also, just thinking out loud here … He was signed in with his PLEX account as I saw his username…now, when I sign in without auth, it shows as GUEST. So why wouldn’t it show him as guest if he was accessing that way?

Now, IF he was accessing via reverse proxy, that means he was accessing via the webserver which is the box that PMS is on, which is the IP of 192.158.1.20…So I would have to add that IP to the whitelist, which would then give him access via the reverse proxy…right?


#18

If your Plex server resides on the machine that hosts the reverse proxy, then yes.


#19

@kegobeer-plex said:
If your Plex server resides on the machine that hosts the reverse proxy, then yes.

Humm, welp, I’m still confused then, and a bit worried that someone can access my PMS externally.

Bottom line:

1 - IF he was signed in with HIS PLEX user account (which in this case he was), my server should not show up on his server list in the app on his device.

2 - If he was accessing via reverse proxy then he should have shown up as GUEST (which in this case he was not).

Anyway, thanks for the responses @kegobeer-plex . Have a good New Year. LMK if you check into this .

Thanks,


#20

He was still logged into his Plex account, so that’s what you see. When you tested it, you logged out of your Plex account, correct?

Bottom line is, if you have your reverse proxy on your Plex server system you might want to consider moving one or the other. And unless you really have a need to have custom certificates, a reverse proxy, URLs, etc, I recommend dropping them and making your guests go through plex.tv to access your server remotely.