My hard drive for my Plex Mac had to be wiped and restored from a backup. Unfortunately the backup was damaged and I had to fall back to a backup that was about a year old. Since I use Little Snitch to help with security, I decided to start fresh with my rules and as I was rebuilding Plex, I started seeing a slew of incoming and outgoing connections all over the world and I was a bit worried since I have remote access enabled for members of my family in other parts of the US.
Should I be worried about these connections? I know that Plex is making content deals with companies and perhaps some of those are what I’m seeing. Should I be denying these? Is there an article in the wiki to help me understand how to lock down my Plex server so that just the people that I want are accessing it?
I wouldn’t think the server would make a bunch of random connections. Might make some when building or doing an initial scan of the library (cover art, music, synopsis, and other metadata), but that’s just a guess.
I don’t think that they’re random. I’m looking through the network monitor and I’m seeing things like Plex Script Host and Media Server downloading from Texas, New York, Florida, Malaysia(!), Japan(!) and The Netherlands(!). Granted those are things like IMDb and cinematerial.com because I had to rebuild my server after the restore. However, I’m also seeing connections to Plex.tv from the UK.
Same here. I noticed hits from all over the place. Most are AWS IPs, which is likely OK, but I have the same interest as you.
My first stab at it was to connect remotely, then unblock that IP range. It worked for a while, then my remote client started coming in from another AWS IP pool and the connections were again blocked.
I was looking for a list of AWS network addresses online. Amazon has some good resources, but the IP blocks they list are not the ones hitting my network. Quite odd.
Anyone have any thoughts on this? Any ideas where to find a decent list of AWS IPs I can dig through?
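Added example, not part of the original thread: AWS publishes its address ranges as JSON at https://ip-ranges.amazonaws.com/ip-ranges.json, and the sketch below checks remote addresses copied from a firewall log against a file in that layout, reporting the most specific region and service for each. The prefixes and logged addresses are constructed (documentation ranges, not real AWS allocations), and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json.
# The prefixes are documentation ranges, not real AWS allocations.
SAMPLE_RANGES = json.loads("""
{
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/25", "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1000::/36", "region": "ap-northeast-1", "service": "EC2"}
  ]
}
""")

def load_networks(doc):
    """Return (network, region, service) tuples for IPv4 and IPv6 prefixes."""
    nets = []
    for e in doc.get("prefixes", []):
        nets.append((ipaddress.ip_network(e["ip_prefix"]), e["region"], e["service"]))
    for e in doc.get("ipv6_prefixes", []):
        nets.append((ipaddress.ip_network(e["ipv6_prefix"]), e["region"], e["service"]))
    return nets

def classify(ip, nets):
    """Return the most specific matching (region, service), or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in nets if addr.version == n[0].version and addr in n[0]]
    if not matches:
        return None
    best = max(matches, key=lambda n: n[0].prefixlen)  # longest prefix wins
    return best[1], best[2]

def summarize(remote_ips, nets):
    """Group remote addresses from a connection log by region/service."""
    report = {}
    for ip in remote_ips:
        report.setdefault(classify(ip, nets) or "not in list", []).append(ip)
    return report

# Constructed remote addresses, as they might be copied from a connection log.
LOGGED = ["192.0.2.10", "192.0.2.200", "198.51.100.7", "203.0.113.50", "2001:db8:1000::1"]

if __name__ == "__main__":
    for key, ips in summarize(LOGGED, load_networks(SAMPLE_RANGES)).items():
        print(key, ips)
```

To run it against the live list, download the JSON file and pass the parsed document to `load_networks` in place of `SAMPLE_RANGES`.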
Yeah, I’m still wondering why nobody else either cares or wants to discuss this.
Here’s a couple of screenshots of my Little Snitch network map. The one that shows connections to the Pacific countries seems to be explainable in that the hostnames are based on things like “images.plex.tv” and “assets.fanart.tv,” but that still doesn’t explain why I’m getting consistently asked to allow connections from Japan and Singapore to name just a couple.
Also seem to get two different listings for PMS in LS (as shown by the two map graphics). There are other Plex-related entries like Plex Relay, etc., but those are connecting to the same locations and don’t appear to be concerning.
Sorry for the delayed response. I set up some traces and such to collect more information. First quick look shows a bunch of hits recently (today) from Amazon Web Services in Ireland.
I’m still seeing IPs from all over the US and the world, some coming from AWS and some not. I’m a little concerned about all of these connections–not like going crazy or anything. I’m blocking these IPs as was said above and nothing seems to be preventing the server and/or remote access from working.
As more and more security breaches happen with Fortune 500 companies around the world and their (supposedly) crack IT security staff aren’t able to stop them, it makes one wonder if a computer that is sharing out media files to friends and family might be open for attack. I’m just wondering if some Plex folks can come on here and set our minds at ease that this is something that we don’t need to concern ourselves with.
Better yet, perhaps they could tell us what to look for in our network logs to see if something is indeed happening with server security.
Interesting that you are seeing the hits from the US. I block all non-US (whitelist) IPs from any access at all, including Plex. I’m also taking on a harder posture and allowing only specific ports and protocols to specific IPs where possible. So far I have not seen any US-based traffic except that which I initiate.
One thing I did was to search for any CVEs before opening up any ports. Plex seems pretty solid, with few exceptions. Best recommendation is to make sure you have auto updates on.
Depending on what server OS you’re running (sounds like Apple iOS), you might want to look into overall machine hardening as well. It’s amazing what exposure little oversights can create. IT security is definitely a layered approach.
Anyway, glad I found someone else with the same interest as me. Hopefully we can sort out some of the inbound traffic and ensure it’s legit. I’ll keep my traces going for a while and see if they pick up any domestic traffic.
It absolutely is. If you have a port open and a listening service attached, you are absolutely attackable. Full stop.
You need to get comfortable with the fact that you can be attacked if you have a listening service connected to the public Internet. In fact, it’s actually possible to be attacked even if you don’t, though hopefully much more difficult.
If you can’t get comfortable with the reality that you can be attacked through the Plex server, you shouldn’t have it reachable on the public Internet. Network security is a very deep topic, as you yourself point out, Fortune 500 companies can struggle with this. They have much larger attack surfaces though, but any expectation that Plex could do better against a professional, focused attack against it, is unrealistic. If they are better at it than all the others out there, they are in the wrong business.
Instead, you hope that they do all the things a company that provides a network service product does. That they monitor and respond to security bulletins, and that they are responsive to their customers if their products are affected by announced vulnerabilities.
As for random connections from all over the place: get used to them, network scans happen. The connections are happening because services generally will allow an initial connection to happen. If you run a service on the public Internet, you will see network scans. If you don’t run a service on the public Internet, but are connected, you will still see network scans, you just won’t see successful connections. You cannot prevent these; that would be like saying that you live on a public street, but only want people that you know to drive down it.
I totally get it–if you have ports open you’re vulnerable–I know that as fact. What I was hoping for is that as Plex needs authentication to access the server remotely–therefore it should be more secure than just an open port with a welcome mat in front of it. If any other part of the machine is vulnerable because of that, there should be a way to keep that from happening while allowing only specific access (right?).
I previously used my main machine as my Plex server because that’s all I had. Now I have a separate Mac for my day to day activities and that is running close to the most recent OS and is more secure than my Plex server that can’t be updated as it’s no longer supported by Apple. That older machine is now stripped of all personal information and it’s mainly for Plex use and media file creation.
My concern from the random connections from around the globe was aimed more at the Plex folks to see if their systems are responsible for them due to any connections the server might be making to support sites like thetvdb.com and imdb.com.
I only have two people accessing my server and I’d like to keep it that way. Little Snitch helps me identify connection attempts and block them, but I wish I knew more about network security to keep the unwanted attention at bay. I have searched here on some sort of wiki page or a primer on how to keep Plex as secure as possible while using remote access, but if these exist I can’t find them with searches.