My server is being pummeled by some sort of pentest and I don't know what to do

Server Version: 1.31.0.6654 (Win 10)
Logs: Feb 20, 2023 07:13:31.826 [18084] DEBUG - Request: [34.159.24.105:33019 (WAN)] G - Pastebin.com

This is a direct copy/paste from a post I made on Reddit, here:

ORIGINAL POST/ISSUE BEGINS BELOW THE LINE

The conversation there basically ended with me needing to post here. Before I continue with the rest of the post, I’d like to make it clear that - unless I am gravely mistaken - this is not a case of “stupid thing guy forgot to do.” UPnP is off. Port forwarding is enabled only for the default (32400) Plex port and two other ports my system uses and are secure.

The ports being utilized for the requests shown in the log show as blocked/closed when I try to access them from outside my network.

Requests coming from verified users actively watching content seem to also utilize ports not open on my network; I would like to know the details of how this works and if it could be related to the issue at hand. For instance, here is a request from a family member three states away watching something on the server:

Request: [73.53..:44953 (WAN)] GET /:/timeline?key=%2Flibrary%2Fmetadata%2F163294&ratingKey=163294&state=playing&time=232112&duration=3544096&playbackTime=232956&playQueueItemID=900794&context=smarthub (18 live) #20990 TLS GZIP Signed-in Token (ang****)

What allows an incoming request to come in over port 44953? Aside from that - even if a port was open (which, again, they are not) why was this external address not affiliated with an authorized Plex account allowed to continuously hit the server; and more importantly, why did the server attempt to execute each and every command? What’s up with that?

Anyways, here is the original post with the original issue:


The logs are long (a hundred times longer than what I was able to paste there), but if you look for “DEBUG - Request: [34.159.24.105” you’ll see the problem.

This is like 1%. I noticed this after a reboot (of the server application) and had multiple pages worth in a handful of minutes. I finally blocked the IP in Windows Firewall (I’m on a Windows server) and it seems to have stopped for now. A traceroute on the IP just shows it’s a Google Cloud customer. I sent the logs to their abuse team via the form they have, but that isn’t going to help right now.

So yeah - after manually blocking the IP in my OS Firewall it stopped, but how can I protect myself from this in the future? I’m curious as to why Plex is not only receiving but attempting to execute calls made to it from an external IP address. There must be some sort of issue with port forwarding for these to even make it to this system, right? This also confuses me, because I have exactly four ports forwarded and none of them were used by these requests.

What can I do to secure things and prevent this from happening? Honestly I’m pretty stumped as to how these requests are hitting the Plex Server in the first place. What do I do?

Edit: I’d rebooted the server because my web-based Console was not responding and would send a chunk and then be dead for a minute, repeating forever. I found that this was the problem, the hits are coming so fast that the console is overwhelmed.

SwiftPanda from Tautulli informed me the port shown is the port being used on the outgoing server and is not the port being hit on the incoming request, which I did not know. Additionally, where I thought 404 implied the server was attempting to execute the request and could not find the file specified they have informed me Plex returns it globally for unauthorized requests; is this accurate? My main concern here is whether or not Plex is actually attempting to access these files the external IP is requesting; while in this situation it’s trying to pentest known web vulnerabilities, I’d like to assume if they had specified a valid location Plex still wouldn’t allow it.

Is there any way for me to have Plex outright ignore any GET requests from external addresses that are not associated with an authenticated user?

Some HTTP endpoints on the server can be accessed without authentication (e.g. the web UI HTML and JS files), so the HTTP routing code runs first, and auth is checked as appropriate for the endpoint requested. If no such endpoint exists, the client may receive a 404 without auth ever being checked (since nonexistent routes are not intrinsically privileged). Most paths on the server aren’t associated with files on disk; instead, they’re looked up in an internal routing structure. Accessing files on disk (outside of static resources like the web UI), such as media parts, goes through auth first.

No; the server isn’t aware of every IP address that every valid user might connect from at some point. Instead, accessing any privileged endpoint requires an authentication token, which is far more secure than an IP-address-based check would be.

I didn’t mean that it would know any potential IP address, I meant I assumed that on request it would perform said validation before attempting to do… well, anything.

I suppose I’ll have to just check my logs frequently and manually block any IPs I see repeating this behavior.

As I mentioned, the token is checked before any security-sensitive code runs for a request. The tokens are sufficiently high-entropy that they’d be impractical to bruteforce. There’s not really any need to seek out IPs performing scans.

Since the requests are from IP 34.159.24.105, I suggest you block that IP in your firewall.

Yeah, that’s what I did immediately after seeing this. There were so many log entries being generated that the console wouldn’t load. When I eventually realized something was wrong and checked the log files there were pages of just those requests. I blocked the IP in my firewall quickly after that and they ceased.

It would be nice if there was an advanced option to have Plex auto-blacklist any incoming IPs that exceed a threshold of requests and/or continue with requests unrelated to the operation of the server. I’ve run servers for years and have always had to deal with people IP and port scanning looking for software vulnerabilities, but for some reason I didn’t put two and two together and realize that Plex is really no different. Now I wish I weren’t on Windows so I could run fail2ban.

Is there anything I can do within Plex to prevent anybody that knows my IP from bombarding me with requests, or will I have to suck it up and put the server behind a reverse proxy?
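An added example, not from this thread or from Plex, showing two things the posts above talk about: the port in the `[IP:PORT (WAN)]` prefix is the client's ephemeral source port (so it changes per request and is never a port you forwarded), and a fail2ban-style tally that blocks IPs exceeding a request threshold with a Windows Firewall rule. It assumes the default Plex log path on Windows, a hypothetical threshold of 100 requests, and falls back to constructed sample lines when the log is not present.

```powershell
# Added example (not Plex's code): count WAN requests per remote IP in the Plex log and
# block repeat offenders. Assumptions: log path below, threshold of 100, rule name prefix.
param(
    [string]$LogPath = "$env:LOCALAPPDATA\Plex Media Server\Logs\Plex Media Server.log",
    [int]$Threshold = 100,
    [switch]$DryRun
)

# Matches the request prefix Plex writes: "DEBUG - Request: [IP:PORT (WAN)] METHOD /path"
$pattern = 'DEBUG - Request: \[(?<ip>\d{1,3}(?:\.\d{1,3}){3}):(?<port>\d+) \(WAN\)\] (?<method>\S+) (?<path>\S+)'

# Constructed sample lines (203.0.113.7 is a documentation address) used when no log exists.
$sample = @(
    'Feb 20, 2023 07:13:31.826 [18084] DEBUG - Request: [34.159.24.105:33019 (WAN)] GET /cgi-bin/ (1 live) #1 TLS',
    'Feb 20, 2023 07:13:31.901 [18084] DEBUG - Request: [34.159.24.105:33020 (WAN)] GET /phpmyadmin/ (1 live) #2 TLS',
    'Feb 20, 2023 07:13:32.004 [18084] DEBUG - Request: [34.159.24.105:33021 (WAN)] GET /wp-login.php (1 live) #3 TLS',
    'Feb 20, 2023 07:13:40.117 [18084] DEBUG - Request: [203.0.113.7:44953 (WAN)] GET /:/timeline?key=x (18 live) #4 TLS GZIP Signed-in Token (ang****)'
)
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }

# Tally requests and distinct source ports per remote IP; a signed-in token marks a real client.
$stats = @{}
foreach ($line in $lines) {
    if ($line -match $pattern) {
        $ip = $Matches['ip']; $port = [int]$Matches['port']
        if (-not $stats.ContainsKey($ip)) {
            $stats[$ip] = [pscustomobject]@{ IP = $ip; Requests = 0; Ports = [System.Collections.Generic.HashSet[int]]::new(); SignedIn = $false }
        }
        $stats[$ip].Requests++
        [void]$stats[$ip].Ports.Add($port)
        if ($line -match 'Signed-in Token') { $stats[$ip].SignedIn = $true }
    }
}

foreach ($s in $stats.Values | Sort-Object Requests -Descending) {
    # Every request arrives on the server's listening port (32400 by default); the logged port
    # is the client's source port, which is why it varies and is never "open" on the router.
    "{0,-16} {1,5} requests  {2,4} source ports  signed-in: {3}" -f $s.IP, $s.Requests, $s.Ports.Count, $s.SignedIn
    if ($s.Requests -ge $Threshold -and -not $s.SignedIn) {
        $name = "Plex-AutoBlock-$($s.IP)"
        if ($DryRun) { "Would block $($s.IP) via rule $name"; continue }
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -RemoteAddress $s.IP -Action Block | Out-Null
            "Blocked $($s.IP)"
        }
    }
}
```

Run it as Administrator with `-DryRun` first to see which addresses would be blocked; the tally alone needs no elevation.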

Reverse proxies are not supported. As far as I can tell, there is no issue here.
