REPORT! SlyPlex

I disable external access and use an OpenVPN server just to prevent these situations. Rasplex (OpenPHT now) supports it as a client. iOS, Android, and Windows all have free VPN Clients.

I’d like to know how many people are using Secure Connections Preferred instead of Required.

@Night said:
Can’t they put it in bridge mode? I got my ISP to do that.

Unfortunately they don’t allow this either; they’re pretty harsh, and I think there is also an element of their customer support having a meltdown if that kind of question was asked :)) but thanks for the tip.

Hi everyone,

2nd Update:
I’ve completed the initial scripts that will wake the server if accessed from an external IP; just trying to figure out how to get the internal to work, as the logging on tomatousb and ddwrt based firmwares is quite strict in an ‘all’ or ‘nothing’ logging mechanism, and for some reason custom iptables rules don’t always wish to work. More information to come once the scripting for internal is complete.

As mentioned above, OpenVPN is a great way to go, which I plan to use for mobile device connectivity as it is a built-in feature on tomatousb firmware. This way I can lock down to specific IPs, dropping any unknown IPs, and then use VPN for mobile devices to tighten the security further. The only concern I have is with the level of encryption potentially slowing things down if I use something like AES-256-OFB, though I can say with all the configuration and scripts the router CPU % never peaks above 3% usage.

In case any are wondering why AES-256-OFB, this is because it is relatively secure and not very widely used, lowering its overall potential attack surface. I’m avoiding CBC because of vulnerabilities such as BEAST and POODLE, though it is worth noting that for a Man in the Middle attack the attacker would need to be strategically placed; however, DDoS attacks are still possible through the use of CBC ciphers and I want to ideally mitigate that attack type.

@Morton024 said:
Hi everyone,

2nd Update:
I’ve completed the initial scripts that will wake the server if accessed from an external IP; just trying to figure out how to get the internal to work, as the logging on tomatousb and ddwrt based firmwares is quite strict in an ‘all’ or ‘nothing’ logging mechanism, and for some reason custom iptables rules don’t always wish to work. More information to come once the scripting for internal is complete.

As mentioned above, OpenVPN is a great way to go, which I plan to use for mobile device connectivity as it is a built-in feature on tomatousb firmware. This way I can lock down to specific IPs, dropping any unknown IPs, and then use VPN for mobile devices to tighten the security further. The only concern I have is with the level of encryption potentially slowing things down if I use something like AES-256-OFB, though I can say with all the configuration and scripts the router CPU % never peaks above 3% usage.

In case any are wondering why AES-256-OFB, this is because it is relatively secure and not very widely used, lowering its overall potential attack surface. I’m avoiding CBC because of vulnerabilities such as BEAST and POODLE, though it is worth noting that for a Man in the Middle attack the attacker would need to be strategically placed; however, DDoS attacks are still possible through the use of CBC ciphers and I want to ideally mitigate that attack type.

I’ve just started logging every ip that connects to my plex, I add every ip not known to my filters…

#!/bin/bash

TODAY=$(date)
HOST=$(hostname)
echo "-----------------------------------------------------"
echo "Date: $TODAY Host:$HOST"
echo "-----------------------------------------------------"

# Take everything after the second "[" on each log line, keep the part before the
# first ":" (the client IP), de-duplicate, keep only dotted-quad values and number them.
cut -d'[' -f3- /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Logs/* | cut -d: -f1 | sort | uniq | grep -a -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | nl | grep -v Notify

echo "-----------------------------------------------------"

and another script which cleans it up, removes trusted IP ranges and adds it to the firewall for me.
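
An added example, not part of any post in this thread: the clean-up step described above (drop addresses in trusted ranges, keep the rest for review) done in one pass with awk. The trusted ranges, function names and sample log lines are constructed, and the sample lines assume the bracketed IP:port layout that the script above cuts on.

```shell
#!/bin/sh
# Added example. TRUSTED and the sample log lines are constructed values.
TRUSTED="192.168.0.0/24 10.8.0.0/24"   # assumed LAN and VPN subnets

# unknown_ips "CIDR CIDR ..." < logfile
# Prints each distinct client IP that is outside every trusted range.
unknown_ips() {
  awk -v trusted="$1" '
    function ip2int(ip,   o, i) {            # dotted quad -> integer, -1 if invalid
      if (split(ip, o, ".") != 4) return -1
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
      return o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
    }
    function in_cidr(ipn, cidr,   p, bits, net, size) {
      bits = (split(cidr, p, "/") == 2) ? p[2] + 0 : 32   # bare IP means /32
      net = ip2int(p[1]); size = 2 ^ (32 - bits)
      return net >= 0 && int(ipn / size) == int(net / size)
    }
    BEGIN { nt = split(trusted, t, " ") }
    {
      # Only accept an address in the "[IP:port" position, so version strings
      # or timestamps elsewhere on the line are not mistaken for clients.
      if (!match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:/)) next
      ip = substr($0, RSTART + 1, RLENGTH - 2)
      ipn = ip2int(ip)
      if (ipn < 0 || seen[ip]++) next
      for (i = 1; i <= nt; i++) if (in_cidr(ipn, t[i])) next
      print ip
    }' | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

sample_log() {   # constructed lines
  cat <<'EOF'
Jan 10, 2017 20:14:02 [0x7f01a] DEBUG - Request: [192.168.0.23:50112 (Subnet)] GET /library/sections
Jan 10, 2017 20:14:05 [0x7f01b] DEBUG - Request: [203.0.113.45:41822 (WAN)] GET /identity
Jan 10, 2017 20:14:09 [0x7f01b] DEBUG - Request: [203.0.113.45:41830 (WAN)] GET /web/index.html
Jan 10, 2017 20:15:40 [0x7f01c] DEBUG - Request: [10.8.0.6:53100 (WAN)] GET /library/recentlyAdded
Jan 10, 2017 20:16:11 [0x7f01d] DEBUG - Request: [198.51.100.7:60211 (WAN)] GET /manage
Jan 10, 2017 20:16:12 [0x7f01d] DEBUG - Notify: version 999.1.2.3 check scheduled
EOF
}

sample_log | unknown_ips "$TRUSTED"
```

The output is a review list; each address still needs a look before it goes into a firewall rule.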

Hi guys,
Apologies it’s been a while since my last response as I’ve been travelling for work, I will be finishing the scripts for the router today so will post them in due course.

Okay so I’m still trying to find time to look at the internals of things but here are the scripts to wake plex from an external standpoint, obviously if you configure the port forward to only allow from trusted sources you will essentially lock your plex down.

Modify the following in the scripts:
MAC 00:00:00:00:00:00 to the MAC of your NIC of your server.
IP 192.168.0.2 to whatever the internal IP address is.

On TomatoUSB firmware ->

INIT Script:

echo '#!/bin/sh
PORT="32400"
# "&&" (not "&") so both tests must pass; ping takes a host, not host:port.
if grep -q "DPT=$PORT" /tmp/var/log/messages && ping -c 1 -W 1 192.168.0.2 > /dev/null
then
echo "Exists & Already Awake!"
cat /dev/null > /tmp/var/log/messages
else
ether-wake 00:00:00:00:00:00
echo "Waking Up..."
fi
' > /tmp/home/root/WoL.sh

chmod +x /tmp/home/root/WoL.sh

WAN Up Script:

while true;
  do tail -n2 /tmp/var/log/messages |grep -q -e "DPT=32400" &&
    (/tmp/home/root/WoL.sh;
  logger -p syslog.info -- **Wake-on-LAN**);
  sleep 4;
done

I can appreciate this may not be the prettiest way of doing it but it works perfectly, I plan to suss out the iptables with TomatoUSB soon to capture both external and internal logging but whilst it is a bit temperamental this will work as a temporary work around.

Hope this helps.

Hi everyone, apologies for the extremely long delay in response but duty calls and all that…

I have now amended the scripts to work for the internal LAN in addition to over the web, and thought it may be useful to some of you.

I am aware that the below has been issued in quote tags rather than code tags, however this was due to the code not displaying properly because of quotes being used in the script.

Modify the following in the scripts:
MAC 00:00:00:00:00:00 to the MAC of your NIC of your server.
IP 192.168.0.2 to whatever the internal IP address is.

On TomatoUSB firmware →

INIT Script:

echo '#!/bin/sh
PORT="32400"
# "&&" (not "&") so both tests must pass; ping takes a host, not host:port.
if grep -q "DPT=$PORT" /tmp/var/log/messages && ping -c 1 -W 1 192.168.0.2 > /dev/null
then
echo "Exists & Already Awake Over Web!"
cat /dev/null > /tmp/var/log/messages
elif grep -q "plex.direct" /tmp/var/log/messages && ping -c 1 -W 1 192.168.0.2 > /dev/null
then
echo "Exists & Already Awake Over LAN!"
cat /dev/null > /tmp/var/log/messages
else
ether-wake 00:00:00:00:00:00
echo "Waking Up..."
fi
' > /tmp/home/root/WoL.sh

chmod +x /tmp/home/root/WoL.sh

WAN Up Script:

while true;
do tail -n2 /tmp/var/log/messages |grep -q -e "DPT=32400" || tail -n2 /tmp/var/log/messages |grep -q -e "plex.direct" &&
(/tmp/home/root/WoL.sh;
logger -p syslog.info -- **Wake-on-LAN**);
sleep 4;
done

Hope this helps.
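
An added example, not the poster's script: polling with `tail -n2` can miss a hit when more than two lines are logged between polls, so this version reads only the lines appended since the last poll and returns the source address of each hit on the Plex port. The state-file path, function names and sample log lines are constructed; `SRC=` and `DPT=` are the standard iptables LOG fields.

```shell
#!/bin/sh
# Added example. Paths, function names and sample log lines are constructed.

# new_plex_hits LOG STATE [PORT]
# Prints the SRC= address of each firewall-log line for PORT appended since the
# previous call, and records in STATE how many lines have been read.
new_plex_hits() (
  log=$1; state=$2; port=${3:-32400}
  last=0
  if [ -s "$state" ]; then last=$(cat "$state"); fi
  total=$(wc -l < "$log" | tr -d ' ')
  # The wake script empties the log, so a shorter file means "start over".
  if [ "$total" -lt "$last" ]; then last=0; fi
  echo "$total" > "$state"
  awk -v skip="$last" -v upto="$total" -v port="$port" '
    NR <= skip { next }
    NR > upto  { exit }        # lines written after the count wait for the next poll
    {
      src = ""; hit = 0
      for (i = 1; i <= NF; i++) {
        if ($i == ("DPT=" port)) hit = 1        # whole token: DPT=324000 is not a hit
        else if ($i ~ /^SRC=/) src = substr($i, 5)
      }
      if (hit && src != "") print src
    }' "$log"
)

demo() (
  dir=$(mktemp -d)
  cat > "$dir/messages" <<'EOF'
Jan 10 20:14:05 router kernel: ACCEPT IN=vlan2 OUT=br0 SRC=203.0.113.45 DST=192.168.0.2 PROTO=TCP SPT=41822 DPT=32400
Jan 10 20:14:05 router kernel: ACCEPT IN=vlan2 OUT=br0 SRC=198.51.100.7 DST=192.168.0.2 PROTO=TCP SPT=40000 DPT=22
Jan 10 20:14:06 router dnsmasq[123]: query[A] example.invalid from 192.168.0.23
EOF
  echo "poll 1: $(new_plex_hits "$dir/messages" "$dir/offset")"   # hit is three lines back
  echo "poll 2: $(new_plex_hits "$dir/messages" "$dir/offset")"   # nothing new
  rm -rf "$dir"
)
demo
```

Each printed address can be checked against a trusted list before the wake script is called.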

After I first set up my NAS, I started getting attacked randomly on all common ports. FTP on port 21, HTTP on port 80 etc… It was a bot doing the attacks and using standard username and passwords, like admin:1234 or whatever. After that, I changed all my ports to non-standard ports and forwarded them to the ports I needed on my NAS. I’m doing the same with PLEX. Have never been bot sniffed since.