Security?

Overnight my security server captured an IP address/port from overseas…
It made one attempt. It wasn’t a port scan since it was just one hit, but it did contain a valid port forwarded to one of my servers at 32400…
The PMS server in question did not respond to the system since I trapped it, and that may be why there was only one hit…

Question is: how would they have known the forwarded port to use, since no scans had been detected?

I have no users overseas; everyone is in the US…
The source IP was from Italy…

Public Port 32400 is in use by, I reckon, about a million Plex Users.
Are you one of them?
I’m not.

The port that was forwarded was not 32400 to 32400.

It was a random 5 digit number…

EDIT: and the source IP address was not one of Plex’s IP addresses, it was a general ISP address.

There’s a range of random numbers to use - one between 20000 and 50000 should do. The one I use is in that range.

Yep…

What bothers me is that they knew a public ip and port to use…
It was not a scan of ports…

If a network ninja happens by, some logs showing the event may shed some light.

There is nothing in the logs…
They never got that far, I trapped it so the PMS server never saw it and didn’t respond.
I see access by the Plex API Servers (Amazon) from all over and I know those IP addresses.
This was from Italy and a general ISP address, not directly associated with anyone.

If they somehow obtained your Plex token it would be easy enough for them to find your server, its public IP address, and its public port. No need for a port scan.

https://plex.tv/api/resources?X-Plex-Token=[your token here]

This returns an XML document with detailed information for each of your servers. There’s some more detailed information here.

There’s some information here on how to obtain a new token:

How would one go about doing that?

If you visit this link and replace [your token here] with your token, it will load an XML document listing all your servers and their details:
https://plex.tv/api/resources?X-Plex-Token=[your token here]

On some browsers (I’m looking at you, Safari) you have to view the page source as it just loads a blank page.

You can find your token using the second article I linked.

If you mean how would someone (who’s not you) go about finding your Plex token, I’m not sure.

1 Like
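
As an added example (not part of any post in this thread and not Plex's own code): a short Python audit of what the resources XML document described above tells anyone who holds a token. The element and attribute names and the sample document are assumptions constructed for illustration; run it against the page source you saved for your own account.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample. Element/attribute names (Device, Connection, provides,
# address, port) are assumed; addresses are documentation/RFC 1918 ranges.
SAMPLE_XML = """<MediaContainer size="3">
  <Device name="HomeServer" provides="server" publicAddress="203.0.113.7">
    <Connection protocol="https" address="192.168.1.20" port="32400"/>
    <Connection protocol="https" address="203.0.113.7" port="41873"/>
  </Device>
  <Device name="LanOnly" provides="server" publicAddress="203.0.113.7">
    <Connection protocol="https" address="10.0.0.5" port="32400"/>
  </Device>
  <Device name="Phone" provides="client,player" publicAddress="203.0.113.7"/>
</MediaContainer>"""

# Ranges that are not reachable from the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(address):
    """True only when the address parses as an IPv4 LAN/loopback address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # hostname or empty: cannot prove it is internal
    return any(ip in net for net in INTERNAL_NETS)


def exposed_endpoints(xml_text):
    """List (server, address, port) for each advertised non-internal connection."""
    findings = []
    for device in ET.fromstring(xml_text).iter("Device"):
        if "server" not in device.get("provides", "").split(","):
            continue  # players and clients are not what was port-forwarded
        for conn in device.iter("Connection"):
            address = conn.get("address", "")
            if not is_internal(address):
                findings.append((device.get("name"), address, conn.get("port")))
    return findings


if __name__ == "__main__":
    for name, address, port in exposed_endpoints(SAMPLE_XML):
        print(f"{name}: token holder learns {address}:{port}")
```

Every tuple it returns is a public address and forwarded port that a single request with the token discloses, with no port scan involved.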

Yea, that’s what I meant…
Seeing the reports of accounts being taken over and people saying they didn’t have trivial passwords, makes you wonder…

Seems a lot of work just to gain access to watch a few movies.

And Plex doesn’t seem all that concerned. Their lack of interest does bother some.

Here’s one potential way for a Plex token to be leaked:

Thanks…
I saw that thread when it was reported… It’s also what has got me thinking…
I don’t use Tautulli and it’s not loaded anywhere on my systems…

What precautions does Plex take to keep us safe…

Would it be possible for a rogue player to create a Plex add-on that would collect information without anyone knowing it?

That’s why when I saw that single hit with the correct information I posted it.
I don’t collect packet information about the hits because there is little I could do other than what I am doing.
Would it be nice to see what they were trying to do? Did it contain a token? All good questions, but I don’t know.

What is a Plex Add-on?

Tautulli

Plex Inc. cannot police what users decide to install on their systems. If you install WebTools, which asks for your Plex credentials, it is up to you to decide if you trust the developer enough to do that. I do trust @dane22, so I use it.

There may be steps which Plex Inc can take, after it has gained knowledge of a security issue. But it will not proactively inspect the source code of all 3rd-party add-ons.

1 Like

And adding to @OttoKerner here (and thanks for the kind words, btw.)

When using 3rd-party tools that ask for plex.tv credentials, I personally divide those into the following:

  • If not running locally => NEVER use it
  • If running locally, and from a well known and trusted developer => Use it
  • If running locally, and from an unknown developer, check the source code
    • If source code isn’t available => NEVER use it
  • If running locally, but the plugin communicates with external sites, check the source code, as well as what is communicated

And in general, if running locally, and not asking for plex.tv credentials, then a plugin can grab the server token, so always check the code if available!

How many Plex users do you think have the background knowledge to do those checks?

Most would be from an unknown developer. dane22, I do not know you.
I do not use your app, but that’s because I don’t see a need for it.
I’m not trying to make this personal, just pointing out that care does need to be taken.
And I do believe that Plex should take on the responsibility that an add-on meets its security requirements for its users.

Not many, and thus why I said what I personally do.

So you want Plex to set aside resources (people) that scan the internet daily in order to find new 3rd-party tools unknown to them?

The way I see it is like this:
If a user decides to use 3rd-party tools, it’s at their own risk, since it’s out of Plex’s control!

And the above being either a player, an external tool or a plugin.

1 Like

So you’re saying it’s the Plex user’s responsibility for the security of the Plex Applications.

OK…