Server hack assistance

Woke up this morning to find that my Plex server had been changed to “I’ve got into your server - please secure it”. Apart from changing the password, what things should I consider doing?

I had the same experience this week - the name of my server also changed to the same as the OP. I’m using Plex on FreeBSD.

Some things that come to my mind:
When changing password, remember to check the little box below that signs out all connected devices. See https://support.plex.tv/hc/en-us/articles/204059436-Finding-your-account-token-X-Plex-Token and “getting a new token”
If using Plex Home, remember to only have trusted family members in your home (since it’s only a PIN guess away from full access).
If not using Plex Home, secure the local LAN https://support.plex.tv/hc/en-us/articles/200890058-Require-authentication-for-local-network-access
Set the crypto setting to forced if possible (instead of preferred)
Turn off DLNA (if not in a Home)
Do not use UPnP

I’m sure you’ll get more helpful feedback from others.

There was a preconfigured Plex server distributed by a 3rd party in the past for FreeBSD/FreeNAS which had a crucial setting wrong:
disableRemoteSecurity=1
which disables all user authentication. Everyone has full admin rights!
This preference needs to be set back to 0

https://support.plex.tv/hc/en-us/articles/201105343

I am no expert on FreeNAS, but if you run Plex in a kind of ‘virtualised container’, before you reset the pref to 0, verify that you are running the Plex container not NAT’ed but ‘bridged’, so it gets an IP address on your normal private network and not some intermediate subnet which would put it into a double-NAT situation.
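To check the server-side settings from this post, and the crypto and DLNA items from the checklist earlier in the thread, straight from Preferences.xml, here is a small POSIX sh script. It is an added example for this thread, not Plex’s own tooling. The disableRemoteSecurity attribute is the one named above; the secureConnections (0 = Required, 1 = Preferred, 2 = Disabled) and DlnaEnabled attribute names are as I recall them from my own Preferences.xml and should be confirmed on your install. The sample file contents are constructed, and the path to Preferences.xml is whatever it is on your platform. Stop Plex Media Server before running the fix, since it writes this file back when it exits.

```shell
#!/bin/sh
# Audit a Plex Preferences.xml for the setting that turns authentication off.
# Example code added for this thread, not Plex's own tooling.
# disableRemoteSecurity is the attribute named in the thread; secureConnections
# and DlnaEnabled are attribute names as I recall them (assumption), check them
# against your own Preferences.xml before trusting the warnings.

# Print the value of one attribute from Preferences.xml (empty if absent).
plex_pref() {
    # $1 = path to Preferences.xml, $2 = attribute name
    sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 if the server requires authentication, 1 if it does not.
# An absent attribute means the default, which is 0 (auth required).
plex_auth_enforced() {
    val=$(plex_pref "$1" disableRemoteSecurity)
    [ "${val:-0}" = "0" ]
}

# Report the settings discussed in the thread. Return 1 on the critical finding.
audit_plex_prefs() {
    file=$1
    rc=0
    if ! plex_auth_enforced "$file"; then
        echo "FAIL: disableRemoteSecurity=1 (no authentication at all); set it to 0"
        rc=1
    fi
    case "$(plex_pref "$file" secureConnections)" in
        0)  echo "ok: secure connections required" ;;
        "") echo "warn: secureConnections not set (server default is Preferred)" ;;
        *)  echo "warn: secureConnections is Preferred/Disabled; set to Required (0) if your clients allow it" ;;
    esac
    if [ "$(plex_pref "$file" DlnaEnabled)" = "1" ]; then
        echo "warn: DLNA enabled (DLNA clients are not authenticated)"
    fi
    return $rc
}

# Set disableRemoteSecurity back to 0 in place, keeping a .bak copy.
# Stop Plex Media Server first or it may write the old value back on exit.
fix_plex_auth() {
    sed -i.bak 's/disableRemoteSecurity="1"/disableRemoteSecurity="0"/' "$1"
}

# Constructed sample file (not from a real install) so the script can be tried offline.
write_sample_prefs() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Preferences FriendlyName="NAS" disableRemoteSecurity="1" secureConnections="1" DlnaEnabled="1"/>
EOF
    printf '%s\n' "$f"
}

# Usage: sh plex_prefs_audit.sh /path/to/Preferences.xml   (or --demo for the sample)
case "${1:-}" in
    --demo) f=$(write_sample_prefs); audit_plex_prefs "$f" || true; rm -f "$f" ;;
    "") ;;
    *) audit_plex_prefs "$1" ;;
esac
```

Run it against your real Preferences.xml first; only call fix_plex_auth once the server is stopped, then start it and confirm that the web app asks you to sign in.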

My server is up to date… I use PlexPy, which I’ve just updated to the latest version… I’ve two servers but they only changed one, so I suspect they’ve logged in online somewhere?

Does Plex have any logs for me to check how someone logged in and changed my Plex server name?

This has nothing to do with up-to-date or not.
You must find the advanced server preferences on your installation and change the preference in there. Follow the link I posted.

? I don’t have that option. I’m using the officially released Plex for Synology server, not the FreeBSD/FreeNAS one you mention above.

These are advanced preferences. They don’t have a GUI representation. Instead, they are hidden in a file, Preferences.xml (at least on Linux; you should be able to find where they live in FreeBSD by looking through the FreeBSD subforum), somewhere in the Plex data folder.

[edit]: take a look at https://forums.plex.tv/discussion/comment/1184970/#Comment_1184970

[edit2]: I totally missed that you didn’t tell me which platform your server runs on. My answers were informed by @JGNTSteve’s mention of FreeNAS.
The synology subforum should be able to tell you where to look for the file. It is definitely named Preferences.xml on the Syno platform.

Your Plex logs should show the IP of the user who accessed your server, but this seems like a white-hat “hacker”.

Thanks Night… doesn’t appear I can go back far enough to check my Plex logs on the server… I suspect they’ve got into my online account, and they only changed one of my server names; the other is only available internally so wouldn’t have been available… Which makes me wonder how they’ve hacked my password? Is there anything else I can check to see what’s happened?

Thanks for your assistance.

@x2srj said:
Thanks Night… doesn’t appear I can go back far enough to check my Plex logs on the server… I suspect they’ve got into my online account, and they only changed one of my server names; the other is only available internally so wouldn’t have been available… Which makes me wonder how they’ve hacked my password? Is there anything else I can check to see what’s happened?

Thanks for your assistance.

Two things come to mind:

  1. You did not have a password which was hard to brute-force. Brute-forcing a password takes mere milliseconds for average people’s passwords, and mere seconds for slightly stronger ones. Only truly strong passwords are safe. For now.
  2. Maybe you used PlexWatchWeb before you installed PlexPy? PWW was great, but it was a 3rd-party tool in which you could save your Plex password. That password was (still is, maybe?) visible if you just visited the web interface, right-clicked and chose “show source”.

@atrus said:

@x2srj said:
Thanks Night… doesn’t appear I can go back far enough to check my Plex logs on the server… I suspect they’ve got into my online account, and they only changed one of my server names; the other is only available internally so wouldn’t have been available… Which makes me wonder how they’ve hacked my password? Is there anything else I can check to see what’s happened?

Thanks for your assistance.

Two things come to mind:

  1. You did not have a password which was hard to brute-force. Brute-forcing a password takes mere milliseconds for average people’s passwords, and mere seconds for slightly stronger ones. Only truly strong passwords are safe. For now.
  2. Maybe you used PlexWatchWeb before you installed PlexPy? PWW was great, but it was a 3rd-party tool in which you could save your Plex password. That password was (still is, maybe?) visible if you just visited the web interface, right-clicked and chose “show source”.

thank you… I’ve changed my password… I’m not sure what I did with PlexWatchWeb but it’s a possibility.

I’ll look at increasing the password strength on all my accounts across the board going forward. Thank you for your advice and assistance.

When you changed the password, did you remember the “sign out all connected devices”? You’ll have to sign in again on your server but this is necessary to purge all cached tokens (afaik).

Also, I can recommend starting to use a password manager and, where possible, two-factor authentication (e.g. via your phone). I personally use LastPass as my manager, but there are others.

@x2srj said:
Thanks Night… doesn’t appear I can go back far enough to check my Plex logs on the server… I suspect they’ve got into my online account, and they only changed one of my server names; the other is only available internally so wouldn’t have been available… Which makes me wonder how they’ve hacked my password? Is there anything else I can check to see what’s happened?

Thanks for your assistance.

There should be lots of logs which have rolled over; check out
Plex Media Server.1.log
Plex Media Server.2.log
Plex Media Server.3.log
Plex Media Server.4.log
Plex Media Server.5.log
and so on.
An IP won’t, however, do you much good, since you will not be able to get the name behind that IP, but you can block it in your firewall.
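To actually pull the client IPs out of those rotated files, here is an added POSIX sh example (mine, not Plex’s). It assumes requests are logged as “<timestamp> [...] DEBUG - Request: [IP:PORT (LAN|WAN)] VERB /path ...” and that a server rename arrives as “PUT /:/prefs?FriendlyName=...”; both are my assumptions about the log shape, so compare them against a few lines of your own “Plex Media Server.log” before relying on the output. The sample log lines and the 203.0.113.45 address are constructed, and the block_rules output uses iptables syntax purely as an illustration; translate it to whatever firewall you actually run (the DSM firewall on Synology, pf on FreeBSD).

```shell
#!/bin/sh
# Find which client IPs touched a Plex server, across current and rotated logs.
# Example code added for this thread, not Plex's own tooling.
# Assumed (not taken from the thread) log line shape:
#   "<timestamp> [...] DEBUG - Request: [IP:PORT (LAN|WAN)] VERB /path ..."
# and assumed rename request: "PUT /:/prefs?FriendlyName=...". IPv4 only.

# Every log file in a Plex Logs directory: the live one plus .1.log, .2.log, ...
plex_log_files() {
    for f in "$1"/Plex\ Media\ Server.log "$1"/Plex\ Media\ Server.[0-9]*.log; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
}

# Concatenate all of them so the rotated history is searched too.
plex_requests() {
    plex_log_files "$1" | while IFS= read -r f; do cat "$f"; done
}

# Turn a Request line into "IP SUBNET" (e.g. "203.0.113.45 WAN"); drop the rest.
extract_client() {
    sed -n 's/.*Request: \[\([0-9.]*\):[0-9]* (\([A-Z]*\))\].*/\1 \2/p'
}

# "count IP SUBNET" for every client seen, most active first.
plex_client_ips() {
    plex_requests "$1" | extract_client | sort | uniq -c | sort -rn
}

# Unique "IP SUBNET" pairs that changed server preferences (a rename goes here).
plex_pref_changes() {
    plex_requests "$1" | grep 'PUT /:/prefs' | extract_client | sort -u
}

# Suggested firewall lines for the WAN addresses that changed prefs.
# iptables syntax is only an illustration; adapt to your own firewall.
block_rules() {
    plex_pref_changes "$1" | while read -r ip net; do
        if [ "$net" = "WAN" ]; then
            printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
        fi
    done
}

# Constructed sample Logs directory (not real server output) to try this offline.
write_sample_logs() {
    d=$(mktemp -d)
    cat > "$d/Plex Media Server.log" <<'EOF'
Jan 31, 2017 08:00:01.100 [0x7f1] DEBUG - Request: [192.168.1.20:52110 (LAN)] GET /library/sections (2 live)
EOF
    cat > "$d/Plex Media Server.1.log" <<'EOF'
Jan 30, 2017 02:11:09.421 [0x7f1] DEBUG - Request: [203.0.113.45:41822 (WAN)] GET /identity (1 live)
Jan 30, 2017 02:11:12.903 [0x7f1] DEBUG - Request: [203.0.113.45:41823 (WAN)] PUT /:/prefs?FriendlyName=I%27ve%20got%20into%20your%20server (1 live)
Jan 30, 2017 02:11:13.003 [0x7f1] DEBUG - Request: [192.168.1.20:52001 (LAN)] GET /status/sessions (1 live)
Jan 30, 2017 02:11:14.210 [0x7f1] DEBUG - Request: [192.168.1.20:52002 (LAN)] GET /library/sections (1 live)
EOF
    printf '%s\n' "$d"
}

# Usage: sh plex_who.sh "/path/to/Plex Media Server/Logs"   (or --demo for the sample)
case "${1:-}" in
    --demo) d=$(write_sample_logs); plex_client_ips "$d"; echo "--- pref changes ---"
            plex_pref_changes "$d"; block_rules "$d"; rm -rf "$d" ;;
    "") ;;
    *) plex_client_ips "$1"; echo "--- pref changes ---"; plex_pref_changes "$1" ;;
esac
```

If the rename falls outside what the rotated files still cover, the logs simply won’t have it; the only fix for next time is to copy the Logs directory off the box on a schedule (or ship it to syslog) so rotation no longer limits how far back you can look.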

Thanks Peter… I’ve completed the “Sign out of all devices now” and increased the password for the near future whilst I look in to a password manager.

@Night said:

@x2srj said:
Thanks Night… doesn’t appear I can go back far enough to check my Plex logs on the server… I suspect they’ve got into my online account, and they only changed one of my server names; the other is only available internally so wouldn’t have been available… Which makes me wonder how they’ve hacked my password? Is there anything else I can check to see what’s happened?

Thanks for your assistance.

There should be lots of logs which have rolled over; check out
Plex Media Server.1.log
Plex Media Server.2.log
Plex Media Server.3.log
Plex Media Server.4.log
Plex Media Server.5.log
and so on.
An IP won’t, however, do you much good, since you will not be able to get the name behind that IP, but you can block it in your firewall.

I checked these however they only appeared to go back a couple of days and didn’t cover the 29th or early on the 30th when I believe the intrusion occurred. Should I increase the logging time? Is there a way to do that? Thanks

I have logs in different places; on firewalls, for example, I log every connection to given ports, and I keep them for all time. Normal people do not need such logs. Which OS are you on? Might be able to get some extraction.

@Night_2 said:
I have logs in different places; on firewalls, for example, I log every connection to given ports, and I keep them for all time. Normal people do not need such logs. Which OS are you on? Might be able to get some extraction.

I’m on Synology… Here is a screenshot of what I see (you’ll see the Plex Media Server logs appear to cover only today/yesterday):

Right, so this was my fault: not having my server secured whilst on a VPN, and no auth on my PMS. I’ve sorted that and had no more issues. Thanks for your support.