Setting up remote access

UPnP wasn’t the attack vector for Qlocker or Deadbolt. Those issues equally affected those that manually configured port forwarding and those who manually activated UPnP to expose their NAS systems to the Internet.

UPnP certainly shouldn’t be exposed to the Internet. That has always been a misconfiguration, and it is an embarrassment that so many devices were shipped that way and haven’t been updated.

UPnP is a great improvement over the previous common configuration of a DMZ host.

The aggressive stance many people take against UPnP doesn’t make sense.

I politely disagree. Those who manually port forwarded just the Plex port or other actual secure services had no problems; those who left web servers open unaware and left router / NAS with UPnP were also vulnerable and attacked, at least via Qlocker, which has been going for much longer than 2 years.
But we both agree, no UPnP on edge-facing devices.

Deadbolt, I am still uncertain on the actual vectors.

The advantage to adding your LAN or specific local hosts to ... allowed without auth is that they can connect to your Plex Media Server if your Internet is out or if Plex.tv is not reachable to get an authentication token.

The disadvantage is that they connect without any authentication, and connect as the admin user. That might be fine with you!

Yes, basically.

How much that matters will depend on your router and modem and connection type, and if anything like FQ-CODEL or CAKE or specific client prioritization is available in the router, and how sensitive you are to slowdowns.

Obviously it also depends on the bitrate of the media.

Sadly there’s no way to configure “classes” in Plex - this user gets aaa quality and yy bandwidth, but this OTHER user gets AAA quality.

All true. If you keep the address to just your internal network, really no risk. That it works without the internet is a HUGE plus, but each device has to have first connected at least once via the internet so the authentication is cached. As I recall you will not be able to get a new device to work this way until after it’s the first instance.

Good point. It depends on the device. Some will discover the server on the local LAN automatically. Others seem to depend on the connection to Plex.tv to get a list of registered servers.

Because ...allowed without auth means connections are automatically accepted as the admin user, it also allows changing server settings, sharing configuration & friends, deleting media files, etc.

So I wouldn’t really recommend enabling it on an entire LAN.

Hmm, did not know that. Thought if Plex was set to not allow deletion, only a signed-in admin could do it. So everyone gets admin rights through that? That seems a bit extreme that it is set up that way in the programming.