Server Version#: 1.19.5.3112
Player Version#: 4.34.3
I have been hosting a plex server for my family and I for a couple years now and recently I moved my server infrastructure to something more stable and got better logging set up at the same time through NGINX RP.
Recently when viewing the logs from my NGINX RP, I noticed that someone else is using my Plex web at plex.[my domain]. Is there a way to limit who can sign into your self-hosted Plex-Web? I am trying to avoid HTTP basic auth and VPNs if possible because both cause a lot of issues for us…
Change your password and Force a LOGOUT on every logged in user using it.
Don't allow ANYONE to use your credentials.
Do insist ANYONE wanting to access your server - creates their own Plex.tv account - then share with that user account.
The US Gubmint doesn't give me the keys to Fort Knox.
They KNOW what would happen to the Gold if they did - and they'd be correct.
I'm sorry I think you misunderstood or I didn't explain well enough. They are simply using my Plex-Web interface using their own account. They are not using my account.
Tell them to stop using Plexweb.
If they don't comply - remove them from your friends list and deny them access - until they realize their actions have consequences. Tough Love.
There's no way, I guess to stop them from using Plexweb - other than the Dishonor and Die System (I use).
If Plexweb is 'causing all sorts of transcoding issues - have them install Plex for Windows and use that instead… or take a hike - a forced march, if necessary…lol
That means they only load the web app into their web browsers. (In my opinion not a big deal, because the data volume for loading the app is not that large.)
They must have made a bookmark in their browsers with your server's URL in it.
Tell them to change these bookmarks to point at https://app-plex.tv instead.
If I knew who they were I could, it's a collection of about 15 IP addresses that are hitting it. All but one is residential. I am not sure how someone would have even gotten the URL… It is not indexed and I don't post it anywhere…
It really isn't a big deal, mostly just a comfort thing.
I'm still not quite understanding what the problematic behavior is.
Almost any publicly-reachable service will find itself being scanned and probed; visibility and "normalization" of those requests is one reason to use something like NGINX. Being "unpublished" or using "unusual" ports isn't enough to avoid scanning and probing. You can ignore a few random requests, if that's what they are.
It's more interesting if they're authenticating and browsing directly to your PMS. If an account was being shared so that people could watch your media, you'd probably see any playback in your Dashboard.
You could look at the Plex Media Server logs for lines with "Auth: authenticated user" and "Auth".
If your valid/legit shared users are using app.plex.tv or their apps or TVs, you will still see their IP addresses hitting your NGINX and PMS when they play shows. But again you would see those in your Plex dashboard.
A very small note - it's possible to configure NGINX+Plex poorly, and to accidentally open your Plex up to the entire Internet. That could happen if you configured Plex to trust the NGINX IP addresses without authentication, and didn't configure NGINX to pass original IP addresses to Plex. That's unlikely.
So, the behavior that I am seeing is that they are loading the app, but not accessing my actual plex media server. The traffic appears to be whoever it is using my plex-web as if it is app.plex.tv to sign in and use another Plex server.
I think what I am going to do is just replace that page with a dead site page and just have my users use app.plex.tv…
I also just noticed that the referrer tag for people visiting plex.[my_domain] is "l.instagram.com" but I don't have an instagram account and my users know not to post our URL…
That sounds "good", I think - random scanning/probing is much less worrying than active users or password attacks or shared credentials would be.
Yeah, I am not super worried about it since I didn't see odd activity reflected in my Plex server's dashboard.
That's probably even a nonsense referrer tag. People frequently use "good" domains as camouflage.
Good to know, I will keep my eye on the activity and see if anything else pops up. If it is scanning, I am a little annoyed that my robots.txt is being ignored. But I guess that robots.txt is more of a "no trespassing" sign than a gate, lol.
My other option is to just block the offending IP addresses with PFSense. I used to do that but the blocklist eventually ended up in the thousands and I did not want to manage that anymore (I host more than just a Plex server)…
It's fun stuff to do as a hobby and to learn about what's out there. It's phenomenal how many different approaches the "big guys" use to analyze traffic, block bad stuff, allow good stuff through. There's no way to do it all on a small scale. Luckily you usually don't need to … the Internet isn't completely broken.
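Added example, not part of the original thread and not Plex or NGINX code: a small triage script for the check discussed above, separating clients that only load the web app through the reverse proxy from clients whose requests go on to the media server's API, and listing any outside referrers. It assumes the NGINX "combined" log format, that the web app is served under `/web/`, and uses a placeholder hostname and constructed log lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in NGINX "combined" format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2020:10:01:02 +0000] "GET /web/index.html HTTP/1.1" 200 5120 "https://l.instagram.com/" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2020:10:01:03 +0000] "GET /web/js/main.js HTTP/1.1" 200 90210 "https://plex.example.test/web/index.html" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2020:10:05:00 +0000] "GET /web/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2020:10:05:04 +0000] "GET /library/sections HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jun/2020:10:09:10 +0000] "GET /library/sections HTTP/1.1" 401 93 "-" "curl/7.68.0"
"""

WEB_APP_PREFIX = "/web/"        # assumption: path where the bundled web app is served
OWN_HOST = "plex.example.test"  # placeholder for plex.[my domain]
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def triage(log_text):
    """Return {ip: (verdict, [external referrers])} for each client in the log."""
    seen = defaultdict(lambda: {"app": 0, "ok": 0, "denied": 0, "refs": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        rec = seen[m["ip"]]
        if m["path"].startswith(WEB_APP_PREFIX):
            rec["app"] += 1      # static web-app load only
        elif int(m["status"]) < 400:
            rec["ok"] += 1       # a lead: confirm in the dashboard / PMS "Auth" lines
        else:
            rec["denied"] += 1   # request outside the app path was refused
        if m["referer"] != "-" and OWN_HOST not in m["referer"]:
            rec["refs"].add(m["referer"])
    report = {}
    for ip, rec in seen.items():
        if rec["ok"]:
            verdict = "api-accepted"
        elif rec["denied"]:
            verdict = "api-denied"
        else:
            verdict = "app-only"
        report[ip] = (verdict, sorted(rec["refs"]))
    return report

if __name__ == "__main__":
    for ip, (verdict, refs) in triage(SAMPLE_LOG).items():
        print(ip, verdict, refs)
```

An `api-accepted` verdict only says the proxy returned a success status outside the app path; whether a user was actually authenticated is answered by the dashboard and the server's own log.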