Hi!
Sometimes I share my library with a friend. I can see what he is watching in the moment if I’m connected at the same time, but I can’t have his IP address. I can’t be sure that he’s not going to give his account all around the world and anybody will be able to see my personal videos.
It would be useful to have a ban ip / whitelist / blacklist functionality to increase security of the Plex Media Server. I think it is a kind of security issue…
Thanks
It's probably better to manage this kind of security on your router/firewall. If your router doesn't support it, I'd recommend upgrading to one that does.
In any case it probably would not work unless all your friends have static WAN/Public IP Addresses. They could be connecting to the server from any IP address - depending on where they are / what ISP / Network Service Provider connection they use
You ought not to share libraries with people you do not fully trust, and if you do have private stuff then split the Plex Media Server contents so that it would be in a separate Library Section and only share the other Library Sections.
Wouldn't it be easier to block more than 2 simultaneous Plex sessions from an outside source on your firewall? That way the firewall (which is designed to do this kind of stuff) prevents any bad behaviour reaching the server. That way the security is handled in a proper way by components that are designed to do that job.
Having said that: it is extremely difficult to do that kind of filtering based on IP-address. Addresses are usually dynamic, and not easily predicted, especially with larger ISPs.
If you can't trust your friend to behave as a guest on your system, you shouldn't be sharing with him in the first place....
Jaap
Hi, thanks for the answers. Of course, this story of IP addresses was an example. However, it could be useful to block ranges of addresses, or simply use whitelists only. A lot of IP addresses are dynamic, but addresses are not changing every day…
I can’t add an IP filter on my router, but I don’t agree with you: if I use a filter on my router, other services (like apache servers, …) will not be reachable if they are behind this router too. And I’m not going to buy and add a router between a unique server with Plex and the other part of the network. It would be really easy to add a very light IP firewall on Plex, and it would be useful for me.
Moreover, it is possible for anybody with a Plex account to log on to the server of anybody else. Why? (Of course he can’t see the files if they are not shared with him but I don’t think it is normal).
For any virtual servers I have, there is a way to control traffic from IPs or accounts, and administer connections (not only see them). I can’t stop the movie of someone if the server is overloaded, … We need features like that.
Moreover, it is possible for anybody with a Plex account to log on to the server of anybody else. Why? (Of course he can't see the files if they are not shared with him but I don't think it is normal).
It is not
From outside your local network, they can only reach your server and access it if
- They know your plex.tv username and password - the one used in Media Manager / Settings / Server / Connect to connect to plex.tv
or
- The library is shared with them and they would access through their own plex.tv username/password
From outside your local network, they can reach your server but not be able to access it if
They would be challenged with username/password prompt
There was an issue with the Plex Media Server FreeNAS plugin where access was not challenged but this should be fixed in the current version. A config change is documented in forum posts to plug this hole in FreeNAS PMS
Other issues seen were from a few users that had incorrect router configuration ending up with Open NAT
A lot of IP addresses are dynamic, but addresses are not changing every day...
Usually the IP-lease is 24 hours, so that gives some indication of the dynamics. And Mobile phones keep changing constantly when you are highly mobile.
I can't add an IP filter on my router, but I don't agree with you: if I use a filter on my router, other services (like apache servers, ...) will not be reachable if they are behind this router too.
Most devices capable of running a PMS can also run their own firewall. Linux boxes have iptables installed by default, Windows has its internal firewall. And a normal firewall is capable of filtering on a combination of IP address and port number. So you can open up port 80 to the world (webserver) and port 32400 (Plex) to only a small set of IPs.
For any virtual servers I have, there is a way to control traffic from IPs or accounts, and administer connections (not only see them). I can't stop the movie of someone if the server is overloaded, ... We need features like that.
Although I am a fan of posing more limits on sharing, basic firewalling (rate control, session control) can help a lot here. Above that, specific scripts can detect CPU-load and simply kill the violating process. I have an hourly check that does that: it excludes Plex transcoding (a process that frequently hits 100%) but heavy processes can be managed.
Jaap
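The host-firewall setup described in the post above (port 80 open to the world, port 32400 limited to a small set of addresses, with a connection cap and logging), as an added example that is not part of the original thread. The chain name `PLEX`, the log prefixes, the `MAX_CONN` value and the documentation-range addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset in which port 80 stays open
# to everyone and Plex (32400) is reachable only from listed IPv4 sources.
# MAX_CONN is an assumed value; it caps TCP connections per source address,
# which is not the same thing as Plex sessions.
PLEX_PORT=32400
MAX_CONN=${MAX_CONN:-8}

valid_src() {
    # Shape check only: dotted quad with an optional /0-32 prefix length.
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

plex_rules() {
    # Validate every source first so nothing unexpected lands in the ruleset.
    for src in "$@"; do
        valid_src "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':PLEX - [0:0]'
    echo '-A INPUT -p tcp --dport 80 -j ACCEPT'
    echo "-A INPUT -p tcp --dport $PLEX_PORT -j PLEX"
    # Packets of connections that were already admitted.
    echo '-A PLEX -m conntrack --ctstate ESTABLISHED -j ACCEPT'
    for src in "$@"; do
        # Too many parallel connections from one address: refuse the new one.
        echo "-A PLEX -s $src -p tcp --syn -m connlimit" \
             "--connlimit-above $MAX_CONN --connlimit-mask 32" \
             "-j REJECT --reject-with tcp-reset"
        # Log each admitted connection so its source IP reaches the kernel log.
        echo "-A PLEX -s $src -p tcp --syn -j LOG --log-prefix \"plex-allow: \""
        echo "-A PLEX -s $src -p tcp --syn -j ACCEPT"
    done
    # Everything else aimed at the Plex port is logged and dropped.
    echo '-A PLEX -j LOG --log-prefix "plex-deny: "'
    echo '-A PLEX -j DROP'
    echo 'COMMIT'
}

# Print the ruleset for review (constructed documentation addresses).
# Syntax check as root: plex_rules ... | iptables-restore --test
# Loading it without --noflush replaces the existing filter table.
plex_rules 203.0.113.10 198.51.100.0/24
```

Because the INPUT policy stays at ACCEPT and only port 32400 is diverted into its own chain, other services on the same host remain reachable.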
If my friends shared out their Plex accounts just to access my PMS shares and did not tell me, I’d not bother sharing with them in the first place!
Sounds more like you have trust issues with whom you are sharing with. Just don’t share with them! Simples!
In my opinion Plex should provide solutions, there would be no need to spend hours on making scripts and finding solutions because developers don’t want to add a link to stop the movie of a user (a script which kills a process is a war weapon, there are a lot of specific cases) or just show the IP address to the admin (I like, when I administer a server, to know what is happening or what happened when I wasn’t there).
I’m pretty sure that if someone with a Plex account enters his username and password on my server, the connection will be a success. He will not see my files but he will be connected to his Plex account, through my server. This is really not normal. No link to local connection (and sign in is required on my server in the local network too). Try it!
I want and I need to know what is happening on my server, if multiple persons are using the account of a friend to stream files (so I will know because I will see all the different IP addresses). I don’t want to install plugins with a lot of requirements or spend my time reading log files.
I insist, this is a security risk.
And sorry for my bad English. It’s late and my brain is out…
Jammyb:
No, but anybody can break the rules if he wants. I prefer to “big brother” them to be sure. (Maybe I’m not normal but it is my server and my personal files)
I can think of no fathomable reason why you are sharing your PMS if you feel this way
Jammyb:
No, but anybody can break the rules if he wants. I prefer to "big brother" them to be sure. (Maybe I'm not normal but it is my server and my personal files)
No one can access your personal files unless you add the directories to PMS.
I'm pretty sure that if someone with a Plex account enters his username and password on my server, the connection will be a success. He will not see my files but he will be connected to his Plex account, through my server. This is really not normal. No link to local connection (and sign in is required on my server in the local network too). Try it!
If they are physically at your server of course they will be able to access the library. They don't even need a Plex Account.
If they are not physically in front of your server but on a device or PC on your local network then they will have full access unless you have option 'Require Authentication for Local Networks' set in Plex Media Server Settings
If they are remote / physically away from your location then they will not have access unless you have Open NAT on your router or running FreeNAS with the bug I mentioned. See post #6 above
In my opinion Plex should provide solutions, there would be no need to spend hours on making scripts and finding solutions because developers don't want to add a link to stop the movie of a user (a script which kills a process is a war weapon, there are a lot of specific cases) or just show the IP address to the admin (I like, when I administer a server, to know what is happening or what happened when I wasn't there).
Not sure what you are talking about ... But have a look at PlexWatch
Thank you for the answers.
Jammyb
I share my server with people I trust. But I prefer to have a look at what they do, like any administrator checks connections on his server.
sa2000
Just try to create a new Plex account. Then go to your server (through a web browser, of course not on the same machine, on your local network or not, with authentication needed on local network), and sign in to the server. It will work. You will not see any content but authentication will work. It is an issue or something that I don’t consider as normal. And I’m sure that if someone else shares his server with this account, you will be able to see this server through your own server.
About PlexWatch: I don’t want to spend time to get all the requirements, to have, at the end, information without any access control and regulation (no way to ban IP, …).
We need real administration and account regulation on Plex!
sa2000
Just try to create a new Plex account. Then go to your server (through a web browser, of course not on the same machine, on your local network or not, with authentication needed on local network), and sign in to the server. It will work. You will not see any content but authentication will work. It is an issue or something that I don't consider as normal. And I'm sure that if someone else shares his server with this account, you will be able to see this server through your own server.
Explain to me how i would do this when not on the local network. How do i go to your server and sign in to your server when not on the local network?
You just use the external IP address and try to access through port 32400 (with a router redirection to the local IP address on the network).
You just use the external IP address and try to access through port 32400 (with a router redirection to the local IP address on the network).
Yes that was mentioned in my post #6 above but they need to know your external IP address and external port (You could use one different from 32400) but their login to plex.tv when challenged will not give them access to your PMS - so it is not a security issue
They will not have access to the library but authentication will work. It is not normal. So anybody can see his own library through the web server of anybody else. We need to be able to control any access.
And I’m not convinced: we need a complete administration for security purposes. I don’t feel I’m able to control my server. The only thing I can do is to put it off if there is a problem.
there would be no need to spend hours on making scripts and finding solutions because developers don't want to add a link to stop the movie of a user (a script which kills a process is a war weapon, there are a lot of specific cases) or just show the IP address to the admin (I like, when I administer a server, to know what is happening or what happened when I wasn't there).
So instead of coding for hours (my script was put together with 5 minutes of Googling and 20 minutes of testing) you spend hours of watching the logs of a server? The goal of automation is to make life simpler, not more complex. Automating that kind of work gives you a lot of free time....
I'm pretty sure that if someone with a Plex account enters his username and password on my server, the connection will be a success. He will not see my files but he will be connected to his Plex account, through my server.
I don't think you understand the basic architecture of a Plex server. The server provides access to your own data. It can not act as media renderer for files hosted on another server. When logging on with a "foreign" account, you are probably silently redirected to their own server.
I want and I need to know what is happening on my server, if multiple persons are using the account of a friend to stream files (so I will know because I will see all the different IP addresses).
And using Plex through Home WiFi and GSM aren't possibilities that let your ip-list explode? And I don't even start with close family members logging in remote locations like hotels and their friends and family. My router logs every external Plex connection (and limits it to a sensible number) and my practical experience is that there is no way to detect the legality of a request just by its IP-address. Completely unexpected requests (originating from China or Russia) are easily detected, but from your own country is extremely hard since people move about and do what they should be doing: enjoy music and videos.
Jaap
IP black/white lists would complicate remote use of Plex dramatically, and is something a good router, or even the OS, can support for the limited cases where it may be needed.
The major security issue with Plex is that communication between the client and your plex server is not secure (no SSL). The fix for this is not black/white lists, but for Plex to fully implement SSL on PMS, however, it's not as simple as it sounds.
Jaap_van_Ekris
So you think if a feature doesn’t exist, you will make a handmade fix? I prefer to ask developers to do it (it is the subject of this topic: suggesting). Plex is not free. If they propose multiuser to Plex Pass accounts, they need to provide a way to manage it, with obvious basic features.
I understand how Plex works, and like I wrote before: anybody can see his own server through an access page in the server of anybody else. Of course, it is transparent for the server, but it is not normal as well.
jkiel
Yes, there is also the https “issue”. I will try to use a reverse proxy to solve this.
And I’m not sure it will complicate remote use, if features are used smartly by the users.