The threat detection in my firewall is reporting an increase in potential threats on my public Plex port

Server Version#: 1.25.1.5286
Player Version#: 1.39.0.2753-d48b8c8b

Hello, my Unifi firewall is reporting an increase in potential attacks on my Plex port.
Just to clarify, I use a non standard port for Plex, but that is not directly related to my question.

My question is, if you take a look at the screenshot, are these IP addresses coming from Plex or should I continue to block them and those alike?

There’s always a chance this is the current/temporary IP address of a friend who’s browsing your server (or streaming from it).

It’s none of Plex’ worker servers – though those are servers your PMS will connect to (usually not the other way around). Those connections seem to me to be spread out too thin for an actual attack or something “regular”.

The detail level on that screen is doing nothing positive for you, except instilling paranoia.
It might also have been made to convince you what a great job your firewall is doing, so that you are more likely to stick with the UBNT ecosystem.

Helpful to diagnose what’s going on and whether that is of concern, it is not.

I have very few family members accessing my server and I know they do not use VPN and none of them are located in the UK. I am just wondering if these IPs are related to Plex public services.

Otto, my question was simple: Are these public IP addresses related to Plex services? I was not asking you for your personal opinion on Unifi products. IPS/IDP is also offered by other manufacturers, so this is not some Unifi “magic”. I would be interested in seeing documentation that would back up your claims that this is false marketing just to make Unifi customers happy with their products. To me it sounds more like you are having a rough time. In that case, I hope things will go your way…

If I may augment Otto here?

If you want to confirm whether or not

nslookup plex.tv

[chuck@lizum ~.2000]$ nslookup plex.tv
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	plex.tv
Address: 52.48.253.46
Name:	plex.tv
Address: 52.18.69.157

[chuck@lizum ~.2001]$ 

Now also look in your log files after Plex starts.

You will see “MyPlex” identified addresses.

You can take any of the addresses you find and reverse lookup

Here is one example

[chuck@lizum ~.2001]$ whois 54.154.207.104

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2021, American Registry for Internet Numbers, Ltd.
#


NetRange:       54.144.0.0 - 54.221.255.255
CIDR:           54.208.0.0/13, 54.160.0.0/11, 54.144.0.0/12, 54.220.0.0/15, 54.216.0.0/14, 54.192.0.0/12
NetName:        AMAZON
NetHandle:      NET-54-144-0-0-1
Parent:         NET54 (NET-54-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   Amazon Technologies Inc. (AT-88-Z)
RegDate:        2014-10-23
Updated:        2021-02-10
Ref:            https://rdap.arin.net/registry/ip/54.144.0.0

Notice this is Amazon AWS.

This is where plex.tv resides in the cloud.

If you have any doubts about IP addresses, look them up.

– Amazon IP addresses are likely Plex
– IP addresses you can geolocate to family member locations – probably them
– Anything else - You have your answer

You’re being scanned by a supposed white hat organization that helps other security researchers. Don’t worry - you’re not being singled out as something special but part of a mass scan of the internet.

whois 89.248.165.24 brings up this little bit of information:

remarks: +-----------------------------------------------
remarks: | This net-block is not trying to hack you, we are only scanning
remarks: | for LEGIT purposes ONLY. This scanning is done by multiple
remarks: | security organizations.
remarks: | Please use The Recyber Project
remarks: | to have your ip-address and/or netblock/as number white-listed
remarks: | and excluded from this project.
remarks: | If you have any further questions please contact admin@recyber.net
remarks: +-----------------------------------------------

Their website states this:

The Recyber project assists researchers, universities and other educational instutions.
Partnered instutions use our platform to conduct their research.

So to reinforce what others have said here is if you don’t know what any of this means and have no faculty to look any of this information up yourself then running this type of system (an IDS) is pointless and is serving absolutely no purpose but to “look cool” on screen. It really is a false sense of security in this regard.

It’s not helping you to stay safe if you can’t proactively respond to anything that appears on screen by not knowing what you’re even looking at.

Also, what really has me worried is you say you use a non standard Plex port but then say you’re seeing an increase of potential attacks on your Plex port which according to the screen shot is port 32400 which is a STANDARD Plex port so I’m confused as to what you say because the information doesn’t back it up.

Sorry for my late reply. (Holidays)

@ChuckPa Thank you for your input. Do you know if there is an elastic IP scope list that Plex uses in AWS? I could use that to identify their connection attempts.

@kegbeach Thank you for taking the time. I agree with everything that you are saying. I am looking up the IPs that are being blocked and that is why I came in here and asked this question: “Are these IP addresses coming from Plex?” I could have maybe used other words, but I assumed I would be understood. English is not my native language.

I have missed the remark: “RECYBER PROJECT NETBLOCK” when I looked it up on icann.org. Where do you get the extended remark information, what do you use to look up 89.248.165.24?

Unifi UDM Pro:
I have only 1x port open in my firewall and that is the port I have chosen for Plex Server.
See picture: let’s call the public Plex port “8”. The forward port is then “8” and the destination port is IP:32400.

Then in Plex Server:
Private port is: IP:32400 and Public is: IP:32400

Plex port forwarding is working fine both inside and outside my network.

I agree with you that it looks strange in IPS/IDS that public connections are connecting in on the internal Plex port 32400 since they must be hitting “8”. But that would not be the first Unifi bug that I have come across :smiley:

I totally understand that there are some that prefer other firewalls, but I am pretty invested into Unifi and I enjoy learning and understanding more about how things are operating on my network.

Again, I come here to look for answers about those IP addresses and fortunately someone like yourself takes the time to educate. For that I am thankful.

Everyone gets a slightly different IP range because Plex has AWS servers all over the world.

What you can do, with high reliability, is look for the MyPlex IP address block when PMS starts up.

The list presented there in your logs are those server IPs which are closest to you.

You can then whitelist those IPs.

AWS IPs do change from time to time (thanks Amazon :roll_eyes: ) so if you do get an alert, go look at your logs and update appropriately.

This way, if you get a request from an IP address way out of the range AND one you don’t recognize, you can decide what to do with it.

I implemented a closed list mechanism.

  1. I update the AWS list I see every quarter
  2. I have everyone I share with create a FQDN DDNS which they provide me.

In my firewall, I created two things -

  1. An alias, “PlexAllowedRemotes” which contains the IP addresses from Plex, and the DDNS names.
  2. I then created a rule to pass only “PlexAllowedRemotes” through my external port.

I could give you my WAN IP and port here in the forum knowing with absolute certainty that you won’t get a reply from my server unless I approve your access and add you to that list.
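The closed-list mechanism described in the post above, as an added example that is not part of the original thread or of any firewall's own code: it expands an alias of static addresses plus DDNS names into networks and checks source addresses against it. The DDNS names, the `fake_resolver` stand-in and the list of seen sources are constructed for illustration; the two static entries are the plex.tv addresses from the nslookup output earlier in the thread.

```python
import ipaddress
import socket

# Static entries: the two plex.tv addresses from the nslookup output above.
STATIC = ["52.48.253.46", "52.18.69.157"]
# Hypothetical DDNS names supplied by people the server is shared with.
DDNS_NAMES = ["aunt.ddns.example", "gone.ddns.example"]

def fake_resolver(name, port):
    """Constructed offline stand-in for socket.getaddrinfo."""
    table = {"aunt.ddns.example": "203.0.113.7"}  # documentation range
    if name not in table:
        raise socket.gaierror("name not found")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (table[name], 0))]

def build_alias(static, ddns_names, resolver=socket.getaddrinfo):
    """Expand IPs/CIDRs and DDNS names into a list of networks."""
    nets = [ipaddress.ip_network(e, strict=False) for e in static]
    for name in ddns_names:
        try:
            infos = resolver(name, None)
        except OSError:
            continue  # unresolvable name adds nothing, so it fails closed
        nets += [ipaddress.ip_network(i[4][0]) for i in infos]
    return nets

def verdict(src, alias):
    """Return 'pass' only if the source address is inside the alias."""
    ip = ipaddress.ip_address(src)
    return "pass" if any(ip in net for net in alias) else "drop"

def triage(sources, alias):
    """Group unique source addresses by verdict."""
    out = {"pass": set(), "drop": set()}
    for src in sources:
        out[verdict(src, alias)].add(src)
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    alias = build_alias(STATIC, DDNS_NAMES, fake_resolver)
    # Constructed sample of source addresses seen on the forwarded port.
    seen = ["52.48.253.46", "203.0.113.7", "89.248.165.24", "198.51.100.9"]
    print(triage(seen, alias))
```

Because DDNS addresses change, the alias has to be rebuilt on a schedule; a name that stops resolving simply drops out of the list until it resolves again.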
