Understanding potential security breach

Server Version#: 1.19.2.2737 (waiting to update now until this question is resolved)
Player Version#: Irrelevant?

I got a notification on my phone about 2 hours ago that a new device had been added to my account. I’m the server owner and only admin and was nowhere near Plex when it happened (sitting in the same room as the server but not on any device). I checked and a new user had just been added to my server accessing from a Windows PC. I don’t have any Windows devices so I immediately removed the user and began investigating as best I could with minimal understanding of network security.

In the last hour I updated and added HTTP login credentials to Tautulli and have tried to tighten security wherever else I could on Tautulli and Plex. I didn’t have anything for SSL or Port Forwarding or HTTPS set up and still don’t because I was unsure how to properly do any of that despite plenty of googling.

I just went through the logs from around the time I got the ping on my phone and found the initial authentication with an IP address I have no connection to whatsoever (somewhere near Newark, NJ according to IPLookup). Looks like Relay was used to connect, but the part that still troubles me the most is this snippet from the log (VERBOSE lines removed because I thought I was supposed to do that):

Jun 24, 2020 12:37:01.602 [0x7fd5a4ff9700] INFO - [PlexRelay] Allocated port 23807 for remote forward to 127.0.0.1:32401
Jun 24, 2020 12:37:01.868 [0x7fd5c4f22700] DEBUG - Auth: Refreshing tokens inside the token-based authentication filter.
Jun 24, 2020 12:37:01.868 [0x7fd5c4f22700] DEBUG - HTTP requesting GET https://plex.tv/api/v2/server/access_tokens?auth_token=xxxxxxxxxxxxxxxxxxxx&includeProfiles=1&includeProviders=1&unknownToken=xxxxxxxxxxxxxxxxxxxx
Jun 24, 2020 12:37:02.429 [0x7fd5c4f22700] DEBUG - HTTP 200 response from GET https://plex.tv/api/v2/server/access_tokens?auth_token=xxxxxxxxxxxxxxxxxxxx&includeProfiles=1&includeProviders=1&unknownToken=xxxxxxxxxxxxxxxxxxxx
Jun 24, 2020 12:37:02.431 [0x7fd5c4f22700] DEBUG - MyPlex: updating with 31 access tokens

I don’t like the sound of 31 access tokens being added as soon as an IP address I’ve never seen gets access and a new user gets added. Please help me understand what this means, what I should do immediately, and what I should do in the very near future to prevent whatever this was from happening again. I can provide any logs that are needed for more detail. Thanks in advance and sorry if my first post on this forum was too long and poorly executed lol.
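One way to go through the log around the notification time, added here as an illustration and not part of the original post or of any Plex tooling: parse lines in the shape quoted above, strip the auth_token/unknownToken values from anything you intend to paste (they are x'd out above, but a real server log carries the live token in that plex.tv URL), and flag a "MyPlex: updating with N access tokens" line that lands within a few seconds of a PlexRelay port allocation. The sample input is four of the lines quoted above plus one constructed token refresh earlier the same morning with no relay before it; the regexes, the five-second window and the X-Plex-Token parameter name (not in the snippet) are assumptions of this example. A flagged pair is the sequence to review, not proof of compromise on its own: the DEBUG line above says the refresh runs inside the authentication filter, so whether it is benign depends on whether the request that triggered it was.

```python
import re
from datetime import datetime, timedelta

# Line shape taken from the Plex Media Server snippet in the post above, e.g.
#   Jun 24, 2020 12:37:01.602 [0x7fd5a4ff9700] INFO - [PlexRelay] Allocated port 23807 ...
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<thread>0x[0-9a-fA-F]+)\] (?P<level>[A-Z]+) - (?P<msg>.*)$"
)
# Query parameters that carry a live Plex token. auth_token and unknownToken
# appear in the snippet; X-Plex-Token is added by this example (assumption),
# since it is the name Plex URLs usually use elsewhere.
TOKEN_RE = re.compile(r"(auth_token|unknownToken|X-Plex-Token)=([^&\s]+)")
RELAY_RE = re.compile(r"\[PlexRelay\] Allocated port (\d+) for remote forward to (\S+)")
UPDATE_RE = re.compile(r"MyPlex: updating with (\d+) access tokens")


def parse_line(line):
    """Split one log line into timestamp, thread, level and message; None if it is not a log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S.%f"),
        "thread": m["thread"],
        "level": m["level"],
        "msg": m["msg"],
    }


def redact_tokens(line):
    """Replace token values in URLs so the line is safe to paste into a forum post."""
    return TOKEN_RE.sub(lambda m: f"{m.group(1)}=<redacted>", line)


def correlate(lines, window=timedelta(seconds=5)):
    """Return (relay_allocations, token_updates, suspicious_pairs).

    A pair is recorded as suspicious when an access-token refresh lands within
    `window` after a PlexRelay port allocation, the order seen in the post.
    """
    relays, updates, suspicious = [], [], []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        r = RELAY_RE.search(rec["msg"])
        if r:
            relays.append({"ts": rec["ts"], "port": int(r.group(1)), "target": r.group(2)})
            continue
        u = UPDATE_RE.search(rec["msg"])
        if u:
            upd = {"ts": rec["ts"], "count": int(u.group(1)), "line": redact_tokens(raw)}
            updates.append(upd)
            for rel in relays:
                if timedelta(0) <= upd["ts"] - rel["ts"] <= window:
                    suspicious.append((rel, upd))
    return relays, updates, suspicious


# Constructed sample: four lines quoted in the post (tokens already x'd out)
# plus one made-up token refresh three hours earlier with no relay before it.
SAMPLE_LOG = """\
Jun 24, 2020 09:15:00.000 [0x7fd5c4f22700] DEBUG - MyPlex: updating with 31 access tokens
Jun 24, 2020 12:37:01.602 [0x7fd5a4ff9700] INFO - [PlexRelay] Allocated port 23807 for remote forward to 127.0.0.1:32401
Jun 24, 2020 12:37:01.868 [0x7fd5c4f22700] DEBUG - Auth: Refreshing tokens inside the token-based authentication filter.
Jun 24, 2020 12:37:01.868 [0x7fd5c4f22700] DEBUG - HTTP requesting GET https://plex.tv/api/v2/server/access_tokens?auth_token=xxxxxxxxxxxxxxxxxxxx&includeProfiles=1&includeProviders=1&unknownToken=xxxxxxxxxxxxxxxxxxxx
Jun 24, 2020 12:37:02.431 [0x7fd5c4f22700] DEBUG - MyPlex: updating with 31 access tokens
"""

if __name__ == "__main__":
    relays, updates, suspicious = correlate(SAMPLE_LOG.splitlines())
    print(f"{len(relays)} relay allocation(s), {len(updates)} token refresh(es), {len(suspicious)} to review")
    for rel, upd in suspicious:
        print(f"relay port {rel['port']} -> {rel['target']} at {rel['ts']:%H:%M:%S.%f}, "
              f"then {upd['count']} access tokens at {upd['ts']:%H:%M:%S.%f}")
```

Run it against the real "Plex Media Server.log" by feeding the file's lines to `correlate`; the early-morning refresh in the sample is not flagged because no relay allocation precedes it, while the 12:37 pair is. Use `redact_tokens` on every line before sharing a log excerpt, since anything with a live token in it lets the holder act as that account until the token is revoked.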

Change your password and click this option which will revoke access from all devices.


Plex can add 2FA any time now… any time now…
