Unknown outbound connections from port 32400

So I recently figured out that my server was directly exposed to the internet (thank you to the person that changed my server name to alert me).

So, I’ve disabled remote access in the server settings and I’ve blocked the inbound firewall NAT rule. I now see that traffic is trying to go from my server leaving on port 32400 to places all around the world (sg, mx, ie, various US ISPs (verizon, mycingular, etc.)). What could be causing this?

@depasseg said:
So I recently figured out that my server was directly exposed to the internet (thank you to the person that changed my server name to alert me).

So, I’ve disabled remote access in the server settings and I’ve blocked the inbound firewall NAT rule. I now see that traffic is trying to go from my server leaving on port 32400 to places all around the world (sg, mx, ie, various US ISPs (verizon, mycingular, etc.)). What could be causing this?

The remote access for Plex, and the port to get data.

@starbetrayer said:
The remote access for Plex, and the port to get data.

Which would make sense if remote access was enabled and allowed through the firewall. But remote access is disabled and both inbound and outbound port 32400 traffic is blocked at the firewall.

Plex goes to get metadata through port 32400 as well.

It looks like metadata is retrieved using HTTPS from random high number ports on the server to port 443 at Google, Amazon and Linode. I don’t think it’s looking in Singapore, Mexico, Ireland and ATT wireless phones for metadata. :)

The plex.tv servers are in Ireland.

I don’t think these are Plex servers:

tcp4 0 0 192.168.1.107.32400 162-235-5-192.lightspeed.irvnca.sbcglobal.net.50366 TIME_WAIT
tcp4 0 0 192.168.1.107.32400 google-proxy-66-249-84-241.google.com.36733 TIME_WAIT
tcp4 0 0 192.168.1.107.32400 72.132.3.123.sta.dodo.net.au.50787 FIN_WAIT_2
tcp4 0 0 192.168.1.107.32400 c-76-99-7-124.hsd1.pa.comcast.net.59487 FIN_WAIT_2
tcp4 0 0 192.168.1.107.32400 172.58.200.36.32820 FIN_WAIT_2
tcp4 0 0 192.168.1.107.32400 139.sub-70-209-51.myvzw.com.2913 ESTABLISHED
tcp4 0 0 192.168.1.107.32400 139.sub-70-209-51.myvzw.com.2940 ESTABLISHED
tcp4 0 0 192.168.1.107.32400 139.sub-70-209-51.myvzw.com.2912 FIN_WAIT_2
tcp4 0 0 192.168.1.107.32400 139.sub-70-209-51.myvzw.com.2930 TIME_WAIT
tcp4 0 0 192.168.1.107.32400 dsl-187-173-202-118-dyn.prod-infinitum.com.mx.50896 ESTABLISHED
tcp4 0 0 192.168.1.107.32400 dsl-187-173-202-118-dyn.prod-infinitum.com.mx.50895 ESTABLISHED
tcp4 0 0 192.168.1.107.32400 c-76-99-7-124.hsd1.pa.comcast.net.59488 FIN_WAIT_2
tcp4 0 0 192.168.1.107.32400 c86-211.i11-5.onvol.net.53267 LAST_ACK
tcp4 0 0 192.168.1.107.32400 72.132.3.123.sta.dodo.net.au.50787 FIN_WAIT_2
tcp4 0 0 192.168.1.107.32400 168.21.30.109.rev.sfr.net.63580 TIME_WAIT
tcp4 0 0 192.168.1.107.32400 168.21.30.109.rev.sfr.net.63584 TIME_WAIT
tcp4 0 0 192.168.1.107.32400 168.21.30.109.rev.sfr.net.63581 TIME_WAIT
tcp4 0 0 192.168.1.107.32400 72.132.3.123.sta.dodo.net.au.50935 FIN_WAIT_2
tcp4 0 0 192.168.1.107.32400 c-76-99-7-124.hsd1.pa.comcast.net.59488 FIN_WAIT_2
tcp4 0 0 192.168.1.107.32400 c86-211.i11-5.onvol.net.53267 LAST_ACK
tcp4 0 0 192.168.1.107.32400 72.132.3.123.sta.dodo.net.au.50787 FIN_WAIT_2
tcp4 0 997 192.168.1.107.32400 97-89-226-215.static.snfr.nc.charter.com.52162 ESTABLISHED
tcp4 0 0 192.168.1.107.32400 97-89-226-215.static.snfr.nc.charter.com.52161 ESTABLISHED
tcp4 0 0 192.168.1.107.32400 97-89-226-215.static.snfr.nc.charter.com.52160 ESTABLISHED
tcp4 0 0 192.168.1.107.32400 97-89-226-215.static.snfr.nc.charter.com.52158 ESTABLISHED
tcp4 0 0 192.168.1.107.32400 97-89-226-215.static.snfr.nc.charter.com.52159 ESTABLISHED
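
Reading direction out of a listing like the one above, as an added example (not code from the thread or from Plex): a row whose local port is a listening port is a connection the host accepted, while a row with an ephemeral local port is one it initiated. The sample rows are constructed with documentation addresses, and the BSD `host.port` column layout and the function names are assumptions of this sketch.

```python
from collections import Counter

# Constructed sample in the BSD netstat layout used in the thread:
# proto, recv-q, send-q, local host.port, foreign host.port, state.
SAMPLE = """\
tcp4 0 0 *.32400 *.* LISTEN
tcp4 0 0 192.168.1.107.32400 host-a.example.net.50366 TIME_WAIT
tcp4 0 0 192.168.1.107.32400 203.0.113.36.32820 FIN_WAIT_2
tcp4 0 997 192.168.1.107.32400 host-b.example.net.52162 ESTABLISHED
tcp4 0 0 192.168.1.107.32400 host-b.example.net.52161 ESTABLISHED
tcp4 0 0 192.168.1.107.51844 198.51.100.20.443 ESTABLISHED
"""

def split_endpoint(endpoint):
    """BSD netstat joins host and port with a dot, so split on the last one."""
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port.isdigit() else None)

def parse(text):
    """Yield (local_port, remote_host, remote_port, state) per TCP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0].startswith("tcp"):
            _, lport = split_endpoint(f[3])
            rhost, rport = split_endpoint(f[4])
            yield lport, rhost, rport, f[5]

def classify(text, known_listeners=(32400,)):
    """Split connections into accepted (inbound) and initiated (outbound).

    Heuristic: a local port that is listening belongs to a connection
    the peer opened. known_listeners covers output that was filtered and
    no longer contains the LISTEN rows.
    """
    rows = list(parse(text))
    listeners = set(known_listeners)
    listeners |= {lport for lport, _, _, state in rows if state == "LISTEN"}
    inbound, outbound = Counter(), Counter()
    for lport, rhost, rport, state in rows:
        if state == "LISTEN":
            continue
        if lport in listeners:
            inbound[rhost] += 1
        else:
            outbound[(rhost, rport)] += 1
    return inbound, outbound

if __name__ == "__main__":
    inbound, outbound = classify(SAMPLE)
    for host, count in inbound.most_common():
        print(f"accepted on listening port: {host} x{count}")
    for (host, port), count in outbound.items():
        print(f"initiated by this host: {host}:{port} x{count}")
```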

Have you installed any Channels or Torrent Clients, or is this the only app running on this computer?

There aren’t any channels, and I haven’t installed anything else. This is in a FreeNAS jail.

Just commenting on the first post - there were some FreeNAS plugin releases that had an incorrect Preferences.xml released which had a preset MachineIdentifier and also had the setting disableRemoteSecurity set to 1. This problem goes back a couple of years and did get reported in the forums for 12 months or so after that - so maybe you had a bad download for the Plex Media Server install on the FreeNAS and picked up some old faulty install file.

See if your Preferences.xml has the disableRemoteSecurity key.
The advanced settings are covered by this support page: https://support.plex.tv/hc/en-us/articles/201105343-Advanced-Server-Settings

This of course has no bearing on outbound connections to TCP port 32400.

This jail has been running for a long time (over a year), but was updated in ~Jan. The original problem I believe was due to me setting disableRemoteSecurity to 1 a little while ago to do some troubleshooting and forgetting to switch it back. (there is a checkbox in the jail setup which makes this easy). So it was 0 for a long time, and is now set back to 0.

Is there a way to get a new machine identifier? I’ve tried reclaiming the server with my credentials, but that doesn’t seem to help.

I’ve also reset my password and forced devices to re-authenticate. And I also noticed a bunch of unknown devices which I’ve deleted.

I’ve even rolled back the server snapshot state to before I made the change (and was accessible). And somehow the connections keep getting established.

It’s almost like my server checks in with Plex, and gets a list of clients to go talk to, and reaches out to them, over and over.

And I’m in the process of setting up a new jail. I’m afraid to move anything from one to the other (in terms of settings). Is there a safe way to capture the “watched” history to migrate that without possibly bringing this issue with me?

I believe with disableRemoteSecurity set correctly then all remote attempts will need to authenticate and connections will bounce.

Why not also change your public port, so port forward that to local port 32400 and enter the new public port in the “manually specify public port” field?

I think if you change the MachineIdentifier keys then you probably lose all previous watched status - unless the tool provided by @MovieFan.Plex here can help: https://forums.plex.tv/discussion/120292/moviefans-database-tool-for-plex/p1

I’m seeing that. The connections are bouncing, but it’s strange that they are happening in the first place.

I’ve also changed the port, but outgoing connections still try to get established.

And the MovieFan tool looks like it’s Windows only.

With debug logging on the server enabled you would then be able to see all requests coming in to the server and how they are handled.

This seems like a lot of pubsub announcements.

May 23, 2016 17:41:59 [0x80e227400] DEBUG - HTTP requesting POST https://plex.tv/servers.xml?auth_token=xxxxxxxxxxxxxxxxxxxx
May 23, 2016 17:41:59 [0x80c914c00] DEBUG - PubSubManager: Time to connect to 45.33.73.209 was 61 ms.
May 23, 2016 17:41:59 [0x80c914c00] DEBUG - PubSubManager: Time to connect to 45.79.198.112 was 110 ms.
May 23, 2016 17:41:59 [0x80c914c00] DEBUG - PubSubManager: Time to connect to 45.79.11.43 was 165 ms.
May 23, 2016 17:41:59 [0x80c914c00] DEBUG - PubSubManager: Time to connect to 109.237.24.233 was 182 ms.
May 23, 2016 17:41:59 [0x80c914c00] DEBUG - PubSubManager: Time to connect to 173.255.253.36 was 182 ms.
May 23, 2016 17:41:59 [0x80c914c00] DEBUG - PubSubManager: Time to connect to 82.94.168.14 was 235 ms.
May 23, 2016 17:41:59 [0x80c914c00] DEBUG - PubSubManager: Time to connect to 104.214.144.122 was 380 ms.
May 23, 2016 17:41:59 [0x80c914c00] DEBUG - PubSubManager: Time to connect to 139.162.7.93 was 525 ms.
May 23, 2016 17:41:59 [0x80c914c00] DEBUG - PubSubManager: Updating best ping time for 45.33.73.209 to 61 ms.

The above messages are normal. Plex maintains several pubsub servers around the world and PMS will test all of them to determine the best server to connect to. This is for the relay feature.

Also keep in mind that turning off remote access in PMS does not remove the port forwarding in your router if you set one up manually. It would still be possible for someone to try to connect to your network and if port forwarding is still enabled, the requests would still get to your computer.

And yes, my tool is for Windows. No, you will not lose watched status by changing the machine identifier. My tool will not help with this in any way.

@MovieFan.Plex said:
The above messages are normal. Plex maintains several pubsub servers around the world and PMS will test all of them to determine the best server to connect to. This is for the relay feature.

Also keep in mind that turning off remote access in PMS does not remove the port forwarding in your router if you set one up manually. It would still be possible for someone to try to connect to your network and if port forwarding is still enabled, the requests would still get to your computer.

And yes, my tool is for Windows. No, you will not lose watched status by changing the machine identifier. My tool will not help with this in any way.

Thank you for the pubsub clarification. And the tip on remote access vs port-forwarding. I did realize that, but appreciate the tip.

Port forwarding is disabled on my router and I have changed the external port (just in case something else was allowing the traffic into my network), and I still saw connections on port 32400 on my PMS. Which would lead me to think that either something got loaded on the machine and was initiating outbound or some sort of configuration is coming from Plex to my server saying “hey, go talk to these clients”.

In the past 12 hours, I’ve slowly seen a reduction in outbound attempts. Maybe it’s because I’m blocking outbound traffic coming from my PMS with a source port of 32400 and that is slowly clearing things up.

The Plex Media Server.log with Debug Logging enabled will show all requests coming in from external IP Addresses and they would be challenged to authenticate. If there are no logged Request entries from external IP Addresses then these communications are not related to external requests coming in.

You did say earlier that the requests are bounced - so is there nothing in the logs relating to that?

I appreciate the guidance, but I just didn’t have the time to go through each line of the log file and compare it to the connections I was seeing (I did see in plexWatchWeb that I had a bunch of “local” connections from non-local addresses as well as usernames that I don’t know). The removal of the manual NAT rule as well as removal of all “web devices”, and forced relogin with new password and PIN have improved things. For peace of mind, though, I just ended up configuring a new jail.