Plex mediaserver on FreeNAS allowing anyone to stream without login

I’ve been a user of Plex mediaserver for over two years, I set this up on a FreeNAS jail a long time ago and in the past few days I noticed something funny.

Out of nowhere there were two additional streams going on in my server onto the internet, I usually share my library with friends and family but what was curious about this traffic was that Plex was claiming that these two streams were “on my local network”

After reviewing firewall logs and traffic reports (pfSense), I saw traffic from some Australia IP addresses as well as Egypt on my plex port. I discovered that when I setup Plex on FreeNAS I had followed someone’s guide and steps and there was a setting that the guide required on file /usr/pbi/plexmediaserver-amd64/plexdata/Plex Media Server/Preferences.xml

disableRemoteSecurity="1"

Somehow for the past 2 years this has gone undetected, mostly because I have never (until now) detected anyone that I did not trust streaming my media library. Some Google searches told part of the story, some websites and facebook pages started sharing links to my public IP address and plex port.

I setup a quick SSH tunnel to one of my servers to get an ‘external’ view from outside my network and sure enough, you could see my library and stream anything, no login required!

After some research, even though my plex settings were set to require a login to be able to stream settings set on the Plex server settings page were being ignored. Finally when I checked the XML file manually I found out that the security was being disabled and so that is why Plex was not applying the settings.

If you have noticed any weird traffic or use the setting above on your FreeNAS + Plex jail – please be wary and you may want to close that loophole by removing that string from the XML Preferences file and restart Plex. You can whitelist your local network so that no login is required (I have 172.16.0.0/20 whitelisted).

It remains a mystery how these people found my public IP address, but I assume someone port scanned me for vulnerabilities and found the web portal wide open, so they started sharing the link.

Leave a Reply