How to Make Your Plex Server More Secure Using a Simple Domain Name

Publish date: 2024-05-13

Plex is one of the most popular ways to self-host a media library on Windows, macOS, and Linux. With it, you can stream your films, shows, and music to any device, anywhere. But many users expose it in a way that leaves their server, and potentially their whole home network, open to attackers.

So what's the problem with running Plex? How can you fix it? How can you make your Plex server more secure?

Is Your Plex Server Really Secure?

The premise of Plex is simple. You keep a large media library at home, on a desktop PC, a Raspberry Pi, or a NAS, and with the Plex server software you can use dedicated apps or a browser to guzzle media to your heart's content. If you pay for extras such as the Plex Pass, you can even watch and record live TV broadcasts and sync progress across devices.

To do this, you direct the devices in your home to port 32400 on the host machine. If you want to consume media while out and about (on the train, in a coffee shop, or at a friend's house, for instance), you need to open port 32400 on your router and forward traffic to that same port on your PC. You can then reach your Plex media server from anywhere at http://your.public.ip.address:32400. So far, so simple.

A connection made that way, to a bare IP address over plain HTTP, is unencrypted. And that is a major problem.

Why Is It Dangerous to Run Plex Over an Unencrypted Connection?

Over an unencrypted connection, your traffic is vulnerable to a Man-in-the-Middle (MITM) attack. Anyone on the network path, such as whoever runs the coffee shop's Wi-Fi, can read your traffic, tamper with the responses your player receives, and capture your Plex username and password or the X-Plex-Token that Plex clients send with every request. With that token, an attacker can use your server as if they were you.

The situation is made worse by security vulnerabilities in Plex Media Server itself. Plex patches these regularly, and their details are then published, so attackers know exactly what to look for. Unfortunately, not all users keep their server up to date, and some may not have updated in years. Server versions older than 1.18.2, for instance, have known vulnerabilities through which an attacker can take over the host system, and a server exposed directly to the internet puts those bugs within reach of anyone who finds it.

Criminals and other interested parties have free, open source tools such as Robert David Graham's MASSCAN, which can sweep the entire IPv4 address space for a single port in a matter of minutes. That makes it trivial to build a list of every IP address with port 32400 open.

Why You Should Access Plex Through a Domain Name With TLS

Most servers on the internet are reached through two standard ports: 80 for unencrypted HTTP, and 443 for HTTPS (the extra "S" stands for "Secure"), which wraps HTTP in Transport Layer Security (TLS). With a properly validated certificate, TLS defeats MITM attacks: an interceptor cannot read or alter the traffic without presenting a certificate your client will reject. Running Plex behind one of these ports also means a mass scan for port 32400 will not find it. A scanner that probes port 443 will still see an HTTPS server, but it will not know it is Plex unless it looks further, and everything it could capture is encrypted. Plain HTTP on port 80 gains you nothing against MITM, so HTTPS is the only sensible choice.

Domain names are cheap, a few dollars a year from any registrar. With one, you can configure a reverse proxy so that traffic to your Plex server arrives over port 443 and port 32400 is never exposed to the internet.

One way of doing this is to use a cheap Raspberry Pi Zero W (around $10) as the middleman: it terminates TLS and forwards requests to the Plex machine on your LAN.

How to Use a Raspberry Pi to Protect Your Plex Server

The first thing to do is visit your registrar's DNS settings page (often labelled Advanced DNS). Remove any existing A or AAAA records for the domain that point elsewhere, then create a new A record with the host set to "@", the value set to your public IP address, and the lowest TTL the registrar allows. A low TTL limits the outage if your ISP changes your public IP, but you will still need to update the record; a dynamic DNS client running on the Pi can automate that.

Now, log into your router's admin panel. Forward ports 80 and 443 to the local IP address of your Raspberry Pi Zero (give the Pi a static DHCP lease so that address does not change). Remove the existing forward for port 32400, and in Plex's own settings (Settings > Remote Access) disable Remote Access, otherwise Plex may re-open the port itself via UPnP or NAT-PMP.

After you have installed Raspberry Pi OS, use secure shell (SSH) to log into your Raspberry Pi, substituting the username you chose when imaging the card:

ssh pi@your.pi.local.ip 

Refresh the package lists and upgrade the installed packages:

sudo apt update
sudo apt upgrade

Install the Apache web server (the package name is lowercase):

sudo apt install apache2
sudo systemctl start apache2
sudo systemctl enable apache2

Install Certbot, the client that obtains and renews TLS certificates from Let's Encrypt, a free, automated certificate authority. On Raspberry Pi OS (which is Debian-based) Certbot and its Apache plugin are in the standard repositories, so no third-party PPA is needed:

sudo apt install certbot python3-certbot-apache

Change to Apache's site configuration directory and use the nano text editor to create a new virtual host that forwards all requests for your domain name to the machine which hosts the Plex server:

cd /etc/apache2/sites-available
sudo nano plex.conf

You will be presented with a blank text file. Paste in the following, replacing the domain and the Plex machine's LAN address with your own (the original RewriteCond lines did nothing on their own; the RewriteRule that hands WebSocket upgrades to mod_proxy_wstunnel is required, as is ProxyPassReverse so redirects from Plex are rewritten to your domain):

<VirtualHost *:80>
    ServerName your-domain-name.tld

    # Forward every request for this host to the Plex machine on the LAN
    ProxyPreserveHost On
    ProxyPass        / http://your.plex.server.local.ip:32400/
    ProxyPassReverse / http://your.plex.server.local.ip:32400/

    # Plex clients use WebSockets; hand upgrade requests to mod_proxy_wstunnel
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) ws://your.plex.server.local.ip:32400/$1 [P,L]
</VirtualHost>

Save and exit nano with Ctrl + O, Enter, then Ctrl + X.

Enable the Apache modules the configuration relies on, enable the site, check the configuration parses, and restart Apache:

sudo a2enmod proxy proxy_http proxy_wstunnel rewrite
sudo a2ensite plex.conf
sudo apache2ctl configtest
sudo systemctl restart apache2

Run Certbot with its Apache plugin to obtain a certificate and key from Let's Encrypt and install them into the site configuration. Certbot proves you control the domain with an HTTP-01 challenge, which is why port 80 must already be forwarded to the Pi and the DNS record must have propagated:

sudo certbot --apache -d your-domain-name.tld

Enter your email address when prompted and agree to the terms of service. When Certbot asks whether to redirect HTTP traffic to HTTPS, choose the redirect, so that nothing is ever served over plain port 80.

Certbot writes a matching *:443 virtual host containing the certificate and key, installs a systemd timer that renews the certificate automatically before it expires, and reloads Apache. Restart Apache once more to be sure the new configuration is live:

sudo systemctl restart apache2

Log out of your Raspberry Pi Zero:

exit 

Your Plex Server Is Now Off Plex's Port and Behind TLS

By following these instructions, you have closed port 32400 and moved your Plex server behind a TLS-terminating reverse proxy, while keeping it reachable through your own domain name. A scanner sweeping the internet for port 32400 will no longer find you, and everything between your player and your home is encrypted. Be clear about what this does and does not achieve, though: port 443 is still open and discoverable, so the server is not invisible, it has simply stopped advertising itself as Plex on Plex's port. The Raspberry Pi is now your internet-facing surface, so keep Raspberry Pi OS, Apache, and Plex itself patched. Two loose ends: add https://your-domain-name.tld:443 under Settings > Network > Custom server access URLs in Plex so the apps find your server through the proxy, and remember that the hop from the Pi to the Plex machine is still plain HTTP, which is acceptable on a trusted home LAN. With that done, you can relax and enjoy the latest episodes of House of the Dragon without worrying about who's trying to break into your network.
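To confirm those claims from the outside rather than take them on trust, here is an added check script. It is example code written for the setup this article describes, not part of the original piece and not Plex's own tooling. It assumes the domain, the proxy on port 443, and the closed port 32400 from the steps above; it resolves the domain, verifies that port 32400 no longer answers on your public IP, verifies the TLS certificate against Python's default trust store, then reads the server version from Plex's unauthenticated /identity endpoint through the proxy and compares it with the article's 1.18.2 cut-off. The sample XML is constructed for illustration. Run it from outside your home network, for example over a phone hotspot, otherwise the port check only tests your own router.

```python
"""Post-setup exposure check for a Plex server published behind a TLS reverse proxy.

Added example, not part of the original article. Assumes the article's setup:
a domain pointing at your public IP, a reverse proxy answering on 443, and the
direct port 32400 no longer forwarded. Run from OUTSIDE your LAN.

Usage: python3 plex_check.py your-domain-name.tld
"""
import socket
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

PLEX_PORT = 32400
# The article's cut-off for "update before exposing"; raise it to the current release.
MIN_VERSION = (1, 18, 2)

# Constructed sample of what Plex returns on GET /identity (not a real server's output).
SAMPLE_IDENTITY = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<MediaContainer size="0" claimed="1" machineIdentifier="abc123"'
    b' version="1.40.2.8395-c67dce28e"></MediaContainer>'
)


def parse_version(version: str) -> tuple:
    """'1.40.2.8395-c67dce28e' -> (1, 40, 2, 8395); the build hash after '-' is ignored."""
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split(".") if part.isdigit())


def is_outdated(version: str, minimum=MIN_VERSION) -> bool:
    """True if the server version is older than the minimum acceptable release."""
    return parse_version(version) < minimum


def parse_identity(body: bytes) -> dict:
    """Parse the XML from Plex's unauthenticated /identity endpoint."""
    root = ET.fromstring(body)
    return {
        "version": root.get("version"),
        "machineIdentifier": root.get("machineIdentifier"),
        "claimed": root.get("claimed") == "1",
    }


def port_is_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect probe: exactly what a mass scanner learns about host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_identity_over_tls(domain: str) -> dict:
    """GET https://domain/identity with full chain and hostname verification (SNI set).

    ssl.create_default_context() verifies the certificate, so an interceptor
    presenting a bogus one makes this raise ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    req = urllib.request.Request(f"https://{domain}/identity",
                                 headers={"Accept": "application/xml"})
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return parse_identity(resp.read())


def main(domain: str) -> int:
    public_ip = socket.gethostbyname(domain)
    print(f"{domain} resolves to {public_ip}")

    if port_is_open(public_ip, PLEX_PORT):
        print(f"FAIL: {public_ip}:{PLEX_PORT} still answers; remove the router forward "
              "and disable Plex Remote Access (it can re-open the port via UPnP).")
        return 1
    print(f"ok: {public_ip}:{PLEX_PORT} is not reachable")

    identity = fetch_identity_over_tls(domain)
    print(f"ok: TLS handshake and certificate for {domain} verified")
    print(f"Plex {identity['version']} (machineIdentifier {identity['machineIdentifier']})")
    if is_outdated(identity["version"]):
        print("FAIL: server is older than the minimum version; update Plex before leaving it exposed.")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Because the check opens an ordinary TLS connection with certificate verification enabled, a pass also tells you that the certificate Certbot installed is trusted by a stock client. If the script raises ssl.SSLCertVerificationError, the proxy is serving the wrong certificate or something between you and home is intercepting the connection.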
