December 27, 2025Dec 27 Hi all, I 90% run my unraid server as a plex media server and 10% of the time for random mass storage. I was looking into my plex configuration and peeked at the system log and noticed about 5k login attempts the other day. It looks like someone was trying to brute force their way in with a bunch of random users i.e test, guest, user, sysadmin, root, etc trying what looks like 4 times each before trying again. This lasted all of about 4 minutes according to the log.I saw zero successful logins in the log, but it made me start to double check my security position on the server.I have no users named any of the things they tried (except root obviously since that cant be removed)All users have secure passwords stored in a password managerAll shares are setup for read only for all users and I enable writing when I need to add some movies then remove the permission again.All smb shares are setup as Secure or PrivateThe only port forwarded to the server from my router is the plex tcp portSo with all that said. Is this just something I have to deal with since I have a server on the internet or is there something else I can do to prevent these sort of brute force attacks? Is there something I have misconfigured that is allowing this to be allowed in the first place?Thanks Edited December 27, 2025Dec 27 by Medwynd
December 27, 2025Dec 27 welcome to the internet 😁As soon as you open a port, you will have visitors. Depending on the service you run the attacks will be visible or not, but they are there, always.You COULD install a firewall, log these addresses and block them for further actions. You COULD install a program like FAIL2BAN that will do this blocking almost automatically for you. But still there will be time when somebody slips through.So make sure you have good passwords (2FA is even better) for all your accounts and never use standard users/passwords. Also it is good practice NOT to allow all outgoing traffic automatically like windows does.Better play it safe and restrict the outgoing ports too. So you will get informed about internal malware that tries to create a tunnel without your notice (but still there are enough "common" ports where tunnels can be set up too...))(Also note that there are many companies / organizations that run active scanners. They do no harm (they say), they put you on a blacklist if they find an easy entry to your net and others use these blacklists to train their firewalls) Edited December 27, 2025Dec 27 by MAM59
December 27, 2025Dec 27 Without seeing any logs, and that you say only your Plex port is open, my guess is this is coming from your router. Several of the mainstream routers come with a security application which probes devices on your LAN.
December 27, 2025Dec 27 Author 40 minutes ago, ConnerVT said:Without seeing any logs, and that you say only your Plex port is open, my guess is this is coming from your router. Several of the mainstream routers come with a security application which probes devices on your LAN.You nailed it. I went and kicked off a scan from my router and saw the same pattern. Thanks!
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.