
Guezli/crowdsec-plex-collection


crowdsec-plex-collection

Custom CrowdSec collection for Plex Media Server.

Detects:

  • Plex authentication brute-force — 5 failed auth attempts in 10 min from same IP
  • Plex invalid-token brute-force — 10 invalid-token requests in 5 min from same IP

Why custom?

There is no official Plex collection in the CrowdSec Hub. Plex Media Server logs HTTP-level requests with source IPs to its rolling log file, including authentication failures and invalid-token responses. This collection parses those events and feeds them into CrowdSec scenarios.

Files

| Path | Purpose |
|---|---|
| parsers/s01-parse/plex.yaml | Grok-based parser; extracts source_ip, http_verb, http_path and tags log-type (plex_request, plex_auth_fail, plex_token_invalid) |
| scenarios/plex-auth-bf.yaml | Leaky scenario, 5 capacity / 10 min leakspeed |
| scenarios/plex-token-bf.yaml | Leaky scenario, 10 capacity / 5 min leakspeed |
| collections/plex.yaml | Bundles parser + scenarios |
| acquis/plex.yaml | Example acquisition (where to place Plex log) |
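
An added example, not part of this repository: a simplified Python model of the two leaky scenarios in the table, run over constructed events. It assumes the usual leaky-bucket reading of the capacity and leakspeed values (one bucket per source IP and log-type, one event draining per leakspeed interval, an alert when an event arrives on a full bucket); the function names and sample IPs are hypothetical.

```python
from collections import defaultdict

# Assumed model of a leaky bucket: one event drains every `leakspeed`
# seconds, and the bucket overflows (alert) when a new event arrives
# while it already holds `capacity` events. Values come from the table.
SCENARIOS = {
    "plex_auth_fail": {"capacity": 5, "leakspeed": 600},       # plex-auth-bf
    "plex_token_invalid": {"capacity": 10, "leakspeed": 300},  # plex-token-bf
}


def detect(events):
    """events: time-ordered iterable of (epoch_seconds, source_ip, log_type).
    Returns the events on which a bucket overflowed."""
    level = defaultdict(float)  # current fill per (log_type, ip)
    last = {}                   # timestamp of the previous event per key
    alerts = []
    for ts, ip, log_type in events:
        cfg = SCENARIOS.get(log_type)
        if cfg is None:         # plex_request and anything else is ignored
            continue
        key = (log_type, ip)
        if key in last:         # drain for the time elapsed since last event
            leaked = (ts - last[key]) / cfg["leakspeed"]
            level[key] = max(0.0, level[key] - leaked)
        last[key] = ts
        level[key] += 1
        if level[key] > cfg["capacity"]:
            alerts.append((ts, ip, log_type))
            level[key] = 0.0    # simplification: start a fresh bucket
    return alerts


def sample_events():
    """Constructed sample events (documentation IPs), not real Plex log data."""
    burst = [(1000 + 20 * i, "203.0.113.7", "plex_auth_fail") for i in range(6)]
    slow = [(1000 + 900 * i, "198.51.100.9", "plex_auth_fail") for i in range(8)]
    noise = [(1005, "203.0.113.7", "plex_request")]
    return sorted(burst + slow + noise)


if __name__ == "__main__":
    for ts, ip, log_type in detect(sample_events()):
        print(f"overflow t={ts} ip={ip} type={log_type}")
```

Under this model the alert fires on the event that exceeds the capacity, so a burst of six failures trips the auth scenario while one failure every 15 minutes never does.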

Installation

Via cscli (after PR-merge into Hub — not yet available)

cscli collections install Guezli/plex

Manual (until Hub-merged)

On the host running Plex Media Server:

sudo mkdir -p /etc/crowdsec/parsers/s01-parse \
              /etc/crowdsec/scenarios \
              /etc/crowdsec/collections \
              /etc/crowdsec/acquis.d

sudo cp parsers/s01-parse/plex.yaml \
     /etc/crowdsec/parsers/s01-parse/Guezli-plex.yaml

sudo cp scenarios/plex-auth-bf.yaml \
     /etc/crowdsec/scenarios/Guezli-plex-auth-bf.yaml
sudo cp scenarios/plex-token-bf.yaml \
     /etc/crowdsec/scenarios/Guezli-plex-token-bf.yaml

sudo cp acquis/plex.yaml \
     /etc/crowdsec/acquis.d/plex.yaml

sudo systemctl reload crowdsec

Verify:

cscli scenarios list | grep plex
sudo journalctl -u crowdsec --since "1 minute ago" | grep plex

Acquisition path

Default Plex log path on Linux: /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Logs/Plex Media Server.log. The path is customisable via the PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR environment variable; adjust acquis/plex.yaml accordingly.

The CrowdSec daemon needs read access to that log file. Either run CrowdSec as a member of the plex group or grant o+r on the log directory. Granting o+r makes the logs readable by every local user, so group membership is the narrower of the two options.

Caveats

  • Failure-log patterns are heuristic, based on Plex Media Server 1.42–1.43 behaviour. Plex changes log formatting between major releases, so patterns may need updating.
  • Patterns are case-insensitive ((?i)).
  • Plex log entries can be very long (token-related entries are sometimes up to 4 KB). Default CrowdSec line buffers handle that.
  • This collection does not attempt to detect Plex-internal token-leak or other attack vectors — only authentication-layer brute-force from a single IP.

Contributing

Bug reports / pattern improvements welcome via GitHub issues.

License

MIT
