Securing usenet client/plex server

SticKx911

TL;DR: I received a notice from one of the better indexers I have that my API key had been found on the open web. Any suggestions for ways I can better lock it down?

Details:
I'm running Sonarr and Radarr, and these are the only places the indexer's API key is used that I can think of. I have a username and password set for remote access, and that's all I know to do to limit access.

I'm using nzb360 to manage those two wherever I happen to be. Again, using a username and password.

I also use SABnzbd and Plex, but neither has access to the indexer's API.

They locked me down and will permanently block me if it happens again, which is why I'm reaching out for ideas.

Do I just need to use better passwords, or is there something I'm missing?

[Attachment: Screenshot_20241117_100726_Chrome.jpg]
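The OP lists Sonarr and Radarr as the only places the indexer key is used "that I can think of". Before (or right after) rotating the key, it is worth checking where else the old one ended up on the box: the apps' config files, their trace logs (where indexer URLs with apikey= query strings get written), and the backup archives the apps produce. The sweep below is an added example written for this thread, not code from Sonarr, Radarr, Prowlarr or any indexer. The INDEXER_API_KEY environment variable is this script's own convention, and the directory tree, file contents and key that run_demo() builds are constructed sample data; point it at the real config, log and backup directories of your install.

```python
"""Sweep config, log and backup directories for copies of an indexer API key.

Added example for this thread, not code from Sonarr, Radarr or any indexer.
The INDEXER_API_KEY variable is this script's own convention; the tree built
by run_demo() is constructed sample data.
"""
import base64
import os
import sys
import tempfile
import urllib.parse
import zipfile
from pathlib import Path

MAX_FILE_BYTES = 50 * 1024 * 1024   # skip media files and big databases
BACKUP_SUFFIXES = (".zip",)         # the *arr apps ship their backups as .zip


def key_variants(key: str) -> list[tuple[str, bytes]]:
    """Forms a key commonly takes once something has written it to disk.

    Duplicates are dropped: a plain hex key is unchanged by URL-encoding.
    """
    candidates = [
        ("raw", key),
        ("urlencoded", urllib.parse.quote(key, safe="")),
        ("base64", base64.b64encode(key.encode()).decode()),
    ]
    seen: set[str] = set()
    out = []
    for name, text in candidates:
        if text not in seen:
            seen.add(text)
            out.append((name, text.encode()))
    return out


def matches(data: bytes, variants) -> list[str]:
    """Names of the variants that occur anywhere in data."""
    return [name for name, needle in variants if needle in data]


def scan_zip(path: Path, variants) -> list[tuple[str, str]]:
    """Look inside a backup archive without extracting it to disk."""
    hits = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_FILE_BYTES:
                continue
            with zf.open(info) as fh:
                data = fh.read()
            hits += [(f"{path}!{info.filename}", v) for v in matches(data, variants)]
    return hits


def scan_tree(root: Path, key: str) -> list[tuple[str, str]]:
    """Return (location, variant) for every file under root that holds the key."""
    variants = key_variants(key)
    hits = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            if path.suffix.lower() in BACKUP_SUFFIXES and zipfile.is_zipfile(path):
                hits += scan_zip(path, variants)      # archive: scan its members
                continue
            if path.stat().st_size > MAX_FILE_BYTES:
                continue
            data = path.read_bytes()
        except OSError:         # unreadable file: skip it rather than abort the sweep
            continue
        hits += [(str(path), v) for v in matches(data, variants)]
    return hits


def redacted(key: str) -> str:
    """The report must not become one more copy of the key."""
    return key[:4] + "..." + key[-2:]


def run_demo() -> list[tuple[str, str]]:
    """Build a constructed tree, sweep it, and return hits relative to the tree."""
    key = "c0ffee1234/abc+def=="   # constructed; the odd characters exercise URL-encoding
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sonarr" / "logs").mkdir(parents=True)
        (root / "sonarr" / "config.xml").write_text(f"<ApiKey>{key}</ApiKey>\n")
        (root / "sonarr" / "logs" / "sonarr.trace.txt").write_text(
            "Req: https://indexer.example/api?t=caps&apikey="
            + urllib.parse.quote(key, safe="") + "\n")
        with zipfile.ZipFile(root / "sonarr_backup.zip", "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("config.xml", f"<ApiKey>{key}</ApiKey>")
        (root / "radarr.log").write_text("nothing interesting here\n")
        hits = scan_tree(root, key)
        prefix = len(str(root)) + 1
        return sorted((loc[prefix:].replace(os.sep, "/"), v) for loc, v in hits)


if __name__ == "__main__":
    # Read the key from the environment so it does not land in shell history or `ps`.
    api_key = os.environ.get("INDEXER_API_KEY")
    if not api_key or len(sys.argv) < 2:
        sys.exit("usage: INDEXER_API_KEY=... python3 sweep.py <dir> [<dir> ...]")
    for root in sys.argv[1:]:
        for loc, variant in scan_tree(Path(root), api_key):
            print(f"{loc}: {variant} copy of {redacted(api_key)}")
```

Run it against the config directory of each app, the log directory, wherever backups are kept, and any docker-compose or Ansible files you keep in git. Every hit is a file to scrub or rotate out of, and anything that turns up outside the app's own config (a trace log you once pasted into a forum, a backup synced to a cloud drive) is a candidate for how the key got out.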
 
Generally you never want to have a server exposed to the Internet, any server. The way you would access a remote server is via a VPN connection (IPsec, WireGuard, etc.).
 
Separate the lock from the key. This is why I containerize my Plex and other apps away from each other. The only port that's open from the outside is a random Plex port.
 
Maybe your main system is compromised and you don't even know it?

How do you have your current setup open to the Internet? Just a simple port forward? Do you patch the OS and apps often? It could have been an exploit in one of them.

ANY time you open something to the Internet, the first step, if you must open it, is to segment your networks: an isolated VLAN for that device, with access to nothing else on your internal network unless it needs it. If it does need something, you create specific rules for said access.
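What "an isolated VLAN with specific rules" looks like as an actual ruleset, as an added example for this thread rather than any poster's configuration. It assumes a Linux router running nftables with these names and addresses: "vlan30" is the isolated media VLAN (192.168.30.0/24) holding the Plex/Sonarr/Radarr box at 192.168.30.10, "lan" is the trusted LAN (192.168.1.0/24), "wg0" is the WireGuard interface, "wan" is the uplink, 192.168.1.20 is a NAS the media box needs over SMB (445/tcp), and 32400/tcp is the one Plex port forwarded from outside. Only the forward path and the DNAT are shown; the router's own input chain is left to your existing ruleset, so merge these into it rather than loading them alone.

```nft
# Added example for this thread, not a poster's ruleset. Interface names,
# subnets, the NAS address and the Plex port are assumptions (see the lead-in).
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to anything already allowed; junk is dropped early.
        ct state established,related accept
        ct state invalid drop

        # The isolated VLAN may reach the Internet and nothing internal...
        iifname "vlan30" oifname "wan" accept

        # ...except the single thing it actually needs: the NAS share.
        iifname "vlan30" oifname "lan" ip daddr 192.168.1.20 tcp dport 445 accept

        # Management comes from the trusted LAN or the VPN, never the reverse.
        iifname { "lan", "wg0" } oifname "vlan30" accept

        # The only inbound hole: the DNATed Plex port, and only to the media box.
        iifname "wan" oifname "vlan30" ip daddr 192.168.30.10 tcp dport 32400 ct status dnat accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Forward Plex only; Sonarr/Radarr/SABnzbd ports are never exposed.
        iifname "wan" tcp dport 32400 dnat to 192.168.30.10
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan" masquerade
    }
}
```

The point of the `policy drop` on the forward chain is that a compromised media box gets nothing by default; every path it has is a rule you can read. If the box is later compromised through the one exposed port, the attacker's reach is the Internet and port 445 on one host, not your workstation or the router's admin page.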
 
Yeah, simple port forward. Good idea on the VLAN.
 
How often do you patch this system that is exposed?
Do you have SSH or RDP open?
Do you monitor to see if the app has any known exploits or CVEs in the packages it may include?
 
It reboots to do updates at least twice a week.
The others I'm not sure about, but that's definitely something I can look into. Thank you.
 
> Yeah, simple port forward. Good idea on the VLAN.
Don't do this. You shouldn't expose Sonarr and Radarr to the Internet at all. Even with a username/password in place, an exploit can happen.

If you want to manage it remotely, set up a secure VPN back to your home network using something like WireGuard or OpenVPN so that only you can access it. Use a free dynamic DNS service if you don't have a static IP. If you want to open up requests to other people, run Ombi isolated and you can expose that to the Internet. At worst, if that gets compromised, they get the API key to interface with your ****arr software (which is worthless since they can't access it) and not the API key for your indexer.

Random advice as well:
nzb360 is an awesome Android app.
Prowlarr works great as your NZB indexer manager; just set Sonarr and Radarr to use it instead of your indexer directly.
 
How do you use nzb360 but still lock down Sonarr/Radarr? I'll have to look into Prowlarr, as that sounds like a good way to protect my API keys.
 
I run OPNsense as my firewall and have a WireGuard VPN tunnel back to my home network (I followed this guide). I don't have a static IP to connect back home, so instead I use DuckDNS to track my IP address (using the OPNsense Dynamic DNS plugin, but DuckDNS can be updated in a variety of ways) and connect to that as my endpoint.

On any PCs I use the official WireGuard application and import my config file. On Android I use WG Tunnel.

I simply connect to the VPN and can access everything at home, while none of it is publicly accessible from the Internet. I also use essentially the same config file for multiple profiles, just with a different AllowedIPs section to route traffic differently (e.g. maybe I want ALL traffic going through the VPN, or maybe I just want to access certain LAN ranges).
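The two-profile setup described above, written out as an added example for this thread (not the poster's files or anything from the guide they followed). Everything in it is assumed: the tunnel subnet 10.6.0.0/24 with the phone at 10.6.0.2, a home LAN of 192.168.1.0/24 with the router at 192.168.1.1, the hostname myhome.duckdns.org, listen port 51820, and the key placeholders (generate real ones with `wg genkey | tee client.key | wg pubkey`). They are two separate files that differ only in AllowedIPs; the WireGuard apps import each as its own tunnel.

```ini
# Added example, not a poster's real config. Addresses, hostname, port and the
# <...> key placeholders are assumptions; see the lead-in above.

# ---- home-split.conf: only the tunnel and the home LAN are routed through it ----
[Interface]
PrivateKey = <client private key>
Address = 10.6.0.2/32
# Resolve LAN names at home; drop this line to keep the phone's normal resolver.
DNS = 192.168.1.1

[Peer]
PublicKey = <public key of the OPNsense WireGuard instance>
# Optional second, symmetric key; must be identical on both ends if used.
PresharedKey = <preshared key>
# The DuckDNS name is re-resolved on each connect, so a changed home IP still works.
Endpoint = myhome.duckdns.org:51820
# Only these destinations enter the tunnel; everything else uses the local network.
AllowedIPs = 10.6.0.0/24, 192.168.1.0/24
# Keeps the NAT mapping open so the home end can still reach the phone.
PersistentKeepalive = 25

# ---- home-full.conf: identical keys and peer, but all traffic goes home ----
[Interface]
PrivateKey = <client private key>
Address = 10.6.0.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = <public key of the OPNsense WireGuard instance>
PresharedKey = <preshared key>
Endpoint = myhome.duckdns.org:51820
# Both address families, or IPv6 traffic quietly bypasses the tunnel on IPv6 networks.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

# ---- The matching peer entry on the OPNsense side is the mirror image ----
# [Peer]
# PublicKey  = <client public key>
# PresharedKey = <preshared key>
# AllowedIPs = 10.6.0.2/32
# On the server, AllowedIPs is a source filter, not a route for the client: only
# packets from 10.6.0.2 are accepted from this peer, whatever the client routes in.
```

Two checks worth doing once it is up: on OPNsense the tunnel is still subject to the firewall, so you need a WAN rule allowing UDP 51820 in and rules on the WireGuard interface (or group) that allow tunnel clients to reach only the LAN hosts and ports you intend, which is where Sonarr/Radarr access for nzb360 gets granted; and with the split profile, confirm from the phone that the LAN hosts resolve and respond while a public IP lookup still shows the mobile carrier, which proves nothing but the listed ranges is being routed home.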
 