The amount of publicly accessible Sonarr installations on the internet

by jamesmacwhite
GNU/Linux ◆ xterm-256color ◆ bash 1198 views

The video demonstrates how easy it is to find open Sonarr installations (https://sonarr.tv) currently accessible via the internet with no authentication. Starting with a basic query, we find there are over 2,000 indexed installs in Shodan at the time of recording. These may not all be completely unprotected, however, so we must adjust the query to filter down to those which are open with no authentication. We can do this using the http.title value from the banner.

Using a basic http.title search query with a not condition to exclude Sonarr installs that at least have the built-in authentication enabled (their http.title value will contain the word Login), we can find over 1,000 Sonarr installations (both v2 and v3) that are completely wide open right now. This is very dangerous considering Sonarr usually has read/write access to storage locations and is often connected to a variety of other services.

Realistic scenario: assuming the role of a bad actor, with a few Shodan CLI commands this data could be leveraged to harvest API keys from Sonarr installations and from any connected services, e.g. Plex (via credentials or an auth token), download clients, indexers and notification services, or to dump the entire SQLite database and harvest all of this information from it. With something like Sonarr completely open on the internet, it can act as an entry point into other services.

Someone acting with even more malicious intent could go as far as deleting entire media libraries as well, given there is no access control.

The Shodan CLI commands used are trivial and only expose what is already publicly available to anyone else.

The important point to highlight is to make sure your Sonarr install is not wide open on the internet. If you haven’t ever forwarded any ports before, you are likely safe. If you have, at minimum enable authentication (it is off by default). Better yet, do not directly expose Sonarr to the internet at all. Instead, consider more robust access methods such as a VPN, or a reverse proxy (Apache, NGINX, Caddy etc.) with some form of authentication management in front.

Port forwarding without proper security is extremely dangerous. You can see from the search data that changing the default port from TCP 8989 won’t help you. When you need to expose applications over HTTP/HTTPS, the preferred setup is a load balancer/reverse proxy listening on TCP 443 with SSL/TLS configured; it routes traffic to other internal services by hostname using SNI without exposing them directly. This means only a single port forward rule and lets you minimise externally exposed services.

In addition, you are also potentially exposing your origin IP, which makes it a target for any port scanning tool. If you want web-based services externally available, consider proxying this traffic through Cloudflare so your origin IP is not exposed. You can also have your firewall block any traffic that is not from Cloudflare for tighter control of traffic flow. By doing this you also hide yourself from services like Shodan, as they will be unable to connect to your origin IP without going through Cloudflare first, which they cannot map in the same way.
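As an added example of the two measures described above (not a configuration from the video or the Sonarr project): an NGINX reverse proxy terminating TLS on 443, selecting the backend by hostname via SNI, requiring HTTP basic authentication before any request reaches Sonarr, and optionally refusing anything that did not arrive through the proxy/CDN in front. The hostnames, certificate paths, backend addresses and the allow-listed range (a TEST-NET documentation prefix) are placeholders to replace with your own.

```nginx
# Sonarr itself binds to 127.0.0.1:8989 and has no port forward of its own;
# the only rule on the router is TCP 443 -> this host.

# Redirect plain HTTP to HTTPS so credentials never travel in clear text.
server {
    listen 80;
    server_name sonarr.example.com;                  # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name sonarr.example.com;                  # SNI selects this block
    ssl_certificate     /etc/ssl/certs/sonarr.example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/sonarr.example.com.key;  # placeholder

    # Optional: accept connections only from the proxy/CDN in front of you.
    # Substitute the provider's published ranges; everything else is refused.
    allow 203.0.113.0/24;                            # placeholder (TEST-NET-3)
    deny  all;
    # Recover the visitor's real address from the proxy's header for logging.
    set_real_ip_from 203.0.113.0/24;                 # placeholder
    real_ip_header   CF-Connecting-IP;

    # Authentication happens here, before any request reaches Sonarr.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;       # created with htpasswd(1)

    location / {
        proxy_pass         http://127.0.0.1:8989;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # Sonarr's UI keeps a websocket open for live updates.
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
    }
}

# A second internal service behind the same single port forward, picked by SNI.
server {
    listen 443 ssl http2;
    server_name other.example.com;                   # placeholder hostname
    ssl_certificate     /etc/ssl/certs/other.example.com.pem;     # placeholder
    ssl_certificate_key /etc/ssl/private/other.example.com.key;   # placeholder
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    location / { proxy_pass http://127.0.0.1:8080; } # placeholder backend
}
```

Sonarr's own built-in authentication can stay enabled behind this as a second layer; clients on the LAN that talk to port 8989 directly are unaffected by the proxy.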

Remember, if something is wide open and accessible on the internet, it is not a case of if but when it will be discovered and breached. You might be lucky and someone may try to alert you to the issue before someone with less good intentions comes along, but this video demonstrates what is open and out there now.

The IP addresses from the search query are a small portion of the potential targets a bad actor could attack. This video is not encouraging the use of Shodan to hack, or the use of this data for malicious purposes. It is for educational and awareness purposes only.

Please secure your external facing applications!