luckyfella

Can you guess the analog?


Some cameras have insecure user accounts or telnet logins that can't be disabled, so anyone who finds the camera access can mess with them over the internet. Dahua's got some well-publicized security holes.

 

A better bet would be to have remote desktop access to the NVR (assuming PC based) and adjust camera parameters from that. Otherwise, using obscure ports can help, but if someone's focused on your IP address, port scans don't take that long.

 


And, technically, I am not 'opening' them, I am forwarding them to an IP address.

 

 

Woow

Can you plz explain the difference between "not opening port" and "forwarding them to IP address" please?

First of all, I am not the only one asking. Second of all, I have not asked any stupid questions so watch your mouth. Third of all, if I google what you said to google, it won't tell me what the difference is if I open an NVR port only or the NVR port and a bunch of camera ports. So, I'm asking you, why is it ok to open just the NVR port, but not ok to open the NVR and a few cameras?

And, technically, I am not 'opening' them, I am forwarding them to an IP address.

 

Relax the Russian gets cranky when he doesn't have a cigarette but he has some good advice.

Generally, I think too much is made over breach risks. Remote customer service would win for me as well.

unfortunately Shock

very nasty script/program exist

here is how it works

u enter city or state

then product brand

click enter

wait few sec

and then it will show lots of IP in given search

plus some other info

now u have IP's

imagine what can be done...........

my point is simple

open least amount of ports

or use VPN


So AK, when you install a cctv system, you do not do any port forwarding at all because it's not safe? You don't port forward the dvr/nvr?

So, what is the difference between the NVR port and an IP camera port being open?

 

There are a couple of key differences:

 

- Camera ports would have one or more ports open for each camera, so that could be 4, 8, whatever ports and logins that need to be managed. An NVR only needs one port open (sometimes a few ports, depending on what you need to do).

 

- You have limited camera control from most NVRs, so there are fewer changes that can be done through the NVR. Some have more camera control than others, so it all depends. It's harder/impossible for someone to brick a camera through the NVR, for instance.

 

- If you have multiple brands of cameras, you have multiple opportunities for back doors and exploits. With a single NVR, you're more likely to know all the common issues, but there may still be undocumented exploits.

 

In either case, a lot depends on the robustness of the login and control code. Cameras and NVRs often have mediocre code running them, especially the budget ones, and especially in the security regime.

 

This is why logging in to a PC via VNC, RDC, or similar is a safer way to control - these are generally more secure if you stick with the well-known names like TeamViewer or UltraVNC.

 

That said, many, many people run open ports on their cameras, NVRs, etc. A lot depends on how confidential the data is and whether there are back doors in the code. Many people don't mind someone on the internet watching their driveway, but wouldn't want them to be able to see inside the house. Nobody wants a stranger to be able to brick their camera, though.


Maxi, I do understand that the NVR has less control over the IP camera rather than the camera itself. When I port forward my NVR, I forward the HTTP port and the TCP port, so that is two ports. When I port forward the cameras, I ONLY port forward the HTTP port so I can open IE and log into it. I do not need to log into the camera itself on my iphone or PSS. I do understand the less ports open, the better, but if we are opening two ports for the NVR, c'mon, we already started the risk of security so why not a few more ports for the cameras themselves?

 

I go to some houses and when I log into the router, I see a whole more bunch of ports open for the home automation, and other stuff. If you guys don't want to open your ports for your cameras, then don't. No one is putting a gun to your head. But don't complain if you have to change a setting in one of the cameras or update the firmware and you have to drive an hour to your customer's house to do it. As of now, I do all of that from the comfort of my living room couch so you're not going to change my mind.


luckyfella, I totally agree with you. One of the great advantages of IP cameras is that you can remotely configure/stream with total control and ease. The ports can be opened for just that reason! It's the how and why IP systems are designed. I for one will also continue to take full advantage of what they have to offer .... or why even bother at all. Risks? Sure, I take them every day the minute I walk out the door. Obviously care/caution needs to be taken, and as a responsible installer I'm sure you do just that. We've both seen many installers and homeowners do a lot worse! The stories I could tell ....

 

Cheers!

Edited by Guest


It depends on the system. With Avigilon we have full control of the cameras via the client software so we only have to forward the ports of the server for remote configuration of the cameras. This is much cleaner, faster and more secure.

 

If you do forward the ports of the cameras I strongly recommend you change them from standard ports and change the default user and password.

 

I would also stay away from cameras that have back door access with user and passwords that can't be changed.

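An added example, not part of any post in this thread: the points made above (every forwarded camera is another login to manage, standard ports are easy to spot, telnet should not be reachable) turned into a small audit of a router's port-forward table. The table, addresses, port numbers and the `role` field are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of a home router's port-forward table (addresses, ports
# and roles are illustrative assumptions, not values from the thread).
FORWARDS = [
    {"wan_port": 80,    "lan_ip": "192.168.1.10", "lan_port": 80,    "role": "nvr"},
    {"wan_port": 37777, "lan_ip": "192.168.1.10", "lan_port": 37777, "role": "nvr"},
    {"wan_port": 8081,  "lan_ip": "192.168.1.21", "lan_port": 80,    "role": "camera"},
    {"wan_port": 8082,  "lan_ip": "192.168.1.22", "lan_port": 80,    "role": "camera"},
    {"wan_port": 23,    "lan_ip": "192.168.1.22", "lan_port": 23,    "role": "camera"},
]

# Standard service ports that are easy to recognise from outside.
STANDARD_PORTS = {23: "telnet", 80: "http", 443: "https", 554: "rtsp", 8080: "http-alt"}


def audit(forwards):
    """Return exposure counts and findings for a list of forward rules."""
    findings = []
    hosts = defaultdict(list)  # (role, lan_ip) -> rules that expose that device
    for rule in forwards:
        hosts[(rule["role"], rule["lan_ip"])].append(rule)
        if rule["lan_port"] == 23:
            findings.append(("high", f"{rule['lan_ip']}: telnet is forwarded; remove this rule"))
        if rule["wan_port"] in STANDARD_PORTS:
            name = STANDARD_PORTS[rule["wan_port"]]
            findings.append(("medium", f"WAN port {rule['wan_port']} is the standard {name} port"))
    cameras = sorted(ip for role, ip in hosts if role == "camera")
    for ip in cameras:
        findings.append(("medium", f"{ip}: camera login is reachable directly; "
                                   "prefer access through the NVR or a VPN"))
    return {
        "forward_rules": len(forwards),
        "exposed_hosts": len(hosts),   # each one is a separate login to manage
        "camera_hosts": len(cameras),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(FORWARDS)
    print(f"{report['forward_rules']} rules expose {report['exposed_hosts']} devices "
          f"({report['camera_hosts']} cameras)")
    for severity, message in report["findings"]:
        print(f"[{severity}] {message}")
```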
luckyfella, I totally agree with you. One of the great advantages of IP cameras is that you can remotely configure/stream with total control and ease. The ports can be opened for just that reason! It's the how and why IP systems are designed. I for one will also continue to take full advantage of what they have to offer .... or why even bother at all. Risks? Sure, I take them every day the minute I walk out the door. Obviously care/caution needs to be taken, and as a responsible installer I'm sure you do just that. We've both seen many installers and homeowners do a lot worse! The stories I could tell ....

 

Cheers!

 

 

Finally, someone that agrees with me, lmao.


 

Finally, someone that agrees with me, lmao.

 

Agree with what ?

that opening 15-30 ports is OK

looks like you never done schools or decent corporation


You're a real piece of work. Were we talking about schools or corporations? NO, we were not. We were talking about small residential jobs. And, he agrees with me that it's a good idea to port forward a few cameras that were installed for a house. If you want to bring up if it's a good idea port forwarding LARGE commercial jobs for big corporations or Schools, why don't you start a new topic and keep that talk out of this one? Thanks.


Forward the cameras through the firewall just so you can get to them from the outside? Are you freakin kidding me?

That is the dumbest idea I ever heard of.

Stuff like that is what separates the trunk slammers from professionals.

Maxi, I do understand that the NVR has less control over the IP camera rather than the camera itself. When I port forward my NVR, I forward the HTTP port and the TCP port, so that is two ports. When I port forward the cameras, I ONLY port forward the HTTP port so I can open IE and log into it. I do not need to log into the camera itself on my iphone or PSS. I do understand the less ports open, the better, but if we are opening two ports for the NVR, c'mon, we already started the risk of security so why not a few more ports for the cameras themselves?

 

I go to some houses and when I log into the router, I see a whole more bunch of ports open for the home automation, and other stuff. If you guys don't want to open your ports for your cameras, then don't. No one is putting a gun to your head. But don't complain if you have to change a setting in one of the cameras or update the firmware and you have to drive an hour to your customer's house to do it. As of now, I do all of that from the comfort of my living room couch so you're not going to change my mind.

 

I wasn't trying to change your mind, just answering the question on what the differences were, and throwing in what I perceive to be the risks. I'm not one to judge!

 

As long as you (and your customers, if you're commercial or corporate) understand the issues and risk assessment, it's all good.

 

In fact, having both cameras and NVR ports forwarded allows you to view the cams directly as a backup in case the NVR has problems. It can add up to a lot of ports to manage, though.

 

There are lots of unsecured cams out there on the 'net open for viewing. Most of them are incredibly boring, but it's always interesting to cruise them.


^^ Exactly. As I said earlier, generally too much is made over breaches. I would do it for easier, remote CS too. But I wouldn't do it with indoor cameras, or I would only do it short term if the job was a multi day job and I had a chance to confirm they were okay, and then off line they would go. And of course, it would be a case by case situation, after conferring with the client. But for general exterior small residential jobs where outdoor cameras can very likely need further tweaking after the fact- you bet I'd be doing that remotely as well. Put me on the trunker list I suppose. LOL.

^^ Exactly. As I said earlier, generally too much is made over breaches. I would do it for easier, remote CS too. But I wouldn't do it with indoor cameras, or I would only do it short term if the job was a multi day job and I had a chance to confirm they were okay, and then off line they would go. And of course, it would be a case by case situation, after conferring with the client. But for general exterior small residential jobs where outdoor cameras can very likely need further tweaking after the fact- you bet I'd be doing that remotely as well. Put me on the trunker list I suppose. LOL.

 

I can bet that "luckyfella" did not tell his customer about opening cameras ports on their system


AK, when you forward ports for your customer's NVR/DVR so he can view his cameras on his phone, do you tell him that it is not a good idea or it's not safe to do that? Or, do you just forward the port and leave the cameras ports alone? If you do not give him that warning even for that single port for the NVR, then you're just as guilty as I am if I do not tell my customers the risks of port forwarding.


This actually got me wondering. What's stopping me from bruteforcing a cam/NVR login? Do cam manufacturers actually lock out the login after several (incorrect) tries?


Yes, I'm not sure the number of tries, but after several wrong attempts, the Dahua cameras lock out the user even if it's the Admin.

The only way to unlock it is to reboot the camera/nvr.

This actually got me wondering. What's stopping me from bruteforcing a cam/NVR login? Do cam manufacturers actually lock out the login after several (incorrect) tries?

 

Like everything software related, this totally depends on the software developers. I would not put any faith in them doing things correctly without testing it myself.

 

Once tested, you can't guarantee the same results will hold for the next firmware release.

 

Assuming no lockouts, the main thing that would stop you from bruteforcing it over the internet is response time. Using a basic dictionary attack (seeded with IP cam logins) would come first, then on to smart brute force. Your PW/second rates would be pretty much dependent on how fast the camera returned results to you, but I'd bet the rate would not be very high.

This topic is now closed to further replies.
