Could someone exploit NVR with ports being open?

[vich22 0]

Since forwarding ports 8000, 554, and 84 is necessary to have real time viewing from a computer and cellphone how secure are our camera feeds? Going to www.grc.com and doing a port scan ports 554 and 84 and 8000 are open and respond to probes. This means theoretically someone can connect to and attempt to break into our private feeds. Other than closing all ports and disabling viewing from smart phones can anything be done to secure this? I feel like our passwords could easily be broken?

[Securame 0]

Of course doing a port scan on those ports shows them as open, you opened them yourself, otherwise you would not be able to watch your own cameras.

 

Your password could easily be broken? Change the default 12345 password to something stronger. Set up your NVR to send emails, and email you in case of any login failed attempt.

 

Still feeling paranoid? Use a VPN to connect to your unit.

[vich22 0]

Yes changed the default password of course. Something I have not found out yet is how long can the NVR password be and can we use special character like %$#@* ?

Trying to find where I can setup the NVR to email me if a failed login attempt is detected... Do you know?

When using a VPN to connect to the NVR, doesn't that render the mobile app useless?

Thanks

[Securame 0]

Trying to find where I can setup the NVR to email me if a failed login attempt is detected... Do you know?

 

Config -> Network -> Email

and

Config -> Exceptions -> Illegal login -> Send email

[Boogieman 1]

You also dont need the http and rtsp post to be open...all you need is the media port 8000.

[Antitrust 0]

Most certainly it could be exploited. Almost anything can be. Definitely change default ports and remember a long password is generally more secure than a complex one.

 

I would also recommend creating user accounts with only viewer privileges for use while away from home. Although my old analog dvr had a compromised viewer account, which they successfully used to obtain the administrative credentials.

 

But at the end of the day, the risk of me not seeing my cameras is worse than the risk of somebody else seeing them. VPNs are another option.

[vich22 0]

Most certainly it could be exploited. Almost anything can be. Definitely change default ports and remember a long password is generally more secure than a complex one.

 

I would also recommend creating user accounts with only viewer privileges for use while away from home. Although my old analog dvr had a compromised viewer account, which they successfully used to obtain the administrative credentials.

 

But at the end of the day, the risk of me not seeing my cameras is worse than the risk of somebody else seeing them. VPNs are another option.

 

Thanks for the responses everyone. Apologize for the barrage of questions! But everyone is very helpful.

For the 8000 port (device port) what is the range of ports I can use instead of 8000? And antitrust can you elaborate on the specific user accounts while away?

[Securame 0]

Change default ports.

Change passwords.

You can even lock the admin account to work only from a given IP address.

Create a guest account with just the privileges you need to work over internet.

[vich22 0]

BTW max char # for password is 16

[Boogieman 1]

BTW max char # for password is 16

16 is way more than enough..you can set the unit to alert you in case of false attempts..the problem is not brute force password attached but rather exploits in the firmware...you can minimize the risk by only forwarding the media port...or simply use vpn.

[vich22 0]

Of course doing a port scan on those ports shows them as open, you opened them yourself, otherwise you would not be able to watch your own cameras.

 

Your password could easily be broken? Change the default 12345 password to something stronger. Set up your NVR to send emails, and email you in case of any login failed attempt.

 

Still feeling paranoid? Use a VPN to connect to your unit.

 

Just today I got 5 emails within 20 minutes. My NVR emailed me and said I had 5 illegal login attempts.

 

Anyway to find out what IP's are connected to NVR?

[SyconsciousAu 0]

Of course doing a port scan on those ports shows them as open, you opened them yourself, otherwise you would not be able to watch your own cameras.

 

Your password could easily be broken? Change the default 12345 password to something stronger. Set up your NVR to send emails, and email you in case of any login failed attempt.

 

Still feeling paranoid? Use a VPN to connect to your unit.

 

Just today I got 5 emails within 20 minutes. My NVR emailed me and said I had 5 illegal login attempts.

 

Anyway to find out what IP's are connected to NVR?

 

Should be in your connection log

[zr1 0]

Port forwarding simply pushes off security for that port to your DVR/NVR and the person from the outside can try their hand at it.

 

For the 8000 port (device port) what is the range of ports I can use instead of 8000?

 

There's a lot:

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

 

For residential, many ISP's block outbound port 80, and some DVR/NVR's have port 80 as the default. So changing it to whatever you'll remember (and doesn't conflict with your browser's port 443, your email's port 110 or 25 or 587, etc.)