Can you guess the analog?

[thewireguys 3]

Some cameras have insecure user accounts or telnet logins that can't be disabled, so anyone who finds the camera access can mess with them over the internet. Dahua's got some well-publicized security holes.

 

A better bet would be to have remote desktop access to the NVR (assuming PC based) and adjust camera paramters from that. Otherwise, using obscure ports can help, but if someone's focused on your IP address, port scans don't take that long.

 

[ak357 0]

And, technically, I am not ópening' them, I am forwarding them to an IP address.

 

 

Woow

Can you plz explain difference between "not opening port" and "forwarding them to IP address" please ?

[thewireguys 3]

First of all, I am not the only one asking. Second of all, I have not asked any stupid questions so watch your mouth. Third of

all, if I google what you said to google, it won't tell me what the difference is if I open an NVR port only or the NVR port and a bunch of camera ports. So, I'm asking you, why is it ok to open just the NVR port, but not ok to open the NVR and a few cameras?

And, technically, I am not ópening' them, I am forwarding them to an IP address.

 

Relax the Russian gets cranky when he doesn't have a cigarette but he has some good advice.

[shockwave199 0]

Generally, I think too much is made over breach risks. Remote customer service would win for me as well.

[ak357 0]

Generally, I think too much is made over breach risks. Remote customer service would win for me as well.

unfortunately Shock

very nasty script/program exist

here is how it works

u enter city or state

then product Brandt

click enter

wait few sec

and then it will show lots of IP in given search

plus some other info

now u have IP's

imagine what can be done...........

my point is simple

open least amount of ports

or use VPN

[luckyfella 0]

So AK, when you install a cctv system, you do not do any port forwarding at all because it's not safe? You don't port forward the dvr/nvr?

[MaxIcon 0]

So, what is the difference between the NVR port and an IP camera port being open?

 

There are a couple of key differences:

 

- Camera ports would have one or more ports open for each camera, so that could be 4, 8, whatever ports and logins that need to be managed. An NVR only needs one port open (sometimes a few ports, depending on what you need to do).

 

- You have limited camera control from most NVRs, so there are fewer changes that can be done through the NVR. Some have more camera control than others, so it all depends. It's harder/impossible for someone to brick a camera through the NVR, for instance.

 

- If you have multiple brands of cameras, you have multiple opportunities for back doors and exploits. With a single NVR, you're more likely to know all the common issues, but there may still be undocumented exploits.

 

In either case, a lot depends on the robustness of the login and control code. Cameras and NVRs often have mediocre code running them, especially the budget ones, and especially in the security regime.

 

This is why logging in to a PC via VNC, RDC, or similar is a safer way to control - these are generally more secure if you stick with the well-known names like TeamViewer or UltraVNC.

 

That said, many, many people run open ports on their cameras, NVRs, etc. A lot depends on how confidential the data is and whether there are back doors in the code. Many people don't mind someone on the internet watching their driveway, but wouldn't want them to be able to see inside the house. Nobody wants a stranger to be able to brick their camera, though.

[luckyfella 0]

Maxi, I do understand that the NVR has less control over the IP camera rather than the camera itself. When I port forward my NVR, I forward the HTTP port and the TCP port, so that is two ports. When I port forward the cameras, I ONLY port forward the HTTP port so I can open IE and log into it. I do not need to log into the camera itself on my iphone or PSS. I do understand the less ports open, the better, but if we are opening two ports for the NVR, c'mon, we already started the risk of security so why not a few more ports for the cameras themselves?

 

I go to some houses and when I log into the router, I see a whole more bunch of ports open for the home automation, and other stuff. If you guys don't want to open your ports for your cameras, than don't. No one is putting a gun to your head. But don't complain if you have to change a setting in one of the cameras or update the firmware and you have to drive an hour to your customers house to do it. As of now, I do all of that from the comfort of my living room couch so your not going to change my mind.

[StanLee2066 0]

luckyfella, I totally agree with you. One of the great advantages of IP cameras is that you can remotely configure/stream with total control and ease. The ports can be opened for just that reason! Its the how and why IP systems are designed. I for one will also continue to take full advantage of what they have to offer .... or why even bother at all. Risks? Sure, I take them everyday the minute I walk out the door. Obviously care/caution needs to be taken, and as a responsible installer I'm sure you do just that. We've both seen many installers and homeowners do a lot worst! The stories I could tell ....

 

Cheers!

Edited October 2, 2013 by Guest

[thewireguys 3]

It depends on the system. With Avigilon we have full control of the cameras via the client software so we only have to forward the ports of the server for remote configuration of the cameras. This is much cleaner, faster and more secure.

 

If you do forward the ports of the cameras I strongly recommend you change them from standard ports and change the default user and password.

 

I would also stay away from cameras that have back door access with user and passwords that can't be changed.

[luckyfella 0]

luckyfella, I totally agree with you. One of the great advantages of IP cameras is that you can remotely configure/stream with total control and ease. The ports can be opened for just that reason! Its the how and why IP systems are designed. I for one will also continue to take full advantage of that they have to offer .... or why even bother at all. Risks? Sure, I take them everyday the minute I walk out the door. Obviously care/caution needs to be taken, and as a responsible installer I'm sure you do just that. We've both seen many installers and homeowners do a lot worst! The stories I could tell ....

 

Cheers!

 

 

Finally, someone that agrees with me, lmao. " title="Applause" />

[ak357 0]

 

Finally, someone that agrees with me, lmao. " title="Applause" />

 

Agree with what ?

that opening 15-30 ports is OK

looks like you never done schools or decent corporation

[luckyfella 0]

Your a real piece of work. Were we talking about schools or corporations? NO, we were not. We were talking about small residential jobs. And, he agrees with me that it's a good idea to port forward a few cameras that were installed for

a house. If you want to bring up if it's a good idea port forwarding LARGE commercial jobs for big corporations or Schools,

why don't you start a new topic and keep that talk out of this one? Thanks.

[ssmith10pn 0]

Forward the cameras through the firewall just so you can get to them from the outside? Are you freakin kidding me?

That is the dumbest idea I ever heard of.

Stuff like that is what separates the trunk slammers from professionals.

[MaxIcon 0]

Maxi, I do understand that the NVR has less control over the IP camera rather than the camera itself. When I port forward my NVR, I forward the HTTP port and the TCP port, so that is two ports. When I port forward the cameras, I ONLY port forward the HTTP port so I can open IE and log into it. I do not need to log into the camera itself on my iphone or PSS. I do understand the less ports open, the better, but if we are opening two ports for the NVR, c'mon, we already started the risk of security so why not a few more ports for the cameras themselves?

 

I go to some houses and when I log into the router, I see a whole more bunch of ports open for the home automation, and other stuff. If you guys don't want to open your ports for your cameras, than don't. No one is putting a gun to your head. But don't complain if you have to change a setting in one of the cameras or update the firmware and you have to drive an hour to your customers house to do it. As of now, I do all of that from the comfort of my living room couch so your not going to change my mind.

 

I wasn't trying to change your mind, just answering the question on what the differences were, and throwing in what I perceive to be the risks. I'm not one to judge!

 

As long as you (and your customers, if you're commercial or corporate) understand the issues and risk assessment, it's all good.

 

In fact, having both cameras and NVR ports forwarded allows you to view the cams directly as a backup in case the NVR has problems. It can add up to a lot of ports to manage, though.

 

There are lots of unsecured cams out there on the 'net open for viewing. Most of them are incredibly boring, but it's always interesting to cruise them.

[shockwave199 0]

^^ Exactly. As I said earlier, generally too much is made over breaches. I would do it for easier, remote CS too. But I wouldn't do it with indoor cameras, or I would only do it short term if the job was a multi day job and I had a chance to confirm they were okay, and then off line they would go. And of course, it would be a case by case situation, after conferring with the client. But for general exterior small residential jobs where outdoor cameras can very likely need further tweaking after the fact- you bet I'd be doing that remotely as well. Put me on the trunker list I suppose. LOL.

[ak357 0]

^^ Exactly. As I said earlier, generally too much is made over breaches. I would do it for easier, remote CS too. But I wouldn't do it with indoor cameras, or I would only do it short term if the job was a multi day job and I had a chance to confirm they were okay, and then off line they would go. And of course, it would be a case by case situation, after conferring with the client. But for general exterior small residential jobs where outdoor cameras can very likely need further tweaking after the fact- you bet I'd be doing that remotely as well. Put me on the trunker list I suppose. LOL.

 

I can bet that "luckyfella" did not tell his customer about opening cameras ports on their system

[luckyfella 0]

AK, when you forward ports for your customers NVR/DVR so he can view his cameras on his phone, do you tell him that it is

not a good idea or it's not safe to do that? Or, do you just forward the port and leave the cameras ports alone? If you

do not give him that warning even for that single port for the NVR, than your just as guilty as I am if I do not tell

my customers the risks of port forwarding.

[bigjezza 0]

This actually got me wondering. What's stopping me from bruteforcing a cam/NVR login? Do cam manufacturers actually lock out the login after several (incorrect) tries?

[Alexbrown012 0]

I think last one.

[luckyfella 0]

Yes, I'm not sure the number of tries, but after several wrong attempts, the Dahua cameras lock out the user even if its the Admin.

The only way to unlock it is to reboot the camera/nvr.

[thewireguys 3]

It's a lot easier then you think.

 

http://www.shodanhq.com/

[luckyfella 0]

Should we all stop port forwarding our dvr/nvrs now?

[MaxIcon 0]

This actually got me wondering. What's stopping me from bruteforcing a cam/NVR login? Do cam manufacturers actually lock out the login after several (incorrect) tries?

 

Like everything software related, this totally depends on the software developers. I would not put any faith in them doing things correctly without testing it myself.

 

Once tested, you can't guarantee the same results will hold for the next firmware release.

 

Assuming no lockouts, the main thing that would stop you from bruteforcing it over the internet is response time. Using a basic dictionary attack (seeded with IP cam logins) would come first, then on to smart brute force. Your PW/second rates would be pretty much dependent on how fast the camera returned results to you, but I'd bet the rate would not be very high.

[thewireguys 3]

Should we all stop port forwarding our dvr/nvrs now?

 

Ideally you should us a VPN