Dahua camera phoning home to China

user54t45t

Noticed my IP camera was reaching out to some China-based IPs, so dropped those outbound packets (60k packets in less than a day). Should I set my hair on fire? Currently the camera is still on my LAN, just blocked from reaching out. No idea what it was doing :(
 

J Sigmo

You'll get a lot of advice on this subject.

Most of us block all of our cameras and any NVRs from directly accessing the internet or actually, anything beyond our LANs.

You are wise to be aware of this and to take the proper measures to mitigate these vulnerabilities. Good for you!
 

john-ipvm

Even if Dahua (or Hikvision or whomever) first sent the traffic to Australia or the USA or the EU, they could always forward it back to China, such is the nature of the public Internet.

As @J Sigmo notes above, best to block all outbound unless you really trust the provider.
 

Pneuma

Agree, security cameras, not just Dahua, are well known to have backdoors. I use my router to give each IP camera a static IP address and I block those IPs from accessing the outside world.
 

awsum140

I use static IPs and block the IPs on the router. On the cameras, I set bogus DNS and default gateway addresses and shut off everything I possibly can that even might look like it would access the internet.
 

wpiman

Huh. I have an EdgeRouter and was just monitoring the IP for my Dahua. Noticed it was getting maybe a small packet every couple of seconds. Set up a rule to block it. Dropped maybe a couple thousand this hour.

I suspect they might be NTP packets. Once I get a chance, I will try to check it.
 

wpiman

If it's NTP, it'll be port 123. Set up a local NTP server.
Huh, I just learned that my router has NTP server on by default.

mike@ubuntu18:~$ ntpdate -q -s time.nist.gov
server 129.6.15.28, stratum 1, offset 0.001920, delay 0.04875
mike@ubuntu18:~$ ntpdate -q -s 192.168.0.1
server 192.168.0.1, stratum 2, offset 0.002806, delay 0.02609
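
The thread's open question is what those dropped packets actually were. The following is an added example (Python, not code posted by any member of the thread) that turns a firewall drop log into that answer: it parses lines in the iptables/EdgeOS "LOG" key=value format that an EdgeRouter or USG drop rule with logging emits, counts flows per destination and port, and labels the ports a camera is normally seen using (123 NTP, 53 DNS, 443 HTTPS, 465 SMTPS). All log lines, addresses and the host name in it are constructed for the example.

```python
"""Triage dropped outbound camera traffic from firewall log lines.

Added example for this thread, not code from any forum member, Ubiquiti
or Dahua.  Parses the iptables/EdgeOS LOG key=value format, counts
dropped flows per destination and port, and annotates the ports a camera
is typically seen using, so "60k packets a day" resolves into "mostly
NTP" or "TLS to an unknown host".  Every log line below is constructed.
"""
import re
from collections import Counter

# Constructed sample: one camera (192.168.1.50) behind a WAN_OUT drop rule
# with logging on.  Three NTP attempts, two HTTPS, one DNS, one unrelated line.
SAMPLE_LOG = """\
Sep  1 10:00:01 ubnt kernel: [WAN_OUT-10-D]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.20 LEN=76 TTL=63 ID=1 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  1 10:00:02 ubnt sshd[1234]: Accepted publickey for admin from 192.168.1.10
Sep  1 10:00:17 ubnt kernel: [WAN_OUT-10-D]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.20 LEN=76 TTL=63 ID=2 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  1 10:00:20 ubnt kernel: [WAN_OUT-10-D]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 TTL=63 ID=3 DF PROTO=TCP SPT=40123 DPT=443 WINDOW=29200 SYN
Sep  1 10:00:21 ubnt kernel: [WAN_OUT-10-D]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.53 LEN=61 TTL=63 ID=4 DF PROTO=UDP SPT=50001 DPT=53 LEN=41
Sep  1 10:00:33 ubnt kernel: [WAN_OUT-10-D]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.20 LEN=76 TTL=63 ID=5 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  1 10:00:35 ubnt kernel: [WAN_OUT-10-D]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 TTL=63 ID=6 DF PROTO=TCP SPT=40124 DPT=443 WINDOW=29200 SYN
"""

# Ports a camera or NVR commonly tries; anything else deserves a packet capture.
PORT_HINTS = {
    ("UDP", 123): "NTP time sync; point the camera at a LAN NTP server instead",
    ("UDP", 53): "DNS; give the camera a LAN resolver or a bogus DNS address",
    ("TCP", 443): "HTTPS; cloud/P2P registration or push notifications",
    ("TCP", 465): "SMTPS; e-mail alerts",
    ("TCP", 80): "HTTP; possible firmware or update check",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of a firewall log line, or None for other lines."""
    if "PROTO=" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # LEN appears twice; keep the IP-header one
    return fields


def summarise(log_text):
    """Count dropped flows by (src, dst, proto, dport), busiest first, with a hint."""
    flows = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        dport = int(fields["DPT"]) if "DPT" in fields else None  # ICMP has no port
        flows[(fields["SRC"], fields["DST"], fields.get("PROTO", "?"), dport)] += 1
    report = []
    for (src, dst, proto, dport), count in flows.most_common():
        hint = PORT_HINTS.get((proto, dport),
                              "unrecognised; capture a sample with tcpdump before allowing it")
        report.append({"src": src, "dst": dst, "proto": proto,
                       "dport": dport, "count": count, "hint": hint})
    return report


def ntp_fraction(report):
    """Share of the dropped packets that were NTP (the suspicion raised above)."""
    total = sum(r["count"] for r in report)
    ntp = sum(r["count"] for r in report if r["proto"] == "UDP" and r["dport"] == 123)
    return ntp / total if total else 0.0


if __name__ == "__main__":
    rows = summarise(SAMPLE_LOG)
    for r in rows:
        print(f'{r["src"]} -> {r["dst"]} {r["proto"]}/{r["dport"]}: {r["count"]} pkts  [{r["hint"]}]')
    print(f"NTP share of dropped packets: {ntp_fraction(rows):.0%}")
```

Run it against the real log (`show log` on EdgeOS, or the USG syslog export) instead of `SAMPLE_LOG`. If the NTP share is high, the fix is a LAN time source as wpiman describes; a large count of 443 connections to one unknown address is the case that warrants a capture before anything is allowed back out.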
 

user54t45t

creating a VLAN for all Chinese IP Cameras...
-no internet access
-no access outside known destination ports to my router
 

sbex55

Newbie here ... could someone point me to a good primer on how to set up a VLAN for my cameras along with disabling internet access? I am using the Blue Iris mobile app to access my cameras remotely.

Thanks for the help!
 

DLONG2

Newbie here ... could someone point me to a good primer on how to set up a VLAN for my cameras along with disabling internet access? I am using the Blue Iris mobile app to access my cameras remotely.

Thanks for the help!
Have you segmented the cameras into their own VLAN yet?

With a Ubiquiti USG router, it's easy to block any LAN device from reaching the internet, and having a VLAN isn't even needed just for blocking internet access. The blocking is accomplished by simply adding a rule on WAN_OUT.

Go to the Settings, then Routing & Firewall, then Firewall, then Groups.
Create a new group, with perhaps a name such as 'Cameras'.
Type: 'Address'.
Add in each of the static IPs of all your cameras (and any other device you wish to block from reaching the internet).
Save the group.

Then go to the Rules. Then click on 'WAN OUT'.
Create a new rule. Give it a name, such as 'Block_Cameras'.
Enable it.
Rule applied: Before predefined rules.
Action: Drop.
Protocol: All.
In my case, I enabled logging.
IPsec: Don't match.

In the SOURCE section:
Type = Address/Port Group.
Address Group: 'Cameras'.
Since you don't want a destination, just leave that section alone.
Save the rule.

Now any device listed in the Cameras group will be blocked from calling home. You can test it by adding in the IP address of your Blue Iris PC, and after saving the change to the group, wait a minute for the USG to act on the rule, and try to access a web page from the Blue Iris PC. When assured the rule is working well, go back and remove the PC's IP from the group, or leave it, as I guess it doesn't matter. In my case, I want the PC to get updates, etc.
 

catcamstar

Have you segmented the cameras into their own VLAN yet?
Tip of the day: it makes your life even easier to have an OpenVPN server running on the Ubiquiti gear and make "simple" access rules on who can access what in your LAN (eg access to the IPC vlan and not to the NAS vlan etc).
 

DLONG2

Tip of the day: it makes your life even easier to have an OpenVPN server running on the Ubiquiti gear and make "simple" access rules on who can access what in your LAN (eg access to the IPC vlan and not to the NAS vlan etc).
Is there a primer on OpenVPN you could recommend? On my Note8 and iPhone, I just use the built-in VPN features to connect to the Radius server in the USG. There's this Tasker app on Android which can leverage OpenVPN which I'd like to explore.
 

catcamstar

Is there a primer on OpenVPN you could recommend? On my Note8 and iPhone, I just use the built-in VPN features to connect to the Radius server in the USG. There's this Tasker app on Android which can leverage OpenVPN which I'd like to explore.
I found tons of inspirational stuff on OpenVPN on the Ubiquiti forum. And your network situation might be a "bit" different than mine, so what I did was harvest bits & pieces from other people's tutorials, stole some great ideas, ditched some (seemingly less great) ideas. But by doing trial and error, you learn from your mistakes :)

In general, my advice would be:
- DRAW your network layout on paper. Don't start coding / configuration before you have an overview of what you want to implement. Keep in mind: networks do change over time; you might run into an iterative process and have to start over from this important step. So keep your documentation for later reference, otherwise you find yourself in a situation like: why on earth did I configure vlan 9, clean it up, and after a while discover that your smart TV can't play media files anymore. Also important: you have your Physical Diagram (which outlet goes to which room, terminated on which switch/router/access point/...) and your Logical Diagram (which IP range, subnet, gateway, vlan number etc).
- once you have your architectural design, you will be able to formulate your requirements:
- if vlans are required: how many, how are they propagated --> this defines whether (or not) you'd require managed switches or unmanaged ones
- if different subnets are required: how many, how are they "concentrated" --> this defines whether (or not) you'd require (additional) routing capabilities
- in case you want to reach your inner network, OpenVPN is the no-brainer solution. It runs on ample SOHO routers (eg ASUS) but also on the Ubiquiti gear. With OpenVPN set up, you can then opt whether you land in a specific vlan, or can connect to restricted subnets.
- in any case of the aforementioned options, you'd think about "access restrictions". Everybody on this forum is already aware that blocking internet access TO IPC/NVR is mandatory (which means no port forwarding); however, thinking about restricting access TO the internet might be a wise thing too. Exceptions can occur if you really want to have push notifications. Draw these access rules on paper (traffic_in versus traffic_out, by physical interface and/or logical interface, eg which IP can talk with another IP). And think broad: do you really want your Google Home device residing in the same network as your NAS with your family pictures? The same applies to your wifi-IoT-fridge. It's not a question of whether they would do you harm NOW, it's more about in 3-4 years, when your fridge is out of warranty, didn't get any firmware update, and the *nix gets whacked and goes rogue on your network. Then you'll be happy to have it isolated in a vlan.
- then it's play time:
- start configuration of your network gear. Do keep regular backups (and keep them in pairs: firmware file + configuration file). Many people only save the configuration file, but if version 4.39 has configuration features which 3.10 does not have, and your system breaks down and you get a new device under warranty sitting on the factory default of 3.10, you can't just load the 4.39 firmware file. But maybe that firmware file doesn't exist anymore and the vendor sits on 5.59, so you lack the intermediate 4.39 firmware file. So keep them both!
- more specifically on OpenVPN: I tend to keep the OpenVPN client in "seamless" mode, which means that whenever my OpenVPN connection drops, even when 3g/4g or wifi still "work", no packets are sent over the air. I do not want to let slip any packets (because maybe my openvpn port is blocked on a public hotspot).

Tasker might help you in the last use case to see "if not connected to trusted wifi - connect openvpn", but in seamless mode, you don't actually need it.

Hope this helps!
CC
 

Jagradang

I wanted to do the above also and block my cameras from all internet access. However, the biggest issue I found is if I do that and block everything then I can't get push notifications (gDMSS) or emails for any alerts/triggered events. That would then invalidate the point of having the CCTV as I wouldn't know an event had occurred!! What makes it more fun is the fact that it uses the standard SMTP port (465) and push notifications use 443!!! So basically no point blocking anything on it if it can get out on port 443!
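
The USG procedure DLONG2 laid out above (an address group, a WAN_OUT drop rule on it, and the "add the Blue Iris PC to the group" test) and the objection just raised (the NVR needs 443/465 out, so why block at all) are two sides of the same ruleset. The following is an added example in Python, not code from the thread, from Ubiquiti or from Dahua: it models first-match evaluation of such a WAN_OUT ruleset, reproduces the PC test, and shows the narrower exception: an accept rule placed before the drop, pinned to the NVR as source and one mail-server address and port as destination, rather than opening 443 or 465 to the whole internet. The addresses, rule names and mail server are assumed (RFC 5737 documentation ranges); WAN_OUT's default action is modelled as accept.

```python
"""First-match model of a WAN_OUT ruleset for an isolated camera group.

Added example for this thread; not code from the forum, Ubiquiti or Dahua.
It reproduces the shape of the USG policy described above (address group
'Cameras', drop rule on WAN_OUT), the temporary-add-the-PC test, and a
pinned exception so an NVR can still send e-mail alerts without getting
general 443/465 access.  All addresses are assumed.
"""
import ipaddress


def _net(value):
    """Accept a host or CIDR string and return an ip_network (host -> /32)."""
    return ipaddress.ip_network(value, strict=False)


class Rule:
    def __init__(self, number, name, action, src=None, dst=None, proto=None, dport=None):
        self.number, self.name, self.action = number, name, action
        self.src, self.dst = src, dst          # group name, host/CIDR string, or None (any)
        self.proto, self.dport = proto, dport  # None means any


class Firewall:
    """Ordered rule list plus address groups; the first matching rule wins."""

    def __init__(self, default_action="accept"):
        self.groups = {}
        self.rules = []
        self.default_action = default_action

    def set_group(self, name, addrs):
        self.groups[name] = {_net(a) for a in addrs}

    def add_rule(self, rule):
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)

    def _match_addr(self, selector, addr):
        if selector is None:
            return True
        nets = self.groups[selector] if selector in self.groups else {_net(selector)}
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)

    def evaluate(self, src, dst, proto, dport):
        """Return (action, rule_name) for one outbound flow."""
        for r in self.rules:
            if (self._match_addr(r.src, src) and self._match_addr(r.dst, dst)
                    and (r.proto is None or r.proto == proto)
                    and (r.dport is None or r.dport == dport)):
                return r.action, r.name
        return self.default_action, "default"


CAMERAS = ["192.168.1.50", "192.168.1.51"]   # assumed static camera addresses
NVR = "192.168.1.60"                         # assumed NVR address
BLUE_IRIS_PC = "192.168.1.10"                # assumed Blue Iris PC address
MAIL_SERVER = "198.51.100.25"                # assumed SMTPS server the NVR must reach


def build_policy():
    fw = Firewall(default_action="accept")   # WAN_OUT accepts unless a rule drops
    fw.set_group("Cameras", CAMERAS + [NVR])
    # Rule 10 sits before the drop: the single outbound exception, pinned to
    # source host, destination host and port.  A rule matching only dport 465
    # would let the NVR reach any host on the internet on that port.
    fw.add_rule(Rule(10, "Allow_NVR_mail", "accept",
                     src=NVR, dst=MAIL_SERVER, proto="tcp", dport=465))
    # Rule 20: everything else from the camera group is dropped.
    fw.add_rule(Rule(20, "Block_Cameras", "drop", src="Cameras"))
    return fw


def blue_iris_test(fw):
    """The check from the post above: add the PC to the group, confirm it loses
    internet access, then remove it again.  Returns the three verdicts."""
    flow = (BLUE_IRIS_PC, "203.0.113.1", "tcp", 443)
    before = fw.evaluate(*flow)[0]
    fw.set_group("Cameras", CAMERAS + [NVR, BLUE_IRIS_PC])
    during = fw.evaluate(*flow)[0]
    fw.set_group("Cameras", CAMERAS + [NVR])
    after = fw.evaluate(*flow)[0]
    return before, during, after


if __name__ == "__main__":
    fw = build_policy()
    for flow in [("192.168.1.50", "203.0.113.20", "udp", 123),
                 (NVR, MAIL_SERVER, "tcp", 465),
                 (NVR, "203.0.113.99", "tcp", 443)]:
        print(flow, "->", fw.evaluate(*flow))
    print("Blue Iris PC test (before, during, after):", blue_iris_test(fw))
```

The point of the model is the ordering and the pinning: the accept rule must be numbered before the drop, and it names one destination host. Push notifications that go to a vendor cloud on 443 cannot be pinned the same way unless the vendor publishes fixed endpoints, which is why the thread's advice is to send alerts from the VMS rather than from the camera or NVR.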
 

SouthernYankee

At first I used an Asus router. There are parental controls that allow you to block by MAC address. I block all my cameras.

I then went to a segregated network. I use two NIC cards in my BI PC. One goes to the main router. The other connects to a gigabit switch which connects to 4 PoE switches that connect to the cameras. All cameras and the NIC cards use static addresses. The cameras and the NIC card are on a separate subnet.

Jagrang
The notifications should be coming from the NVR or the VMS (Blue Iris)
 

Jagradang

Jagrang
The notifications should be coming from the NVR or the VMS (Blue Iris)
I have a Dahua NVR, so yes they are coming from the NVR, which again is from the same manufacturer as the cams and from China. So I was just saying blocking the cams or the NVR is the same thing for me. If you're using BI then the story is probably different.
 