Do you port forward to your BI machine?

Port forward to BI?

  • Yes

    Votes: 8 61.5%
  • No

    Votes: 5 38.5%

  • Total voters
    13

Mr_D

Getting comfortable
Joined
Nov 17, 2017
Messages
596
Reaction score
527
Location
Southern California
My BI machine lives on a separate subnet along with the cameras so even if it got owned, it would not have free run of my LAN. Still, exposing anything to the Internet carries risks. I wouldn't dare expose a typical NVR or camera to the Internet, but at least Windows is actively maintained. How hardened is BI against attacks? Does it have a reputation for taking security seriously and patching issues quickly?

I already have VPN access to my network but it's a bunch of extra taps on my phone to make the connection. I'd still need it for accessing the cameras directly, but being able to hit BI through the app without a VPN would be a lot faster.
 

awsum140

Known around here
Joined
Nov 14, 2017
Messages
1,254
Reaction score
1,128
Location
Southern NJ
Port forwarding is sending out an invitation to be hacked. An extra gesture or two on a smart device is well worth the "terrible" imposition of those gestures.
 

JRNAn30

n3wb
Joined
Oct 24, 2015
Messages
29
Reaction score
14
I have VPN access but also have a reverse proxy to my BI login page and protect it with secure passwords and fail2ban service. I've previously used firewall rules to restrict access to a few regular locations I log in from, i.e. my office and my cellphone provider's IP range. I found VPN'ing in all the time was a headache, whereas now I can just tap the blueiris icon on my cellphone and see my cameras within seconds.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,005
Location
USA
As far as I know Blue Iris has a home-grown web server so it isn't going to be vulnerable to typical automated attacks which target well known vulnerabilities in web servers. This makes it fairly safe as opposed to running a Hikvision camera where there are millions of the things out there and lots of hackers targeting them all the time. At the same time it doesn't instill a great sense of security either. Someone who really knows their stuff could probably find any number of ways to easily perform a denial of service attack on a BI web server or figure out a buffer overflow attack to make BI run malicious code.
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,521
Reaction score
22,657
Location
Evansville, In. USA
I have VPN access but also have a reverse proxy to my BI login page and protect it with secure passwords and fail2ban service. I've previously used firewall rules to restrict access to a few regular locations I log in from, i.e. my office and my cellphone provider's IP range. I found VPN'ing in all the time was a headache, whereas now I can just tap the blueiris icon on my cellphone and see my cameras within seconds.
Wow, what am I doing wrong! On my Android, I put the OpenVPN icon and the BI app icon next to each other on the phone's screen. It takes 5 seconds for me to connect and have BI app running. /snark.

Or set up Tasker to manage your VPN connection.
 

Mr_D

Getting comfortable
Joined
Nov 17, 2017
Messages
596
Reaction score
527
Location
Southern California
Wow, what am I doing wrong! On my Android, I put the OpenVPN icon and the BI app icon next to each other on the phone's screen. It takes 5 seconds for me to connect and have BI app running. /snark.

Or set up Tasker to manage your VPN connection.
I use the built-in VPN facility in Android. Accessing it requires going into the settings. I did find that I can add a widget to the home screen that saves a few taps getting there, but it's still not one tap. I had Nova Launcher on my old phone which has a way to get to the VPN more quickly, but I'm on a Pixel now and would prefer to keep the stock launcher if possible.
 

JRNAn30

n3wb
Joined
Oct 24, 2015
Messages
29
Reaction score
14
No need for snark, there's multiple ways to solve this issue depending on your level of paranoia, technical competency and end-user needs.
In my use case my wife who uses the system has some challenges when it comes to understanding technology and didn't fully understand the connection between the VPN and accessing our self-hosted services, of which blueiris is only one. It makes her life easier if everything we self-host is accessible just like other web services she's familiar with and the access works identically regardless of whether she is at home or away.
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
16,436
Reaction score
38,154
Location
Alabama
What does port forwarding have to do with compromised routers?
I won't attempt to speak for @looney2ns (pretty sure he'll chime in anyway). However, pretending that you posed a general question to this forum and not necessarily directed it solely to the originator that may have prompted it, I can say this:

The news that "hackers infect half a million routers" is not the point in this case, IMO; it's the fact that someone out THERE is trying very hard to get IN....don't make it easier for them by:

1) not using a VPN and
2) leaving UPNP enabled in your router and/or cameras
3) forwarding ports in your router
 

Jaxon

Getting the hang of it
Joined
Aug 9, 2016
Messages
67
Reaction score
38
I won't attempt to speak for @looney2ns (pretty sure he'll chime in anyway). However, pretending that you posed a general question to this forum and not necessarily directed it solely to the originator that may have prompted it, I can say this:

The news that "hackers infect half a million routers" is not the point in this case, IMO; it's the fact that someone out THERE is trying very hard to get IN....don't make it easier for them by:

1) not using a VPN and
2) leaving UPNP enabled in your router and/or cameras
3) forwarding ports in your router

Sometimes there is a need to forward ports; in my case, I forward ports for SIP and RTP to an ATT. The service listening on the node could potentially be vulnerable. In my case, I mitigate this risk by only forwarding pkts from my voip provider src ip (others are dropped silently). Am I at risk here? Maybe, but I'm not too worried about it.

I asked not as you accuse, "pretending" but as a legitimate interest in these kinds of discussions. I wondered if there was a link between being able to compromise a router with forwarded ports? Maybe attackers craft pkts that exploit some vulnerability in the kernel or netfilter used on these routers? Had this been the case, then I would be concerned.

So I read the linked articles....there are a lot of hacked routers, but they really have nothing to do with port forwarding, or did I miss it?

From the article:
"
Q: How does VPNFilter infect affected devices?

A: Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that the exploit of zero-day vulnerabilities is involved in spreading the threat.
"
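
Added example, not part of any post in this thread: a small Python model of the source-restricted forwarding described above (SIP/RTP forwarded only from the provider's address, everything else dropped silently), with an audit pass that flags forwards open to any source. The rule table, rule names, addresses and port numbers are constructed for illustration.

```python
import ipaddress

# Constructed port-forward table; public addresses are documentation ranges (RFC 5737).
FORWARDS = [
    {"name": "sip", "proto": "udp", "ports": (5060, 5060),
     "to": "192.168.1.50", "src": ["203.0.113.10/32"]},
    {"name": "rtp", "proto": "udp", "ports": (10000, 20000),
     "to": "192.168.1.50", "src": ["203.0.113.10/32"]},
    {"name": "bi-web", "proto": "tcp", "ports": (8443, 8443),
     "to": "192.168.50.10", "src": []},  # empty list = any source allowed
]

def decide(rules, proto, src_ip, dport):
    """Return the internal target for an inbound packet, or None (silent drop)."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        lo, hi = r["ports"]
        if r["proto"] != proto or not lo <= dport <= hi:
            continue
        nets = [ipaddress.ip_network(n) for n in r["src"]]
        if not nets or any(src in n for n in nets):
            return r["to"]
    return None

def audit(rules, max_hosts=4096):
    """Flag forwards reachable from anywhere or from an over-broad source range."""
    findings = []
    for r in rules:
        nets = [ipaddress.ip_network(n) for n in r["src"]]
        total = sum(n.num_addresses for n in nets)
        if not nets:
            findings.append((r["name"], "open to any source"))
        elif total > max_hosts:
            findings.append((r["name"], f"source range covers {total} addresses"))
    return findings

if __name__ == "__main__":
    for name, why in audit(FORWARDS):
        print(f"{name}: {why}")
```

The `max_hosts` threshold is an arbitrary cut-off chosen for this example; a carrier-sized allowlist narrows exposure far less than a single provider address does.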
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
16,436
Reaction score
38,154
Location
Alabama
I asked not as you accuse, "pretending" but as a legitimate interest in these kinds of discussions.
"
You are likely the only person on this forum that understood I said that YOU were 'pretending' and 'accused' you of anything. Is English NOT your first language?

I said "..However, pretending that you posed a general question to this forum and not necessarily directed it solely to the originator that may have prompted it, I can say this".

My understanding of how English works, what I said in context is "..I....(as in ME), pretending that YOU posed....I can say this".
 

Jaxon

Getting the hang of it
Joined
Aug 9, 2016
Messages
67
Reaction score
38
You are likely the only person on this forum that understood I said that YOU were 'pretending' and 'accused' you of anything. Is English NOT your first language?

I said "..However, pretending that you posed a general question to this forum and not necessarily directed it solely to the originator that may have prompted it, I can say this".

My understanding of how English works, what I said in context is "..I....(as in ME), pretending that YOU posed....I can say this".
You're a really awesome person, thanks much and have a great evening.
 