PFBlocker for PFSense

Sparkey

Pulling my weight
Joined
Apr 3, 2015
Messages
237
Reaction score
159
Keeps the Chinese from trying to hack into Blue Iris. I've had zero attempts from China since I installed it. All my cams are on an internal subnet and not accessible from the Internet. Hopefully I am safe.
 
Joined
Aug 29, 2019
Messages
7
Reaction score
8
Location
Sweden
Well, I think you could think of it this way instead, if you have cameras (non-official I guess) and you haven't checked these in depth. They are in the same zone as your Blue Iris server, so have protection on the WAN edge and DNS, I would not be so sure that you are so secure :)

Always best to have cameras on a separate VLAN, especially when they are usually also outside.

However, pfBlocker and Suricata are really good to have on the fw, of course.

PS. If necessary to have it on the same VLAN, full drop in the fw for the cameras' IP range (if no local NTP, I guess NTP to a specific src is OK).
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
How do you see the Chinese trying to hack your cams on BI? If there are no login attempts in BI Status connections, is there a different location?
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
Status button at the top.
That is odd. You are using a VPN and still see them trying to connect. Luckily I am only seeing UI3 I have and old phone logins etc. but nothing suspicious.
 

Sparkey

Pulling my weight
Joined
Apr 3, 2015
Messages
237
Reaction score
159
Cameras are on their own subnet. Login attempts are for BI. BI and the server it runs on are protected by uncrackable passwords.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
> Cameras are on their own subnet. Login attempts are for BI. BI and the server it runs on are protected by uncrackable passwords.

Yes. What do the login attempts on BI Status - Connections look like? I am just curious. I didn't think it could be accessed.
 
Joined
Aug 29, 2019
Messages
7
Reaction score
8
Location
Sweden
> Cameras are on their own subnet. Login attempts are for BI. BI and the server it runs on are protected by uncrackable passwords.

But then I don't understand what value pfBlocker adds if the attempts are for BI from WAN and you haven't published it externally?

pfBlocker should not be used on the WAN interface in general if no public services are published. So if you have a VPN, you can add a pfBlocker rule for only that port, so to speak.

So yeah, I'm also curious now what's going on :)
 

Sparkey

Pulling my weight
Joined
Apr 3, 2015
Messages
237
Reaction score
159
No one has gained access but I'm still concerned and prefer that people in China, Russia and whatever other country I choose to block do not get past my router. Simple as that.

My BI server has 2 network interfaces. One for the cams (192.168.5.XX) and the other for Internet (192.168.1.xx).

PFBlocker does the job.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
> No one has gained access but I'm still concerned and prefer that people in China, Russia and whatever other country I choose to block do not get past my router. Simple as that.
>
> My BI server has 2 network interfaces. One for the cams (192.168.5.XX) and the other for Internet (192.168.1.xx).
>
> PFBlocker does the job.

Nice. What are you using to run it? I am trying to find a little computer that might do the job. So do you use VLANs or just 2 network cards?
 

NoloC

Getting comfortable
Joined
Nov 24, 2014
Messages
701
Reaction score
454
@Sparkey sounds like you have open ports? Port forwarding is generally a bad idea. Any particular reason?

Most of us set up OpenVPN for remote access and do not expose any ports.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
> @Sparkey sounds like you have open ports? Port forwarding is generally a bad idea. Any particular reason?
>
> Most of us set up OpenVPN for remote access and do not expose any ports.

That would clear up some confusion. With open ports I did see odd connections. With Asus/OpenVPN it seems much better.
 

CCTVCam

Known around here
Joined
Sep 25, 2017
Messages
2,671
Reaction score
3,497
Not sure it adds much safety although it's better than default. If you block by IP, what about the Chinese hacker who detects the camera and uses a proxy service, e.g. a server based in the US, to circumvent IP-based geolocation restrictions?

Best way is to make sure your camera is not visible or accessible to the wider internet either directly or by exploit / back door. That way, there's nothing to go after. Certain OSINT tools will soon find your camera's IPs and sub-addresses if they are visible to the internet, even if popular search engines show no results.
 

whoami ™

Pulling my weight
Joined
Aug 4, 2019
Messages
230
Reaction score
224
Location
South Florida
Most connection attempts are from bots randomly scanning ports. If you set up a honeypot on a server that captures IPs you'd literally see hundreds of connection attempts a day. Some open ports get more than others, and no port is exempt.
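
The background scanning described above can be measured at the firewall itself rather than in Blue Iris, by tallying blocked inbound WAN hits from the pfSense filter log. This is an added example, not part of the thread: it assumes the comma-separated IPv4 layout of pfSense raw filterlog entries and a WAN interface named `igb0`, and the sample lines are constructed with documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Mar  1 10:00:01 fw filterlog[411]: 5,,,1000000103,igb0,match,block,in,4,0x0,,240,54321,0,none,6,tcp,40,203.0.113.7,198.51.100.20,40112,8080,0,S,100,,1024,,
Mar  1 10:00:02 fw filterlog[411]: 5,,,1000000103,igb0,match,block,in,4,0x0,,240,54322,0,none,6,tcp,40,203.0.113.7,198.51.100.20,40113,23,0,S,101,,1024,,
Mar  1 10:00:09 fw filterlog[411]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,1201,0,DF,6,tcp,60,192.0.2.44,198.51.100.20,51515,8080,0,S,200,,64240,,mss
Mar  1 10:00:15 fw filterlog[411]: 80,,,1700000001,igb0,match,pass,in,4,0x0,,57,9001,0,none,17,udp,70,203.0.113.99,198.51.100.20,51000,1194,50
Mar  1 10:00:20 fw filterlog[411]: 12,,,1700000002,igb1,match,block,in,4,0x0,,64,77,0,DF,6,tcp,60,192.168.5.30,198.51.100.99,49152,80,0,S,300,,64240,,mss
"""

def parse_filterlog(line):
    """Return the fields of interest from one IPv4 TCP/UDP entry, else None."""
    m = re.search(r"filterlog\[\d+\]:\s*(.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    # Assumed layout: 4=interface, 6=action, 7=direction, 8=IP version,
    # 16=protocol name, 18=source, 19=destination, 21=destination port.
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
            "src": f[18], "dst": f[19], "dport": int(f[21])}

def summarize_blocked(log_text, wan_if="igb0"):
    """Count blocked inbound WAN attempts per (proto, port) and per source."""
    by_port, by_src = Counter(), Counter()
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if e and e["iface"] == wan_if and e["action"] == "block" and e["dir"] == "in":
            by_port[(e["proto"], e["dport"])] += 1
            by_src[e["src"]] += 1
    return by_port, by_src

if __name__ == "__main__":
    ports, sources = summarize_blocked(SAMPLE_LOG)
    for (proto, port), n in ports.most_common():
        print(f"{proto}/{port}: {n} blocked")
    for src, n in sources.most_common():
        print(f"{src}: {n} blocked")
```

Hits that appear here with no matching entry in Blue Iris never reached the application, which is the expected picture when no ports are forwarded.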
 