Firewall Settings on Dahua NVR

funtoosko (n3wb, Jan 23, 2023, AU)
Hi, I was wondering whether anyone has tried securing the NVR DHI-NVR5216-16P-4KS2E (version V4.002.0000000.8.R) using the inbuilt firewall settings. I have seen a few remote login attempts on the NVR console, trying multiple passwords.

I tried blocking all other ports except the required ones, but this doesn't allow accessing the live video feed through the DMSS software.
Any feedback?

[Attached screenshot: 1744621466090.png]

How are they gaining access? Do you have UPNP enabled and your system is forwarding your ports to your WAN? If that is the case you will always have someone trying to gain access. In account lockout I would change from 5 to 3 and make sure that the longest lock time is enabled. While that doesn't always help, it can. Next, if you are using P2P and your NVR was set up with UPNP enabled, everyone that has looked at your NVR knows your Serial Number, so you will want to turn off P2P for a while so they move on lol. There are 235 Dahua and 68 Dahua-based NVR5216-16P with all the rest you listed in your country. Either because they don't know and have UPNP enabled, or have port forwarded the NVRs not knowing people troll trying to find people with default or weak passwords. I said knows your Serial Number, maybe not if using SSL as they can be blocked. But yeah, I would look to see if you are forwarding your ports or have UPNP enabled and take steps to secure your connection. Being linked to your WAN is asking for issues.

Blocking ports is useless.

As mentioned, it sounds like you either have port forwarding enabled, or UPnP or some hack thru P2P.

I take it this is a non-POE NVR (or you bridged it on purpose) because by default the NVR will isolate cameras connected to the POE ports by assigning them the 10.x.x.x subnet, so you now likely have attempts, and possible success, not only at the NVR but also at the camera level.


No need to block out the LAN addresses.

You can list the private LAN IP addresses as it does not tell anyone anything - they are the same as everyone else.

The IP address of your service provider for your WAN is what you don't provide... Everything on the inside past the modem is fine to put out.

Everything on the inside, the local LAN, will fall under these ranges and you are not telling anyone anything about how to hack your system, because these ranges are reserved for the "home side" of the service, so every home internally will be within this same range:

10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
Those firewall settings are to help manage access by the devices that already have access on your network (ie all the other devices in your house that have network access). With them you can allow or block access to the NVR from your other household devices. I suspect one of those "allow" rules basically allows ALL devices on the local network to access the NVR. That's normally how these are set up by default and it means that unless you change it, everything on your local network can access the NVR. That isn't necessarily a bad thing either as you should generally be able to trust everything that is on your local network.

However, your problem is that you have devices that are not originating from your local network somehow accessing this NVR. This is a MUCH bigger problem. Your router/firewall device should be blocking 100% of that outside traffic from even "knowing" your network exists. (Firewalls/routers don't just "block" traffic, they make it seem as if the network doesn't exist.) The fact that some random person on the internet can find and attempt to access your NVR is extremely troubling. This means that person is already getting through your router/firewall and is on your network. The only security/protection you have from that person accessing everything else on your network is the "security" of your NVR's firmware. To be blunt, it sucks and can be hacked very easily by someone that knows what they are doing.

To prevent this type of outside access, you need to immediately stop forwarding ports on your router/firewall as well as turn off services like UPnP (which simply allows devices to secretly open ports to the outside world without your express permission). When you forward a port, you are bypassing all of the security that your firewall/router is supposed to provide and simply sending all traffic directly to another device/service on your network. Therefore the only "security" you have at that point is whatever is built into the device/service you are forwarding traffic to. IoT devices like this NVR are notoriously bad at providing network security.

If you need to be able to access the NVR and/or other devices on the local network while you are remote (i.e. away from the house and using the internet to access them), then you really need to set up a VPN or similar service that will allow you to securely access your network while also blocking unauthorized people from accessing your network. While traditional VPN services require a single forwarded port on your firewall to work, the VPN service requires a matching encryption key to be provided by the outside party before that traffic is allowed onto your local network. The security programmed into VPN services is 1000 times better than any IoT device, and while there is always the potential for exploits to be found (which is true of any software/device), the VPN services tend to find and patch these exploits very quickly. On the flip side, IoT device manufacturers rarely patch their firmware even when known exploits have been found in them.

Long story short, you need to lock down your local network from any/all outside traffic. If you need to access the network yourself from the outside, you need to set up a VPN connection. Doing anything else is leaving the door wide open for hackers to exploit.

PS: there is no need to block the local network address on that screenshot. Your local addresses have no meaning to the rest of the world and it is not unsafe to show them. Just don't show your actual public IP address that you have been assigned by your local service provider. Blocking the local addresses is equivalent to me showing a drawing of my house and blocking out the room names like "den", "bathroom", "kitchen", "bedroom", etc. There is no security value provided by blocking them out, as every house has those same rooms. What I would want to block out is the actual physical address (i.e. 100 Main Street, Anytown USA) of my house. The "physical address" of your network is your public IP address assigned by your provider, and you would want to block it out if there was some screen that actually showed it.
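The two points the replies keep coming back to, that the private ranges listed above identify traffic from inside the house while anything else means the router is letting outside traffic through, and that the account lockout threshold should be tightened to a small number of failures, can be turned into a quick triage check over the NVR's login log. The script below is an added example written for this thread, not code from the original posts or from Dahua: the log line format is constructed and hypothetical (a real Dahua NVR exports its log in its own format, so the regular expression would need adjusting), and the sample lines are made up. It parses failed logins, classifies each source address as LAN (RFC 1918) or outside, and lists sources that have already hit the suggested lockout threshold of 3.

```python
import ipaddress
import re
from collections import Counter

# The three private ranges quoted in the thread, in CIDR form.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
]

# Constructed sample log. The format is hypothetical, not Dahua's real export
# format; the outside addresses come from the documentation-only ranges
# 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
2025-04-14 10:01:02 login failed user=admin src=203.0.113.45 via=web
2025-04-14 10:01:05 login failed user=admin src=203.0.113.45 via=web
2025-04-14 10:01:09 login failed user=admin src=203.0.113.45 via=web
2025-04-14 10:02:11 login failed user=root src=198.51.100.7 via=web
2025-04-14 10:05:30 login failed user=admin src=192.168.1.20 via=app
2025-04-14 10:05:41 login ok user=admin src=192.168.1.20 via=app
"""

LINE_RE = re.compile(
    r"login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def is_private(ip_str):
    """True if the address falls in one of the RFC 1918 ranges above."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in PRIVATE_RANGES)


def parse_failures(log_text):
    """Return a list of (user, source_ip) pairs for failed logins only."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "failed":
            failures.append((m.group("user"), m.group("src")))
    return failures


def classify(log_text, lockout_threshold=3):
    """Summarise failed logins by source.

    outside_sources:    sources that are not on a private range, i.e. the
                        router is passing outside traffic to the NVR
    lockout_candidates: sources that have reached the lockout threshold
                        (3, as suggested in the thread instead of 5)
    """
    per_src = Counter(src for _, src in parse_failures(log_text))
    outside = sorted(src for src in per_src if not is_private(src))
    lockouts = sorted(src for src, n in per_src.items() if n >= lockout_threshold)
    return {
        "failures_per_src": dict(per_src),
        "outside_sources": outside,
        "lockout_candidates": lockouts,
    }


if __name__ == "__main__":
    summary = classify(SAMPLE_LOG)
    for src, n in summary["failures_per_src"].items():
        where = "LAN" if is_private(src) else "OUTSIDE"
        print(f"{src:16} {where:8} failed logins: {n}")
    if summary["outside_sources"]:
        print("Outside sources reached the NVR; check port forwarding and UPnP:",
              ", ".join(summary["outside_sources"]))
```

Any entry in `outside_sources` is the condition the third reply describes: traffic from beyond the router reaching the NVR directly, which the firewall settings on the NVR itself cannot fix. The check belongs on the router (forwarded ports, UPnP mappings), not in the NVR's allow/deny list.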