160 open BI Ports?

jmburton2001

I stumbled onto this list of open ports for Blue Iris. I have ten cameras (seven currently enabled) but there are 160 open ports. This is a partial list and the overwhelming majority are connected to China.

The 10 cameras are made up of 9 LTS Hikvision and one Amcrest AD110 doorbell.

Is this normal?

Software -> CurrPorts by Nirsoft
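
An added example, not from the thread or from Blue Iris: the tally of remote connections that the post reads off CurrPorts can also be made from Windows `netstat -ano` output. The sample rows are constructed, the remote addresses are documentation ranges, the function names are hypothetical, and 8088 is the web server port named in the thread.

```python
import ipaddress
from collections import Counter

# Ranges treated as "local" here: loopback, RFC 1918 and link-local (IPv4 only).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
               "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample in the layout of Windows `netstat -ano` (not data from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8088           0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.50:8088      192.168.1.23:51514     ESTABLISHED     4120
  TCP    192.168.1.50:8088      203.0.113.7:40112      ESTABLISHED     4120
  TCP    192.168.1.50:8088      203.0.113.7:40113      ESTABLISHED     4120
  TCP    192.168.1.50:8088      198.51.100.44:33002    TIME_WAIT       0
  TCP    192.168.1.50:52011     192.168.1.108:554      ESTABLISHED     4120
  TCP    192.168.1.50:52090     198.51.100.9:443       ESTABLISHED     988
"""

def split_endpoint(endpoint):
    """Split 'address:port' into (address, port as int)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def is_local(host):
    """True if the IPv4 address is loopback, RFC 1918 or link-local."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in LOCAL_NETS)

def inbound_from_internet(netstat_text):
    """Count ESTABLISHED connections to a listening local port from non-local hosts."""
    rows = [line.split() for line in netstat_text.splitlines()]
    # Keep IPv4 TCP rows only; bracketed IPv6 endpoints are skipped in this example.
    tcp = [r for r in rows if len(r) >= 4 and r[0] == "TCP" and "[" not in r[1]]
    listening = {split_endpoint(r[1])[1] for r in tcp if r[3] == "LISTENING"}
    hits = Counter()
    for _proto, local, remote, state, *_ in tcp:
        if state != "ESTABLISHED":
            continue
        local_port = split_endpoint(local)[1]
        remote_host = split_endpoint(remote)[0]
        # A local port that is also listening marks the connection as inbound.
        if local_port in listening and not is_local(remote_host):
            hits[(local_port, remote_host)] += 1
    return hits

if __name__ == "__main__":
    for (port, host), count in inbound_from_internet(SAMPLE).items():
        print(f"port {port}: {count} connection(s) from {host}")
```

Outbound connections (the camera stream on port 554 and the HTTPS session in the sample) are ignored because their local port is not a listening port.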

 

jmburton2001

Hi bp2008!

Yes, BI's web server is on port 8088. Should I change it? It's been on that port for many, many years so if it's time for a change, not a problem.

Is all that hammering remote scanning affecting my bandwidth?
 

mikeynags

Hi bp2008!

Yes, BI's web server is on port 8088. Should I change it? It's been on that port for many, many years so if it's time for a change, not a problem.

Is all that hammering remote scanning affecting my bandwidth?
You should stop port forwarding and look at setting up your own vpn. Regardless of what port you change it to, they will find the new one. Plenty of info here on setting up something like OpenVPN to solve this issue.


 
VPN Primer
 

bp2008

The intrusion scanning by the Chinese IP address was probably not using a significant amount of bandwidth (unless you have very low upload speed). The bigger concern is that they could exploit a vulnerability in your Blue Iris web server to infect the machine with malware. It isn't likely because Blue Iris is not a huge target, but it is still possible.
 

jmburton2001

Oh my goodness... OH.MY.GOODNESS!

I think I have a bigger problem than previously expected. Port forwarding isn't just enabled for Blue Iris on port 8088, it's enabled for every single camera on my system.

Oh myyyyy.... :banghead:




EDIT: I disabled all port forwarding in my router and then disconnected 207 Remote IP connections from China.
 

CCTVCam

Is port 8088 your Blue Iris web server? You probably did port forwarding and used a common port so it got scanned and that remote address is just trying to find vulnerabilities.
This is one area that needs a video tutorial or at least a comprehensive manual. In prep for my BI server, I've been searching both the IP Cam and BI forums for instructions on how to configure BI for remote viewing both on LAN and WAN, and I cannot find a tutorial anywhere for networking newbs like myself, and presumably the guy above (hope you don't mind falling into the same category as me :p ).

I personally tried to remote view on my tv and although I finally got access on my pc on LAN to the login page (still didn't get access despite not setting up credentials (maybe that's what I needed to do rather than leaving them blank as maybe blank is blocked by default)), it was only after going partially through the Web Server Wizard in BI, which 1/2 way through had a page that wanted to automatically open my Windows Firewall ports and port forward. It was at this point I panicked and stopped.

The issue here is that wizard by default appears to require port forwarding if you don't choose Stunnel. That's where I stopped as I tried to avoid port forwarding but now don't have a clue what's open and what's not. Access via LAN is definitely there but I did try putting the port into 2 external port scanners on the internet and they suggest the port is still closed.

However, this demonstrates the lack of a tutorial in this area and the shortcoming of BI in documentation and wizard setup as it's pretty much set up to port forward by default. It assumes a knowledge of networking as does much of the helpful knowledge on here. For someone such as myself whose networking knowledge extends to you can connect 2 computers together using a twisted LAN pair, it keeps you in the dark.

I was very surprised how little documentation there appears to be for BI. I could find none to download or read on the BI web page. Nor are there any walk through tutorial videos apart from a few on here, none of which cover the Web server setup (I did look at the ones on here that mention web server).

I managed to find out what Stunnel is, some kind of external software download that appears to be a poor version of Open VPN. However, this is of little help in the wizard as if you don't choose Stunnel you're pretty much port forwarding.

BI really needs a better wizard with more options and explanation and BI needs documentation or video walk throughs in this area as the big elephant in the room is there's quite a steep learning curve for networking which is fine for software engineers or experienced networkers as many are on here, but totally useless for anyone who's never had any experience of networking at all.

What I believe is needed is a walk through of how to setup a BI webserver and specifically how to set up:

1. LAN access without using VPN

2. WAN using a VPN and avoiding port forwarding

3. Both, Lan without and WAN with

4. How to tell if ports are open using Windows Firewall as well as BI and how to reclose them if they are
 

CCTVCam

Don't know if anyone wants to bring this to BI Developer attention but this is how I believe the networking Wizard should be set up:

3 wizard buttons instead of one:

1. Set up LAN (local) Access

2. Set up WAN (internet) Access

3. Set up both Lan and WAN Access


This would make it easier for those with less understanding, and could be more secure by default by ie. LAN access by default could allow local access but keep external ports unforwarded and closed.

The WAN wizard could give you options similar to the existing ones but with clearer menu choice eg:

1. "Port Forward (easiest but most dangerous way to allow remote access - risks hackers accessing your pc and cameras)"

2. "Use a VPN Server - Most secure but requires additional software in your router"

3. "Use Stunnel - Requires additional software - Falls between a VPN and Port Forwarding in security and ease of implementation"


I believe something as simple as this may help massively in getting people to make the right choices.

It may be worth also looking at the sub menus within the wizards to make them easier to understand by non pc pros.

Finally a port checking utility might be helpful so users can check which ports are open and be informed of any vulnerabilities / close ports on anything identified.

Of course, tutorials and instructions / help file with simple comprehensive walk throughs are another real way of making BI more accessible and preventing more instances of dangerous access being granted but there's no substitute for making the menus easy...
 

jmburton2001

Finally a port checking utility might be helpful so users can check which ports are open and be informed of any vulnerabilities / close ports on anything identified.
Just an observation. The "Tools" tab at the top of this page has an open port checker (and other tools). I personally find the IPCT DDNS service to be invaluable in a residential ISP and 3rd party VPN setting. i.e. Anywhere you have an ephemeral IP address.
 

looney2ns

How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk
VPN Primer for Noobs | IP Cam Talk
Randy : OpenVPN on a Asus router



Cameras should always be blocked from accessing the internet in your router.
UPNP should always be turned off in your Router and in EACH camera.

Only a VPN should be used to remotely access your system.

The BI wizard works just fine as it is, if you understand how it operates.
Networking is NOT part of BI support, you are expected to handle that or hire someone to do it for you.
 

fenderman

Oh my goodness... OH.MY.GOODNESS!

I think I have a bigger problem than previously expected. Port forwarding isn't just enabled for Blue Iris on port 8088, it's enabled for every single camera on my system.

Oh myyyyy.... :banghead:




EDIT: I disabled all port forwarding in my router and then disconnected 207 Remote IP connections from China.
This likely occurred automatically because you had upnp enabled in your router and cams. Disable it.
 

CCTVCam

How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk
VPN Primer for Noobs | IP Cam Talk
Randy : OpenVPN on a Asus router



Cameras should always be blocked from accessing the internet in your router.
UPNP should always be turned off in your Router and in EACH camera.

Only a VPN should be used to remotely access your system.
Thanks I checked out those top 2 links already.

They don't really tell you how to enable LAN only access or give much information about ports and routing.

The BI wizard works just fine as it is, if you understand how it operates.
Networking is NOT part of BI support, you are expected to handle that or hire someone to do it for you.
Not a helpful attitude from the developer or forum.

If the product uses a network to function, then its setup should be explained. That's like saying a router shouldn't come with instructions because it's the end user's responsibility to connect it to the internet and network. It's not helpful and doesn't do a lot to push sales when the product you're selling doesn't come with instructions on how to set it up. Even more so when the product comes with a wizard that actually attempts to set it up unsafely via port forwarding unless you choose 2 very unexplained options as alternatives.

I appreciate documentation and / or video walk through take a considerable effort to produce and to that end, everyone on the forum has an excuse for not doing so, after all it's not their responsibility. However, from my pov it's different for the developer. If you produce a product it should at least come with comprehensive documentation when you're being paid for it.

Finally, anyone using / tried one of these? As I have money put away to buy a gaming router, I was wondering about this? It has a VPN but more importantly the VPN fusion feature which is supposed to let a VPN run alongside your main connection without it slowing it down. Not sure how it does that, some kind of interlacing tech?

 

fenderman

I appreciate documentation and / or video walk through take a considerable effort to produce and to that end, everyone on the forum has an excuse for not doing so, after all it's not their responsibility. However, from my pov it's different for the developer. If you produce a product it should at least come with comprehensive documentation when you're being paid for it.
There are hundreds of other vms and standalone NVR's. Point to a single one that does this. You paid 60 bux. Whoppie, that doesn't demand that the developer provide you with a networking manual. Does your PC come with an electrical wiring manual so you can safely bring the proper voltage to your desktop?
The blue iris help file explains both port forwarding and using NGROK.

FYI, there is a blue iris video tutorial that provides remote access info.

If you want anything more than that it's on you. There are literally hundreds of different systems that provide vpn or other types of secure access, they simply cannot be covered in a manual or video.

Seems like you may need to reconsider blue iris and exchange everything for a ring system.
 

concord

Thanks I checked out those top 2 links already.

Finally, anyone using / tried one of these? As I have money put away to buy a gaming router, I was wondering about this? It has a VPN but more importantly the VPN fusion feature which is supposed to let a VPN run alongside your main connection without it slowing it down. Not sure how it does that, some kind of interlacing tech?

VPN Fusion appears to be a VPN client, where you can connect to a VPN service with multiple connections. This is not what you need, you need a VPN server instead, like OpenVPN (which is listed on the router, like other routers). Once you have OpenVPN server going, you need an OpenVPN app on your cell phone, tablet, remote computer, etc to connect to your OpenVPN server.

See: Tech specs and a few (not specific to this router) FAQ links:
[Multiple VPN] How to configure multiple VPN connections on ASUS Router? | Official Support | ASUS Global
 

looney2ns

Thanks I checked out those top 2 links already.

They don't really tell you how to enable LAN only access or give much information about ports and routing.



Not a helpful attitude from the developer or forum.

If the product uses a network to function, then its setup should be explained. That's like saying a router shouldn't come with instructions because it's the end user's responsibility to connect it to the internet and network. It's not helpful and doesn't do a lot to push sales when the product you're selling doesn't come with instructions on how to set it up. Even more so when the product comes with a wizard that actually attempts to set it up unsafely via port forwarding unless you choose 2 very unexplained options as alternatives.

I appreciate documentation and / or video walk through take a considerable effort to produce and to that end, everyone on the forum has an excuse for not doing so, after all it's not their responsibility. However, from my pov it's different for the developer. If you produce a product it should at least come with comprehensive documentation when you're being paid for it.

Finally, anyone using / tried one of these? As I have money put away to buy a gaming router, I was wondering about this? It has a VPN but more importantly the VPN fusion feature which is supposed to let a VPN run alongside your main connection without it slowing it down. Not sure how it does that, some kind of interlacing tech?

Your network should be properly set up whether blue iris is involved or not. So blue iris has nothing in the game. It's fairly simple really, dive into it and figure it out. In my pov, use the time that you normally spend here griping to study instead.
 

CCTVCam

There are hundreds of other vms and standalone NVR's. Point to a single one that does this. You paid 60 bux. Whoppie, that doesn't demand that the developer provide you with a networking manual. Does your PC come with an electrical wiring manual so you can safely bring the proper voltage to your desktop?
The blue iris help file explains both port forwarding and using NGROK.

FYI, there is a blue iris video tutorial that provides remote access info.

If you want anything more than that it's on you. There are literally hundreds of different systems that provide vpn or other types of secure access, they simply cannot be covered in a manual or video.

Seems like you may need to reconsider blue iris and exchange everything for a ring system.
Thanks for the video link I'll take a look.
 

jmburton2001

This likely occurred automatically because you had upnp enabled in your router and cams. Disable it.
Nope... This was a direct result of the forwards being manually entered into the router. Hence the :banghead: emoji. It was a bone-headed mistake.

I started my home brew networking back in the 90's with a Cisco 2501 and a T1 line. I never trusted anything plug-and-play and always like to manually "force" my routes. This was (as they say) my bad.
 

kumar2020

Another option for remote access is a service such as ZeroTier. I like it because it's fairly simple to set up on devices, is very secure, and you can really have control over what devices can connect to each other. I shut down my router based VPN and now use this instead to access BI using the BI Android app.
 