7 Dahua cameras lost connectivity

When you have an ICMP echo reply from the camera, try to connect with Dahua's ConfigTool on port 3800 and see if it stays connected.
Maybe worth the try?
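As an added example (not from the post or from Dahua's own tooling), a small Python check for the procedure above: confirm an ICMP reply, then open a TCP connection to the ConfigTool port and hold it to see whether it stays up. Port 3800 and the Linux ping flags are assumptions; demo_listener is a constructed local stand-in for the camera so the check can be run offline.

```python
import socket
import subprocess
import threading
import time

DAHUA_CONFIGTOOL_PORT = 3800  # port the post names for ConfigTool (assumption)

def icmp_reachable(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo request via the OS ping binary (Linux ping flags assumed)."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0

def tcp_stays_connected(host: str, port: int, hold_s: float = 5.0,
                        timeout_s: float = 3.0) -> tuple:
    """Connect to host:port and hold the socket for hold_s seconds. Returns
    (connected, stayed_up); stayed_up is False if the peer FINs/RSTs mid-hold."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout_s)
    except OSError:
        return (False, False)
    deadline = time.monotonic() + hold_s
    try:
        while (remaining := deadline - time.monotonic()) > 0:
            sock.settimeout(remaining)
            try:
                chunk = sock.recv(1024)  # data (a banner, say) means still up
            except socket.timeout:
                continue                 # idle peer: still connected, keep holding
            if chunk == b"":
                return (True, False)     # orderly close from the peer
    except OSError:
        return (True, False)             # reset or other mid-hold failure
    finally:
        sock.close()
    return (True, True)

def demo_listener(close_immediately: bool) -> int:
    """Constructed stand-in for the camera on 127.0.0.1: accepts one connection,
    then closes it at once or holds it for 2 s. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        time.sleep(0.0 if close_immediately else 2.0)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real camera, call `icmp_reachable(ip)` and then `tcp_stays_connected(ip, DAHUA_CONFIGTOOL_PORT)`; a result of (True, False) means the link answers ping but drops the TCP session, which is the symptom the post asks you to look for.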
 
Welp, you don't do your banking over VPN. :p

True, but that would be unnecessary. Your bank's website has been coded and is regularly tested to withstand the types of attacks that you face on the internet. Additionally, one would hope that the bank has additional layers of security designed to detect and mitigate attacks as soon as possible, including things like intrusion detection systems, next-gen firewalls, anomaly detection systems, monitoring, and proper network segmentation. Most of us don't have those layers at home. TLS/SSL is just a protection against sniffing and some MITM attacks. It does not affect the security of the endpoints talking through the tunnel in any manner.

While I have a lot of trust in what BI is designed for, I don't have faith that it has been coded to protect against most web vulnerabilities, nor do most end users have the knowledge or resources to protect their networks should their BI machine be compromised. VPN servers are hardened endpoints, so they can significantly mitigate that risk.

You better make sure that VPN server is actually kept patched and updated; some people think VPNs and firewalls are magic, they are not. If you are running some shitty home router or an old ass Cisco device, your VPN is probably just as vulnerable as anything else because the firmware hasn't been updated in ages. You can also be sure those lame ass home routers aren't doing anything advanced at all lol. Not saying you don't have that, just saying people think because it's a VPN it's a magic bullet, it is not. Plus everyone who knows anything about IT security knows, if someone wants you bad enough, ain't nothing gonna stop them. :)
 

Your VPN Server running on your router is Open Source, and has been audited for security vulnerabilities by professionals non-stop for oh, the last 15 years or so.. Give me half a day w/BlueIris's source code and I'll find enough issues to take down every BlueIris box stupidly connected to the internet a few times over.

You can have all sorts of security issues and be quite fine; it's called attack surfaces.. VPN is a hardened attack surface.. your router likely has no exposed surfaces of its own, so even if it's chock-full of bugs it's likely only exploitable by someone actually on your network who has already made it past it.

Take a $10k bike, chain it up in your garage and it'll be relatively safe.. Take a $10k bike and chain it to your mailbox and now the attacker doesn't need to penetrate your house first to even know the bike exists, they'll just kick your mailbox over and ride off.
 
Go for it, I'm sure everyone would like to see all the hacks you find. :)
 
you better make sure that vpn server is actually kept patched and updated, some people think VPN's and firewalls are magic, they are not.
Agreed. Applies to all internet-facing software, and most internal-facing software.

just saying people think because it's a VPN it's a magic bullet, it is not.
Also agreed. However, using a tool that is designed to be hardened and exposed to the internet is better than using a tool that was not.

Plus everyone who knows anything about IT security knows, if someone wants you bad enough, ain't nothing gonna stop them. :)
As a 20-year infosec pro who has built and run successful security teams at some of the largest companies in the world, I agree. But that argument is often used as an excuse to justify security that is not commensurate with the risks. Determined hackers are hard to stop, but they tend to be well-resourced and target weaknesses in the human part of the chain to get to a specific goal. But most technical hacks against systems like this on consumer sections of the internet are not targeted; they are used against victims of opportunity. I, for one, want my network to be inopportune :-)
 
OpenVPN: Security vulnerabilities

Look at the Gained Access Level and the Authentication tabs. The last issue that allowed user-level access w/no authentication was 2005... The last BlueIris issue known to allow the same level of intrusion was 2016.

The vast majority of the issues are denial of service attacks to crash the VPN server; almost none ever allowed anyone to bypass the VPN server and gain deeper entry into the network.. Yes, nothing is 100% safe; but forwarding ports is like taking the front door off your house; you can never really know who or what's inside your house.. Running a VPN is like putting that door back on and installing a very expensive, unpickable lock and hardening it so nobody can kick it down.. meaning nobody's going to be coming through the front door anymore, they'll need to find a back way in.
 
Take a $10k bike, chain it up in your garage and it'll be relatively safe.. Take a $10k bike and chain it to your mailbox and now the attacker doesn't need to penetrate your house first to even know the bike exists, they'll just kick your mailbox over and ride off.

I am so stealing that analogy.
 
Yeah well, security is always a balance between secure and usable. You can unhook your goddamn computer from the internet and bury it in the back yard, no one will hack it, but then it's worthless. You can block everything with a firewall and then you can't do anything. Not everyone wants to run a VPN client on their phone 24/7 and drain the battery in an hour, and firing up a VPN every time you wanna check in on your cameras is also annoying. People have to make their own decisions of convenience vs security.
 
IT guys tend to have an annoying trait of thinking they know everything and trying to make everyone else look stupid; sometimes people know and make calculated decisions. :P
 
I don't need to make you look stupid; you did that well enough on your own. If you understand the issue, then don't try to defend your choices with half-baked arguments and cliche responses.
 
Aw come on now. He grows on you after a while. Actually he incites great debate, but sometimes comes across somewhat obtuse. I like a guy not afraid to say what he thinks, even when it is dumb! Hey, many of us hide and try to look smart. Old Hmj is just wysiwyg. I root for that. He's an asset to this community.

So wonder if the OP ever got his cams back?
 
I had 1 camera go out attached to PoE. I took it down and powered it up with a power brick and it worked. Whatever I tried with PoE didn't work.

Try the brick.
 
Not everyone wants to run a VPN client on their phone 24/7 and drain the battery in an hour, and firing up a VPN every time you wanna check in on your cameras is also annoying.

Just my 2c, I have an iPhone 7 Plus that runs OpenVPN to my pfSense VM that hosts an OpenVPN server. I've never noticed any additional drain on the battery caused by the VPN. Granted, I don't keep the BlueIris app running in the background. I only check it when I get a push notification. And these come through a different channel; you don't need to be connected to get the notifications. (Push notifications hit Apple's push service, which then goes to the mobile phone; you don't need the app running or connected to get them.)

To connect, though, OpenVPN is dead simple. Click the app. Click connect. Done. It takes about 500ms. Easy peasy. I tend to be one that hates additional steps and treasures response times, so for me this really is not annoying at all. When I play games and it takes 5 seconds to open the damn app and log in, then I get annoyed, but that's not the case here. Honestly the biggest annoyance is just the initial setup, having to generate a cert and connect my iPhone physically to the computer and open iTunes and drag and drop the cert into the OpenVPN app; that's annoying and that takes like 30 seconds lol, but you only have to do it once at least. There's really no reason to take the risk of exposing BlueIris directly. Last thing I want is some creeper perving in on us.
 
OK, so some new developments. I got a proper 12V brick and the camera powers up with the 12V brick, and I am able to get into the WebUI and via ConfigTool to manage the camera and view video. My new switch is a NETGEAR ProSAFE JGS524PE and it seems to be negotiating PoE just fine based on the LEDs. What else is weird is that I just received a new camera and upon plugging it in it's exhibiting similar behavior. Could it be that somehow my switches are not pushing enough power? I mean, this is just so strange that now a new camera would have the same problem.
 