> I don't have to hide like you to remain secure.
We're all "hiding" when our internet connection is a dynamically-assigned residential IP address.
> my home automation server is running on port 80/443 on the host above.
At home, I operate nothing on port 80 or 443 or any standard port. Right off the bat that makes my situation far more secure than yours.
Bots and other malicious actors know that 99.999% of residential device owners don't have a clue as to how to configure specific port forwarding so they can access their device from off-site, and the bots know what the standard ports are for these devices (80, 8080, and a very few others). So the bots only scan for those very few ports.
> This botnet here was rather unsophisticated, but there are many
> out there far more complex than this that have proven to be quite
> a challenge to dismantle.
You equate the complexity of dismantling a botnet with what the botnet is actually doing, and that's the wrong equation. There is NO comprehensive effort on the part of anyone (black-hat or white-hat) to scan all 64k ports on all in-use IPv4 addresses. The reason is beyond obvious.
> You don't even have to bother scanning for hosts on port 80;
> Google will do that for you.
Google does not hit naked IPs on port 80 by IP address with no page target. I know this because I've been running a corporate web server for 15+ years and I read the logs frequently, and web servers are almost universally set to not respond with their working site if you just hit them at their IP address. You need to hit them at their domain. I've never seen Google's bots hit my home IP, for example, to see if there's a web server operating there. Hit a working web server by its IP address and you'll get "page not found" or "invalid request" or something like that, which for Google is useless because there's no content to index when you do that.
> but yes, the vast majority of automated attacks are
> simply looking for default configurations; congrats
> for not being default, but if you think that makes
> you secure you're just being delusional.
Truth be told, I've been operating a half-dozen IP cams on alternate ports with the default UN/PW (which usually means no PW) for years and nothing and nobody except me hits them. These cams just send email when they detect motion, so I don't interact with them with any apps or shit like that. When I want to talk to them, I'll bring up a browser (like IE6, because it's fast and simple) and contact the camera.
> Many video surveillance software packages won't let you define
> custom ports for backend control and video; yeah, you
> can change the WebUI to another port, but if you want
> your app to work
Don't care / don't use apps.
Your router can re-map alternate external port numbers (on the WAN side) to standard/fixed ports on the LAN side (if you can't change port numbers on your device). At least most routers can do that.
> you leave the RTSP stream on 554 and the ONVIF on 9000;
> those alone will identify you by response and trigger
> a further in-depth scan.
So re-map them on the WAN side or don't forward those in the first place.
> Security is not about just not becoming part of an
> automated botnet, but yes I have seen automated deep
> scanning of large networks,
Have you seen a comprehensive scan of all 64k port numbers on a single IP address?
Answer yes or no to that question.
> I am a Cloud Infrastructure Engineer. I see it all
> the time; it doesn't take much to become a target.
You don't get it. It takes nothing to become a target because every routable IPv4 address IS a target. Bots don't care and generally have no foreknowledge about which IPs they should scan next. They're given a range or a CIDR and they just bang away.
> VPN is not hard; millions of idiots use it every day
> to check work email without the slightest clue how it works.
My home mail client checks for POP mail on a non-standard port to my $dayjob server, where the router maps the non-standard port to port 110 on the LAN. Simple UN/PW is used, no TLS or crap like that. The SMTP server is circa 1999 (Post.Office by the now-defunct Software.com). Great software; it's been running on our NT4 server for the past 17 years.
I'm not swayed at all by new/shiny things or the IT peer pressure that forces others to upgrade. Ever hear of "The Emperor's New Clothes"? By the way, I'm reading this forum and posting this on my home PC: Windows 98 SE with KernelEx, 2 GB RAM, and 3.5 TB of installed SATA hard drives with a P4 3.5 GHz CPU.
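The thread above turns on one empirical question: do the sources hitting a home address probe only the handful of well-known ports (80, 443, 8080, 554, 9000), or do some of them sweep the whole 1-65535 range? The script below is an added example, not code from either poster, that makes that a check you can run over your own firewall logs: it parses iptables-style drop lines, counts the distinct destination ports each source touched, and labels the source as narrow (only standard ports), targeted (a few ports including a non-standard one), wide, or full-range. The log format, the thresholds and the sample lines are all assumptions constructed for the example.

```python
"""Added example (not from the forum post): classify probing sources in
firewall-drop logs by how many distinct destination ports they touched.

Assumptions: iptables LOG lines with SRC=/DPT= fields; thresholds of 100
ports for "wide" and 60000 for "full" are illustrative, not measured.
"""
import re
from collections import defaultdict

# Assumed iptables-style log format: "... SRC=a.b.c.d ... DPT=n ..."
LINE_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)")

# The "standard" ports the thread names: web UI, RTSP and ONVIF.
COMMON_PORTS = {80, 443, 8080, 554, 9000}


def parse_drops(lines):
    """Return {src_ip: set(dst_ports)} from log lines that match LINE_RE."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[m.group("src")].add(int(m.group("dpt")))
    return seen


def classify(ports, wide_threshold=100, full_threshold=60000):
    """Label one source's set of probed ports.

    narrow   - a few ports, all in COMMON_PORTS (the opportunistic-bot case)
    targeted - a few ports, at least one of them non-standard (a follow-up)
    wide     - many ports, i.e. a genuine range scan
    full     - practically the whole 1-65535 range
    """
    n = len(ports)
    if n >= full_threshold:
        return "full"
    if n >= wide_threshold:
        return "wide"
    if ports <= COMMON_PORTS:
        return "narrow"
    return "targeted"


def summarize(lines):
    """Map every source IP in the log to its scan label."""
    return {src: classify(ports) for src, ports in parse_drops(lines).items()}


# Constructed sample (documentation IP ranges): one source hitting only the
# standard ports, one following up on a non-standard port (12345 is an
# arbitrary constructed value), and one sweeping the entire port range.
def _line(src, port):
    return f"kernel: DROP: IN=eth0 SRC={src} DST=203.0.113.5 PROTO=TCP DPT={port}"


SAMPLE = (
    [_line("198.51.100.10", p) for p in (80, 8080, 443)]
    + [_line("198.51.100.20", p) for p in (554, 9000, 12345)]
    + [_line("198.51.100.30", p) for p in range(1, 65536)]
)

if __name__ == "__main__":
    for src, label in sorted(summarize(SAMPLE).items()):
        print(src, label)
```

Run it against a real `dmesg` or `/var/log/kern.log` extract instead of `SAMPLE` to see which of the two pictures in the thread matches your own address; the distinction that matters for a home setup is how many sources land in the "targeted" bucket, since those are the ones that came back for a non-standard port after an initial hit.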