Banned IP Addresses

[OBXJeepGuy]

I have had a ton of sniffers around my BI system. I'm quite sure its because I am using Port 81 for the web server. I have a list of what I've banned so far, and was wondering if anyone else also had a list of banned IPs they wanted to share. Here's what I have so far:

-198.98.52.213
-209.141.41.193
-35.245.188.175
-205.185.116.89
-209.141.33.65
-205.185.116.25
-43.129.35.207
-93.174.95.106
-45.137.21.9
-195.133.18.112
-185.220.100.251
-45.153.160.137
-198.98.51.245
-209.141.59.110
-185.142.55.38
-80.82.77.192
-209.141.60.143
-5.8.10.202
-45.148.10.241
-35.225.82.182
-99.228.225.177
-178.17.170.23
-45.154.255.147
-113.220.30.164
-199.195.252.74
-162.142.125.42
-128.199.197.12
-45.137.23.238
-193.169.254.223
-209.141.36.253
-209.141.62.11
-23.183.81.197
-220.133.204.95
-223.71.167.166
-185.220.100.255
-136.144.41.6
-199.19.225.163
-209.141.55.220
-222.186.19.235
-50.31.21.8
-50.31.21.9
-50.31.21.6
-170.253.9.228
-192.241.207.115
-159.89.32.10
-212.192.241.211
-71.6.167.142
-46.175.22.54
-61.242.58.67
-183.136.225.9
-92.118.161.49
-167.248.133.57
-2.57.122.74
-171.25.193.20
-185.220.101.42
-167.248.133.43
-221.145.239.171
-23.224.186.119
-183.80.212.132
-92.118.161.21

 

[OICU2]

Your should set up a VPN for access. You'll have zero on that list.

 

[OBXJeepGuy]

I've been told that, or change my port to some off the wall number. The port change is the free option, but I tried it, and bungled something and ended up going back to port 81. I'm sure I missed a step somewhere.

 

[OICU2]

You can change the port a million times, there are botnets that search within seconds. Setup a VPN, it is also free and included with most newer consumer routers. You may be thinking about a pay VPN which is used to mask your own IP for purposes of gaming or other anonymous browsing, that is not what we reference. We mean something like OpenVPN. There's a nice writeup somewhere here on IPCT but I can't find the thread right now.

 

[OBXJeepGuy]

My router is as old as dirt. There is nothing about VPN on it. At some point I will have to get a new one.

As for the money part, I built this thing all at one time brand new and got 4 Amcrest cameras, and BI. I was trying not to take another hit with a pay VPN. Now I'm looking into OpenVPN. Thanks for the heads up!

 

[OICU2]

Here is the writeup: VPN Primer for Noobs

 

[OBXJeepGuy]

Whew... Tough crowd in there. Now to figure out how to set this up on my server. Wish me luck.

 

[SpacemanSpiff]

Share the make and model of router

 

[SpacemanSpiff]

Whew... Tough crowd in there. Now to figure out how to set this up on my server. Wish me luck.

Very little to do on the BI machine itself, follow the prompts for the wizard they built-in. After that it is configuring your router, and the device that you will connect with remotely

 

[iwanttosee]

Now to figure out how to set this up on my server. Wish me luck.

I used my BI server Windows 10 HyperV to run a VM instance of RaspberryOS with 1GB of ram and a few GB for harddrive space, Raspberry Pi OS – Raspberry Pi
Then I install PiVPN PIVPN: Simplest way to setup a VPN
Once you get your OpenVPN setup done, you close that port 81 and open a UDP port (1194 probably) and point that to your OpenVPN server.
There are other OpenVPN server/client out there but I find myself using RaspberryOS because it's what I am familiar with and I already use Pi-Hole so it's already there.

Sign up your favorite DDNS server and client installed and you're good to go.

 

[OBXJeepGuy]

Share the make and model of router

Arris/Motorola SBG-6580

 

[TVille]

ZeroTier. Free service for home use. Runs on the Windows machine, apps for your phone or other computer. Should work through/with virtually any router, no matter how old.

 

[looney2ns]

ZeroTier | Global Area Networking

ZeroTier enables secure, modern overlay networking for the Internet of Things, Industrial IoT, RMM, Remote Access, Embedded Networking, SD-WAN, VPN, and more.

www.zerotier.com

 

[Teken]

A VPN offers absolutely no solution to address the root of the problem. As noted by me and countless others in this forum true security would mean the video system would have no outside Internet connection - none. Since all of us live in the real world and like to use the technology we spent gobs of money, and time on.

Viewing remotely seems to be a thing for people . . .

Thus, people always tout connecting from the outside - in via, a VPN tunnel.

Once again, that doesn't do anything as it relates to being scanned and bombarded by outside forces. At a very basic level one of the key pillars to network security is having a firewall appliance at the edge of the network. Those who are more serious and have the finances spend money on ISP filtering.

This essentially blocks ever changing threats literally at the ISP before it ever comes into your home. Other Best Practices as it relates to network security is to run the video security on a completely isolated network from the main private LAN. Employing this basic topology limits the possibility of a network breach along with negating any impact on the main network as it relates to bandwidth.

When all of the best practices as it relates to network security is employed and in place the attack surface on your home network is extremely small.

 

[OBXJeepGuy]

Once again, that doesn't do anything as it relates to being scanned and bombarded by outside forces. At a very basic level one of the key pillars to network security is having a firewall appliance at the edge of the network. Those who are more serious and have the finances spend money on ISP filtering.

Like Fortinet Fortigate, Barracuda, et al?

 

[OICU2]

A VPN offers absolutely no solution to address the root of the problem. As noted by me and countless others in this forum true security would mean the video system would have no outside Internet connection - none. Since all of us live in the real world and like to use the technology we spent gobs of money, and time on.

Viewing remotely seems to be a thing for people . . .

Thus, people always tout connecting from the outside - in via, a VPN tunnel.

Once again, that doesn't do anything as it relates to being scanned and bombarded by outside forces. At a very basic level one of the key pillars to network security is having a firewall appliance at the edge of the network. Those who are more serious and have the finances spend money on ISP filtering.

This essentially blocks ever changing threats literally at the ISP before it ever comes into your home. Other Best Practices as it relates to network security is to run the video security on a completely isolated network from the main private LAN. Employing this basic topology limits the possibility of a network breach along with negating any impact on the main network as it relates to bandwidth.

When all of the best practices as it relates to network security is employed and in place the attack surface on your home network is extremely small.

My mistake, I ASSume if one is running OVPN or similar, they already have at least a basic firewall in place running alongside VPN. I have both and my BI system is physically on a separate isolated network with BI having a dual NIC.

 

[Teken]

Like Fortinet Fortigate, Barracuda, et al?

Absolutely, along with using any of the half dozen free firewall software like pfSense.

 

[Teken]

My mistake, I ASSume if one is running OVPN or similar, they already have at least a basic firewall in place running alongside VPN. I have both and my BI system is physically on a separate isolated network with BI having a dual NIC.

No mistake in your reply I simply wanted to offer more insight and clarification as to the OPS concern of seeing and detecting IP addresses scanning & probing his network. As such, only a firewall appliance will offer that wall to reduce the same.

For the benefit of others it should be made clear almost every router sold in 2021 offers the most basic firewall / VPN services and protection. Even the ISP you're using and connected to incorporate all manner of IDS / IPS / Antivirus. On that note one would have to ask if the ISP offers such services in the connection why then are the general public still impacted by bad actors???

Because its impossible to filter everything without it impacting the speed of the connection from the ISP to end user.

Another problem that exists since the age of man is the fact people simply don't care. Worse, are those who do care but fall quickly into complacency thinking I just spent gobs of time and money on XYZ - I'm invincible.

Fail . . .

Like the weather it is ever changing and every second there is someone wanting to do something bad. Think Antivirus, there probably isn't a computer out there today that doesn't have antivirus protection. Yet, everyday there is news show casing a computer / network impacted by a virus and ransomware.

Why???

99% of the time its from within (insider) who thinks its OK to bring (insert whatever media) into a place of business and inserting the same into the corporate network. 99% of the infections comes from audio / video media / documents that the imbeciles just wanted to view / listen to with no regard to security. The last 1% is from social engineering which impacts thousands of people each year because the company or people have no concept of best practices of following basic authentication as it relates to privacy.

This is analogous to the question always posed by the people too dumb to know what is the most important safety on a fire arm?!?!?

Is that (IF) the weapon is hot and loaded - no.

That's your freaking finger isn't on the trigger until ready to fire! Obviously, it goes without saying assume a firearm is hot until proven otherwise by clearing the weapon and inspection. Never pointing any weapon at a person and secure the same in a secure enclosure when not in use far away from children - uneducated.

Everyday systems are compromised not because the IT staff are incompetent. It's the fact they can't protect stupid from surfing to a dangerous website. They can't protect the network from CEO imbecil who must watch the 3rd quarter which he downloaded from a untrusted torrent only to infect the entire network by doing so!

The IT department must balance access, ease of use, and long term maintenance with the end clients. Thus, everything we do is a compromise of convenience vs security.

 

[OBXJeepGuy]

Well now this has turned into something else I would like to build. Or I could just buy a Netgate 1100, and be done with it.

 

[Teken]

Well now this has turned into something else I would like to build. Or I could just buy a Netgate 1100, and be done with it.

Sure . . .