BI http web server

Hound Dog 911

Getting comfortable
Joined
Jan 30, 2017
Messages
835
Reaction score
320
With all the security hoopla going around, I decided to do some checking on my system. If I enable http Web Server under BI, I get a crazy amount of [LAN access from remote] entries in my router log. Turn off http web browser and open up BI program (not the background process that is already running) and I get zero hits on my router log. Can someone explain that to me? I am slowly learning the security end and realize it is important; I need to lock this down.

Thank you for any and all help.
 

Hound Dog 911

I take that back. Whenever I have the BI program on I get all kinds of LAN access from remote entries regardless if http is enabled.
 

Hound Dog 911

I think it was my fault. Default DMZ server was turned on. I think I closed all the loopholes. smh Gotta learn this security stuff!
 

hmjgriffon

Known around here
Joined
Mar 30, 2014
Messages
3,386
Reaction score
979
Location
North Florida
Yeah, putting your NVR into a DMZ is suicide; you'll see it get wailed on all day and night until someone hacks it. If you plan to access BI remotely and do not want to get on VPN every time, install stunnel on the BI machine, then the traffic is SSL encrypted.
 

Hound Dog 911

It's now turned off. No more crazy IP hits. Man, are you right. It was crushed. It's so much faster now. I will have to look up how to install a stunnel. I'm learning. Slowly! But I'm still learning.
 

hmjgriffon

It's very easy: install the software (stunnel: Downloads). It will generate a cert during the install. Then go to C:\Program Files (x86)\stunnel\config on the BI machine, open stunnel.conf, and insert this text:

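; TLS listener on 443, forwarded to the BI web server on local port 80
[Blue-Iris]
accept = 443
connect = 80
; certificate generated during the stunnel install
cert = C:\Program Files (x86)\stunnel\config\stunnel.pem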

Delete everything else under "Example TLS client mode services" that doesn't have a semicolon. You will probably have to kill stunnel to edit the config file, then run it after you make changes. Installing the stunnel service is also nice.

In BI you have to go to settings, web server, check off "stunnel is installed for HTTPS on port" and make sure it says 443 and BI is running on 80; otherwise modify the stunnel config accordingly.
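
An added example, not part of the thread and not stunnel's or Blue Iris's own code: a small Python check that a stunnel.conf matches the steps in the post above (only the [Blue-Iris] service left active, accept on 443, connect to 80, a cert set). The sample config is constructed, and the function names and the leftover [gmail-pop3] client section are assumptions for illustration.

```python
# Constructed sample: the [Blue-Iris] block from the post plus one leftover client service.
SAMPLE_CONF = r"""
; Example TLS client mode services
[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995

[Blue-Iris]
accept = 443
connect = 80
cert = C:\Program Files (x86)\stunnel\config\stunnel.pem
"""

def parse_conf(text):
    """Return (global_options, {service: options}); lines starting with ';' are comments."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return global_opts, services

def port_of(value):
    """'443' or 'host:443' -> 443; None when absent or not numeric."""
    tail = (value or "").rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def lint(text, service="Blue-Iris", https_port=443, bi_port=80):
    """List mismatches between a stunnel.conf and the setup described in the thread."""
    global_opts, services = parse_conf(text)
    findings = [f"[{name}] is still active: delete it or comment it out with ';'"
                for name in services if name != service]
    svc = services.get(service)
    if svc is None:
        return findings + [f"[{service}] section is missing"]
    if port_of(svc.get("accept")) != https_port:
        findings.append(f"accept is not {https_port}, the HTTPS port set in BI")
    if port_of(svc.get("connect")) != bi_port:
        findings.append(f"connect is not {bi_port}, the port BI's web server runs on")
    if "cert" not in svc and "cert" not in global_opts:
        findings.append(f"[{service}] has no cert, so stunnel cannot serve TLS")
    return findings
```

Calling `lint(open(path).read())` on the real file prints nothing to fix when the list is empty; pass different `https_port` and `bi_port` values if BI is not on 443/80.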
 

Hound Dog 911

And the BI app for my Galaxy S7 will be able to remote view it?
 

hmjgriffon

Correct, just make sure the app is pointing to whatever your public IP is and whatever port you have forwarded to port 443 on the BI machine. Yeah, forgot to mention: make sure you port forward to 443 and not 80 once stunnel is up.
 

Hound Dog 911

No beer. Just shine and Captain Morgan. I have a buddy that home brews. He has some great recipes.
 

Hound Dog 911

It's store bought stuff. Beer makes me feel like I want to :puke:. But I have had good homemade shine.
 

hmjgriffon

Not even needed just to connect to an NVR or Blue Iris, so long as they do HTTPS; it's like a VPN that only goes to one IP and port, lol. But yes, I do run OpenVPN and it's fairly easy, especially if you have a web GUI to do all the heavy lifting, generating the certs and creating the config files.
 

hmjgriffon

This is why I say stunnel is a hell of a lot easier if all you need to do is connect to Blue Iris; a full-on VPN is overkill unless you need to be able to get to other machines and stuff remotely on your LAN.
 

hmjgriffon

Since I've never used a dedicated NVR, do they have an https option? I'm curious.
