Check your BI logs for logins from unknown IPs

erkme73

BIT Beta Team
Nov 9, 2014
Thanks in part to the discovery in this thread, I discovered that since mid-May, my server has been accessed from numerous off-shore IP addresses (Turkey, China, Australia, Mexico, etc) using my primary credentials.

While I don't know for certain that it was the Roku app (found at the thread above), the timing is suspect - as the unverified logins began right around the time the app was installed.

I use Notepad++ to view the text log, and then search for "login" in "whole document". That creates a split-window showing only the logins with IPs, and the full log in the other window. You can quickly see all the logins, and what happened just prior or after that point in the log.

It is gut wrenching to realize numerous individuals had access to my server, and I was clueless about it. It will be my morning routine now to go over the logs from the previous 24 hours.

FWIW, I had "secure only" on the webserver options tab turned off (for compatibility with my VERA home automation system).

Two days ago, I changed my credentials, and enabled the 'secure only' option. As of last night, I had no more unwanted logins. So, last night, I turned off the secure login. By this morning, I had someone from Australia getting in using the new credentials.

Somehow, something is revealing my creds. I've also created separate creds for my VERA HA controller (which I should have done initially anyway). If the next logins occur with those, I'll know the problem is with the HA controller.

I've sent several emails to Ken letting him know what happened, and asking him:

1) Is there a way for the wget command used in HA controllers to trigger BI to circumvent the SSL login
2) Is there any way to blacklist EVERY IP address, and whitelist only those (ranges) I authorize
3) Is there a way to auto-ban IP addresses that attempt repeated failed logins (i.e. brute force attacks).


TL;DR: Had I not checked the logs specifically for unrecognized IP addresses, I would still have no clue that my cameras were open to the world. Stop what you're doing, and review your log files. If you find suspicious activity post it here so we can see if this is a bigger problem than just my system.
 
You might want to only allow access from certain white listed ip ranges like full class a or b ranges that belong to your isp / cell carrier. You could still get attempts from those ranges for a botnet, tor, or similar
 


I tried that using the IP limit of the webserver - but apparently -*.*.*.* blocks everything and no longer allows for anything ahead or behind it.

For example: -*.*.*.*, +172.*.*.*

That should block everything except IP starting with 172. It blocks everything. Have you found a better or working way of doing that?
 
I would use rules on your router or Windows Firewall, not in Blue Iris itself.
For example you might allow connections from 73.0.0.0 and 88.0.0.0 if those were class A blocks used by your ISP in your state.
 
I heard that the problem with white-listing IPs is with the cell phones which may be using the BI app, as their IPs change.
 

I have my Filezilla FTP server blocking all but my whitelisted IPs. I'm quite liberal when it comes to allowing ranges. So if my incoming IP is 172.*, I'll open the entire octet. I have 25 or so octets that I've allowed, and between them, I have no more blocks when I want in - cell phone, home ISP, or family/friends. It's not precise, but nearly all of the attacks have come from off-shore.
 
I see server logins from the ui2 log with different ips but I never really knew why. Why would I be seeing this? It's not any IP that should be logging in. Thanks in advance.
 

According to Ken, "connected" means someone ends up on the login page. It doesn't mean they are necessarily attempting to log in - as it could be a webbot. However, if you see "Login" then that means someone entered correct credentials (and you'll see what username was used).

Plug in the IP addresses into a look up service like this to find out where they're coming from. If you see LOGIN with a username in your list, you're in the same boat I was in. No more free-balling.
 
It doesn't ever show credentials, it just shows login from server with an IP. See attached from app log. It almost always has a different IP. This one is from freaking Turkey so I know it's not benign. There is absolutely no way for anyone or program to figure out my passwords. They are all bigger than the alphabet. Plus it's the server logging on, not a user. Seems fishy to me.
 

Attachments

  • Screenshot_2017-06-23-20-31-21.jpg
Connected does not mean login... it will show connected when someone hits the web page... it's inevitable if you port forward.
 
Ah, you're looking in the app. Go to the PC hosting the server. Open the console, go to status, and then click view log. It should be a text file saved somewhere on the PC. That has much more information than what is shown on the app.
 
That IP (85.104.123.188) is from Turkey. Same IP range that was hitting (and logging in) on mine. Persistent. And just to confirm, you definitely don't want to make assumptions that they're in. They may just be probing. Get that text file, load it into notepad++ and search on the IP address (in whole document). It provides a great macro and micro view of the attempts and whether they were successful.

The length and strength of your password is great for thwarting (or slowing down) brute-force attacks. But if they're able to lift your password from some non-secure sign in packet-capture, then all the letters in the world won't help.
 
I'm still on port 81 which I need to change to something different. The only reason I haven't is because it's bookmarked in 8 other people's computers at work. I will have to go around and change them all. I guess it's time. I hear the attempts go way down if you pick a high port.
 
Initially changing the port to anything other than what it has been will cause a decrease in activity (just due to bots knowing the current port). But eventually as your router is scanned for open ports, it'll probably resume. I bumped mine, and I haven't had a single connection in 24 hours. Ultimately, the connections are harmless unless they're excessive (brute force attacks) or they manage to actually login. I bit the bullet and had to send people the new URL to get in to the shared camera groups.

I am curious to see what you find in your text logs.
 
I will post the log tomorrow before noon. The server is at work and I'm laying on my couch. Lol. I'm interested too because I haven't looked at the text logs before, but I know I checked the log to file checkbox a month or two ago.
 
It would be ideal if the "Limit IP Access" feature would then present the login page to allowed IPs only, and some other non-login 'sorry-charlie' page for all other IPs. Not sure how a locally-spun homepage would need to be written which would work, and in what language . . .

Edit: I guess I was thinking the 'homepage' feature was the front login page. I'm unclear on how BI would direct traffic based on an IP address.
 
I'd rather it not respond at all. That way the bots and hackers would move on being none the wiser.
 

ETA: False alarm... Was looking at the wrong date. Still no hits at all.
-----
Just had my first new "Connected" on the new port. From Mexico... 189.231.255.99. Chihuahua City. I need to build a wall...
 
I just posted in another thread, but use the Windows Firewall to set IP allows, or use your firewall if it has the capabilities. I was able to find the IP blocks of Verizon Wireless after a few google searches, and it's been working solid for me and a friend.
 
Here are the Verizon Wireless IPs from my firewall:
network-object 174.128.0.0 255.128.0.0
network-object 66.174.0.0 255.255.0.0
network-object 69.82.0.0 255.254.0.0
network-object 69.96.0.0 255.248.0.0
network-object 70.192.0.0 255.192.0.0
network-object 97.128.0.0 255.128.0.0
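An added example (not from the thread or from Blue Iris) that automates the two checks discussed above: the OP's Notepad++ search for "Login" lines in the Blue Iris text log, and the firewall-style allowlist of network/netmask ranges posted just above. The log line layout is constructed and assumed; only the "Connected"/"Login" keywords, username and IP that the thread describes are relied on, and the 192.168.1.0/24 LAN range is a constructed addition.

```python
import ipaddress
import re

# Constructed sample lines approximating a Blue Iris text log: the real
# format may differ; only the "Connected"/"Login" keywords the thread
# describes are assumed, with the username and IP as the thread shows.
SAMPLE_LOG = """\
6/23/2017 20:29:02  Web  Connected  85.104.123.188
6/23/2017 20:31:21  Web  Login  admin (85.104.123.188)
6/23/2017 21:02:10  Web  Connected  189.231.255.99
6/23/2017 21:45:33  Web  Login  admin (174.200.17.8)
6/24/2017 07:12:05  Web  Login  vera (192.168.1.20)
"""

# Allowed ranges in "network netmask" form, copied from the firewall
# config posted above, plus a constructed LAN range for the HA controller.
ALLOWED_NETMASK_PAIRS = [
    ("174.128.0.0", "255.128.0.0"),
    ("66.174.0.0", "255.255.0.0"),
    ("69.82.0.0", "255.254.0.0"),
    ("69.96.0.0", "255.248.0.0"),
    ("70.192.0.0", "255.192.0.0"),
    ("97.128.0.0", "255.128.0.0"),
    ("192.168.1.0", "255.255.255.0"),  # constructed LAN range
]

# "Login" followed by the username and a parenthesised IPv4 address.
LOGIN_RE = re.compile(r"\bLogin\b\s+(?P<user>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")

def allowed_networks(pairs):
    """Turn network/netmask pairs into ip_network objects (netmask form is accepted)."""
    return [ipaddress.ip_network(f"{net}/{mask}") for net, mask in pairs]

def is_allowed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def suspicious_logins(log_text, pairs=ALLOWED_NETMASK_PAIRS):
    """Return (line_no, user, ip) for successful logins from non-allowed IPs.
    "Connected" lines are skipped: per the thread they only mean someone
    reached the login page. "Login" means correct credentials were used.
    """
    networks = allowed_networks(pairs)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOGIN_RE.search(line)
        if m and not is_allowed(m.group("ip"), networks):
            hits.append((n, m.group("user"), m.group("ip")))
    return hits
```

Run `suspicious_logins(open(path).read())` against the exported log; each hit is a line number to open in the full log for the before/after context the OP describes.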