Check your BI logs for logins from unknown IPs

wayner

Changing your port isn't going to help as I assume the hackers can easily scan all ports on your router.

FYI - you may want to check out Shodan. It is kind of a search engine for finding out specific information on ports and services available on the internet, including your router, assuming that you are attached to the internet. Shodan reports over 18,000 hits for Blue Iris - in other words it has found 18,000 IP addresses that have the Blue Iris server running. 12,800 of those are using port 81, the rest are using other similar ports like 80, 8080, 8081. You can narrow down searches using various criteria - here is a search that returns all BlueIris connected devices in Chicago: Shodan

Note - you may have to create an account with Shodan to do searches but it is free.
 

erkme73

These are great steps. Thanks for posting what you are doing to limit access. FWIW, I have been working with Ken to get a better idea of how this happened, and how to decrease future risk. Here's what I've learned so far:
  1. In the latest update, Ken has added an extra column in the 'status' connections page that now reflects the ip-reverse-lookup hostname of the IP addresses that have connected/logged in. This is great if you don't want to manually research each IP address
  2. The webserver's IP limiting filter has some peculiarities that are not clearly described in the help file. Mainly:
    1. If you add a +IP_ADDRESS, then ALL OTHER IP ADDRESSES ARE BLOCKED - essentially making it a whitelist
    2. If you add a -IP_ADDRESS, then ALL OTHER IP ADDRESSES ARE ALLOWED - making it a blacklist
    3. You should not add both + and - IP addresses. Pick one or the other.
I am still seeking clarification on the admin by-pass (^IP_ADDRESS) and how that works with existing blocked or allowed IPs. But, in theory, that is a great way to give third-party apps access to the server w/o having to embed credentials into the device.

My VERA home automation controller would no longer need any credentials - only the IP address and URL syntax to trigger the proper camera to record.

I'll post back what I find out, when I do.
 

Cor

Where can you check this?
Is there a separate file for this? Or do you use the "statistics" button in the Blue Iris program?

Thanks,
Cor
 

erkme73

It has to be turned on. Go to console, click the status button. On the first tab, look at the bottom to see if/where the log is saved. You can open it from there or browse to the file location with a file browser to open it.
 

Cor

Ok, Thanks

> My VERA home automation controller would no longer need any credentials - only the IP address and URL syntax to trigger the proper camera to record.

Do you have more info on this?
I use this on my vera to enable/disable cameras for example.
Code:
luup.inet.wget("http://IPadress:port/admin?camera=Front_off&enable=0&user=xxxxx&pw=xxxxxxxxxx")
You say the user and password is not necessary anymore?

Thanks,
Cor
 

erkme73

> Ok, Thanks
>
> Do you have more info on this?
> I use this on my vera to enable/disable cameras for example.
> Code:
> luup.inet.wget("http://IPadress:port/admin?camera=Front_off&enable=0&user=xxxxx&pw=xxxxxxxxxx")
> You say the user and password is not necessary anymore?
>
> Thanks,
> Cor

Possibly. The way Ken described it, if you add the IP address of your VERA to the "limit IP" field under the web server settings with a caret symbol (^), BI should grant full admin privileges to that IP, and NOT require authentication. Thus, the same string, without UN/PW should trigger - but it's not working for me. I've asked Ken for further clarification to try and resolve this issue.
 

Cor

Ah, OK... When you succeed, can you post it here?

Many thanks,
Cor
 

erkme73

Alright - so I have an update to this elevated privilege IP functionality...

It turns out for it to work the BI server must have the admin user enabled. Not just any user with admin rights, but a user called "admin". I had one, but deactivated it (unchecked) long ago since I don't use that account, and didn't want to leave it available as a security risk.

As soon as I checked it, I was able to send the URL command to the BI machine from a LAN PC that was logged out, but whose IP was elevated (^) in the webserver settings.

To test, simply add the IP of the PC client you're using, add it to the ip limit field with a caret symbol (^) ahead of the IP. Then open an incognito browser (that has no set cookies) and send the command to the BI server: http://BISERVERIP/admin?camera=CAMERASHORTNAME&trigger

If it works, it'll immediately trigger and you'll get a text page that reads:

signal=green
profile=-1

If it doesn't work, you will be prompted for login creds. I can confirm this works with secure logon enabled!

Woohoo! Now to add the Roku's back, leaving the creds blank, and adding their LAN IPs to the whitelist.
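
Added example, not part of the thread and not Blue Iris code: a small audit of a "Limit IP" field value using the +, - and ^ semantics described in the posts above. The separators between entries, the function names, the rule that a ^ entry takes precedence over + and - entries, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 ranges; a ^ entry outside them is not a LAN address.
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_limit_ip(field):
    """Group entries by prefix. Separators (space, comma, semicolon) are assumed."""
    rules = {"+": set(), "-": set(), "^": set()}
    for token in field.replace(",", " ").replace(";", " ").split():
        if token[0] not in rules:
            raise ValueError(f"entry without +, - or ^ prefix: {token!r}")
        rules[token[0]].add(ipaddress.ip_address(token[1:]))
    return rules

def audit(field):
    """Return human-readable findings for one Limit IP field value."""
    rules, findings = parse_limit_ip(field), []
    if rules["+"] and rules["-"]:
        findings.append("mixes + and - entries: pick one mode")
    elif rules["-"]:
        findings.append("blacklist mode: every unlisted address is still allowed")
    for ip in sorted(rules["^"], key=str):
        findings.append(f"{ip}: admin without credentials while the 'admin' user is enabled")
        if not any(ip in net for net in LAN):
            findings.append(f"{ip}: admin bypass granted to a non-LAN address")
    return findings

def access_for(field, client):
    """Access a client gets under the thread's description (assumes ^ wins)."""
    rules, ip = parse_limit_ip(field), ipaddress.ip_address(client)
    if ip in rules["^"]:
        return "admin-no-auth"
    if rules["+"] and rules["-"]:
        return "undefined"  # the thread says not to mix the two modes
    if rules["+"]:
        return "login-required" if ip in rules["+"] else "blocked"
    return "blocked" if ip in rules["-"] else "login-required"

if __name__ == "__main__":
    sample = "+192.168.1.20, +192.168.1.21, ^192.168.1.50"  # constructed value
    print(audit(sample))
    for client in ("192.168.1.50", "192.168.1.20", "203.0.113.7"):
        print(client, access_for(sample, client))
```

Every address the audit reports with a ^ prefix is a device that can send /admin commands with no login, so that list is worth comparing against the hostnames shown on the status connections page.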
 

DLONG2

erkme73: The IP of the Roku device is added into the "Limit IP Access" field with the caret before it?

UPDATE: Adding the caret before the Roku IP in the BI webserver 'Limit IP Access' field resulted in a huge series of immediate logins and logouts on the 'admin' account. The preview would show the cameras, blanking and reconnecting, but trying to show the full view in the Roku app showed nothing.
 

erkme73

Correct. And I've verified that it works. You can either leave the credentials in the Roku app or delete them - it'll work either way. Even if you have "Secure Only" turned on! Best of both worlds. The only thing is, it does seem to take a bit longer to prime the feed - maybe 5-10 seconds for an index view to come up. But once they're up, they run at about 5 FPS.
 

DLONG2

I have a 5 user limit setting, and when I try to apply this skipped authorization IP for the Roku device, it serially logs in and out dozens of times in a minute, and then my mobile app gets an error that 'users exceeded'.
 

erkme73

> I have a 5 user limit setting, and when I try to apply this skipped authorization IP for the Roku device, it serially logs in and out dozens of times in a minute, and then my mobile app gets an error that 'users exceeded'.

I have not seen that. I don't have a user limit (or at least haven't changed the default setting), so I have not seen any such error. I've checked my logs, and found the IP of the Rokus but they are not logging in more than the number of times I'm changing views. Something else must be going on. Have you tried to remove the user limit to see if it still has the cyclical login pattern?
 

DLONG2

I ended up uninstalling the Roku app because it was too flakey. It would log into admin and another user account serially about every few minutes.
 