I'm getting out of my depth here so bear with me. I recently had someone get on my router and enter in a malicious DNS server (redirected certain URLs to phishing websites) into my DNS settings. My initial suspicion was that it was because my router was exposed to the internet for remote administration and they had simply brute force attacked my password.
A week later, the same thing happened to my father whose router is NOT exposed to the internet for remote administration. The common thread between the two of us is that we both have Hikvision cams set up for remote viewing with port forwarding on the router. My concern is that the ports we opened up gave a hacker a pathway on to our routers to change the DNS settings.
In both cases, I used 8000, 8001, 8002 etc. for Server Ports and 8090, 8091, 8092 etc. for HTTP ports which were then translated to the default ports 8000 and 80 on the cameras at their respective IP address with both TCP and UDP allowed in the rules. On the cameras themselves, I had NAT disabled.
Is this the best way to approach it? Is there an inherent vulnerability I set myself up for here that allowed the hacker on to my router?
A few more details:
- Passwords on the cameras and routers were medium strength. Not super duper but I'd still be impressed if it was as simple as a person or program guessing them. I'd buy that argument on my router, but not on my father's. His was not enabled for remote administration over the internet.
- Geographically, it is unlikely that someone simply got within wifi range, guessed the wifi key, and then got on the network that way. My place is a cabin in the woods and my father is on a farm. The IP address of the spoof DNS servers was European, not that this is a guarantee of anything.
Looking for thoughts and ideas to try and secure myself a little better the next time around.
ETA: One more thing. Tonight I tried enabling auto NAT on my cameras and connecting with HiDDNS and deleting all port forwarding on my router. This works as well. Is this a superior or inferior way of connecting remotely compared to using port forwarding on the router?