Hack attempts right now!

bp2008 (Staff member; joined Mar 10, 2014; USA)
> So thanks for some good suggestions. What about sticking a new D-Link router just before the NVR on my line. Turn off the DHCP etc. I think those can provide IP filtering and maybe even VPN services. I wonder if I could manage it remotely since it's behind another router and port forwarding to it. I can't mess with their network at all. They've got gas pump systems, POS with credit card processing, lottery machines, online business accounting stuff, and god knows what else. If I break any of that she's gonna kill me.
> Meanwhile, more attempts all last night, 1 hour and 1 minute apart, and they're still not in.
You're on the right track. I suggest you add a router that supports open-source firmware (tomato, dd-wrt, pfsense, whatever you like) because most open-source firmware has much more capable firewall and VPN features. Put the entire camera network on the LAN side. The client's network on the WAN side. Most routers also support remote admin access via the WAN port, but I would suggest using a VPN server built into the router for this purpose instead as it should be more secure.

Anyway you can have them forward some ports to your router, and your router can use them for remote access, VPN, or forwarding to the NVR while enforcing a whitelist of IP addresses allowed to make the connection.
 

bp2008 (Staff member; joined Mar 10, 2014; USA)
> You're making it more complicated than it needs to be by adding a 2nd router and asking for trouble with all the PoS etc. systems as you will end up with double NAT.
>
> Replace the existing router or add a device in the network to act as your VPN endpoint.
If this guy is worth his pay, then a double-NAT isn't going to be an obstacle. Better to not be responsible for the client's entire network, only the surveillance cameras/NVR. Having his own router on-site will allow much better security (dependent of course on proper configuration).
 

nxindy (n3wb; joined Jun 27, 2021; Indiana)
I guess I've configured a hundred routers in 25 years. With the DHCP off and static addresses in place, could you explain the "double-NAT" situation a bit? Wouldn't my in-line router just be acting like a switch, sort of, but with the filtering features? So if I leave their main router alone and remotely hit the static IP for the building, can it port 8001 to my router (with the old NVR static address and port) and then have my router port to the NVR with a changed static IP? Or something like that?
 

bp2008 (Staff member; joined Mar 10, 2014; USA)
> I guess I've configured a hundred routers in 25 years. With the DHCP off and static addresses in place, could you explain the "double-NAT" situation a bit? Wouldn't my in-line router just be acting like a switch, sort of, but with the filtering features? So if I leave their main router alone and remotely hit the static IP for the building, can it port 8001 to my router (with the old NVR static address and port) and then have my router port to the NVR with a changed static IP? Or something like that?
I'm surprised you have not run into this situation before. It is more complicated than that. A switch typically operates in only one network and just passes along all traffic with no firewall or NAT.

A typical router works by "routing" traffic between two networks according to a set of rules defined by the NAT (network address translator) and firewall. It is crucial that there be two networks. The untrusted public network (which normally includes the internet) is called "WAN". The trusted private network is called "LAN".

Anyway your in-line router's WAN port would need to be connected to your client's network. Your router's LAN port (one of them) will be connected to the NVR. In this way, the router truly stands in between your client's network and the NVR, and therefore it is able to control access the way you want to prevent the hack attempts. You will need to configure the in-line router's LAN so that it uses a different subnet than its WAN side, and you will also need to change the NVR and maybe the camera addresses to match. E.g. if the client's LAN subnet is 192.168.1.x then you might use 10.0.0.x for the NVR/camera network.

It would be fine to leave DHCP enabled on your in-line router. DHCP normally only offers addresses to devices on the "LAN" network, so as long as nobody plugs your client's network into a LAN port on your in-line router, it will not interfere with them.
 
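As an added example (not code from the thread, nor from any router firmware or vendor), here is the rule set an in-line router of the kind bp2008 describes would need, written as a POSIX shell script that emits iptables commands for review and can apply them when run as root. It assumes the client's router forwards TCP 8001 to the in-line router's WAN address, that the NVR has been moved to a static 10.0.0.x address behind the LAN port, and that only a short whitelist of public source addresses may reach it; the interface names, addresses, ports and whitelist entries are all placeholders chosen to match the 192.168.1.x / 10.0.0.x illustration above.

```shell
#!/bin/sh
# Added example, not from the thread: emit (or apply) the iptables rule set for
# an in-line router whose WAN port sits on the client's LAN and whose LAN port
# serves the NVR/camera network. Every name, address and port below is an
# assumption chosen to match the 192.168.1.x / 10.0.0.x illustration above.

WAN_IF="${WAN_IF:-eth0}"        # plugged into the client's 192.168.1.x network
LAN_IF="${LAN_IF:-br0}"         # the 10.0.0.x NVR/camera network
NVR_IP="${NVR_IP:-10.0.0.10}"   # NVR's new static address on the LAN side
NVR_PORT="${NVR_PORT:-8000}"    # port the NVR listens on
FWD_PORT="${FWD_PORT:-8001}"    # port the client's router forwards to this box
# Public source addresses allowed to reach the NVR (installer's office/home).
# 203.0.113.10 and 198.51.100.0/24 are documentation ranges, i.e. placeholders.
ALLOW_SRC="${ALLOW_SRC:-203.0.113.10 198.51.100.0/24}"

gen_rules() {
    # Default deny for anything routed between the two networks; replies to
    # connections the NVR/cameras opened (NTP, alert email) are allowed back,
    # and the camera network may initiate outbound traffic through MASQUERADE.
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
    # One DNAT plus one FORWARD accept per whitelisted source. The whitelist
    # survives the double NAT because a typical port forward on the client's
    # router rewrites only the destination; the remote viewer's public IP is
    # still the source address when the packet reaches this box.
    for src in $ALLOW_SRC; do
        cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -s $src -p tcp --dport $FWD_PORT -j DNAT --to-destination $NVR_IP:$NVR_PORT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -s $src -d $NVR_IP -p tcp --dport $NVR_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
    done
    # Everything else from the client side toward the camera network is logged
    # (rate limited, so the probes still show up without flooding) and dropped.
    cat <<EOF
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m limit --limit 10/min -j LOG --log-prefix "NVR-BLOCKED: " --log-level 4
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -j DROP
EOF
}

# Dry run by default; APPLY=1 pipes the rules into sh on the router (as root).
if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Two checks are worth making before trusting the whitelist. First, confirm on the in-line router (for example with `tcpdump -ni eth0 tcp port 8001` while connecting from a whitelisted address) that the forwarded connections arrive with the remote viewer's public IP as the source; if the client's router rewrites the source as well (some do, for NAT loopback), every connection will appear to come from the client router's LAN address, the whitelist can no longer tell viewers apart, and the VPN approach from the earlier reply is the fallback. Second, after applying, `iptables -S FORWARD` and `iptables -t nat -S PREROUTING` should show exactly the rules above; on dd-wrt/tomato the `gen_rules` output is what goes into the firewall script box, while pfSense expresses the same policy through its own NAT and rule pages rather than raw iptables.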

looney2ns (IPCT Contributor; joined Sep 25, 2016; Evansville, In. USA)
> Unfortunately, replacing their router isn't going to happen. The admin password was changed and sent to all the cameras as well. System kept working for months fine. I just had no remote admin access. I had several other logins available and they all worked under user status so it wasn't a big deal. Then the owner gave their credentials to an employee who left and I had to change it. I had to go there, reset and upgrade the firmware, and reset each camera. LTS was zero help with their password reset bullshit files that I waited 2 days for, so I had to go to each one and hard reset. 3 days on the road out of my pocket.
> Forward to now. I haven't been there yet. As of this moment, the hackers are at about 100 illegal login attempts and haven't got in. I believe the new firmware from LTS Australia is much better, but not a solution. I think they're down to guessing passwords. So yeah, I'm getting the illegal login emails and trying to convince myself it is not an issue, as biggen said. But not enough to stop the alerts. I currently have 9 systems. All are port forwarded. One Dahua was hacked 2 years ago, and this posted LTS system. The rest are fine and have IP filters and I have company router privileges. They all alert me to illegal logins.
>
> I've spent way too much time in crawl spaces and attics to be called a newb. I cut my teeth on VCR systems and a gaggle of iDview motion JPEG DVRs and 24 volt cameras. Here to learn and ask, not be scolded. Thanks.
No one is scolding you, we are trying to prevent you from getting into a worse nightmare.
 
Member (name not captured; joined May 1, 2019; Reno, NV)
> "He deserves what he gets" First time here, maybe a little sensitive. No matter. I'm getting some good help and I appreciate it a lot.
that is my usual shock & awe WAKEUP reply message :) Glad you are open minded to look into things and welcome advice. Sometimes, we get folks in here with a chip on their know-it-all shoulder.
 
Member (name not captured; joined May 1, 2019; Reno, NV)
Depending on how far down the rabbit hole you go... could also look into the Ubiquiti router lineup. I've heard good things about their security appliance that comes in around $70 or so. I know my Ubiquiti UDM has a fantastic router, many different options for VLANs & subnets, and most importantly... comes with its own built-in RADIUS VPN server. I believe other folks here have made reviews on this item somewhere.
 

nxindy (n3wb; joined Jun 27, 2021; Indiana)
The Ubiquiti looks good, but a little costly. BTW, the hackers appear to have given up for the time being after about 150 tries. Not changing my plans to harden the security, but I think it does say one thing: get your LTS firmware from the LTS Australian site. And I'm including a firewall appliance in every quote going forward.
 

RBurn (n3wb; joined Feb 18, 2021; Calif)
> The Ubiquiti looks good, but a little costly. BTW, the hackers appear to have given up for the time being after about 150 tries. Not changing my plans to harden the security, but I think it does say one thing: get your LTS firmware from the LTS Australian site. And I'm including a firewall appliance in every quote going forward.
What was your ultimate solution? VPN or router before NVR?
Also, I assume your admin password is strong. I had the same issue where Q-see went out of business and I had to get my system up (not commercial) and used port forward. Good thing Q-see (Dahua rebrand) locks the admin account after 3 attempts; I checked it once in a while and it was locked… so someone was knocking at the door. Like mentioned above, this goes on all day with the main modem router. I do not use that account for remote viewing so it was not an issue. Not a great place to be, but the VPN is really the best way to secure it. I'd like to know if you added that or another router.
 

nxindy (n3wb; joined Jun 27, 2021; Indiana)
Despite knowing better and all the correct advice, I have found that the Australian firmware updates and super strong password have made it seemingly impenetrable. I have seen them try hundreds of times through the illegal login emails and NO ONE has gotten into it in months. Doesn't stop them from trying, but they eventually give up. Some after two tries. Some after days and they are kept out. May they eventually get in? Of course everyone here says it's just a matter of time. I will be going with a hardware solution when I have time, but the location is quite far away and I'll probably wait till some other type of maintenance is required there. I have been installing Montavue systems (Dahua) over the last few months and using the P2P function. Running on the P2P access was very slow for me a few years ago. Depended on upload speeds at the venue etc. But I have found using the P2P instead of port forwarding is a lot faster than it used to be. One factor to consider is that these new clients are only watching with their mobile devices. I'm the only one hitting them with a computer wanting full rez video and adjusting settings. I can put up with a little slowness. As long as they are happy with the speed they are getting on their phone, they don't care about anything else. They don't even know the difference. They are 12000 series Dahua NVRs with 5MP cameras at 25fps. So even though there's a lot more data moving through the systems than a few years ago, the P2P feed seems plenty adequate for phones and the picture is just great with a lot more digital zoom available.
 
Member (name not captured; joined May 1, 2019; Reno, NV)
I mostly discourage the use of P2P for most folks. However, I do recognize it has its place. In this situation, applicable for temporary purposes until the customer or yourself find the solution.
Before thinking P2P is the forever answer, best to research the pros & cons of P2P.
 

fenderman (Staff member; joined Mar 9, 2014)
> Despite knowing better and all the correct advice, I have found that the Australian firmware updates and super strong password have made it seemingly impenetrable. I have seen them try hundreds of times through the illegal login emails and NO ONE has gotten into it in months. Doesn't stop them from trying, but they eventually give up. Some after two tries. Some after days and they are kept out. May they eventually get in? Of course everyone here says it's just a matter of time. I will be going with a hardware solution when I have time, but the location is quite far away and I'll probably wait till some other type of maintenance is required there. I have been installing Montavue systems (Dahua) over the last few months and using the P2P function. Running on the P2P access was very slow for me a few years ago. Depended on upload speeds at the venue etc. But I have found using the P2P instead of port forwarding is a lot faster than it used to be. One factor to consider is that these new clients are only watching with their mobile devices. I'm the only one hitting them with a computer wanting full rez video and adjusting settings. I can put up with a little slowness. As long as they are happy with the speed they are getting on their phone, they don't care about anything else. They don't even know the difference. They are 12000 series Dahua NVRs with 5MP cameras at 25fps. So even though there's a lot more data moving through the systems than a few years ago, the P2P feed seems plenty adequate for phones and the picture is just great with a lot more digital zoom available.
This is very unfortunate for your customers. The password strength is completely irrelevant as most of the hacks circumvent the password. If the device was in fact hacked you may not get an illegal login email. Here is a Dahua P2P vulnerability from May of 2020. Consider the timeline between the hack being disclosed to Dahua until they got their asses in gear to patch it. If you are putting your clients at risk because you or they are lazy, then at the very least you need to disclose it.

 

Gargoile (Getting comfortable; joined Oct 18, 2021; Straight Outta Mayberry)
> "He deserves what he gets" First time here, maybe a little sensitive. No matter. I'm getting some good help and I appreciate it a lot.
Patience Grasshopper... once one removes the data packets from the hand will you then become the master.
 