How insecure is port forwarding for Blue Iris if you have an incredibly strong password?

MrRobinHood
Nov 29, 2021
England
I realise you shouldn't be using port forwarding, and I'm not, but I'm curious as to how big of a risk in reality it really is if you're using a very long randomly generated password?

Does leaving port 81 open only leave you open to brute force password attacks? Or does it create additional risks or vectors into your Windows machine through potential Blue Iris or Windows bugs?

What's the weakest point when using this method?

If you have a 50 character long random password from a password manager that would take decades to brute force, are you then actually relatively safe?
 
I think leaving any port open, even 443 for a VPN, can lead to hack attempts. I see a few "regular" tries at 443 on my router but given 128 bit encryption I'm not too worried at all. I think it's also possible to use any open port for a sideways entrance into a network but that would take some pretty sophisticated hackers, although with the way things are going that may not be such a big stretch today.
 

Hi @MrRobinHood

Great question.

So the answer .. sort of along the lines of ..


How secure is your home to robbers if you have a key which is 1 foot long with 60 teeth?



Yes, this is sort of how you need to think of the question ..



When your lock and key are strong, but your windows to the street are open .. does not make you much more secure ..

When your house has no windows and is of brick, with a strong roof and doors .. then a strong lock helps ..


In terms of computers .. same applies .. no computer is 100% safe connected to the internet, and just because you have a great lock on the front door, .. robbers can come in through other means ..

Since most people do not live in vaults, and few computers are secure enough .. you really do not want to port forward with all the thieves and robbers out there .. some which are robo-robbers .. (*)


( * - of course if you are an IT security pro and know what you are doing, and have the time to do it .. well, then that of course is a different thing, and you probably do not listen to random people's advice on the internet .. )
 
Most exploits don't bother to go directly against a password or encryption. They go completely around the authorization or rely on some fundamental flaw in implementation. As we've seen for most all of the big hacks against various cams and other network devices. So it may help against routine attempts to find default passwords and easy targets but won't in the case of some vulnerability within the system whether it's at the specific server being accessed or the underlying OS/transport.
 

Doesn't Blue Iris have a password lockout feature like Hikvision if you fail too many times?

Instead of using a VPN for my phone, I was thinking of just setting up Windows Firewall rules on an admin account (have Blue Iris installed on a non admin account), and restrict outbound traffic from the server to my local network. Even if they somehow take over the computer, they wouldn't be able to change that firewall rule without being an administrator.

Or set the server on a subnet that is isolated from the rest of the network through a firewall.
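The lockout the post above asks about, modelled as an added example that is not Blue Iris code (the thread does not say how Blue Iris itself behaves): a per-source policy that denies further logins, including ones that carry the right password, once a source has failed too often inside a short window, replayed over constructed log lines. The thresholds (5 failures in 60 seconds, 10 minute lock), the log format and the addresses are assumptions.

```python
"""Per-source login lockout, replayed over constructed log lines.
Added example; thresholds and log format are assumptions, not Blue Iris's."""
import re
from collections import defaultdict, deque

MAX_FAILURES = 5      # failures tolerated inside WINDOW before locking (assumption)
WINDOW = 60.0         # seconds over which failures are counted (assumption)
LOCKOUT = 600.0       # seconds a locked source stays locked (assumption)


class LockoutPolicy:
    """Sliding-window failure counter and lock table, keyed by source address."""

    def __init__(self):
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time the lock expires

    def attempt(self, ip, success, now):
        """Evaluate one login attempt. Returns 'LOCKED', 'ALLOW' or 'DENY'."""
        until = self._locked_until.get(ip)
        if until is not None and now < until:
            return "LOCKED"       # a correct password is rejected too while locked
        if success:
            self._failures.pop(ip, None)
            return "ALLOW"
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self._locked_until[ip] = now + LOCKOUT
            recent.clear()
        return "DENY"

    def locked_sources(self, now):
        """Sorted list of sources whose lock is still live at time `now`."""
        return sorted(ip for ip, until in self._locked_until.items() if now < until)


# Constructed log format: "<epoch seconds> LOGIN <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?) LOGIN (?P<result>OK|FAIL) user=\S+ src=(?P<ip>[\d.]+)$")

# Constructed sample: a scanner at 198.51.100.7 guesses, the owner at 203.0.113.5 mistypes once.
LOG_LINES = [
    "1000 LOGIN FAIL user=admin src=198.51.100.7",
    "1001 LOGIN FAIL user=admin src=198.51.100.7",
    "1001 LOGIN FAIL user=owner src=203.0.113.5",
    "1002 LOGIN OK user=owner src=203.0.113.5",
    "1002 LOGIN FAIL user=admin src=198.51.100.7",
    "1003 LOGIN FAIL user=admin src=198.51.100.7",
    "1004 LOGIN FAIL user=root src=198.51.100.7",
    "1005 LOGIN FAIL user=root src=198.51.100.7",
    "1006 LOGIN OK user=admin src=198.51.100.7",   # right guess, but the source is locked
]


def replay_log(lines):
    """Feed log lines through one policy; returns (per-line verdicts, locked sources)."""
    policy = LockoutPolicy()
    verdicts = []
    last_t = 0.0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # ignore lines that are not login records
        last_t = float(m["t"])
        verdicts.append(policy.attempt(m["ip"], m["result"] == "OK", last_t))
    return verdicts, policy.locked_sources(last_t)


if __name__ == "__main__":
    verdicts, locked = replay_log(LOG_LINES)
    for line, verdict in zip(LOG_LINES, verdicts):
        print(f"{verdict:6s} {line}")
    print("locked:", locked)
```

The lock is keyed by source address rather than by account so that a stranger hammering the `admin` account cannot lock the owner out of it from elsewhere; the trade-off is that a guesser rotating addresses resets its own counter, which is why the thread's advice to keep the port closed rather than relying on the login screen still stands.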
 
The sites that people use like noip are scanned and clients attacked.
That is why port forwarding is bad.
Splitting the WAN and giving it its own outside address is a better method of self hosting. VPNs, they are safe to a point.
 
Is it the end of the world, no.
Is it possible someone could find an attack vector on an open port. Possibly.

Is it likely, not really. Hackers and script kiddies go for low hanging fruit.

That being said, a VPN like WireGuard is a way better option.

Edit: I should also add, if you have a capable router, drop all traffic that doesn't come from North America. It's not foolproof, but my router drops about 100k attempts per day. That's how many scanners are out there.
 

But even if you have a VPN don't you need open ports? If so how does that change anything from just having a secure password?
 

You have only one port open for everything and it requires encrypted key exchange (and a password also if you want) in order to make the connection. Also traffic between the two connections is encrypted.
 
Exactly what he said is why VPN port open is more secure. You can also randomize the port, making an attacker do more work.

Anything exposed to the internet is vulnerable to attack. It's just about minimizing that attack potential. If you are not a target of interest like government org or big business, most hackers aren't spending the time.

A large majority of attacks are scripts of other hackers work, looking for unpatched systems. Hence they are called script kiddies.
 
But even if you have a VPN don't you need open ports? If so how does that change anything from just having a secure password?
There is a way to do this, it's called port knocking. An example of this would be to configure a machine to listen for connection attempts on TCP port 8000 and 8002. When it receives a connection attempt on port 8000 then 8002, that machine can add a firewall rule to then allow traffic from that IP on UDP port 51820 for WireGuard. This method leaves the port you are trying to protect (port 51820 for your VPN in this case) closed to the world until your "secret handshake" is initiated.
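The knock gate the post above describes, as an added example that is not code from the post or from any port-knocking tool: a default-drop filter that opens UDP 51820 only to a source that has first connected to TCP 8000 and then 8002. The knock ports and the WireGuard port are the ones named in the post; the 10 second knock window, the 30 second lifetime of the per-source allow rule and the sample addresses are assumptions. In a real deployment a daemon such as knockd watches the host firewall for the knocks and inserts the rule; the class below models the same state machine so the ordering, timeout and reset behaviour can be seen on constructed traffic.

```python
"""Port-knocking gate: the protected port stays closed until a source IP
completes the knock sequence in order and within a time window.
Added example; port numbers come from the post, the timings are assumptions."""

KNOCK_SEQUENCE = (8000, 8002)   # TCP ports from the post, in the required order
PROTECTED_PORT = 51820          # WireGuard UDP port from the post
KNOCK_WINDOW = 10.0             # seconds allowed between successive knocks (assumption)
OPEN_DURATION = 30.0            # seconds the per-IP allow rule lives (assumption)


class KnockGate:
    """Tracks knock progress per source IP and the temporary allow list."""

    def __init__(self):
        self._progress = {}   # ip -> (index of next expected knock, time of last knock)
        self._allowed = {}    # ip -> expiry timestamp of its allow rule

    def knock(self, ip, port, now):
        """Record one connection attempt on a knock port. Returns True when this
        knock completed the sequence and opened PROTECTED_PORT for the source."""
        idx, last = self._progress.get(ip, (0, now))
        if now - last > KNOCK_WINDOW:      # too slow between knocks: start over
            idx = 0
        if port == KNOCK_SEQUENCE[idx]:
            idx += 1
        else:
            # a wrong port resets; the first port may itself begin a fresh attempt
            idx = 1 if port == KNOCK_SEQUENCE[0] else 0
        if idx == len(KNOCK_SEQUENCE):
            self._allowed[ip] = now + OPEN_DURATION
            self._progress.pop(ip, None)
            return True
        self._progress[ip] = (idx, now)
        return False

    def is_allowed(self, ip, now):
        """True while the source holds a live allow rule; expired rules are removed."""
        expiry = self._allowed.get(ip)
        if expiry is None:
            return False
        if now > expiry:
            del self._allowed[ip]
            return False
        return True

    def filter_packet(self, ip, port, now):
        """Default-drop policy. Knock ports are observed but never answered, so a
        scanner sees every port closed; only a completed knock reaches the VPN port."""
        if port in KNOCK_SEQUENCE:
            self.knock(ip, port, now)
            return "DROP"
        if port == PROTECTED_PORT and self.is_allowed(ip, now):
            return "ACCEPT"
        return "DROP"


def simulate(events):
    """Run a list of (time, src_ip, dst_port) through one gate; returns the verdicts."""
    gate = KnockGate()
    return [gate.filter_packet(ip, port, t) for t, ip, port in events]


if __name__ == "__main__":
    # Constructed traffic: the owner (203.0.113.5) knocks correctly, a scanner
    # (198.51.100.7) hits the VPN port cold, 192.0.2.9 knocks in the wrong order,
    # and the owner's rule has expired by t=40.
    EVENTS = [
        (0.0, "203.0.113.5", 8000),
        (1.0, "203.0.113.5", 8002),
        (2.0, "203.0.113.5", 51820),
        (2.0, "198.51.100.7", 51820),
        (3.0, "192.0.2.9", 8002),
        (4.0, "192.0.2.9", 8000),
        (5.0, "192.0.2.9", 51820),
        (40.0, "203.0.113.5", 51820),
    ]
    for event, verdict in zip(EVENTS, simulate(EVENTS)):
        print(event, "->", verdict)
```

Two details matter for the security of the scheme and are visible in the model: the knock ports reply with nothing, so the host looks identical to a scanner before and after a knock, and the allow rule is bound to the knocking source and to a short lifetime, so a knock observed on the wire by someone else does not open the port to them from another address or indefinitely.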
 
They don't attack passwords usually. They use a flaw in the system to get around the password system by either getting the system to tell them the password, or circumventing it entirely and giving themselves root and control over the whole system at the highest level. Once you port forward you announce to the whole internet my system is here, it's this device and it's at this IP address on this port. Any hacker with any knowledge will already know the vulnerabilities of that model of camera and how to get around the password system.
 

Exactly, you can think of the hackers like the Eye of Sauron and every time you port forward you are putting on the ring. The longer you wear it, the higher the probability of them getting to you. Much easier to just never put it on or at least know what you’re doing if you must.