How insecure is port forwarding for Blue Iris if you have an incredibly strong password?

MrRobinHood

I realise you shouldn't be using port forwarding, and I'm not, but I'm curious as to how big of a risk in reality it really is if you're using a very long randomly generated password?

Does leaving port 81 open only leave you open to brute force password attacks? Or does it create additional risks or vectors into your Windows machine through potential Blue Iris or Windows bugs?

What's the weakest point when using this method?

If you have a 50 character long random password from a password manager that would take decades to brute force, are you then actually relatively safe?
 

sebastiantombs

I think leaving any port open, even 443 for a VPN, can lead to hack attempts. I see a few "regular" tries at 443 on my router but given 128-bit encryption I'm not too worried at all. I think it's also possible to use any open port for a sideways entrance into a network but that would take some pretty sophisticated hackers, although with the way things are going that may not be such a big stretch today.
 

mat200

Hi @MrRobinHood

Great question.

So the answer .. sort of along the lines of ..


How secure is your home to robbers if you have a key which is 1 foot long with 60 teeth?



Yes, this is sort of how you need to think of the question ..



When your lock and key are strong, but your windows to the street are open .. does not make you much more secure ..

When your house has no windows and is of brick, with a strong roof and doors .. then a strong lock helps ..


In terms of computers .. same applies .. no computer is 100% safe connected to the internet, and just because you have a great lock on the front door, .. robbers can come in through other means ..

Since most people do not live in vaults, and few computers are secure enough .. you really do not want to port forward with all the thieves and robbers out there .. some which are robo-robbers .. (*)


( * - of course if you are an IT security pro and know what you are doing, and have the time to do it .. well, then that of course is a different thing, and you probably do not listen to random people's advice on the internet .. )
 

Mike A.

Most exploits don't bother to go directly against a password or encryption. They go completely around the authorization or rely on some fundamental flaw in implementation. As we've seen for most all of the big hacks against various cams and other network devices. So it may help against routine attempts to find default passwords and easy targets but won't in the case of some vulnerability within the system whether it's at the specific server being accessed or the underlying OS/transport.
 

wittaj

BI is great, but it doesn't have the millions of users like other programs, so a vulnerability could be sitting there longer before it is realized than say with Windows. And we shut off anti-virus for BI, so.....follow that path - port forward is not a good idea...
 

Clucky

Doesn't Blue Iris have a password lockout feature like Hikvision if you fail too many times?

Instead of using a VPN for my phone, I was thinking of just setting up Windows Firewall rules on an admin account (have Blue Iris installed on a non-admin account), and restrict outbound traffic from the server to my local network. Even if they somehow take over the computer, they wouldn't be able to change that firewall rule without being an administrator.

Or set the server on a subnet that is isolated from the rest of the network through a firewall.
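
The outbound containment rule described in the post above could look like this; it is an added example, not code from the thread or from Blue Iris. The rule name, the 192.168.1.0/24 layout (gateway at .1, cameras at .200-.220) and the probe host are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. All addresses and the rule name are assumptions; adjust to your LAN.
$RuleName  = 'BI-Contain-Outbound-LAN'
$Blocked   = @(
    '192.168.1.2-192.168.1.199',    # LAN hosts between the gateway (.1) and the cameras
    '192.168.1.221-192.168.1.254'   # LAN hosts above the assumed camera range (.200-.220)
)
$ProbeHost = '192.168.1.50'         # a LAN machine inside a blocked range
$ProbePort = 445                    # any TCP port that host normally answers on

# Recreate the rule from scratch so re-running the script never leaves duplicates.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Block rules take precedence over allow rules in Windows Firewall, so the gateway
# and camera addresses are simply left out of the blocked ranges.
New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
    -Profile Any -RemoteAddress $Blocked | Out-Null

# Show the address ranges that were actually stored for the rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# Confirm the block from this machine: the probe must now fail.
$probe = Test-NetConnection -ComputerName $ProbeHost -Port $ProbePort `
    -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    Write-Warning "Outbound block is not effective: ${ProbeHost}:${ProbePort} is still reachable."
} else {
    Write-Output "Outbound connection to ${ProbeHost}:${ProbePort} is blocked as intended."
}
```

The rule holds only while the process that was taken over stays a standard user; the isolated-subnet option in the same post enforces the same restriction on a device the server cannot reconfigure.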
 

tech_junkie

The sites that people use like noip are scanned and clients attacked.
That is why port forwarding is bad.
Splitting the WAN and giving it its own outside address is a better method of self hosting. VPNs, they are safe to a point.
 

malanden

Is it the end of the world? No.
Is it possible someone could find an attack vector on an open port? Possibly.

Is it likely? Not really. Hackers and script kiddies go for low hanging fruit.

That being said, a VPN like WireGuard is a way better option.

Edit, I should also add, if you have a capable router, drop all traffic that doesn't come from North America. It's not foolproof, but my router drops about 100k attempts per day. That's how many scanners are out there.
 

Clucky

But even if you have a VPN don't you need open ports? If so how does that change anything from just having a secure password?
 

Mike A.

You have only one port open for everything and it requires encrypted key exchange (and a password also if you want) in order to make the connection. Also traffic between the two connections is encrypted.
 

malanden

Exactly what he said is why VPN port open is more secure. You can also randomize the port, making an attacker do more work.

Anything exposed to the internet is vulnerable to attack. It's just about minimizing that attack potential. If you are not a target of interest like government org or big business, most hackers aren't spending the time.

A large majority of attacks are scripts of other hackers' work, looking for unpatched systems. Hence they are called script kiddies.
 