Illegal log in attempt on NVR question
- Thread starter Vandoe
- Start date
CCTVCam
Known around here
- Sep 25, 2017
- 2,830
- 3,709
Be aware, strengthening your password is a good idea but uiltimately if you port forward you're making it easy for anyone to get in.
Goggle isn't the only search engine out there. Hackers use Shodan which basically shows up millions of entries that google and similar engines hide. Every single device connected to the internet that isn't correctly hidden shows and can be found in one of the OSINT search engines. Not only the device, but what it is, it's location etc. So someone out for no good could search cameras and your location eg florida, in which case every single camera attached to the internet in florida would show up. Click on yours, and it shows you exact location to as close as is possible and your IP address and port. From there, the hacker has everything they need to get started. So far as passwords are concerned, passwords won't stop a hacker because as Alastair explained above, cameras have vulnerabilities than enable hackers to either bypass logins entirely rendering your passwords useless, or alternatively there are vulnerabilites where they can command the camera to tell them your login and password! In which case they just then login in using it. No matter how strong your password is, it's no use if it can be bypassed or reveals itself. What you need is a VPN but not the paid for type. One that runs on your router locally and enables you to set up a secure remote connection with your phone app. This then hides your router / cameras presence on the internet so it cannot be detected by search engines, even using OSINT, and does not reveal it's IP / port address. In addtion, to enter the router, the hacker if they can find it by other means would have to break the VPN encryption which would take a very long time with a building sized super computer so is very very unlikely.
In simple terms therefore:
Port Forwarding - Router shouts I'm here connect to me and reveals everything needed to do that ie IP address, open ports etc.
VPN - Router hidden, IP hidden, from search engines and internet generally, doesn't respond to pings or port scans, any adverse remote connection to it via the VPN route requires breaking the encryption.
Goggle isn't the only search engine out there. Hackers use Shodan which basically shows up millions of entries that google and similar engines hide. Every single device connected to the internet that isn't correctly hidden shows and can be found in one of the OSINT search engines. Not only the device, but what it is, it's location etc. So someone out for no good could search cameras and your location eg florida, in which case every single camera attached to the internet in florida would show up. Click on yours, and it shows you exact location to as close as is possible and your IP address and port. From there, the hacker has everything they need to get started. So far as passwords are concerned, passwords won't stop a hacker because as Alastair explained above, cameras have vulnerabilities than enable hackers to either bypass logins entirely rendering your passwords useless, or alternatively there are vulnerabilites where they can command the camera to tell them your login and password! In which case they just then login in using it. No matter how strong your password is, it's no use if it can be bypassed or reveals itself. What you need is a VPN but not the paid for type. One that runs on your router locally and enables you to set up a secure remote connection with your phone app. This then hides your router / cameras presence on the internet so it cannot be detected by search engines, even using OSINT, and does not reveal it's IP / port address. In addtion, to enter the router, the hacker if they can find it by other means would have to break the VPN encryption which would take a very long time with a building sized super computer so is very very unlikely.
In simple terms therefore:
Port Forwarding - Router shouts I'm here connect to me and reveals everything needed to do that ie IP address, open ports etc.
VPN - Router hidden, IP hidden, from search engines and internet generally, doesn't respond to pings or port scans, any adverse remote connection to it via the VPN route requires breaking the encryption.
Okay I disabled all UPNP in my NVR as well as my Xfinity x8 router/modem. Then did the shields up testing as suggested. Everything came back good other than saying I did respond to a ping.
I looked in all settings in my router and could not find anything about VPN. So not sure what my options are in that area. Attached is my router info
Attachments
Can anyone tell me what I can expect to see in the future with UPNP disabled? Will devices not connect easily now or something? I assumed it serves some purpose I wasn’t aware of. Just so I know what to expect if I run into an issue
CCTVCam
Known around here
- Sep 25, 2017
- 2,830
- 3,709
Or you could momentarily turn upnp back on, connect your device and then re-disable upnp. Slightly more risky but the chances of it co-inciding with a hacking attempt are very low if it's on for eg less than 1 minute. Slight risk is there though. Always best to check your network map and see what's connected anyway and make sure you can identify everything in there and that nothing has an external ip.
alastairstevenson
Staff member
It would have been more interesting to do the ShieldsUp! inbound vulnerability check before making any configuration changes, then you could see what ports UPnP had opened without your explicit configuration of the router.
Then disable UPnP and recheck to confirm there is no longer any inbound access.
Presumably though you'll no longer see any illegal login attempts on the NVR.
It's not ideal that the router responds to a ping from the internet, though it's not a big problem.
What would be a problem though is if 'Allow remote router configuration' was enabled - though that would likely have been spotted by ShieldsUp!
Maybe check the router configuration menus to be sure.
I can enable it again to do as you suggested.
I did see remote log in on the router and it was disabled. Not sure if that’s the same thing.
Mike A.
Known around here
- May 6, 2017
- 4,142
- 6,946
Most routers won't disable ports that have already been opened using UPnP if you later turn it off. Turning it off will stop future opening but it's not retroactive. Once a port has been opened, it stays open.
I don't like ShieldsUp a lot. It can give a false sense of security. It doesn't by default scan everything so unless the ports are common service ports or below 1056 it's not going to show up in the scan. Also only does TCP, not UDP. There used to be some better free ones out there but all that I knew have gone to paid services now. Better to use nmap or similar scanner from another machine/outside connection.
alastairstevenson
Staff member
Agreed, up to a point.
Power-cycling the router after UPnP has been disabled will close any ports that it had opened.
So should I not enable UPnP to scan it again?
or if I do just power cycle the router afterwards?
good sign, I have not had any log in attempts since disabling it. I was getting them nightly
alastairstevenson
Staff member
