Illegal Login on Hikvision NVR

[Rammy329]

Im hoping someone can help me. I have a Hikvsion NVR. I recently changed the passwords to the admin and the one I normally log in with. I have been getting illegal login attempts on the admin remotely. On Wed there were five attempts made at a time when I wasnt even home and had not checked the cameras on the app.
I also see where it will say Operation, but nothing is listed as to what operation is being performed.
Sometimes after I do check the logs, it will say Operation, showing me as the one checking the logs, and the next line will say ARM?
I need to know what to do to keep someone from trying to log in. Today, about fifteen minutes after I had watched playback, I saw an illegal login attempt in the logs. Is whoever trying to log in also know when Im not on the computer?Im very nervous and upset about this.
The IP address from the consistant one is 192.168.1.98.

Any help or suggestions will be greatly appreciated.

 

[SantiagoDraco]

I'm not familiar with your NVR but one thing you should do is disable the Admin account, if you can, and use a new account (with a username known only to you) and a strong password. I assume your NVR will allow this. Be sure to make a new account that has admin privilages before disabling the default account.

Another method to protect the NVR access is to use a VPN instead of port forwarding to the NVR, if you are. Also be sure you are not port forwarding to the cameras themselves.

 

[58chev]

Unfortunately there is no way to disable the admin account on Hikvision NVR. (stupid on their part)

If you are using port forwarding, disable... That is how someone id trying to get into your NVR.

VPN is safer alternative. OR you could do like I have done and that is no outside access for my NVR.

 

[tangent]

The IP address from the consistant one is 192.168.1.98

That's an address on your local area network. Shouldn't be hard to figure out what it is and why it's connecting to the camera.

Don't forward ports on your router.

 

[tangent]

Something on your network has been compromised. Whatever .98 is has a virus on it more than likely.

Certainly could be a virus, could also be a piece of software you installed to view your cams but it has an invalid password.

 

[cutterman]

FWIW the Hik NVR's log the private, internal IP address of the potential hacker not the public IP (more stupidity). I verified this by connecting from work and deliberately entering wrong PW. If you have a device on your network with the .98 address check for compromise as mentioned above.

 

[tangent]

FWIW the Hik NVR's log the private, internal IP address of the potential hacker not the public IP (more stupidity). I verified this by connecting from work and deliberately entering wrong PW. If you have a device on your network with the .98 address check for compromise as mentioned above.

I'd expect it might log the router's ip address. To the camera the traffic appears to come from the router and not the internet.
Router's can also get hacked and attack other things.

 

[cutterman]

That's what I thought. For a short time I had port 8000 forwarded and was getting occasional illegal login alerts. In all cases the logged IP was an assortment of private addresses. Same thing when I tested it from work.

 

[nuraman00]

That's what I thought. For a short time I had port 8000 forwarded and was getting occasional illegal login alerts. In all cases the logged IP was an assortment of private addresses. Same thing when I tested it from work.

What did you do about the illegal login attempts?

 

[cutterman]

I set up a VPN

 

[nuraman00]

I set up a VPN

How do you view the camera feeds on your phone, through the VPN?

 

[cutterman]

Yes. I use OpenVPN app on an iPhone which makes the secure connection. Then I use the iVMS-4200 app set to local IP of NVR. Works great.

 

[Rammy329]

I'm not familiar with your NVR but one thing you should do is disable the Admin account, if you can, and use a new account (with a username known only to you) and a strong password. I assume your NVR will allow this. Be sure to make a new account that has admin privilages before disabling the default account.

Another method to protect the NVR access is to use a VPN instead of port forwarding to the NVR, if you are. Also be sure you are not port forwarding to the cameras themselves.

Hello:

Sorry I havent replied til now. Having some personal things needing attention. I have changed all the passwords on nvr as well as changed the ssid and passwords on that. Was still getting illegal login attempts from the .98 ip.
I have unplugged the cable from the router so now cannot view cameras on ivms at all now.
Since I do not know how to disable the port forwarding, thats all I know to do to keep them from being hacked.

 

[Rammy329]

Unfortunately there is no way to disable the admin account on Hikvision NVR. (stupid on their part)

If you are using port forwarding, disable... That is how someone id trying to get into your NVR.

VPN is safer alternative. OR you could do like I have done and that is no outside access for my NVR.

Hello

I just unhooked the cable from the router. I only hook it up when I need to save video on my computer thru the ivms client software.

Rammy

 

[Rammy329]

I set up a VPN

I looked at vpns but not sure how to set one up. I liked that I could check in on my house with them being online but if I have to keep them unhooked from the router, then so be it. I only plug them in when I need to adjust the angle or save video.
Beats running up and down a ladder ten times til you get the view right.

Rammy

 

[Rammy329]

Unfortunately there is no way to disable the admin account on Hikvision NVR. (stupid on their part)

If you are using port forwarding, disable... That is how someone id trying to get into your NVR.

VPN is safer alternative. OR you could do like I have done and that is no outside access for my NVR.

Thats what I decided to do. Since I do not know how to disable port forwarding, I just onhooked the ethernet cable from the router. I have changed the pswrds twice and ssid twice and was still getting login attempts, which tells me its my neighbor.

Rammy