IP Address Filter practical experiences

tradertim

Getting the hang of it
Joined
Jul 1, 2015
Messages
260
Reaction score
22
Hi guys. Sorry for the couple of threads, as I was backdoor hacked.
Does anyone have any practical experience with using the IP address filter? I searched but there's not much on the topic.

I am extremely frustrated with Hikvision / the buggy software and the efforts to make maintenance of this stuff difficult.

1- What formats work, e.g.
192.168.0.0
192.168
192.168. *.*

2- Do you have to add the local subnet address, e.g. 192.168.0.0?

3- I read that it breaks email? That is pretty useless: it prevents outgoing email from a camera when I just want to limit incoming access from the internet.

4- To cover a subnet, what format is inputted? E.g. see 1- above.

5- What other apps are broken? Is it true that outgoing email breaks?

I realise another option is with the router, but I'm not sure if I can do it there.
Thank you guys

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
Hi guys. Sorry for the couple of threads, as I was backdoor hacked.
For your DS-2CD2x32 cameras, you can upgrade them to the backdoor-fixed 5.4.5 firmware using this method:

Unbrick and fully upgrade your R0 / DS-2CD2x32 IP cameras -
R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

But presumably you have enabled 'port forwarding' in order to allow the whole internet to access your cameras?
If you haven't knowingly done this, maybe UPnP is enabled on both your router and the cameras, which would do this without you knowing.
If so, check the inbound access using a scanner such as ShieldsUp! (GRC | ShieldsUP! — Internet Vulnerability Profiling). Do a full port scan, not a UPnP scan.
Be surprised.
Check / change your router and camera configurations to disable UPnP.
Re-check with ShieldsUp!
Be relieved.

tradertim

Hi Alastair, thanks. Yip, I'm rechecking the UPnP on the cameras and will disable UPnP on the router.

I have static port forwarding, because I WANT to access the views remotely, a major advantage of CCTV.

I have to find a compromise: it is remote playback and remote view that I use all the time at this property we are not always at.

Thanks for the link to upgrade. I've always been a bit apprehensive, not knowing how to do it / the level of effort. I spend more time than I want maintaining these damn Hikvision cameras with buggy software, and now backdoor liabilities :)

tradertim

My opinion of Hikvision is going down and down over the years.

The IP address filter looks like it matches on an EXACT IP ADDRESS, NO RANGES, as far as I'm aware, e.g.

120.120.1.50 allows remote access, but when I remove 120.120.1.50 and have 120.120.0.0 allowed, remote access is not possible and fails.

If I find out more I will update. Keen to hear of others' experience: can a subnet range be added?

xomiki

n3wb
Joined
Mar 1, 2018
Messages
5
Reaction score
1
Location
Brisbane, Queensland, Australia
I haven't tried it myself, but I assume you could make your own firmware which has a different setting for iptables config.

Another option is a VPN so that the camera itself isn't exposed on the internet but is still accessible remotely.

Yet another option is a separate switch/firewall/router that sits in front of the camera and does the blocking for you.

alastairstevenson

I haven't tried it myself, but I assume you could make your own firmware which has a different setting for iptables config.
This is true.
Hikvision are using the common Linux iptables / xtables-multi as the core, but they are processing the web GUI configuration settings in a way that limits full use of the extensive capabilities, such as specifying a network as opposed to a host.

A useful addition to start.sh, after enough of a delay for it to have initialised, is something like
/sbin/iptables -F
which flushes all the rules and allows access to the dropbear SSH server, which is usually always running but filtered.
Other rules could also be added in their native form, but would be vulnerable to being overwritten by any web GUI IP filter config changes.
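As an added illustration of the "native form" rules mentioned above (this is example code written for this thread, not Hikvision's firmware, not the camera's start.sh, and not anything posted by the members), the POSIX sh below builds an inbound allowlist that accepts whole networks in CIDR form (the case the web GUI filter cannot express, per the 120.120.0.0 test earlier in the thread) as well as single hosts. It assumes iptables at /sbin/iptables, a filter on the INPUT chain, and placeholder service ports 80 and 554; all addresses in the usage line are constructed sample values. IPT_DRY_RUN=1 prints the commands instead of running them, so the rule set can be reviewed before it is ever applied.

```shell
#!/bin/sh
# Example inbound allowlist in native iptables form (added example, not
# from the thread or from Hikvision). Assumptions: POSIX/busybox sh,
# iptables at /sbin/iptables, rules on the INPUT chain, TCP service ports
# given by the caller (80 and 554 below are placeholders).
# Disable pathname expansion so a '*' in an entry is never globbed.
set -f

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Run one iptables command, or print it when IPT_DRY_RUN=1.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Return 0 if $1 is a dotted-quad IPv4 address with four octets in 0..255.
valid_ipv4() {
    v_oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$v_oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print "host", "network" or "invalid" for one allowlist entry.
# 192.168.0.0 on its own is a host (it matches only that one address);
# 192.168.0.0/16 is the network form; 192.168 or 192.168.*.* is invalid.
classify_entry() {
    case "$1" in
        */*)
            c_addr=${1%/*}
            c_plen=${1#*/}
            case "$c_plen" in
                ''|*[!0-9]*) echo invalid; return ;;
            esac
            if valid_ipv4 "$c_addr" && [ "$c_plen" -le 32 ]; then
                echo network
            else
                echo invalid
            fi ;;
        *)
            if valid_ipv4 "$1"; then echo host; else echo invalid; fi ;;
    esac
}

# apply_allowlist "<entries>" "<tcp ports>": for each port, accept new
# connections from every valid entry (host or network) and drop the rest.
# Invalid entries are reported on stderr and skipped rather than silently
# turned into a rule that matches nothing.
apply_allowlist() {
    a_entries=$1
    a_ports=$2
    for p in $a_ports; do
        for e in $a_entries; do
            kind=$(classify_entry "$e")
            if [ "$kind" = invalid ]; then
                echo "skipping invalid allowlist entry: $e" >&2
                continue
            fi
            ipt -A INPUT -p tcp --dport "$p" -s "$e" -j ACCEPT
        done
        ipt -A INPUT -p tcp --dport "$p" -j DROP
    done
}

# Usage (dry run, constructed sample addresses): allow the whole LAN and one
# remote host to reach the web and RTSP ports, drop everyone else.
# IPT_DRY_RUN=1 apply_allowlist "192.168.0.0/24 203.0.113.7" "80 554"
```

Because the rules match only inbound connections to the listed service ports, the camera's own outbound connections (SMTP alert email, NTP, DDNS) are untouched: their replies arrive on ephemeral ports, not 80 or 554, which is the behaviour questions 3 and 5 at the top of the thread were after. If this is appended to start.sh after the `iptables -F` line, the same caveat from the post applies: a later IP filter change in the web GUI can rewrite the chain and silently discard these rules, so re-check the live rule set with `iptables -L -n` after any GUI change.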