Network Video Recorder: Illegal Login

[Travieso]

Greetings Everyone,

Last night I got a few emails notification of Illegal Login, I searched my records and there was a total of 14 attempt logins, This worried me so I Immediately change My password and moved to a different HTTP Port, This morning I Woke up and had a total of 5 Incidents, Only ones connected/remotely connected to the NVR is me and my wife, I asked her yesterday if she tried to connect to the server and she said No, My question is... Is someone really trying to hack into my NVR? Any pointers What I should look for? How do I protect myself, I Only have HIK-DDNS Server activated I turned everything off, like EZVIZ Cloud P2P, ETC.. I checked the report and I had a weird Email of 10.81.144.XXX I looked it up and it said it's an internal IP Address.

Can I assign only my Computer To remotely log into the NVR or a trusted IP Address or MAC address ?

Any help is Appreciated..

 

[khx73]

Most important thing..change password from default (and pick a good one).. second.. don't use the default port. You've got those both covered now anyway.
That IP address IS an internal private IP..but its most likely spoofed.. so doesn't mean much.
You sure it was a HTTP login failure, or was it on the SDK port (usually 8000 I think). That's the port that client software connects on such as Hik's IVMS.
I see random scans on port 8000 hit my firewall quite often.... more background noise of the net.. not likely anyone actively trying to hack *your* NVR - just automatic scans people run across the net looking for low-hanging fruit.

 

[Travieso]

<IHere is one of them, How Im I able to tell if Its a 8000 Port or a HTTP Login?

D>36</ID><OperationTime>2015-11-08 17:03:41</OperationTime><MajorType>Exception</MajorType><MinorType>Illegal Login</MinorType><RemoteOperator>admin</RemoteOperator><LocalOperator/><RemoteHostAddress>10.198.183.1</RemoteHostAddress><ChannelName/><Description/>

 

[khx73]

To the best of my knowledge, the HTTP service of the NVR doesn't post exceptions like that. The SDK port definitely does.
I just tried both on my own and that is what happened... no exception messages from bad HTTP logins... but they DO come from bad client software (SDK, port 8000) logins.

This is interesting too:
While testing this.. I have found that the reported IP address is not correct if the connection came in through NAT from the outside world - it appears to report some completely unrelated IP that has nothing to do with where it actually came from.
If from inside my LAN, it reports the private IP source correctly.
Luckily my firewall logs the actual IPs attempting to connect to that port...

Odd.

 

[Travieso]

yeah, I'm stumble also, This is not making sense to me, lacks information, If you dont mind me asking what type of router/firewall do you have? I poked around my Router and I wasn't able to get any info either, as of right now everything seems okay, I haven't gotten any more illegal attemps logins

How do you search for (SDK Port 8000) Logins which btw I did change also.

 

[khx73]

Mine is a custom built linux based router/firewall... I can define specific logging of whatever I want on it. You won't be able to get the same logging features out of most store-bought routers.

However, not to worry..now that you've changed the default port from 8000 to something else, you should be fine.

How are you able to connect to your NVR from the outside world? Did you port forward for that or let the NVR do everything automatically with Hik-DDNS and UPNP?

 

[Travieso]

I Port forward My public IP address, Although I don't have a Static IP address, For whatever reason my ISP has never changed my IP Address, I've had the same IP address for the past 11 months... Im also able to hit it with HIK-DDNS, What Linux/firewall are you running you got me thinking now, In the past I've ran P-Fense and untangle firewall, I Like the GUI from Untangle Better. I Have a spare machine that i Could crank open and wouldnt mind running something custom again.. Only thing that worries me is WiFi Range, I have quite a few Wifi Connection going around the house. Maybe a ubiquiti wifi Access point Should do the trick?

 

[khx73]

I'm using a RHEL based setup..(CentOS), customized firewall/routing set up with iptables. Can be as complex or as simple firewall/routing/logging as you care for. Any linux distro should be similar.
I've heard good things about the Ubiquiti stuff. You could always turn your exiting wifi router into an access point after setting up the linux.

 

[NVR]

For whatever reason my ISP has never changed my IP Address, I've had the same IP address for the past 11 months...

I was discussing this with a friend, IP addresses are changing less often for whatever reason, his hasn't changed in 6 months even after rebooting his router. Which normally was a way to get a new IP.

 

[gwminor48]

I think a lot of isp's are using what they call "sticky" ip's. You don't get a different ip unless you replace the router.

 

[bp2008]

I think a lot of isp's are using what they call "sticky" ip's. You don't get a different ip unless you replace the router.

I've had the same IP for 5 years despite it being "dynamic". I upgraded routers two times and each time the ISP gave me a different IP, so I cloned the MAC address from the previous router and then they gave me my old IP back. Some router firmware doesn't have the ability to override the MAC address but some do and that is the secret to making your "sticky" ip follow you around.

 

[alastairstevenson]

I think a lot of isp's are using what they call "sticky" ip's. You don't get a different ip unless you replace the router.

Lol! Yes, it makes satisfying those agency / law enforcement traffic and connection queries so much easier.
Imagine the complexities of matching up varying IP addresses with exact timing and accounts and connections over months and years.
Simplified at a stroke after some fairly straightforward infrastructure updates.

 

[Travieso]

Lol! Yes, it makes satisfying those agency / law enforcement traffic and connection queries so much easier.

This is what I immediately thought about When my IP Address wasn't changing, I'm sure they do this for a reason to Track peoples uses, I just hope I don't get a Bandwidth Cap.

 

[khx73]

I'm pretty sure this is normal behaviour for the DHCP service that is handing out those IPs, which is based on MAC addresses. I believe normal DHCP server behaviour is to hand out the same IP, assuming it is still available, to the same MAC requesting it. DHCP clients (you) will request the same one it had perviously by default..and the server will honor it as long as it's available.
DHCP "release" and "renew" signals can be sent to the server... If you issue a DHCP Release, you tell the server you are done with the IP, and it can consider it free to issue to someone else. Whether it happens that way depends on the server's configuration and load. More info at https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol .

 

[alastairstevenson]

That's certainly true for regular DHCP, on a single LAN segment.
But it's not typically how ISPs have operated historically.
That's why there are so many DDNS services out there now on the internet, for when people want to have a known address for their remote access.
The time was when you'd pay a little more for a fixed IP address, usually a business-class service.

 

[NVR]

Ip addresses used to change with every reboot, and you couldnt hold the same one for longer then a month. Soon they'll start selling Dynamic IP services.

 

[bp2008]

Ip addresses used to change with every reboot, and you couldnt hold the same one for longer then a month. Soon they'll start selling Dynamic IP services.

LOL

Hopefully IPv6 takes over before then because that set of addresses is practically inexhaustible so everyone could have their own stupidly large set of addresses to choose from (if the standards authorities and internet providers accomodate). IPv6 supports 340282366920938463463374607431768211456 addresses and I'm not even joking.

 

[Travieso]

That's certainly true for regular DHCP, on a single LAN segment.
But it's not typically how ISPs have operated historically.
That's why there are so many DDNS services out there now on the internet, for when people want to have a known address for their remote access.
The time was when you'd pay a little more for a fixed IP address, usually a business-class service.

Yup and this is why, I have set up DDNS Service on my NVR and my Router, Im able to hit my router anywhere I am, for this same reason, Even though I haven't used it yet.. I typically log in with my "sticky" ip lol