Question about risk with port forwarding

[Euly]

Hi, I have a number of Dahua cameras that are currently on my local home network. My neighbor would like me to allow him to view my camera's streams, but I hesitate for a couple reasons which I'm hoping someone on here can provide me a more comprehensive and reasonable assessment. My primary hesitation is my concern for the vulnerability of my cameras, which I have not changed the default usernames/passwords (because they are local and only accessed by me). I am somewhat familiar with networking, but how much of a risk would it be to have the cameras port-forwarded with default usernames/passwords, but with no associations outside the network, such as embedded in a website. I would give my neighbor a simple link or set up an app on his phone myself.
My fear is someone port sniffing my network, finding the cameras, and bricking the cameras or changing the passwords.
Could I use uncommon ports for forwarding or would that not matter?

Thank you, in advance.

 

[khx73]

Change the defaults right away. Not doing so is a very bad idea.

If you are going to give him access, do at least these things:
- Change the default port numbers for the services he'll access.
- Make a separate account on the camera(s) with read-only access, and give him only that account to use.
- Consider limiting the forwarding access to his IP, which will likely be a range of IPs.

 

[Euly]

Thank you for the reply. I'm wondering about the risk of intrusion by the ports being discovered. I just don't know how common the threat is of non-commercial networks being port sniffed.
I trust my neighbor, so I'm not concerned about him giving out my IP address to random people. I would set up a read-only account though, just so he wouldn't have the chance to accidentally change a few settings. My outside network-footprint is fairly small. I don't host a website or anything, so no static IP. Other than hosting Steam games for friends occasionally, my online activity is relatively inconspicuous.

 

[Michelin Man]

Having any ports open is a risk of itself. However, you need to have them open if you want to have any outside access to your network.

Sure you can change the typical port numbers with something else. It would make it harder for someone who is specifically trying to get in and knows your IP address. Like you said ports can be sniffed. So if someone really wants to find out whats behind the wall they can. Making it as hard as possible is a good thing. Just like security in general.

Definitely change default password and if possible usernames. There's heaps of unsecured cameras out there that are made public for people to see. Many of these people don't even know they are being watched.

 

[Euly]

Thank you for the help. When I forward the ports, I'll change the default passwords and create a view-only account. Thank again.

 

[bennuss]

On a ny decent router you can limit the incoming port request ip to his. Even if he has a dynamic they dont change very often and once you know how to change it it only take 30 seconds