Remove www directory contents for security

jjp44343

Nov 8, 2015
I wanted to know everyone's thoughts on removing the contents of the www directory in the interest of security. The source of the login page reveals version info etc. by default, and the 404 response header returns BlueServer either way with version info. I've looked for a way to disable the web login page with no success but was able to remove the entire contents of the www folder and retain mobile app access. Has anyone else tried this? If so, any issues?
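An added example, not part of the thread: a small offline check for the two leak points described in the post above (the login page source and the `Server` response header), run against raw HTTP responses you have captured from your own server. The sample responses, the `BlueServer/0.0.0.0` header format and the placeholder version number are constructed assumptions.

```python
import re

# Response headers that commonly carry a product/version banner.
BANNER_HEADERS = {"server", "x-powered-by"}
# "Product/1.2.3" or "Product 1.2" style banner tokens.
BANNER_TOKEN = re.compile(r"[A-Za-z][\w.-]*[/ ]v?\d+(?:\.\d+)*")
# "version 1.2.3" / "ver=1.2" style strings inside a page body.
BODY_VERSION = re.compile(r"(?i)\bver(?:sion)?\b\W{0,3}v?\d+(?:\.\d+)+")

# Constructed sample responses (placeholder version 0.0.0.0).
LOGIN_PAGE = (b"HTTP/1.1 200 OK\r\nServer: BlueServer/0.0.0.0\r\n"
              b"Content-Type: text/html\r\n\r\n"
              b"<html><!-- version 0.0.0.0 --><form>login</form></html>")
# Same server after the www contents were removed: empty body, banner remains.
EMPTY_WWW_404 = (b"HTTP/1.1 404 Not Found\r\nServer: BlueServer/0.0.0.0\r\n"
                 b"Content-Length: 0\r\n\r\n")
# What a client sees if a proxy in front strips the banner header.
STRIPPED_404 = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def version_leaks(raw: bytes) -> list[tuple[str, str]]:
    """Return (location, text) pairs for version strings in one raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    leaks = []
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in BANNER_HEADERS:
            match = BANNER_TOKEN.search(value)
            if match:
                leaks.append((f"header:{name.strip()}", match.group(0)))
    for match in BODY_VERSION.finditer(body.decode("utf-8", "replace")):
        leaks.append(("body", match.group(0)))
    return leaks


if __name__ == "__main__":
    for label, raw in [("login page", LOGIN_PAGE),
                       ("404 after emptying www", EMPTY_WWW_404),
                       ("404 with banner stripped", STRIPPED_404)]:
        print(label, "->", version_leaks(raw) or "no version strings found")
```

On the constructed data, emptying the www folder removes the body leak but the header banner is still reported, which matches what the post observes about the 404 response.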
 

Hi @jjp44343

Use a VPN - do NOT port forward. (i.e. you should only allow authorized people access to your "www")

That should solve the issue for most folks here that use it for their home or shop.
 
Yes, if you are this concerned about the security of the web server, you should be using a VPN and not port forwarding to BI.

If a VPN is too inconvenient (believe me, I understand if it is, lol), then use a reverse proxy server with a virtual directory path that only you know so that random scans will have no chance of even finding your BI server.
 
If you know what you're doing you should be able to run the VPN server on the Blue Iris server and not allow connected clients to access the LAN.
Yes, I’m going to dial that in tomorrow. Right now I have the cameras set up to a router with no WAN into a second ethernet card on BI server. The first card connects to the LAN and has internet access. I have multiple external IP addresses at my disposal so I may use one with a pfsense box for an extra layer.
 

pfsense + openvpn will be a good option, far better than port forwarding
 
OpenVPN on pfSense uses certificates in addition to the username and password. Plus you can use the Geo-IP filters to only allow VPN connections to you from whatever country you are in. Cap all that off with a good strong VPN password and you will be very secure.

If you want to really tighten it down you could allow the OpenVPN to only access the Blue Iris box and not the whole LAN network. You could also vLAN the Blue Iris box on its own isolated vLAN, allowing access to the internet (if you want it to have that), and allow the LAN to access the Blue Iris vLAN but not the reverse, then allow the OpenVPN to only access that 1 IP on the Blue Iris vLAN.

Additionally, if you are using a pfSense you can set up pfBlockerNG to filter out a great many unwanted connections to adware, malware, and malicious domains and IP addresses. This is the guide I used to configure my pfSense to do so.
Block Ads & Malvertising on pfSense Using pfBlockerNG (DNSBL)

Also, if you want to set up a pihole dns to further filter out trash, Linuxincluded has a good guide for that as well.
Installing pi-hole on Ubuntu 18.04 LTS