Remove www directory contents for security

jjp44343

Young grasshopper
Joined
Nov 8, 2015
Messages
36
Reaction score
2
I wanted to know everyone's thoughts on removing the contents of the www directory in the interest of security. The source of the login page reveals version info, etc., by default; the 404 response header returns BlueServer either way with version info. I've looked for a way to disable the web login page with no success, but was able to remove the entire contents of the www folder and retain mobile app access. Has anyone else tried this? If so, any issues?
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
13,944
Reaction score
23,252
Hi @jjp44343

Use a VPN - do NOT port forward. (i.e., you should only allow authorized people access to your "www")

That should solve the issue for most folks here that use it for their home or shop.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,422
Reaction score
3,656
If you want to keep it exposed without setting up a VPN, consider running an nginx reverse proxy.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,676
Reaction score
14,024
Location
USA
Yes, if you are this concerned about the security of the web server, you should be using a VPN and not port forwarding to BI.

If a VPN is too inconvenient (believe me, I understand if it is, lol), then use a reverse proxy server with a virtual directory path that only you know so that random scans will have no chance of even finding your BI server.
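
The reverse-proxy approach suggested above, as an added example that is not part of the original thread and is not Blue Iris's own configuration. The backend address and port, the hostname, the certificate paths and the path token are all placeholders, and it assumes the web UI uses relative URLs so that it works under a path prefix.

```nginx
# Added example with constructed values.
# Assumed: Blue Iris web server reachable at 127.0.0.1:81 (hypothetical),
# cams.example.com and the certificate paths are placeholders.

# Weak form, shown for contrast: every path is forwarded, so any scan
# of the host lands on the login page.
# server {
#     listen 443 ssl;
#     location / { proxy_pass http://127.0.0.1:81; }
# }

server {
    listen 443 ssl default_server;
    server_name cams.example.com;

    # TLS matters here: the secret path travels in the request line.
    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # Remove the nginx version from the Server header and error pages.
    # nginx does not pass the upstream Server header to clients unless
    # proxy_pass_header is set, so the backend's banner is not relayed.
    server_tokens off;

    # Only requests under the secret prefix reach the backend.
    # Replace the token with a long random string and keep it out of
    # shared bookmarks and links.
    location /REPLACE-WITH-LONG-RANDOM-TOKEN/ {
        # The trailing slash makes nginx strip the prefix before forwarding.
        proxy_pass http://127.0.0.1:81/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else: close the connection without sending a response.
    location / {
        return 444;
    }
}
```

The path prefix only hides the server from untargeted scans; the Blue Iris login still does the authentication, and the login page source is unchanged for anyone who reaches it.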
 

jjp44343

Young grasshopper
Joined
Nov 8, 2015
Messages
36
Reaction score
2
I ended up doing a VPN. I'm just not sure what's worse: a VPN compromising my whole local network or 1 port forwarded to Blue Iris.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,676
Reaction score
14,024
Location
USA
If you know what you're doing you should be able to run the VPN server on the Blue Iris server and not allow connected clients to access the LAN.
 

jjp44343

Young grasshopper
Joined
Nov 8, 2015
Messages
36
Reaction score
2
Yes, I’m going to dial that in tomorrow. Right now I have the cameras set up to a router with no WAN into a second ethernet card on BI server. The first card connects to the LAN and has internet access. I have multiple external IP addresses at my disposal, so I may use one with a pfSense box for an extra layer.
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
13,944
Reaction score
23,252
pfSense + OpenVPN will be a good option, far better than port forwarding.
 

smoothie

Pulling my weight
Joined
Dec 19, 2015
Messages
223
Reaction score
178
OpenVPN on pfSense uses certificates in addition to the username and password. Plus you can use the Geo-IP filters to only allow VPN connections to you from whatever country you are in. Cap all that off with a good strong VPN password and you will be very secure.

If you want to really tighten it down, you could allow the OpenVPN to only access the Blue Iris box and not the whole LAN network. You could also vLAN the Blue Iris box on its own isolated vLAN, allowing access to the internet (if you want it to have that), and allow the LAN to access the Blue Iris vLAN but not the reverse, then allow the OpenVPN to only access that 1 IP on the Blue Iris vLAN.

Additionally, if you are using a pfSense you can set up pfBlockerNG to filter out a great many unwanted connections to adware, malware, and malicious domains and IP addresses. This is the guide I used to configure my pfSense to do so.
Block Ads & Malvertising on pfSense Using pfBlockerNG (DNSBL)

Also, if you want to set up a Pi-hole DNS to further filter out trash, Linuxincluded has a good guide for that as well.
Installing pi-hole on Ubuntu 18.04 LTS
 