Security - is it OK for the connections to show multiple unknown IPs as long as 0.00 time in sessions

bignose3

Hi,
Only just noticed that in connections there are some unknown www & WAN IPs.
e.g. hat.census.shodan.io
teliacarrier-cust.com

Settings : I have 20 logins, usual ban after 5 attempts, release after 1 hour.
Have pretty good PW.

They all have 0:00:00 as session & 0 frames. If they had got through, would it show session time?

1) Is this simply brute force attempts that are not getting through? Is it likely specifically for BI or just hackers scanning for open ports etc.?
I have Windows firewall, NAT etc and port forwarding for the server PC so guess with no PW enabled could get through easy.

2) I did not have a password for local connection, I am adding now. Was this ever a risk on the local?

3) I have some local IPs in the advanced allow setting e.g. ^192.168.1.88. I am accessing the database from Python scripts and had security issues,
which led me to my second, more worrying point: during this time I had removed the password from admin to test the script, stupidly forgot to put it back, so probably did have access to my BI for 48 hours.
I have now of course changed passwords. As far as recordings, only outdoor security so nothing sensitive or of any value. Could they gain access to other stuff on the LAN via BI?

I will mention that I am logging into the remote PC (Windows 10) via Google RDP but imagine that is not related to the above unknown www & IPs.
 

sebastiantombs

Two comments -


VPN Primer
 

TVille

The standard on here is captured in both links @sebastiantombs shared: "NEVER FORWARD PORTS".

Do folks do it? All the time.

How much of a risk is it? For a single app like BI, it is probably low, but not really known. Most of the folks who do it would rarely figure out if they had been hacked.

Here is a whole thread on it:

 

mikeynags

shodan.io is one of the sites that scours the Internet looking for open ports or accessible devices and/or services and then catalogs it. It makes all of this data available for searching. Think of it as Google Search for finding things "open" on the Internet.
 

bignose3

Thanks for the info

Rather than getting just a lecture I would have hoped someone could have advised on the question I asked
"They all have 0:00:00 as session & 0 frames. If they had got through, would it show session time?"

I would have liked to know if someone had access to the BI videos during that time if session time was 0:0

I appreciate people are trying to help & caution & the advice to stay away from port forwarding and would not dream of putting individual cameras on WAN knowing how poor their security can be but hoped BI was not too bad, it is a separate PC with just BI running.

Thanks anyway.
 

fenderman

Your concern should not be the video on your system. A minor security flaw in the Blue Iris web server would expose your entire PC and in turn your entire network. If someone viewed the video through the standard protocols it would show session time; you can test this yourself by looking at your connections when you actually viewed video. If you don't want to use a standard VPN you should at least look at something like ZeroTier. Again someone could easily have you in your videos and it would still show zero if they exploited a vulnerability that you're not aware of.
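
Added example, not part of any post in this thread and not Blue Iris code: a Python triage of connection entries like the ones described above, separating LAN clients, known-scanner hosts such as Shodan, and internet hosts that were actually served frames. The row format, the addresses (documentation ranges standing in for real internet hosts) and the `triage` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample rows (not Blue Iris's real export format):
# remote IP, reverse-DNS name, session time, frames served.
SAMPLE = """\
192.168.1.88,desktop.lan,0:12:41,5310
198.51.100.23,hat.census.shodan.io,0:00:00,0
203.0.113.77,host-77.teliacarrier-cust.com,0:00:00,0
203.0.113.140,,0:03:12,948
"""

# Explicit RFC 1918 + loopback check; ip_address.is_private would also
# match the documentation ranges used as stand-in WAN hosts above.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# rDNS suffixes of internet-wide scanners; shodan.io is the one named in
# the thread. PTR records are set by the address owner: a hint, not proof.
SCANNER_SUFFIXES = ("shodan.io",)

def seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def is_scanner(rdns):
    rdns = rdns.lower().rstrip(".")
    return any(rdns == s or rdns.endswith("." + s) for s in SCANNER_SUFFIXES)

def triage(text):
    """Return [(ip, verdict)] for each connection row."""
    out = []
    for line in text.strip().splitlines():
        ip, rdns, session, frames = (f.strip() for f in line.split(","))
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LAN_NETS):
            verdict = "lan"
        elif seconds(session) > 0 or int(frames) > 0:
            verdict = "wan-session"   # video was served to an internet host
        elif is_scanner(rdns):
            verdict = "wan-scanner"   # cataloguing service found the open port
        else:
            verdict = "wan-probe"     # no session logged; per the reply above,
                                      # this does not rule out other access
        out.append((ip, verdict))
    return out

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE):
        print(f"{ip:16} {verdict}")
```

Any `wan-*` verdict means the forwarded port is reachable from the internet; `wan-session` entries are the ones to check against your own remote viewing times first.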
 

sebastiantombs

@bignose3 The point of the "lecture" is that any intrusion like that is a danger. Forwarding ports is a guaranteed way to be hacked. They don't care about your video, it just provides the "hole" for them to crawl through to hijack your system and have a look around for the good stuff, passwords, logins, SS numbers, bank account numbers, driver license numbers, you get the idea. A side benefit is that your system then becomes a bot to be used in DoS attacks. Your IP would just love that. Think about the implications, not the immediate thing which is a scan for open ports.

Cute pup by the way :)
 

Teken

In the big picture, if you know a thing, you can react to a thing. As others have provided many of the great resource links, it’s up to you to sit down and execute the same. The vast majority of people, which includes serious industries, compromise true security with convenience.

Is it because they don’t know better?!? No, the vast majority of the security administrators simply follow what Bob idiot has ordered them to do! You can’t achieve success when both arms are tied and the tools and network topology are compromised from the onset.

Anyone who is dead serious will never have their video security running on the same internal network. By default, just employing such a basic network topology concept addresses and negates several things such as attack surface, bandwidth, isolation, troubleshooting, maintenance.

When that dedicated and isolated network is deployed there’s absolutely no issues with IP conflicts, patching, uptime, hardware removal.

When you add in a firewall appliance at the edge, antivirus, VLANs, MAC filtering, etc. to this basic topology, it’s literally going to take an inside job or on-site breach to access the same! There’s higher odds of being struck by a car or lightning than someone coming on site to tap into a video feed to try to gain access.

As you noted about changing passwords on the machines. That is absolutely the cornerstone of security where they exist. Passwords must be changed at intervals that can be achieved consistently while following industry best practices of only limited by whatever systems. Alphanumeric, special characters, minimum length of 12, uncommon, not recycled, and different on every network hardware from camera, switch, router, firewall, UPS, load balancer, NVR, etc.

As it relates to security cameras they should always be segmented if there are three layers. Again, this along with VLANs will help isolate and reduce a breach should it happen.

If all three layers of cameras are running different passwords, subnet restricted, IP, VLAN, MAC filtered, from the other two it’s going to be a long day in hell for someone on a ladder trying to access other isolated networks which aren’t even physically connected!

Given how cheap network hardware is, from consumer, prosumer, to used professional enterprise, anyone can deploy a second, third, fourth network for little financial outlay.

Even if you just did a dual NIC in the BI NVR . .

Good luck!
 