Unifi/Ubiquiti Threat Management alerts - pointed to Blue Iris

[RobI]

No, my Ubiquiti USG is not a real firewall, but for my needs at the moment it's...acceptable. My home network is primarily Blue Iris, Roku's and various IoT devices. No 'important' devices accept my occasional laptop and phone. I'm using Andy's Dahua cameras, latest BI software, static IP from ISP, HP fully managed Procurve switches. I enabled Global Threat Management on the USG and have been monitoring the events it's picked up.

VLAN for BI is my next project however I am getting the following threat detection alerts from the Unifi system and thought the brain trust could offer something. They are all pointing to my BI server, using the BI app for outside the house intrawebs viewing, a static IP from my cable ISP on a business account, and UI3 to serve several all-in-one computers as stand alone BI monitors. My other half is not computer literate so it MUST be simple otherwise I'll be getting grief. All. Day. Long.

While I am an IT guy for the past 20 years, I'm more networking/hardware than security.

I trimmed the info slightly for simplicity:

ET EXPLOIT Wireless IP Camera (P2) WIFICAM Remote Code Execution
Attempted Administrator Privilege Gain
Exploit
Source: 198.98.52.213 : 35920
Destination: 192.168.xxx.xxx : 81 (Static internal BI IP)
Protocol: http

ET DROP Dshield Block Listed Source group 1
Attack
DShield
Source: 167.248.133.17 : 28979
Destination: 192.168.xxx.xxx : 81

ET TOR Known Tor Exit Node Traffic group 56
Attack
TOR
Source185.220.101.48 : 32390
Destination: 192.168.xxx.xxx : 81

 

[alastairstevenson]

I am getting the following threat detection alerts from the Unifi system

Nothing unusual there.
Any port exposed to the internet will suffer 1 or 2 probes / scans / exploit attempts per second.

To see what you have exposed to the internet, use something line ShieldsUp! to scan your public IP address.
Use the 'All Service Ports' scan in the first instance.

GRC | ShieldsUP! — Internet Vulnerability Profiling

GRC Internet Security Detection System

www.grc.com

 

[RobI]

Nothing unusual there.
Any port exposed to the internet will suffer 1 or 2 probes / scans / exploit attempts per second.

To see what you have exposed to the internet, use something line ShieldsUp! to scan your public IP address.
Use the 'All Service Ports' scan in the first instance.

GRC | ShieldsUP! — Internet Vulnerability Profiling

GRC Internet Security Detection System

www.grc.com

Yes, I know. All systems are getting alien anl probed constantly. The management console is such that it's not popping up with thousands of port scan reports like a 'real' firewall, only the high severity ones which is what made me pay attention.

I forgot about ShieldsUp. Thanks for the reminder.

Port 81, as expected, was the only one open. I suppose the security of my network is the hands of BlueIris and my 'very' strong username/password for access. I think the fact that it specifically mentioned a "wireless IP camera exploit" surprised me. Normal port scans, yeah, whatever. Nothing can be done. I'm curious if the Chinese gov is trying to watch my chicken cams.

 

[JNDATHP]

Since you have Unifi equipment, set up a VPN to be able to view your cameras from outside your LAN.

Here is a good article on setting it up and also a profile creator for iOS devices.

https://community.ui.com/questions/iOS-L2TP-VPN-Profile-Creator/e3e1be8d-3557-47de-909d-ef46d7c2ea71