Who is watching you? Russian website puts local cameras online
- Thread starter james99
- Start date
@nayr... well all righty then. First, thanks for the response. Clearly, there's much I don't know. You've given me lots of terms to google. LOL.
Open source firmware? Didn't even realize that was a thing! It may not be necessary? I have an Asus n66u. I was pretty impressed with the stock firmware. Lots of cool stuff in there, realtime graphs, client lists, dual band setup, and yes, even VPN. Two different servers, PPTP and OpenVPN. If I do upgrade the firmware, what features do you recommend?
Looks like all outbound traffic is allowed, so there is that. The only rules I can set are a url filter, keyword filter and the ipv6 firewall which actually allows inbound specific ip/cidr, local IP and port. Is that where the open source firmware would shine? Is it normal for a router to have firewall specific rules for ipv6? I see no mention anywhere for ipv4.
Open source firmware? Didn't even realize that was a thing! It may not be necessary? I have an Asus n66u. I was pretty impressed with the stock firmware. Lots of cool stuff in there, realtime graphs, client lists, dual band setup, and yes, even VPN. Two different servers, PPTP and OpenVPN. If I do upgrade the firmware, what features do you recommend?
Looks like all outbound traffic is allowed, so there is that. The only rules I can set are a url filter, keyword filter and the ipv6 firewall which actually allows inbound specific ip/cidr, local IP and port. Is that where the open source firmware would shine? Is it normal for a router to have firewall specific rules for ipv6? I see no mention anywhere for ipv4.
Last edited by a moderator:
nayr
IPCT Contributor
the OSS firmware definitely have more features, check em out
http://www.dd-wrt.com/wiki/index.php/Asus_RT-N66U
https://gist.github.com/joshenders/3941269
Try to see if you can setup a L2TP+IPSec VPN and if not do the OpenVPN
http://www.dd-wrt.com/wiki/index.php/Asus_RT-N66U
https://gist.github.com/joshenders/3941269
Try to see if you can setup a L2TP+IPSec VPN and if not do the OpenVPN
copex
Getting the hang of it
this may be less of a learning curve http://asuswrt.lostrealm.ca/ and you can jump in to iptables that will allow you to control incoming and out going traffic
Agent Smith
n3wb
- Joined
- Jun 30, 2016
- Messages
- 2
- Reaction score
- 0
The keyword here is add a password! Use something strong too. If you port forward chose a port that is non-standard and well above 10000. Like 27634 or 42396. If you feel the need to add a firewall, get an ITX computer with dual NICS, add 2GB more of RAM and use Sophos or Untangle. But a password should be good enough. Can't hack the password can' t get the feed. This goes for baby monitors and anything else you send through the Internet.
nayr
IPCT Contributor
in a perfect world, however many contain vulnerabilities that can bypass the password.. and none encrypt the password for the video stream, so if your on public wifi you just told everyone within range your password.
these things are not designed to be on the internet or the'd not allow login over unencrypted connection and they would not allow weak passwords to be set, dont be this guy ^^ use a VPN.
example, here was a massive 25k camera botnet attacking the internet.. all from a backdoor in the software, not weak passwords: http://news.softpedia.com/news/a-massive-botnet-of-cctv-cameras-involved-in-ferocious-ddos-attacks-505722.shtml
IPCameras are always on, usually have decent bandwidth, no locally logged in users, and will have a few handfull of hosts avilable on the network to spread the load.. the ideal drone in a botnet.
PSPCommOp
Getting the hang of it
I just learned this a day or two from @fenderman. I've been out of the PC game for awhile since i moved to Mac. Coming back to Windows has really brought back memories... some good and some bad. Thanks for the information and advice @nayr, its always great to see your icon commenting since theres always some good info for noobs like myself just getting back into this.
Just one question with regards to that VPN stuff. If I close those ports for BI, but set up the VPN and access it remotely (I'm working an RT-AC68P so it was pretty easy to set up), can i just connect with the OpenVPN app and then open BI and access the live feed? Is it really just that simple (and more secure then open ports)?
Last edited by a moderator:
I'm going through the same thing at the moment. Setting up a VPN on an RT-N66U (on the advice of nayr). Yes, it is that simple! Open a connection, and your connection is secure. Data transmitted is secure. However, be aware... I've seen several people thinking they were secure after "setting up VPN" and they were talking about setting the router up as a VPN client. Router MUST be setup as a VPN server.
<edit> I should mention, I only JUST started learning about this myself. I'm no expert.
Last edited by a moderator:
PSPCommOp
Getting the hang of it
Yup this was me, Fenderman set me straight and I'm good now. Worst part was the client certificate for the VPN. Kept getting errors and finally figured it out after about 30 minutes of swearing up and down while trouble shooting... and it wasn't even necessary haha.
You weren't the only one Yes, client is the part giving me problems too. You're saying setting up a CA and issuing certificates isn't necessary? I thought that was the whole point.
My understanding is that the CA authenticates the public keys. May I infer, from your claim that they aren't necessary, perhaps because the administrator (me) is able to authenticate the public key physically, in person? That would make sense. If that's wrong, please advise. I'm going to take another look at this based on that assumption.
Yes, client is the part giving me problems too. You're saying setting up a CA and issuing certificates isn't necessary? I thought that was the whole point. My understanding is that the CA authenticates the public keys. May I infer, from your claim that they aren't necessary, perhaps because the administrator (me) is able to authenticate the public key physically, in person? That would make sense. If that's wrong, please advise. I'm going to take another look at this based on that assumption.
PSPCommOp
Getting the hang of it
Mine automatically generated them for the server if I'm not mistaken. I was having a problem getting the right opvn file loaded for the client. I finally figured it out but now I don't even need it.
Last edited by a moderator:
rotorwash
Getting the hang of it
I wanted to jump on this thread with another reason to properly secure your camera. One of the primary vectors of the Krebsonsecurity DDoS attack that happened recently were hijacked IoT (Internet of Things) systems. Think wifi enabled thermostats, etc. This article below describes how over 25,000 CCTV cameras were hijacked and used in a DDoS attack. It's not just about preventing others from viewing your camera feeds (which is creepy).
http://www.securityweek.com/thousands-cctv-devices-abused-ddos-attacks
http://www.securityweek.com/thousands-cctv-devices-abused-ddos-attacks
Inigo
Young grasshopper
- Joined
- Oct 2, 2016
- Messages
- 63
- Reaction score
- 18
Thanks. I was wondering which cameras were involved in the DDOS. I have been considering some gray market Hikvision cameras, but the security aspects have me quite worried. The article mentions that the cameras that could be identified were from, "[FONT="]Provision ISR, Q-See, QuesTek, TechnoMate, LCT, Capture, Elvox, Novus and Magtec[/FONT]", so the Hikvision may not have been part of it or just weren't identified.
nayr
IPCT Contributor
dont matter if they are or not, dont put the cameras directly on the internet..
Inigo
Young grasshopper
- Joined
- Oct 2, 2016
- Messages
- 63
- Reaction score
- 18
Good point.
slowhand23
Young grasshopper
- Joined
- Sep 8, 2016
- Messages
- 43
- Reaction score
- 2
Anyone have a link that details how to set up the VPN and necessary equipment/software? Thanks!
PSPCommOp
Getting the hang of it
Google it based on your router. There are plenty of tutorials on YouTube as well.
Sent from my iPhone using Tapatalk