NAT, openDNS, IP Cameras, Ports - Questions!


7 replies to this topic

#1 David Ashcroft


Posted 15 February 2015 - 10:35 AM

Hi all!

Just a few quick questions, I am a bit concerned over security and I really don't know how much I have to worry about at this point. The best way for me to explain this is to explain my setup and then you can let me know if it is insecure or not.

I currently have a server, it is not external facing and it does not need to be, it basically runs software for IP camera recordings and does some printer and file sharing, nothing heavy.

I have two IP cameras that until now were also not external facing. My ISP will not provide me with a static IP address so I have instead signed up with noip.com which is a DDNS for those that haven't used it. The agent is installed on my server checking regularly for any changes in my public facing IP address.

I have a Draytek Router that I have set up Port Redirection under NAT so that basically the external facing port to access the camera is a random one (59621 for example) and when you go to my DDNS address with the correct port, the Draytek redirects it to the port and IP address internally which is different (81 with 192.168.0.248 currently).

I hope that all makes sense...

Are there any security risks involved with this? I literally have the web interface for the camera at the IP address that NAT takes you to, the camera interface is also protected with an additional username and password before you can view or do anything with the camera.

Additionally, are there any online free tools that I can use that will scan ports etc and check for any risks in my network?

Thanks in advance!

 

 

 




 


#2 David Ashcroft


Posted 15 February 2015 - 10:37 AM

Also I noticed in my title I put "openDNS", I meant to put "DDNS" but I can't change it now, sorry :)



#3 CaveDweller2


Posted 16 February 2015 - 09:54 AM

Any time you open a port on your router there is a security risk but from your description, you've minimized them about as much as you can. So I wouldn't be overly concerned.


Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#4 David Ashcroft


Posted 16 February 2015 - 05:38 PM

> Any time you open a port on your router there is a security risk but from your description, you've minimized them about as much as you can. So I wouldn't be overly concerned.

 

Thanks very much for that! :) 

 

Out of curiosity, if people found the port that was open and my DDNS, what damage could they do? Would it purely be limited to just what resides at the other end of the NAT redirection, in this case the camera, or with the right tools and knowledge could someone potentially get into the rest of my network?

 

I am not really into Network security and I should probably find out a bit more about it, but just curious at this point :)

 

Thanks! 



#5 Wand3r3r


Posted 16 February 2015 - 05:47 PM

To hack your network it requires the ability to execute code. This is usually done by exploiting an unknown or known software bug. Just any old port won't do. For example the SQL Slammer worm used port 1434 which was tied to the SQL resolution service listener. The unpatched SQL server would then be infected and start sending out more copies of the worm to infect other unpatched SQL services.

Most likely in your case the worst that could happen is they would get to view your cameras.



#6 CaveDweller2


Posted 16 February 2015 - 07:25 PM

And that's if they can get the username and password. Which is why it's a good idea to change at least the password every now and then. I am sure there is a rule for how often to do it...lol but I have no idea. I change mine every few months.....but I use a password keeper and my passwords are like 20 random characters.  


Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#7 David Ashcroft


Posted 18 February 2015 - 09:28 AM

Thanks for all the help, much appreciated now that it has all been cleared up! :) 

I am the same with random passwords, LastPass all the way!!

 

Thanks again :) 



#8 Orecomm


Posted 18 February 2015 - 11:43 AM

If the source IP address viewing your camera from the outside is known (a lot of the "cloud" services run from one or a small set of access addresses) you could limit your port map to that IP range. Camera web interfaces aren't known to be the "Fort Knox" of tightly secured implementations so any little bit helps, but your current setup is about as tight as you can get it if you need to accept "incomers" from any IP. I'm not sure if the Draytek has port scan blocking, I have a script in my router that blacklists anything that hits more than a few closed or restricted ports in a short period of time, but it's usually more for entertainment (who's knocking) than serious intrusion prevention. I have cameras and an IP PBX as well as both my own and my wife's business computers here, so pretty careful.
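The port-scan blacklisting idea described in the post above, as an added example that is not Orecomm's router script or anything from the thread: it flags any source that hits more than a few distinct closed or restricted ports inside a short window, and skips sources in a trusted viewer range. The log format, thresholds, addresses and the `find_scanners` name are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: dropped-packet lines in a made-up router log format,
# assumed to be in chronological order. Addresses are documentation ranges.
SAMPLE_LOG = """\
2015-02-18T11:40:01 DROP SRC=203.0.113.7 DPT=23
2015-02-18T11:40:03 DROP SRC=203.0.113.7 DPT=80
2015-02-18T11:40:04 DROP SRC=198.51.100.20 DPT=59621
2015-02-18T11:40:06 DROP SRC=203.0.113.7 DPT=8080
2015-02-18T11:40:09 DROP SRC=203.0.113.7 DPT=3389
2015-02-18T11:52:00 DROP SRC=192.0.2.44 DPT=22
2015-02-18T11:58:30 DROP SRC=192.0.2.44 DPT=23
2015-02-18T12:10:00 DROP SRC=192.0.2.44 DPT=445
2015-02-18T12:30:00 DROP SRC=192.0.2.44 DPT=3389
"""

LINE_RE = re.compile(r"^(\S+) DROP SRC=(\S+) DPT=(\d+)$")


def find_scanners(log_text, max_ports=3, window=timedelta(seconds=60), trusted=()):
    """Return sources that hit more than max_ports distinct ports within window."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    recent = defaultdict(deque)  # source -> (timestamp, port) hits still in window
    blacklist = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not drop records
        ts = datetime.fromisoformat(m.group(1))
        src = ipaddress.ip_address(m.group(2))
        port = int(m.group(3))
        if any(src in net for net in trusted_nets):
            continue  # known viewer range: never blacklist
        hits = recent[src]
        hits.append((ts, port))
        while ts - hits[0][0] > window:
            hits.popleft()  # expire hits older than the window
        if len({p for _, p in hits}) > max_ports:
            blacklist.add(str(src))
    return sorted(blacklist)


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

The slow source (192.0.2.44) touches four ports over 38 minutes and is not flagged, which shows the trade-off in window size: a longer window catches patient scans at the cost of more false positives.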





