ungovernable
@cgocable.ca

ungovernable

Anon

HTTP server with login : security ?

So here is my situation:

I have CCTV cameras around my house. The system has a dedicated computer to run a web server (Geovision) so I can monitor the cameras remotely.

I have set up the system to use port 7148. When you type my IP address in a web browser, followed by the port number, you are brought to a login page. If you can get the password right you can view everything in my house, including the recordings archive.

So I am a bit concerned about security. I guess someone who gets hold of my IP address can easily bruteforce the password and then see everything in my house. I don't like that.

Is there a way I can add bruteforce protection to my webserver or my router?

I use a $200 NetGear ProSafe FVS318N router and it has a good reputation of being highly secure. Maybe there's a way to add bruteforce protection with my router? Problem is that I'm a newbie with networking and I don't know how to do it.

Wifi is secure. I'm just worried about bruteforce on the webserver.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

1 recommendation

Anav

Premium Member

Definitely you need to secure that connection to the server.
Can you put an SSH server on the same computer? You could SSH tunnel in remotely that way. You could also set up an L2TP VPN connection to remote in as well.

cdru
Go Colts
MVM
join:2003-05-14
Fort Wayne, IN

cdru to ungovernable

MVM

to ungovernable
Your router appears to support VPN connections. Just use that.

ungovernable
@cgocable.ca

ungovernable to Anav

Anon

to Anav
Well I can install whatever I want on that computer.

I really have no experience with SSH or VPN... Would I still be able to access the cameras through a web browser without having to install anything?

I'm also using an Android app to monitor the cameras from my tablet, so I don't want to block that either.

Yes my router has VPN but I don't know how to use it :/

WireHead
I drive to fast
Premium Member
join:2001-05-09
Muncie, IN

WireHead to ungovernable

Premium Member

to ungovernable
Yes. Like cdru said, I would also use the VPN. Once connected to your VPN you will be able to route to your local subnet at home.

Simply type your local subnet IP (not the port forwarded one) and login.

Use L2TP or L2TP/IPSEC if you're paranoid or harboring secrets.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

It's not about harbouring secrets, it's about NOT getting pwned with an open, insecure setup.
(oops, looks like his off-the-mark comment got the curved stick treatment)

ungovernable
@cgocable.ca

ungovernable to WireHead

Anon

to WireHead
Like I said, I have no experience with VPN and I'm a newbie with the network stuff.

1) A VPN isn't free, right? How much will it cost me? Cheapest one for light usage.

2) Will I still be able to access my cameras from any computer from any network without having to install anything?

The only experience I had with VPN was using TOR... So if I understand correctly, when I want to access my cameras from another computer at another location I will need to connect to the VPN from the browser, just like when I connect to TOR?

Sounds complicated, but if I don't have any other choice...

PS: Isn't there just a way to detect incoming attacks and block them from my router so I can't get bruteforced?

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

Your router supports SSL VPN and IPSec VPN. Both are free.
Here is how it works.
1) You disable internet access to your cameras (remove the port 7148 forwarding / firewall hole).
2) Configure either SSL or IPSec VPN (get help on that from the user manual or here). For your purposes I'd suggest SSL VPN, as all it needs to connect is a web browser (but it has some limitations ... though ideal for your needs).
3) Then, when you want to see your cameras, first you "VPN in" to your home LAN; once the VPN is established you can access the cameras the same way as if you were home.

ungovernable
@cgocable.ca

ungovernable

Anon

quote:
Then, when you want to see your cameras, first you "VPN in" to your home LAN
And how will I do that?

Basically, if I understand correctly, my cameras will be disconnected from my internet at home; instead they will be connected to a VPN in another country. So the cameras will not appear when typing my real IP address; instead I will need to use the VPN IP?
So I just have to type the VPN IP and port into my web browser and it will work?

Btw, thanks to all of you for answering my questions!

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

OK, let's say that you're not home, but somewhere where you have internet access and you're using some PC (or even a smartphone). You will open your web browser and punch in your home IP. You will be greeted with a VPN login page where you need to log in with a username and password (you will set that up when configuring the VPN).
Once you're logged in, there will be a secured VPN tunnel between your home and your current location. Then you will continue to access the cameras (over that established secured tunnel) and you'll get the usual password prompt from the camera's web page.

...a few details depend on the VPN config and the router's capabilities, but this is it in a nutshell.

You're confusing VPN with the VPN service that people use to watch foreign TV ... that's one use of it. VPN (Virtual Private Network) is a generic term for creating secured connections/tunnels over an unsecured/untrusted network (the internet in this case). A VPN is between two end-points: your current location/PC and your home router in your case.

WireHead
I drive to fast
Premium Member
join:2001-05-09
Muncie, IN

WireHead to ungovernable

Premium Member

to ungovernable
It's really not that hard to set up a VPN, I'm sure you can do it. And you can even connect to it from some smartphones. It would also allow you other options as well, such as access to your files, storage areas, controlling a computer or other devices you may have on your network. Snap a pic, log on and print it at home if you want. Plus you can protect any secrets you may have with a curved stick. Whatever that means.
tomdlgns
Premium Member
join:2003-03-21

tomdlgns to ungovernable

Premium Member

to ungovernable
The odds of someone scanning your IP range, scanning for that open port, and guessing your username and STRONG password are never going to happen.

You can set up a VPN, but you will need that VPN software on all the PCs you want to view the cameras on, your mobile devices, etc...

If you use a strong password (capital letters, a few of these !@#$ and a number), nobody will waste enough time trying to crack your home cameras and archived footage.

I use Geovision; if you have any questions post them or IM me.

Are you using any client software to view the cameras, or is everything being viewed through the web?

eibgrad
join:2010-03-15
united state

eibgrad to ungovernable

Member

to ungovernable
Doesn't TeamViewer offer some kind of VPN capability too?? Never used it myself, but recall seeing it. I'm just thinking of a way to greatly simplify the process for the OP. And you'd get remote desktop access as well (which might be sufficient in some cases). Just a thought.
tomdlgns
Premium Member
join:2003-03-21

tomdlgns

Premium Member

said by eibgrad:

Doesn't TeamViewer offer some kind of VPN capability too?? Never used it myself, but recall seeing it. I'm just thinking of a way to greatly simplify the process for the OP. And you'd get remote desktop access as well (which might be sufficient in some cases). Just a thought.

Are you suggesting that he use TeamViewer to view his cameras over the internet? That won't work; he may see the cameras and he may see some movement, but that is not how they should be viewed remotely.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

1 recommendation

Anav to tomdlgns

Premium Member

to tomdlgns
said by tomdlgns:

The odds of someone scanning your IP range, scanning for that open port, and guessing your username and STRONG password are never going to happen.

You can set up a VPN, but you will need that VPN software on all the PCs you want to view the cameras on, your mobile devices, etc...

If you use a strong password (capital letters, a few of these !@#$ and a number), nobody will waste enough time trying to crack your home cameras and archived footage.

I use Geovision; if you have any questions post them or IM me.

Are you using any client software to view the cameras, or is everything being viewed through the web?

I disagree. An unencrypted user name and password being sent over the net and a terminal endpoint site available for multiple passes of an algorithm is begging to be cracked. If the camera server is at least being accessed over SSH or HTTPS or something, then I concur. Heck, why bother with secure FTP if what you say is correct?

eibgrad
join:2010-03-15
united state

eibgrad to tomdlgns

Member

to tomdlgns
said by tomdlgns:

said by eibgrad:

Doesn't TeamViewer offer some kind of VPN capability too?? Never used it myself, but recall seeing it. I'm just thinking of a way to greatly simplify the process for the OP. And you'd get remote desktop access as well (which might be sufficient in some cases). Just a thought.

Are you suggesting that he use TeamViewer to view his cameras over the internet? That won't work; he may see the cameras and he may see some movement, but that is not how they should be viewed remotely.

Not exactly. I mean, TV offers a VPN in addition to remote desktop. When you install TV, it specifically asks if you want to install the VPN too. I never do, I just install remote desktop. So I was wondering if this was perhaps a simple, generic VPN he could use, as long as TV was installed on both ends. I'm thinking it's like Hamachi, but of course Hamachi isn't available on mobile (AFAIK). I’m just thinking of something Hamachi-like, simple, easy for a newb. I could be completely off here, I admit. And he picks up remote desktop as a bonus.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

Worth a shot eibgrad for sure!!
tomdlgns
Premium Member
join:2003-03-21

tomdlgns to Anav

Premium Member

to Anav
No problem, everyone has their opinion. It all depends on the setup/places he is going to be connecting from. I would make sure to use a user/pass that isn't used for email/banking, etc...

Not sure what all the options would be for Droid, iOS, Windows Mobile.

He would have to make sure the app/VPN was configured on all those devices.

Personally, I don't think his home network is a target anyone cares about, but that is just an opinion.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

Hi Tom,
In general I would agree, but if it was my family on camera I would want to ensure it's not visible to the prying eyes of professionals or high-school hackers. Could be potentially devastating, and not just on a fiscal account.
tomdlgns
Premium Member
join:2003-03-21

tomdlgns

Premium Member

said by Anav:

Hi Tom,
In general I would agree, but if it was my family on camera I would want to ensure it's not visible to the prying eyes of professionals or high-school hackers. Could be potentially devastating, and not just on a fiscal account.

Sure, nothing wrong with that, and it is always good to be secure; just make sure you know what you are getting into (not you, but in general). Setting up a VPN/secure connection is not very hard to do, but understand that additional steps will be needed on the client side.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

Yeah I know it. Pulled my hair out for a couple of days and finally have my Android to NAS boxes over L2TP working; problem is I have no decent throughput :-( I even lowered MSS to 600 and can at least browse all the directories, but whether through LTE or 4G or wifi at Timmies, a TV show stutters or freezes :-(((
(my ISP is 50-30 so no bottleneck there.)
tomdlgns
Premium Member
join:2003-03-21

tomdlgns

Premium Member

said by Anav:

Yeah I know it. Pulled my hair out for a couple of days and finally have my Android to NAS boxes over L2TP working; problem is I have no decent throughput :-( I even lowered MSS to 600 and can at least browse all the directories, but whether through LTE or 4G or wifi at Timmies, a TV show stutters or freezes :-(((
(my ISP is 50-30 so no bottleneck there.)

And that is the other thing to keep in mind when connecting in that way.

cdru
Go Colts
MVM
join:2003-05-14
Fort Wayne, IN

cdru to ungovernable

MVM

to ungovernable
said by ungovernable :

Basically if i understand correctly my cameras will be disconnected from my internet at home, instead it will be connected to a VPN in another country. So the cameras will not appear when typing my real IP address, instead i will need to use the VPN IP ?
So i just have to type the VPN IP and port into my web browser and it will work ?

What you are asking applies when people want to mask their normal IP address, for example for file-trading purposes, or to appear in another location to work around some type of geographical filter. But that's kind of the reverse of what we're looking to do.

What we're suggesting is that your home network becomes what you connect into, much like what a telecommuter might do to connect to their employer's office while on the road. If you are at a remote location, you enter your home's IP address (or set up dynamic DNS if you have a dynamic address). You'll authenticate securely with your router. Once you are authenticated, all your traffic will be sent through the VPN tunnel just as if it was a local computer, albeit slower depending on your connection speed. This prevents people from accessing your camera(s) directly.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS to tomdlgns

MVM

to tomdlgns
said by tomdlgns:

the odds of someone scanning your IP range, scanning for that open port, guessing your username and STRONG password are never going to happen.

A shrink told his agoraphobic patient that the odds of being eaten alive by a lion on Main Street were a billion-to-one against. As the patient approached the Bistro on Main Street to celebrate his cure, a runaway circus lion pounced from an alley, and devoured him alive.

The odds may be a billion-to-one against; but once is enough.

ungovernale
@cgocable.ca

ungovernale to Brano

Anon

to Brano
quote:
OK, let's say that you're not home, but somewhere where you have internet access and you're using some PC (or even a smartphone). You will open your web browser and punch in your home IP. You will be greeted with a VPN login page where you need to log in with a username and password (you will set that up when configuring the VPN).
Once you're logged in, there will be a secured VPN tunnel between your home and your current location. Then you will continue to access the cameras (over that established secured tunnel) and you'll get the usual password prompt from the camera's web page.
Oh I see! Now it is clear! Awesome, it looks exactly like what I need.

I suppose that the VPN login will be impossible to bruteforce? If someone attempts to crack the login he will be locked out after a few failed attempts?

Ok so where do I start to get my own L2TP VPN?
quote:
It's really not that hard to set up a VPN, I'm sure you can do it. And you can even connect to it from some smartphones. It would also allow you other options as well, such as access to your files, storage areas, controlling a computer or other devices you may have on your network. Snap a pic, log on and print it at home if you want. Plus you can protect any secrets you may have with a curved stick. Whatever that means.
How can I know if I will still be able to use the Geovision smartphone app to access my cameras from a tablet?
quote:
The odds of someone scanning your IP range, scanning for that open port, and guessing your username and STRONG password are never going to happen.
I'm more concerned about going to a forum or something, someone logging my IP and then knowing I have cameras, then bruteforcing the password.
quote:
You can set up a VPN, but you will need that VPN software on all the PCs you want to view the cameras on, your mobile devices, etc...
I'm confused; someone else above you said I don't need VPN software and that I can just use any computer in the world and type my IP address, then I just have to log in without installing anything.
quote:
Are you using any client software to view the cameras, or is everything being viewed through the web?
Web. I'm using client software only on my Samsung tablet.
quote:
Doesn't TeamViewer offer some kind of VPN capability too?? Never used it myself, but recall seeing it. I'm just thinking of a way to greatly simplify the process for the OP. And you'd get remote desktop access as well (which might be sufficient in some cases). Just a thought.
Tried similar software (VNC) and I wasn't able to view my cameras. Anyway, I suppose that those programs can be bruteforced as well.
quote:
Personally, I don't think his home network is a target anyone cares about, but that is just an opinion.
Yes it is. Let's just say I am involved in political activism and enemies over the internet care a lot about knowing my real identity, especially a picture of me and my home.
quote:
Sure, nothing wrong with that, and it is always good to be secure; just make sure you know what you are getting into (not you, but in general). Setting up a VPN/secure connection is not very hard to do, but understand that additional steps will be needed on the client side.
If the "additional step" is just another login through a web browser, not a problem.

If the additional step is to install some kind of program on the client side that wants to view the cameras, then this is a problem.

cdru
Go Colts
MVM
join:2003-05-14
Fort Wayne, IN

cdru

MVM

said by ungovernale :

I suppose that the VPN login will be impossible to bruteforce? If someone attempts to crack the login he will be locked out after a few failed attempts?

Anything is possible. Depending on how sophisticated the VPN server is, it should either lock out the account or lock out the IP. But check with the router's documentation.

Ok so where do I start to get my own L2TP VPN?

Start on page 8 here: »www.downloads.netgear.co ··· 2012.pdf

How can I know if I will still be able to use the Geovision smartphone app to access my cameras from a tablet?

You try it and see? Most apps should work, as the packet encapsulation is done at a lower level on the network stack, so it should be transparent.

I'm more concerned about going to a forum or something, someone logging my IP and then knowing I have cameras, then bruteforcing the password.

Probably an unlikely concern, but not completely unreasonable either.

I'm confused; someone else above you said I don't need VPN software and that I can just use any computer in the world and type my IP address, then I just have to log in without installing anything.

That is likely incorrect. Most modern OSes, smartphones, and tablets will have some type of VPN client installed. However, it will take a bit of configuring. You probably won't be able to sit down at a kiosk at a cafe or library and connect, though, as it would require making configuration changes to the computer. But if you had a laptop or a smartphone and connected via wifi or cellular, you would be able to use it (presuming VPNs weren't blocked).

Yes it is. Let's just say I am involved in political activism and enemies over the internet care a lot about knowing my real identity, especially a picture of me and my home.

Put your tin foil hat back on. No one cares THAT much about you (sorry to burst your bubble). Home internet connections are vulnerable, though, as they are frequently port scanned and common username/password combinations are attempted. I used to run an SSH server on port 22 that would constantly get attacked with common usernames/passwords. Ditto for a SQL server that was internet facing for a short period.

If the "additional step" is just another login through a web browser, not a problem.

If the additional step is to install some kind of program on the client side that wants to view the cameras, then this is a problem.

I know of no VPN clients that are established by logging in to a webpage. There are some options (WHS for instance) that will allow you to connect to a remote desktop session via a webpage, and THAT is running from inside the network, but that's not the same. If someone knows of a web-enabled VPN client, I'll stand corrected.

Another option, depending on the server and what its software supports, is an intrusion detection system. That may not be a reasonable option for you to set up based on your experience level.

If accessing it from any computer via a web browser, "security through obscurity" may be your only reasonable option. Change the username (if possible) and password from the defaults. Use a secure, strong password. Run on an uncommon port, or better an uncommon secured port with HTTPS. Only forward the ports you need. Keep the server up to date and patched. Cross your fingers and/or pray to a deity of your choice.

ungovernale
@cgocable.ca

ungovernale

Anon

Trust me, there ARE serious reasons why people would want to get my identity, and I don't feel like explaining why. It has been attempted many times in the past, and one time someone even managed to find my real IP address. Hopefully I didn't have the server running at this time, or else it could have been hacked.
If I didn't have concerns about it I wouldn't be here asking for security.

The server is already running on an uncommon port, but it can easily be found if someone scans my ports.

So if I understand correctly, the client would need to do the following procedure to connect to my VPN:
»www.groovypost.com/howto ··· -client/

I think it wouldn't be that hard. I remember doing it sometimes when I bought a Steam game that was meant for Russia; I had to connect to a VPN in order to download it from Steam.

Now let's just hope it isn't too hard to get it configured on Android...
quote:
What you are asking applies when people want to mask their normal IP address, for example for file-trading purposes, or to appear in another location to work around some type of geographical filter. But that's kind of the reverse of what we're looking to do.
Actually, my ONLY concern is that if someone knows my IP, the person could easily find out that I have a camera webserver by scanning my ports. If the cameras don't appear on my IP, then it could be a solution, and I wouldn't have to mess with setting up a special connection every time I want to view the cameras on a client.

I just want the cameras to either NOT appear on my IP address, or make it nearly impossible to bruteforce my password.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

Regarding the VPN clients:
L2TP and IPSec VPN require a VPN client.
Windows, Android and iOS all have an L2TP client built in, so all you need is to configure it.

SSL VPN can be without a VPN client in reverse proxy mode (this mode has limited functionality, but is perfectly sufficient for your needs; all you need is a browser, assuming the security cameras are viewed through a browser too). SSL VPN in full tunnel mode requires a client which is typically not provided with any standard OS, but the VPN vendor (in your case Netgear) might/should provide one (for free or for $).

What device will you be mostly connecting from? Your own device that you carry with you (then L2TP is probably better)? Or a random PC (in that case SSL VPN in reverse proxy mode would probably be better, as you don't have to configure anything on the PC)?

ungovernable
@cgocable.ca

ungovernable

Anon

quote:
SSL VPN can be without a VPN client in reverse proxy mode (this mode has limited functionality, but is perfectly sufficient for your needs; all you need is a browser, assuming the security cameras are viewed through a browser too).
Good, so I guess I will go this way. What is the difference between SSL VPN and L2TP? Will I still be protected against bruteforce attacks?

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

The type of VPN does not have anything to do with authentication.

If you use passwords you will be vulnerable to brute-force attacks. That said, if the controls are correctly set (i.e. a good password, a longer delay between login tries) you can minimize the risk.
Alternatively you can use certificates instead of passwords (if your router supports it). Using certificates will mitigate brute-force attacks but adds a little bit of complexity to the setup (i.e. generating and maintaining the certificates).
Many VPN gateways allow for both, certs and passwords ... it all depends on what the Netgear is capable of.
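The two password-side controls this thread lands on, a growing delay between login tries (Brano's post just above) and locking out the account or the source IP after repeated failures (cdru's post earlier), can be sketched in a few lines so the trade-offs are visible. The Python below is an added example written for this page; it is not Geovision, Netgear or any poster's code, and the log lines it replays are constructed for the example. The `SAMPLE_LOG` format (epoch timestamp, source IP, username, OK/FAIL), the thresholds in `ThrottlePolicy`, and the names `LoginThrottle` and `replay` are all assumptions.

```python
"""Login throttling and lockout, a defender-side sketch of the controls
discussed in the thread.  Added example; not Geovision, Netgear or poster code."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class ThrottlePolicy:
    """Thresholds are assumed values chosen for the example, not vendor defaults."""
    max_failures: int = 5      # failures inside `window` before lockout
    window: float = 600.0      # seconds over which failures are counted
    lockout: float = 900.0     # seconds a locked key stays blocked
    base_delay: float = 1.0    # first enforced delay after a failure (seconds)
    max_delay: float = 60.0    # cap on the doubling delay (seconds)


class LoginThrottle:
    """Tracks failures per key; a key is a source IP or an account name."""

    def __init__(self, policy: Optional[ThrottlePolicy] = None) -> None:
        self.policy = policy or ThrottlePolicy()
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.consecutive: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, key: str, now: float) -> bool:
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lockout expired: start clean
            del self.locked_until[key]
            self.failures[key].clear()
            self.consecutive[key] = 0
            return False
        return True

    def required_delay(self, key: str) -> float:
        """Seconds the next attempt must wait; doubles per consecutive failure."""
        n = self.consecutive[key]
        if n == 0:
            return 0.0
        return min(self.policy.base_delay * 2 ** (n - 1), self.policy.max_delay)

    def record(self, key: str, now: float, success: bool) -> str:
        """Record one attempt; returns 'allowed', 'failed' or 'locked'."""
        if self.is_locked(key, now):
            return "locked"
        if success:
            self.failures[key].clear()
            self.consecutive[key] = 0
            return "allowed"
        self.consecutive[key] += 1
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.policy.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.policy.max_failures:
            self.locked_until[key] = now + self.policy.lockout
            return "locked"
        return "failed"


# Constructed sample of a login log: "<epoch> <source ip> <user> OK|FAIL".
SAMPLE_LOG = """\
1700000000 203.0.113.5 admin FAIL
1700000003 203.0.113.5 admin FAIL
1700000010 203.0.113.5 admin FAIL
1700000020 203.0.113.5 admin FAIL
1700000035 203.0.113.5 admin FAIL
1700000040 203.0.113.5 admin FAIL
1700000050 198.51.100.9 admin OK
1700001000 203.0.113.5 admin OK
"""


def replay(lines: List[str], policy: Optional[ThrottlePolicy] = None) -> List[str]:
    """Apply an IP throttle and an account throttle to each log line.

    A line is 'locked' if either key is locked; otherwise both keys are updated.
    """
    by_ip, by_user = LoginThrottle(policy), LoginThrottle(policy)
    verdicts: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        now, ok = float(ts), result == "OK"
        if by_ip.is_locked(ip, now) or by_user.is_locked(user, now):
            verdicts.append("locked")
            continue
        r_ip = by_ip.record(ip, now, ok)
        r_user = by_user.record(user, now, ok)
        verdicts.append("locked" if "locked" in (r_ip, r_user) else r_ip)
    return verdicts


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG.splitlines())):
        print(f"{verdict:8s} {line}")
```

Replaying the constructed log shows the trade-off cdru alluded to: the fifth failure from 203.0.113.5 locks both that IP and the `admin` account, so the legitimate login from 198.51.100.9 at the seventh line is also refused until the lockout expires. Locking the account stops guessing from any source but hands an attacker a way to lock the owner out; many products therefore lock the source IP and only slow the account down, which is what `required_delay` models.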