
 
carl1864
Gerbil
Topic Author
Posts: 59
Joined: Wed Dec 16, 2009 4:42 pm

IP camera running through ddns. Any security concerns.

Fri Nov 02, 2012 10:47 pm

This may be a bit of a newbie question, but I did some searching before asking, and didn't find much.

I just bought my first IP camera, and plan on using a free DDNS service so that I can access it remotely (never used a DDNS service before).

Just looking for a heads up, since these are both new to me, are there any security concerns I need to worry about?

Obviously I know to have a good password for the camera, and router, that cannot be brute forced, but passwords aside, am I opening up any other security holes? Not super concerned about anyone accessing the camera, will just be wildlife mostly, but I would be concerned if somehow my router could be compromised, or worst case my computer being compromised by some exploit that the camera or DDNS service opens up. Do I have anything to worry about?
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: IP camera running through ddns. Any security concerns.

Fri Nov 02, 2012 11:36 pm

The DDNS should be pretty safe. The DDNS client makes outgoing connections to tell the DNS server what its current IP address is; it shouldn't expose you to any new incoming threats.

Of potentially greater concern is UPnP -- a protocol that is used to allow devices like this to automatically open ports in your router/firewall. UPnP can be exploited by malware that manages to get into your network to open ports in your router/firewall at will. My preference would be to ensure that UPnP is disabled on your firewall/router, and manually configure port forwarding for any devices or systems on your LAN that need to be accessible from outside. Note: This is not a vulnerability that is specific to IP cameras (or DDNS); it is related to having the UPnP feature enabled on your firewall/router.

Unless you have a real need to reconfigure the router remotely, don't even enable the remote management feature. The router should have a setting to restrict the admin interface to the LAN-side ports only. This eliminates the risk of an external attacker trying to brute force your router password.

Even though you're not concerned about people accessing the camera itself, keep in mind that someone could theoretically sniff the camera password if the camera's user interface uses unencrypted HTTP. So don't use the same password on the camera that you use for online banking or any other sensitive activities.
Nostalgia isn't what it used to be.
 
cheesyking
Minister of Gerbil Affairs
Posts: 2756
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)
Contact:

Re: IP camera running through ddns. Any security concerns.

Sat Nov 03, 2012 6:34 am

There is always a small risk that the camera itself might be vulnerable and would allow a hacker to use it as a stepping stone to get behind the firewall in your router. This is more of a theoretical risk than something you need to worry about though :wink:
Fernando!
Your mother ate my dog!
 
carl1864
Gerbil
Topic Author
Posts: 59
Joined: Wed Dec 16, 2009 4:42 pm

Re: IP camera running through ddns. Any security concerns.

Sat Nov 03, 2012 1:06 pm

Thanks for the replies. I do use different passwords for router, camera, etc, and I do have remote router management disabled, so those things shouldn't be an issue.

Now the UPnP may be an issue. This is something I had heard about before, but never really paid attention to since I never used it. For whatever reason, this camera used a default port of 81, and I just left it at that. In my router settings I did notice that there is UPnP enabled for port 81, for the IP camera. Should I perhaps disable the UPnP, and change the camera settings to port 80 or something? I do plan to read more about this in the future to get a solid understanding for it and know how to figure this out for myself, but at the moment I'm looking for a quick secure fix to get up and running fast, and learn the ins and outs later.

I've never used port forwarding or really messed with my router firewall before. Are most router firewalls pretty automatic? Although I had set up solid WPA/WPA2 encryption and MAC address filtering, and have a good firewall on my PC, I've never touched any sort of port or firewall router settings before. In fact, there isn't really even a firewall tab in the router settings. There is a port forwarding tab, with UPnP, DMZ, etc. though. I had flashed the router with Tomato firmware, which is supposed to be pretty capable.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: IP camera running through ddns. Any security concerns.

Sat Nov 03, 2012 1:42 pm

UPnP is potentially vulnerable because it allows software running on your LAN to create port forwards (which allow outside access to your network). So if you get a malware infection, it can invite more of its buddies in.

In a nutshell, UPnP automates the setup of port forwarding but reduces security.

A more secure approach would be to disable UPnP on the router, and set up the port forward manually.
Nostalgia isn't what it used to be.
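
An added example, not part of the thread or any poster's own code: one way to check for the risk described above (something on the LAN asking the router to open ports) is to compare the router's DNAT rules with the forwards you created by hand. It assumes a Linux-based router firmware where `iptables-save -t nat` output can be obtained; the sample rules, chain names, addresses and the allowlist are constructed for illustration.

```python
import shlex

# Constructed sample of `iptables-save -t nat` output from a Linux-based home
# router. Chain names, WAN address and LAN hosts are invented for illustration.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:WANPREROUTING - [0:0]
:upnp - [0:0]
-A PREROUTING -d 203.0.113.10/32 -j WANPREROUTING
-A PREROUTING -i vlan2 -j upnp
-A WANPREROUTING -p tcp -m tcp --dport 12400 -j DNAT --to-destination 192.168.1.111:81
-A upnp -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.1.111:81
-A upnp -p udp -m udp --dport 51413 -j DNAT --to-destination 192.168.1.50:51413
COMMIT
"""

# Forwards created by hand: (protocol, WAN port, LAN host, LAN port).
# Assumed policy for this example: only the camera, on a high WAN port.
ALLOWED_FORWARDS = {("tcp", "12400", "192.168.1.111", "81")}


def parse_dnat_rules(rules_text):
    """Return one dict per DNAT (port forward) rule found in the nat table."""
    forwards = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)  # also copes with quoted --comment strings
        if len(tokens) < 2 or tokens[0] != "-A" or "DNAT" not in tokens:
            continue
        opts = {}
        for flag, value in zip(tokens, tokens[1:]):
            if flag in ("-p", "--dport", "--to-destination"):
                opts[flag] = value
        if "--to-destination" not in opts:
            continue
        lan_host, _, lan_port = opts["--to-destination"].partition(":")
        wan_port = opts.get("--dport", "any")
        forwards.append({
            "chain": tokens[1],
            "proto": opts.get("-p", "any"),
            "wan_port": wan_port,
            "lan_host": lan_host,
            "lan_port": lan_port or wan_port,  # no port given: same as WAN side
        })
    return forwards


def unexpected_forwards(rules_text, allowed):
    """Return the forwards that are not in the hand-maintained allowlist."""
    return [
        f for f in parse_dnat_rules(rules_text)
        if (f["proto"], f["wan_port"], f["lan_host"], f["lan_port"]) not in allowed
    ]


if __name__ == "__main__":
    for f in unexpected_forwards(SAMPLE_NAT_RULES, ALLOWED_FORWARDS):
        print("unexpected forward in chain {chain}: {proto} WAN:{wan_port} -> "
              "{lan_host}:{lan_port}".format(**f))
```

On the constructed sample this reports the two rules in the `upnp` chain and accepts the manual 12400 to 81 forward.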
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: IP camera running through ddns. Any security concerns.

Sat Nov 03, 2012 2:08 pm

just brew it! wrote:
A more secure approach would be to disable UPnP on the router, and set up the port forward manually.

Ayup.

That said, rural living means that I can run pretty open. If you're leeching from me you're in my driveway and there's a furry thing I live with who announces all such entries.
What we have today is way too much pluribus and not enough unum.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: IP camera running through ddns. Any security concerns.

Sat Nov 03, 2012 4:00 pm

Captain Ned wrote:
just brew it! wrote:
A more secure approach would be to disable UPnP on the router, and set up the port forward manually.

Ayup.

That said, rural living means that I can run pretty open. If you're leeching from me you're in my driveway and there's a furry thing I live with who announces all such entries.

That doesn't protect you from malware that has already managed to get inside and tries to manipulate the router through UPnP to open ports. But at that point you're already in trouble...
Nostalgia isn't what it used to be.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: IP camera running through ddns. Any security concerns.

Sat Nov 03, 2012 4:06 pm

just brew it! wrote:
Captain Ned wrote:
just brew it! wrote:
A more secure approach would be to disable UPnP on the router, and set up the port forward manually.

Ayup.

That said, rural living means that I can run pretty open. If you're leeching from me you're in my driveway and there's a furry thing I live with who announces all such entries.

That doesn't protect you from malware that has already managed to get inside and tries to manipulate the router through UPnP to open ports. But at that point you're already in trouble...

Don't use UPnP. Just don't worry about SSID hiding or all of the other bits. Plenty of loggers set up in case I'm wrong, though.
What we have today is way too much pluribus and not enough unum.
 
cheesyking
Minister of Gerbil Affairs
Posts: 2756
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)
Contact:

Re: IP camera running through ddns. Any security concerns.

Sat Nov 03, 2012 4:29 pm

carl1864 wrote:
In my router settings I did notice that there is UPnP enabled for port 81, for the IP camera. Should I perhaps disable the UPnP, and change the camera settings to port 80 or something? I do plan to read more about this in the future to get a solid understanding for it and know how to figure this out for myself, but at the moment I'm looking for a quick secure fix to get up and running fast, and learn the ins and outs later.

Actually rather than switching to port 80 you might consider moving to a high port number (say above 10000). This makes the device slightly harder to find and will give you a degree of protection from hackers on the off chance that the camera was found to have an easily exploitable vulnerability (like that cockup trendnet had).

This doesn't really give you more security; it just reduces the nuisance of script kiddies constantly rattling your locks, so to speak.
Fernando!

Your mother ate my dog!
 
JohnC
Gerbil Jedi
Posts: 1924
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: IP camera running through ddns. Any security concerns.

Sat Nov 03, 2012 5:53 pm

From my personal experience (I have several IP camera setups for both our houses and for business location) I'd say regular setup using ddns is pretty safe... I've never had any unauthorized access to any of the setups. If you want to feel more safe - just change the password for camera access every month or so, and maybe disable the remote administration function, also use HTTPS access (if the camera supports it) instead of "standard" non-encrypted one.
Gifter of Nvidia Titans and countless Twitch donation extraordinaire, nothing makes me more happy in life than randomly helping random people
 
carl1864
Gerbil
Topic Author
Posts: 59
Joined: Wed Dec 16, 2009 4:42 pm

Re: IP camera running through ddns. Any security concerns.

Sat Nov 03, 2012 7:07 pm

Thanks for all the responses, I appreciate the input. So I've also been reading on the web about upnp, ports, and port forwarding, but there are some things I'm just a bit confused about. Perhaps I'm misunderstanding or doing this wrong, since I definitely don't have a full comprehension at this point.

1. So I did disable UPnP, which was previously set up on port 81. I expected the camera to stop functioning at this point, until I manually configured port forwarding. However as soon as I log in to my camera's local IP address 192.168.1.111:81, it still works just fine. Why is this?

2. I had enabled port forwarding for port 81 to go to the camera address 192.168.1.111. I then went to whatismyip to find out my current public IP address. I typed in my current public address, with port 81. For example, we will just say it was 123.123.123.123:81. I had expected to see the camera's login screen, thinking the request going to port 81 of my IP address would be forwarded to the camera, since I have port forwarding set up for that port. However instead I get nothing but a timeout.

Can anyone tell me what I'm doing wrong, or what misunderstanding I'm having?
 
JohnC
Gerbil Jedi
Posts: 1924
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: IP camera running through ddns. Any security concerns.

Sat Nov 03, 2012 7:19 pm

carl1864 wrote:
2. I had enabled port forwarding for port 81 to go to the camera address 192.168.1.111. I then went to whatismyip to find out my current public IP address. I typed in my current public address, with port 81. For example, we will just say it was 123.123.123.123:81. I had expected to see the camera's login screen, thinking the request going to port 81 of my IP address would be forwarded to the camera, since I have port forwarding set up for that port. However instead I get nothing but a timeout.


Did you set up port forwarding correctly? For example, did you put the same port number for both WAN port and your camera's "local IP" port in your router? Did you select correct protocol in port forwarding (TCP/UDP... better select "both" if such option exists and you don't know which one exactly your camera needs)? Make sure no other application uses this port...

It should look something like this in your router (obviously my port number and "local IP" address are different):
Image
Gifter of Nvidia Titans and countless Twitch donation extraordinaire, nothing makes me more happy in life than randomly helping random people
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: IP camera running through ddns. Any security concerns.

Sun Nov 04, 2012 10:14 am

carl1864 wrote:
1. So I did disable UPnP, which was previously set up on port 81. I expected the camera to stop functioning at this point, until I manually configured port forwarding. However as soon as I log in to my camera's local IP address 192.168.1.111:81, it still works just fine. Why is this?

Because when you access it from inside your network it doesn't go through the port forward. Port forwarding only affects access from outside your LAN (i.e. from the rest of the Internet). To access it from inside your network you do indeed need to use the 192.168.x.x address.

carl1864 wrote:
2. I had enabled port forwarding for port 81 to go to the camera address 192.168.1.111. I then went to whatismyip to find out my current public IP address. I typed in my current public address, with port 81. For example, we will just say it was 123.123.123.123:81. I had expected to see the camera's login screen, thinking the request going to port 81 of my IP address would be forwarded to the camera, since I have port forwarding set up for that port. However instead I get nothing but a timeout.

If you want to test the port forwarding you need to do it from outside your LAN, i.e. from a friend's house, a public WiFi hotspot, or from work (if your employer allows you to do stuff like that and doesn't block outgoing connections on port 81 at their own firewall). Keep in mind that the password can easily be sniffed if you use a public hotspot.
Nostalgia isn't what it used to be.
 
carl1864
Gerbil
Topic Author
Posts: 59
Joined: Wed Dec 16, 2009 4:42 pm

Re: IP camera running through ddns. Any security concerns.

Sun Nov 04, 2012 1:01 pm

I believe I have the port forwarding set up correctly. My router has ports labeled as Ext and Int ports (rather than the port range, and local port, in the image), but I have them both set to 81, protocol is set to both, the local IP is set to my camera's local IP, and I made sure to save changes, and make sure port forwarding is on. I triple checked this.

I found my WAN IP first, then opened up Tor, which sends the data through a proxy, and tried going to my local ip, port 81, through the proxy, but it just times out. That should work right? Since going through the proxy basically makes it as if I'm outside my network.

I did a bit of searching and it seems a few people (not many though) may have had problems port forwarding with Tomato firmware. Wondering if it's a router firmware issue.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: IP camera running through ddns. Any security concerns.

Sun Nov 04, 2012 1:30 pm

carl1864 wrote:
I found my WAN IP first, then opened up Tor, which sends the data through a proxy, and tried going to my local ip, port 81, through the proxy, but it just times out. That should work right? Since going through the proxy basically makes it as if I'm outside my network.

You should be trying to connect to your WAN IP through the proxy, not your local IP. Is that what you meant to say, or were you trying to connect to the 192.168.x.x address through Tor?
Nostalgia isn't what it used to be.
 
carl1864
Gerbil
Topic Author
Posts: 59
Joined: Wed Dec 16, 2009 4:42 pm

Re: IP camera running through ddns. Any security concerns.

Sun Nov 04, 2012 1:38 pm

No, I was connecting to the WAN IP through Tor, I typed 123.123.123.123:81 (of course it was my real WAN IP, from whatismyip, rather than the 123's). That was a typo.
 
JohnC
Gerbil Jedi
Posts: 1924
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: IP camera running through ddns. Any security concerns.

Sun Nov 04, 2012 5:19 pm

I dunno about your router, but there are some that also require some settings modification in "Firewall" section for working port forwarding... Not sure about Tomato and other modded firmwares, never used them. :-?
Gifter of Nvidia Titans and countless Twitch donation extraordinaire, nothing makes me more happy in life than randomly helping random people
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: IP camera running through ddns. Any security concerns.

Sun Nov 04, 2012 5:56 pm

Just to rule out the possibility that it is a problem with the proxy, try having a friend connect to it from outside without using a proxy.

It is also possible that your ISP blocks incoming connections on low-numbered ports. Try setting up the forward to use a high-numbered port (say, 12400) on the WAN side, forwarding that to 81 on the local side (camera). As noted previously, this will also help discourage script kiddies from poking at the camera since it won't be visible to the Internet on its standard port number.
Nostalgia isn't what it used to be.
 
JohnC
Gerbil Jedi
Posts: 1924
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: IP camera running through ddns. Any security concerns.

Sun Nov 04, 2012 6:14 pm

just brew it! wrote:
Just to rule out the possibility that it is a problem with the proxy, try having a friend connect to it from outside without using a proxy.

That, or you can use your smartphone or tablet (if you have one) using cellular connection (disable WiFi on them).
Gifter of Nvidia Titans and countless Twitch donation extraordinaire, nothing makes me more happy in life than randomly helping random people
 
carl1864
Gerbil
Topic Author
Posts: 59
Joined: Wed Dec 16, 2009 4:42 pm

Re: IP camera running through ddns. Any security concerns.

Sun Nov 04, 2012 6:35 pm

Good ideas, but no luck.

There's no firewall setting in Tomato firmware, documentation says it's all automatic.
Tried forwarding a high number port 12400 to port 81, and then accessing my WAN port 12400 from my smartphone (WiFi turned off), but it just times out.

Even updated to the latest Tomato firmware, and also checked my modem status to see if it had any sort of firewall or anything going, but all its firewall settings were turned off. Running out of ideas, almost ready to try a different router, I do have an old one laying around somewhere.
 
JohnC
Gerbil Jedi
Posts: 1924
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: IP camera running through ddns. Any security concerns.

Sun Nov 04, 2012 9:33 pm

Have you tried asking in Tomato firmware forums how to do port forwarding with particular version? Also, maybe try flashing the router manufacturer's firmware back to your router and try using it for port forwarding... Also, read your camera's manual again - perhaps it needs more ports forwarded to it (for example, it might use one port for video streaming and different one for its login and control interface).
Gifter of Nvidia Titans and countless Twitch donation extraordinaire, nothing makes me more happy in life than randomly helping random people
