Dahua/Imou Security

jime1051

n3wb
Joined
Nov 13, 2017
Messages
4
Reaction score
2
How is your network being compromised by the installation of these cameras when just using Blue Iris and not using the Cloud apps that come with the cameras? What precautions are possible to prevent issues?
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,994
Reaction score
48,741
Location
USA
If your cameras' IP addresses are on the same IP address range as your internet, then the cameras are able to phone home and people can hack into them.

Do not port forward your router.

Do not have your cameras go through the router.

Turn off UPnP and P2P.

Use a dual NIC in your BI computer. Have all cameras go to one NIC with one IP address range. The second NIC is where your internet and a different IP address range is. Or use a VLAN.

Use OpenVPN to access your BI when away from home.


 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,413
Reaction score
2,811
Location
USA
I have my CCTV devices set up on their own VLAN. Devices on that VLAN do not have access to the internet, period. Additionally, my cameras cannot communicate with anything except the BI computer. Even if they try to "phone home" they will not be able to.

My firewall actively suppresses outside connections (as all firewalls should) with the exception of my VPN (noted below). I have also set up additional rules based on geolocation that will block all connections from outside a very specific region. This is redundant/overkill and shouldn't really be needed, but it was easy enough to set up and is simply an extra layer of protection (i.e. it isn't the main way to block traffic into my network).

I have set up a VPN that I use to access my home network when I am away from home. I can access my BI computer and feeds via this VPN the same way I would if I was on my local home network. However, using a VPN is a much more secure way of allowing an outside connection to your network.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
I have my CCTV devices set up on their own VLAN. Devices on that VLAN do not have access to the internet, period. Additionally, my cameras cannot communicate with anything except the BI computer. Even if they try to "phone home" they will not be able to.

My firewall actively suppresses outside connections (as all firewalls should) with the exception of my VPN (noted below). I have also set up additional rules based on geolocation that will block all connections from outside a very specific region. This is redundant/overkill and shouldn't really be needed, but it was easy enough to set up and is simply an extra layer of protection (i.e. it isn't the main way to block traffic into my network).

I have set up a VPN that I use to access my home network when I am away from home. I can access my BI computer and feeds via this VPN the same way I would if I was on my local home network. However, using a VPN is a much more secure way of allowing an outside connection to your network.
I have a similar setup. However, I allow NTP to a local time server (Chrony on Home Assistant). I've always wondered which is the worse scenario: allowing cameras to talk to a public internet NTP server, or opening NTP ports across VLAN subnets. It's nice to have one NTP server handling all time codes across the network. But now I wonder if I should just put another NTP server on the Blue Iris Windows machine, just for BI and camera purposes only, alleviating the need to open NTP ports across the network.
I did ask Ken (author of Blue Iris) if an NTP server could be in the works for future Blue Iris versions... he just laughed and said naw :)
 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,413
Reaction score
2,811
Location
USA
I have a similar setup. However, I allow NTP to a local time server (Chrony on Home Assistant). I've always wondered which is the worse scenario: allowing cameras to talk to a public internet NTP server, or opening NTP ports across VLAN subnets. It's nice to have one NTP server handling all time codes across the network. But now I wonder if I should just put another NTP server on the Blue Iris Windows machine, just for BI and camera purposes only, alleviating the need to open NTP ports across the network.
I did ask Ken (author of Blue Iris) if an NTP server could be in the works for future Blue Iris versions... he just laughed and said naw :)
Now that you mention it, I think I actually allow the BI computer access to the NTP service on the firewall itself (the firewall rule allows the computer access to UDP port 123 only on the firewall). I can double check that, but I think that is what I decided to allow.
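The segmentation policy the thread converges on (camera VLAN with no internet, cameras reachable only by the BI machine, and NTP allowed only from the BI machine to the firewall's own UDP/123 service) can be written down as a first-match, default-deny rule table and checked against sample flows before it goes into a real firewall. This is an added illustration, not any poster's actual configuration; the subnets, host addresses and ports are constructed, and it assumes a stateful firewall so that replies to an accepted connection need no rule of their own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for this example (not taken from the thread).
CAMERA_VLAN = ipaddress.ip_network("10.10.50.0/24")   # cameras only, no internet
BI_HOST = ipaddress.ip_address("10.10.10.20")         # Blue Iris machine on the LAN VLAN
FIREWALL_NTP = ipaddress.ip_address("10.10.50.1")     # firewall's own NTP listener
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """A new connection attempt: who initiates it, to where, on which port."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def is_private(addr):
    return any(addr in net for net in RFC1918)


# First-match rule table: (predicate over (flow, src, dst), verdict).
# Anything that matches no rule falls through to the default drop.
RULES = [
    # BI pulls RTSP/HTTP from the cameras; the cameras never initiate to BI.
    (lambda f, s, d: s == BI_HOST and d in CAMERA_VLAN and f.proto == "tcp"
                     and f.dport in (80, 554), "accept"),
    # BI may ask the firewall itself for time, and nothing else on it.
    (lambda f, s, d: s == BI_HOST and d == FIREWALL_NTP and f.proto == "udp"
                     and f.dport == 123, "accept"),
    # Cameras may not phone home: explicit drop for any public destination.
    (lambda f, s, d: s in CAMERA_VLAN and not is_private(d), "drop"),
]


def verdict(flow):
    """Return "accept" or "drop" for a new flow under the policy above."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for predicate, action in RULES:
        if predicate(flow, s, d):
            return action
    return "drop"   # default deny: cameras cannot reach other VLANs, NTP, or each other


def audit(flows):
    """Evaluate a batch of constructed flows; handy for checking a rule change."""
    return [(f, verdict(f)) for f in flows]
```

Cameras trying a public NTP server, the Home Assistant NTP server on another VLAN, or a neighbouring camera all land on "drop", while the two BI-initiated paths are the only accepts.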
 