Do any of you actually use Dahua P2P for external access to your cams?

Teken

Everything in life has a degree of risk that each person will accept or not. Some people can't feel alive unless they get their high from jumping out of a perfectly working plane. There are those who simply operate in an environment that is inherently dangerous like coal miner to taxi cab driver.

There are network risks that span from minor to major and everyone tries to balance access & control.

In 2021 the general populace is under more threat than at any other time in modern history with respect to networking. When there are known and proven tools and protocols that allow a person to reduce that attack vector to a person / network.

Why, would you not use or avoid the same?? :thumbdown:

The reality is people just love easy, simple, two clicks! :facepalm:

Given modern routers offer VPN which also provides a few clicks I honestly don't see the excuse to use P2P. :wtf:

Then again when I see who these people are having only listened or read what they have to say - Security isn't top of mind. As an aside, another member had mentioned about vulnerabilities with respect to security whether that applies to an OS, hardware, software. Every nation in the world is sitting on exploits unknown to the general populace. There are countless incidents where the FBI, CIA, NSA, to China, Russia, Korea, Germany, have used the same to penetrate systems to gather intelligence or to impact an enemy.

This is why active blue and red teams exist to pen test all primary and secondary systems with the view everything is open and a threat. As of this writing China & Russia pay known hackers to find entry points from finance, Government, Infrastructure, military, to supply chain. In what people refer to the West the same is done in the guise of protecting the nation etc.

Everyone can quote me here today and that is StarLink will be (has already begun) as a global tracking tool for the world. There isn't a company or country in the world that will have thousands of satellites in orbit like Elon Musk.
 

tigerwillow1

Given modern routers offer VPN which also provides a few clicks I honestly don't see the excuse to use P2P.
I answered this in post #15. My Internet plan will not allow any open ports. Can't use OpenVPN or similar. I have an OpenVPN router sitting in my closet as a paperweight. There have been posts from time to time from others in the same situation, Starlink being the latest example.
 

Teken

I answered this in post #15. My Internet plan will not allow any open ports. Can't use OpenVPN or similar. I have an OpenVPN router sitting in my closet as a paperweight. There have been posts from time to time from others in the same situation, Starlink being the latest example.
I get it and my reply wasn't targeted at anyone here more so offering insight as to pros / cons of using the same. The reality is how much real world need is there to view a home's video feed while off site?? Now, if someone said to me

Teken, my mother is 2000 years old and is frail and I want to keep an eye on her

Sure, what can be said about something like that for a person who is limited by an ISP / technical knowledge? The same could be said as to monitoring a seasonal cabin that is hundreds of miles away. There are probably thousands of reasons for a person wanting to monitor their property say living in a high crime rate area.

Sure, go to town . . .

But, the vast majority of people don't need to have access to a video feed 24.7.365. This is really a want vs need and of all the things that are so personal which is being able to actually see inside a person's home and property. Given all of the known and unknown threats it makes little sense to offer this access to people lying in wait. :facepalm:

Again, people can and will do whatever they feel is right for them that's the beauty of living in a free society! :thumb:

Having seen first hand all of the mischief and dire consequences of video feeds getting loose on the net. Which spans from people just creeping and watching to more extreme of people getting raped and young children taken. I have absolutely no desire to help the criminal element or make it easier for them to access my home.
 

hesiod

I think nowadays there is more danger in leaving a port open on your firewall and thus expose your NVR/XVR (or any device for instance) online for everyone to bruteforce your admin password, rather than using Dahua's P2P service.
I own an IT security & cctv installation company in Europe and before moving to Dahua as main brand, we were using an unknown Taiwanese DVR/NVR brand without any P2P service, and 1 open TCP port, and most of them were hacked, even without using the standard TCP port.
Last Friday to give an example, I had one of my last customers with one of these NVR who was complaining his Internet connectivity was sometimes going down and back up at random times.
Well, when I checked the NVR, I could see some code added in the NTP server field for the NTP client service. When I disconnected the NVR, everything was fine again... I didn't investigate any further and just left it disconnected, it was compromised anyway, and flashing the firmware was probably useless too.
Probably this NVR was being used to perform DDoS attacks all around the world.

Installing a VPN solution for every customer is absolutely possible, and for some customers we do use VPN concentrators in datacenters with a VPN capable router on premises, but try to explain to every customer that they need to do 2-3 things before being able to see their camera feeds. Some would get nuts.

I think the last years Dahua has been drastically improving and securing their P2P service, and most large cctv installer companies here in Europe use the P2P service, not because it happens to be easier, but more secure at some point, since there are no open ports.
 

bashis

Just like you know that Dahua has been NOT drastically improving and NOT securing their P2P service.
 

bashis

So for remote & mobile users you are saying that VPN is the only secure way?

Because opening port 37777 is even worse...
VPN is the most secure way IMO.

FYI, port 37777 (DVRIP protocol) is actually used in P2P, see PoC here.
 

Jayordon

I use P2P because I put significantly more weight in ease of use than a secure network. I want to be able to see different camera systems without having to set up a VPN at each location, add it to my phone, and switch my VPN every time I want to look at a different camera system. A VPN is definitely more secure, but it can be extremely inconvenient at times for me. For some people, a VPN is absolutely fine. They don't have other networks that they need to connect to all the time, so they can set up a VPN, turn it on, and leave it on. For me, not so much.

In addition to that, anybody who needs access to the cameras off site would need to be able to VPN in. For example, a shop owner hires 8 employees who he wants to have access to the cameras without being on site. He then needs to set up the VPN on all 8 of those employees' devices. What happens if one employee is replaced? Then he has to worry about removing the VPN from that employee's devices and putting it on the devices of the new employee. It's just way too much of a hassle.
 

JesseSR

I'd like to have someone clarify for me... I like using the DMSS app on my Android phone. Right now, I get alerts every time an IVS event is triggered on one of my cameras. Is that using P2P to send out those alerts? For those people who are saying TURN OFF P2P, does that mean you're NOT getting alerts on your phone via DMSS? The whole point of me getting a camera system is to be alerted ASAP when my IVS rules are triggered, so if P2P is off on the cameras, I can't get alerts on my phone? That would kinda suck?
 

awonson

@JesseSR, I have P2P turned off and receive DMSS IVS notifications on my iPhone. You need to allow the relevant outgoing ports on your router for it to work.

I allow the following outgoing ports for notifications and email from the NVR and camera: 587 (for GMail), 2195, 2197, 8888

When the NVR IVS notification is sent, I see in my syslog server that the following ports are used: 2195 and 8888. I also allow outgoing access to the Apple range of 17.0.0.0/8

I also have the option “Mobile Push Notification” turned on in both NVR and Cameras.

All incoming traffic to my NVR and cameras is blocked at the router and the ports above are the only ones I have opened outbound for NVR and cameras.
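
The policy in the post above (no inbound to the NVR and cameras, outbound only on 587, 2195, 2197, 8888 and to 17.0.0.0/8) can be checked against router logs. The following is an added example, not part of the original post: the LAN range, the device addresses, the netfilter LOG style of the sample lines, and the reading that any port is allowed toward the Apple range are all assumptions.

```python
import ipaddress
import re

# From the post: the only outbound ports allowed, plus the Apple range.
ALLOWED_OUT_PORTS = {587, 2195, 2197, 8888}
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
# Assumptions for this example: the LAN range and the NVR/camera addresses.
LAN = ipaddress.ip_network("192.168.1.0/24")
CCTV = {ipaddress.ip_address(a) for a in ("192.168.1.50", "192.168.1.51")}

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def check(line):
    """Return a finding string for a policy violation, else None."""
    f = dict(FIELD.findall(line))
    try:
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
    except (KeyError, ValueError):
        return None  # not a packet log line
    port = int(f["DPT"]) if f.get("DPT", "").isdigit() else None
    proto = f.get("PROTO", "?")
    # Anything arriving at the NVR/cameras from outside the LAN is a violation.
    if dst in CCTV and src not in LAN:
        return f"INBOUND {src} -> {dst} {proto}/{port}"
    # Outbound from the NVR/cameras must match the allowlist.
    if src in CCTV and dst not in LAN:
        if dst in APPLE_NET or port in ALLOWED_OUT_PORTS:
            return None
        return f"OUTBOUND {src} -> {dst} {proto}/{port}"
    return None  # other hosts, or LAN-only traffic


def audit(lines):
    """Collect findings for every line that breaks the policy."""
    return [finding for finding in map(check, lines) if finding]


# Constructed sample lines in netfilter LOG style (not real traffic).
SAMPLE = [
    "kernel: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=17.57.144.10 PROTO=TCP SPT=40112 DPT=2195",
    "kernel: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.20 PROTO=TCP SPT=40113 DPT=8888",
    "kernel: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 PROTO=UDP SPT=123 DPT=123",
    "kernel: IN=eth0 OUT=br0 SRC=203.0.113.99 DST=192.168.1.50 PROTO=TCP SPT=55001 DPT=37777",
    "kernel: IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=443",
    "kernel: IN=br0 OUT=eth0 SRC=192.168.1.51 DST=198.51.100.9 PROTO=TCP SPT=40200 DPT=587",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any finding means the router rules do not match the stated policy, or a device is attempting traffic the policy was meant to stop.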
 

JesseSR

Thinking out loud here.

I have a Dahua NVR. My Dahua NVR is added to my DMSS app (via the serial #). NONE of the cameras are added to the DMSS app -- only the NVR is. And I use the DMSS app to see the live video of all my cameras, through the NVR itself. I also get push notifications on the DMSS app for IVS triggers. Based on that, I would think I could turn OFF the P2P on all the cameras and still retain ALL the current functionality I have right now of a) viewing the cameras from my DMSS app, and b) getting DMSS push notifications. Is that correct? And while my NVR is accessible via P2P right now, they would need to know my serial # of the unit -and- have the login credentials. Is that correct?
 

Jayordon

Thinking out loud here.

I have a Dahua NVR. My Dahua NVR is added to my DMSS app (via the serial #). NONE of the cameras are added to the DMSS app -- only the NVR is. And I use the DMSS app to see the live video of all my cameras, through the NVR itself. I also get push notifications on the DMSS app for IVS triggers. Based on that, I would think I could turn OFF the P2P on all the cameras and still retain ALL the current functionality I have right now of a) viewing the cameras from my DMSS app, and b) getting DMSS push notifications. Is that correct? And while my NVR is accessible via P2P right now, they would need to know my serial # of the unit -and- have the login credentials. Is that correct?
That's right. All of my cameras have P2P disabled, but my NVR has it enabled. I get all of those features through the NVR. There's no point in having P2P on a camera and the NVR. Just one is enough.
 

Perimeter

I stumbled upon this thread when I tried to figure out differences in security while exposing equipment to a different degree. At first I was confused because I could access my consumer cams from the phone, yet found no open ports in my router. It turns out that P2P is responsible and works along the lines I guessed.

I started this thread a while ago:

I am still sorting through all the information here and elsewhere. I have already decided, that I will not use D_DNS.

I am currently trying to find a compromise in security, while understanding what I am doing and which risks I take. After reading this thread, I see four options.

Option 1:
I create a physical subnet on which the cameras and NVR reside. This subnet has no connection to the internet anywhere. The cameras would enjoy maximum safety from the net, but what about my property?
Part of the connections requires a second PowerLan network as well, doubling adapters in some locations - a waste of material and electricity.
If I connect this network to a PC with two nics, which has access to the internet on the other nic and fire up smartPSS, can I be sure that the cams don't use this program as a breach to phone home?

Option 2:
I put the cameras/NVR on my regular net too. I disable all P2P ability and deny them all internet access in my router. I need less powerline adapters and every PC in the house could access the cams. What added risk is involved now? A second person could now watch the outside too.

Option 3:
I lift the router's email restriction on the NVR and if possible allow push messages from the NVR too. How much of a risk is involved now? In return, I gain additional security for my property.

Option 4:
I also enable P2P for the NVR. Now I could view footage remotely, which would further help security of the property.

Everything is a tradeoff, as always.
 
Joined
Sep 21, 2017
Messages
8
Reaction score
4
Location
Australia
I stumbled upon this thread when I tried to figure out differences in security while exposing equipment to a different degree. At first I was confused because I could access my consumer cams from the phone, yet found no open ports in my router. It turns out that P2P is responsible and works along the lines I guessed.

I started this thread a while ago:

I am still sorting through all the information here and elsewhere. I have already decided, that I will not use D_DNS.

I am currently trying to find a compromise in security, while understanding what I am doing and which risks I take. After reading this thread, I see four options.

Option 1:
I create a physical subnet on which the cameras and NVR reside. This subnet has no connection to the internet anywhere. The cameras would enjoy maximum safety from the net, but what about my property?
Part of the connections requires a second PowerLan network as well, doubling adapters in some locations - a waste of material and electricity.
If I connect this network to a PC with two nics, which has access to the internet on the other nic and fire up smartPSS, can I be sure that the cams don't use this program as a breach to phone home?

Option 2:
I put the cameras/NVR on my regular net too. I disable all P2P ability and deny them all internet access in my router. I need less powerline adapters and every PC in the house could access the cams. What added risk is involved now? A second person could now watch the outside too.

Option 3:
I lift the router's email restriction on the NVR and if possible allow push messages from the NVR too. How much of a risk is involved now? In return, I gain additional security for my property.

Option 4:
I also enable P2P for the NVR. Now I could view footage remotely, which would further help security of the property.

Everything is a tradeoff, as always.
P2P on the NVR is the way to go. You get notifications, can watch live and recorded footage, and it works seamlessly without having to mess around with VPNs and other things. Like I mentioned in an earlier post every other consumer electronics device in your house that's connected to the internet phones home, and if you're ok with your smartphone (which has a lot more valuable information than your camera) doing it then you should be fine with your NVR/camera doing it.
 

fenderman

P2P on the NVR is the way to go. You get notifications, can watch live and recorded footage, and it works seamlessly without having to mess around with VPNs and other things. Like I mentioned in an earlier post every other consumer electronics device in your house that's connected to the internet phones home, and if you're ok with your smartphone (which has a lot more valuable information than your camera) doing it then you should be fine with your NVR/camera doing it.
It is clear that you don't have a basic understanding of the issue. The issue is not phoning home. 99% of home users do not have VLANs set up. This means that if the NVR is compromised via the P2P connection it can then be used to collect data from your network. NVR manufacturers cannot and should not ever be trusted. They have in the past and will in the future create backdoor access (intentionally or accidentally). You have to be really stupid to place an NVR on your LAN and use P2P.
Unless you permit it, there is no app on your phone that can do this. Moreover, your phone should be receiving monthly security updates - NVR makers not only fail to provide regular updates but they don't even patch them for many months if ever once they know about them.
 

Perimeter

I just discovered that I can transmit different subnets over the same powerline network in parallel. Is a powerline network basically an unmanaged switch? Can I use an unmanaged switch with different subnets concurrently?

In any case, when doing so, I still can't reach the cam subnet from the main net, when I tried. I can only reach the cams with the second nic connected, not with the regular nic that is on the main net.

So do I retain network isolation by using shared powerline adapters?

This means that if the NVR is compromised via the P2P connection it can then be used to collect data from your network.
Just a thought: What if I attach an old router to the new one? Would stuff attached to the old router be safe from a renegade NVR then?

The issue is not phoning home.
If you don't let them P2P or open ports, why would they have to be on an isolated subnet then?
 