DrPee
Guide
Jul 11, 2020
Solved

[LAN access from remote] R7000

I recently got a security camera system installed. The installers opened a few ports to allow me to view the cameras remotely. I noticed these remote access entries in my router. They're basically hitting my NVR, and would see a login screen. Is there a way that I can tell if these intruders simply got as far as the login screen, or if they were actually able to get past those and actually see the footage from my cameras?

 

[LAN access from remote] from 194.26.29.107:53715 to 10.0.0.99:8085, Tuesday, Jul 07,2020 16:33:35
[LAN access from remote] from 185.176.27.190:45639 to 10.0.0.99:8083, Tuesday, Jul 07,2020 13:31:00
[LAN access from remote] from 94.102.56.231:40950 to 10.0.0.99:8083, Tuesday, Jul 07,2020 13:15:20
[LAN access from remote] from 196.52.43.131:34247 to 10.0.0.99:8082, Tuesday, Jul 07,2020 12:08:22
[LAN access from remote] from 71.188.73.110:52261 to 10.0.0.99:8082, Tuesday, Jul 07,2020 09:18:48

  • > [...] The installers opened a few ports [...]

       Does that mean port forwarding?  Actual port-forwarding rules?

    > [...] They're basically hitting my NVR, and would see a login screen.
    > [...]

       Yup.  Welcome to the Internet.  Choose good passwords.

    > [...] Is there a way that I can tell if these intruders simply got as
    > far as the login screen, or if they were actually able to get past those
    > [...]

       Not from the router.  The router records the connection, not the
    whole transaction, so I wouldn't expect to get more information from it.
    Your (unspecified) "my NVR" (or a camera itself) might keep track of
    successful connections, but that's not a router question.

       You might get fewer access attempts if you chose some less popular
    external port numbers for this stuff.  Ports like "8080" and its
    immediate neighbors are very commonly used, hence probed/attacked.
    Ports of a more odd-ball character, like, say, "930X" might get less
    attention.  A Web search for terms like:
          port  XXXX
    might offer some clues as to how any particular port ("XXXX") gets used,
    officially or unofficially.  Choosing something which is used by some
    game or other might not be stealthier than what you have now.
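
The router log records only that a forwarded connection reached the NVR, so the most it can tell you is who connected to which port and when. The following Python script is an added example, not part of the original thread: it parses the "[LAN access from remote]" lines posted in the question and groups the remote addresses by forwarded port. The function names `parse_log` and `summarize` and the `known_sources` parameter are assumptions made for illustration, and the line format is inferred from the five lines in the question.

```python
import re
from collections import defaultdict
from datetime import datetime

# The five router log lines from the question, copied as posted.
SAMPLE_LOG = """\
[LAN access from remote] from 194.26.29.107:53715 to 10.0.0.99:8085, Tuesday, Jul 07,2020 16:33:35
[LAN access from remote] from 185.176.27.190:45639 to 10.0.0.99:8083, Tuesday, Jul 07,2020 13:31:00
[LAN access from remote] from 94.102.56.231:40950 to 10.0.0.99:8083, Tuesday, Jul 07,2020 13:15:20
[LAN access from remote] from 196.52.43.131:34247 to 10.0.0.99:8082, Tuesday, Jul 07,2020 12:08:22
[LAN access from remote] from 71.188.73.110:52261 to 10.0.0.99:8082, Tuesday, Jul 07,2020 09:18:48
"""

# Format inferred from those lines: source ip:port, LAN ip:port, weekday, timestamp.
LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):\d+ "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), \w+, "
    r"(?P<ts>\w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)

def parse_log(text):
    """Return one dict per forwarded inbound connection; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "src": m["src"],
                "dst": m["dst"],
                "dport": int(m["dport"]),
                "time": datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S"),
            })
    return events

def summarize(events, known_sources=()):
    """Map each forwarded port to the sorted remote IPs that are not known_sources."""
    by_port = defaultdict(set)
    for e in events:
        if e["src"] not in known_sources:
            by_port[e["dport"]].add(e["src"])
    return {port: sorted(ips) for port, ips in sorted(by_port.items())}

if __name__ == "__main__":
    for port, ips in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"port {port}: {len(ips)} unfamiliar source(s): {', '.join(ips)}")
```

Pass your own remote addresses (phone carrier, office) as `known_sources` to leave only the unfamiliar ones. Whether any of those connections got past the login screen has to be checked in the NVR's own log.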

4 Replies

    • DrPee
      Guide

      Thank you antinode. Very solid advice. Both on the passwords, as well as on the ports I should switch to.

      Yes, by opening ports I meant port forwarding. On my router firewall by default all incoming traffic was blocked previously. With the security cameras, the installer forwarded some ports with rules like:

      Forward incoming TCP requests on 8083 to [local IP]:8083

      Based on your comment I looked into my NVR, which had its own logs. Fortunately no-one was able to go through the login yet, but all the probing still makes me uncomfortable. I removed all port forwarding for now, until I figure out a better solution (remote viewing is not that important to me anyway).

      • > Forward incoming TCP requests on 8083 to [local IP]:8083

           Same "[local IP]" for all, or unique for each camera?  (There's no
        need to hide your private LAN IP addresses.)

           Knowing approximately nothing about your (unspecified) "my NVR" or
        the cameras, I can't say if all the different "808X" ports were worth
        the bother, but you can change the external port in a port-forwarding
        rule without disturbing any of the other stuff.

           For example, a rule like the following would do it:

                              Ports
            Protocol   External   Internal   Server IP Address
              TCP        9383       8083       [local IP]

           Then, in a web browser in the outside world, you'd use a URL like:
              http://<your_public_IP_address>:9383
        instead of:
              http://<your_public_IP_address>:8083
        which, I assume, is what you're doing now.

        > [...] I removed all port forwarding for now, [...]

           You could run the experiment with odd-ball ports, and see if there's
        any benefit.