[LAN access from remote] R7000
I recently got a security camera system installed. The installers opened a few ports to allow me to view the cameras remotely. I noticed these remote access entries in my router. They're basically hitting my NVR, and would see a login screen. Is there a way that I can tell if these intruders simply got as far as the login screen, or if they were actually able to get past those and actually see the footage from my cameras?
[LAN access from remote] from 194.26.29.107:53715 to 10.0.0.99:8085, Tuesday, Jul 07,2020 16:33:35
[LAN access from remote] from 185.176.27.190:45639 to 10.0.0.99:8083, Tuesday, Jul 07,2020 13:31:00
[LAN access from remote] from 94.102.56.231:40950 to 10.0.0.99:8083, Tuesday, Jul 07,2020 13:15:20
[LAN access from remote] from 196.52.43.131:34247 to 10.0.0.99:8082, Tuesday, Jul 07,2020 12:08:22
[LAN access from remote] from 71.188.73.110:52261 to 10.0.0.99:8082, Tuesday, Jul 07,2020 09:18:48
Accepted Solutions
> [...] The installers opened a few ports [...]
Does that mean port forwarding? Actual port-forwarding rules?
> [...] They're basically hitting my NVR, and would see a login screen.
> [...]
Yup. Welcome to the Internet. Choose good passwords.
> [...] Is there a way that I can tell if these intruders simply got as
> far as the login screen, or if they were actually able to get past those
> [...]
Not from the router. The router records the connection, not the
whole transaction, so I wouldn't expect to get more information from it.
Your (unspecified) "my NVR" (or a camera itself) might keep track of
successful connections, but that's not a router question.
You might get fewer access attempts if you chose some less popular
external port numbers for this stuff. Ports like "8080" and its
immediate neighbors are very commonly used, hence probed/attacked.
Ports of a more odd-ball character, like, say, "930X" might get less
attention. A Web search for terms like:
port XXXX
might offer some clues as to how any particular port ("XXXX") gets used,
officially or unofficially. Choosing something which is used by some
game or other might not be stealthier than what you have now.
All Replies
Re: [LAN access from remote] R7000
Thank you @antinode. Very solid advice. Both on the passwords, as well as on the ports I should switch to.
Yes, by opening ports I meant port forwarding. On my router firewall by default all incoming traffic was blocked previously. With the security cameras, the installer forwarded some ports with rules like:
Forward incoming TCP requests on 8083 to [local IP]:8083
Based on your comment I looked into my NVR, which had its own logs. Fortunately no-one was able to go through the login yet, but all the probing still makes me uncomfortable. I removed all port forwarding for now, until I figure out a better solution (remote viewing is not that important to me anyway).
Re: [LAN access from remote] R7000
> Forward incoming TCP requests on 8083 to [local IP]:8083
Same "[local IP]" for all, or unique for each camera? (There's no
need to hide your private LAN IP addresses.)
Knowing approximately nothing about your (unspecified) "my NVR" or
the cameras, I can't say if all the different "808X" ports were worth
the bother, but you can change the external port in a port-forwarding
rule without disturbing any of the other stuff.
For example, a rule like the following would do it:
                 Ports
   Protocol  External  Internal  Server IP Address
   TCP       9383      8083      [local IP]
Then, in a web browser in the outside world, you'd use a URL like:
http://<your_public_IP_address>:9383
instead of:
http://<your_public_IP_address>:8083
which, I assume, is what you're doing now.
> [...] I removed all port forwarding for now, [...]
You could run the experiment with odd-ball ports, and see if there's
any benefit.
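An added example, not part of any post in this thread: one way to measure that experiment is to tally the router's "[LAN access from remote]" entries per forwarded target before and after changing the external port. The function names are hypothetical and the sample lines are the five log entries quoted in the first post; as noted above, these entries show connections only, not whether a login succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the five router log lines quoted in the first post.
SAMPLE = """\
[LAN access from remote] from 194.26.29.107:53715 to 10.0.0.99:8085, Tuesday, Jul 07,2020 16:33:35
[LAN access from remote] from 185.176.27.190:45639 to 10.0.0.99:8083, Tuesday, Jul 07,2020 13:31:00
[LAN access from remote] from 94.102.56.231:40950 to 10.0.0.99:8083, Tuesday, Jul 07,2020 13:15:20
[LAN access from remote] from 196.52.43.131:34247 to 10.0.0.99:8082, Tuesday, Jul 07,2020 12:08:22
[LAN access from remote] from 71.188.73.110:52261 to 10.0.0.99:8082, Tuesday, Jul 07,2020 09:18:48
"""

# Matches the log line layout shown in this thread.
LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):\d+ "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), \w+, "
    r"(?P<ts>\w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)

def parse_line(line):
    """Return src, dst, dport and timestamp for one entry, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    when = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "when": when}

def summarize(lines):
    """Group entries by forwarded target (dst, dport): hits, distinct sources, first/last seen."""
    stats = defaultdict(lambda: {"hits": 0, "sources": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # other router log entry types are ignored
        s = stats[(rec["dst"], rec["dport"])]
        s["hits"] += 1
        s["sources"].add(rec["src"])
        s["first"] = rec["when"] if s["first"] is None else min(s["first"], rec["when"])
        s["last"] = rec["when"] if s["last"] is None else max(s["last"], rec["when"])
    return dict(stats)

if __name__ == "__main__":
    for (dst, dport), s in sorted(summarize(SAMPLE.splitlines()).items()):
        print(f"{dst}:{dport}  hits={s['hits']}  sources={len(s['sources'])}  "
              f"{s['first']} .. {s['last']}")
```

Run it over a saved copy of the router log for equal-length periods with the old and the new external port, then compare the hit and distinct-source counts.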
Re: [LAN access from remote] R7000
You're right, I wasn't trying to hide my internal IPs, just make it easier to read. I know very little about this topic. Your first response gave me the pointers to read up more and educate myself.
To answer your question about my NVR, I have 4 security cameras that plug into the NVR directly. These 4 cameras are not visible to the outside world, in fact not even within my LAN. I can only access them through the NVR (and the NVR is visible locally and externally on 8083).
I do have an additional IP camera that plugs directly into my router (I think, though now I am wondering where is it getting its power from) and is visible on the LAN, and the outside world on a different port (8701).
At some point I may run the experiment with oddball ports to see if that lightens the probing load. For now, when I thought more about it, I came to the conclusion that for a layperson like me making my devices visible outside is more trouble than it's worth. In 15 years of having a home network, this was the first time I looked at my router logs (or even realized there is such a thing).
But thank you. You've been more helpful than you realize.