Nighthawk Armor detected & blocked exploit an exploit attack on LT SECURITY camera from.....
Hello,
Hoping someone can help me understand the multiple notifications I get on a daily basis from Netgear Armor Security running on my router.
Network Attack Blocked: NETGEAR Armor has detected and blocked an exploit attack on LT SECURITY camera from 210.180.127.227
The IPs being block are different 95% of the time. When I run an IP LOOKUP TOOL they register back to somewhere in China, Korea or Russia, sometimes in the US. Its great that Armor Security is blocking these threats but its also very concerning. I like to ensure my home network is protected the best way possible. Any suggestions on what I can do?
My Home Network:.
Nighthawk AX11000 Tri-Band WiFe 6E Router (RAXE500), running on firmware v1.0.8.70
LTS 4 channel NVR (LTN8704Q-P4)
4 x 4MP network matrix IR turret cameras (CMIP1042-28M)
Re: Nighthawk Armor detected & blocked exploit an exploit attack on LT SECURITY camera from.....
If you have a security camera that is directly accessible from the WAN (e.g., someone tiping in your WAN IP address, will see a login page for your camera, then it will frequently be scanned by various bots, including ones that feed into searchengines such as shodan, where if you have a default password, the camera willbe effectively added into a wall of shame like directory.
Other groups will simply have bots do discionary attacks on any server they find while continuously scanning the IPv4 address space. There is not much that can be done about them since it happens in every country, and through the nature of bots, as well as other infected systems, the device launching the attack, may simply be someone who clicked on a malicious ad and got their system infected, and now their PC is part of a bot network being used to attack others.
Netgear Armor will block behavior such as that, e.g., if someoneis trying to do a dictionary attack, but really, such devices should not be set to have a web UI visible via your WAN IP address, instead, you should be using the VPN server in the router to access the device.
To test, if the web UI for your cameras are exposed on the WAN side, try using a smartphone, that is connected to LTE and not WiFi, then type in the WAN IP address of your home connection, and see if it brings up the web UI or a login page of any device on your LAN (try both http and https).
If the device does not offer a simple way to prevent such access, then use the service blocking function in the RAXE500's web UI to disable access to those ports that the web UI is hosted on.
Appreciate you answering and shedding some info on my situation.
I only access my security camera network via it's app (LTS Connect) installed on my iPhone. But after reading your response I confirmed it's accessible via its external IP address (Web UI) and a login page for the camera NVR ( I am not using a default PW ) comes up. I guess that explains the constant notifications from Netgear Armor stating threats were blocked.
Do these bots only target security cameras? Should I be concerned with other devices within my home network? (Ring Doorbell, Nest Cams?)
Would you kindly help me understand how to set the Web UI not to be visible via my WAN IP address and how to leverage the routers VPN to access my cameras? or how to use the service blocking function of the RAXE500's we UI to disable access to those ports that the web UI is hosted on?
Re: Nighthawk Armor detected & blocked exploit an exploit attack on LT SECURITY camera from.....
On the RAXE500, if a specific device does not allow you to disable its web UI, or if it is using UPnP to forward the web UI port, and offers no way to turn it off, then service blocking will be your only option.
To make the most effective use of it, first make sure the NVR has a static LAN IP. You can do that by:
Go to the Advanced tab.
Go to Setup.
Go to LAN Setup.
Scroll down to the "Address Reservation" section.
Click on "Add".
Select your NVR from the list.
Click on the "Add" button near the top of the page.
If possible make note of which IP the NVR is using.
The above will allow you to more reliably do service blocking.
To do the service blocking:
While in the Advanced tab, click on "Security".
Click on "Block Services".
Click on "Add".
Set the start and ending port to 80.
Under the "Filter Services For" section, select "Only This IP Address".
Under "Service Type/User Defined" give it any name you want.
Type in the last 3 digits for the LAN IP of the NVR.
Click on the "Add" button on the bottom of the page.
Click on Apply.
If the NVR is aet to also allow web UI access via HTTPS, then repeat steps 3 to 9 but using port 443 instead of 80.
If you are unsure which port it is using, or if other devices are forwarding ports for their web UIs, you can also check the following section.
Advanced tab> Advanced Setup> UPnP. and see which ports the NVR is having forwarded. Ignore any ports related to what would be needed for the mobile app to function, as blocking them will prevent the app working remotely.
For your NVR, page 37 of the user manual http://www.ltsecurityinc.com/amfilerating/file/download/file_id/1937/ mentions one UPnP setting, if it also handles the port forward related to the web UI, if it does, then that may allow you to disable WAN access to the web UI without the need for the service blocking function.
