Anyone with I.T. experience here?

Status
Not open for further replies.
BLOCK THE WHOLE COUNTRY. . . . Yeah Right!
If an IT tech who works for me did that, he'd be out of work tomorrow.

And they'd have a job somewhere else the next day. It's really common (and accepted) to blackhole entire IP networks. Why would anyone from, say, Poland (or Belarus) need to connect into the customer's router? Give me a reason, any reason. I can't think of one. And yes, VPNs can mask a lot, but most hackers are lazy and go for low-hanging fruit (read: "badly protected" networks). Of course, that won't stop everything, but it'll stop a lot. (Want a guarantee of no network intrusions? Unplug the cable.)

My current blackhole list is
58.224.0.0/11
60.0.0.0/8
113.56.0.0/15
118.192.0.0/14
122.64.0.0/11
125.36.0.0/14
180.144.0.0/12
61.142.0.0/16
221.232.0.0/14
111.74.0.0/16
although I haven't added to it in a while and don't subscribe to any RBLs. All of those ranges were originating SSH probes into my network. (This is also why I don't take inbound SSH on port 22; that port is blackholed.)

Also, consider the business case of the customer- they might want to check the DVR from home, but that doesn't mean opening the port to the world. And they just might want to browse a web site in Poland, but if you allow outbound TCP connections, they can.

You will come to know what I'm talking about.
BTW, I built my first Internet firewall in 1995 (BSDi and the TIS Firewall Toolkit); I've been at it a while, so I have a rather good idea what you're talking about.
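As an added example (not code from the poster), here is how the blackhole list above can be applied in practice: match the source addresses in sshd log lines against the posted CIDRs, list the failed attempts that are not yet covered so they can be reviewed (not auto-added, since locking out your own address is the classic self-inflicted outage), and emit one nftables rule dropping the whole list. The log lines are constructed for this example; the CIDRs are the ones posted in the thread.

```python
import ipaddress
import re

# The CIDRs posted in the thread, verbatim.
BLACKHOLE_CIDRS = [
    "58.224.0.0/11", "60.0.0.0/8", "113.56.0.0/15", "118.192.0.0/14",
    "122.64.0.0/11", "125.36.0.0/14", "180.144.0.0/12", "61.142.0.0/16",
    "221.232.0.0/14", "111.74.0.0/16",
]

# Constructed sshd log lines in OpenSSH auth.log style (not from the poster's system).
SAMPLE_LOG = """\
Mar  3 02:11:07 gw sshd[1201]: Failed password for root from 60.12.33.7 port 51234 ssh2
Mar  3 02:11:09 gw sshd[1203]: Invalid user admin from 118.193.4.20 port 40111
Mar  3 02:11:12 gw sshd[1205]: Accepted publickey for ops from 192.0.2.10 port 50222 ssh2
Mar  3 02:12:40 gw sshd[1210]: Failed password for root from 122.95.1.1 port 41234 ssh2
Mar  3 02:13:01 gw sshd[1212]: Failed password for root from 203.0.113.9 port 41235 ssh2
"""

_FROM_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3}) port \d+")
_FAIL_RE = re.compile(r"Failed password|Invalid user")


def parse_networks(cidrs):
    """strict=True rejects a CIDR with host bits set (e.g. a typo like 58.225.0.0/11)."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def source_ips(log_text):
    """Source addresses in order of appearance."""
    out = []
    for line in log_text.splitlines():
        m = _FROM_RE.search(line)
        if m:
            out.append(m.group(1))
    return out


def classify(ips, networks):
    """Map each address to the first blackholed CIDR containing it, or None."""
    result = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        result[ip] = next((str(n) for n in networks if addr in n), None)
    return result


def unblocked_failures(log_text, networks):
    """Failed/invalid-user attempts whose source is not yet blackholed: review candidates."""
    seen = []
    for line in log_text.splitlines():
        m = _FROM_RE.search(line)
        if not m or not _FAIL_RE.search(line):
            continue
        ip = m.group(1)
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in networks) and ip not in seen:
            seen.append(ip)
    return seen


def nft_rules(networks, family_table="inet filter", chain="input"):
    """One nft command dropping the whole list via an anonymous set (nftables syntax)."""
    ordered = sorted(networks, key=lambda n: (int(n.network_address), n.prefixlen))
    members = ", ".join(str(n) for n in ordered)
    return [f"nft add rule {family_table} {chain} ip saddr {{ {members} }} counter drop"]


if __name__ == "__main__":
    nets = parse_networks(BLACKHOLE_CIDRS)
    for ip, hit in classify(source_ips(SAMPLE_LOG), nets).items():
        print(f"{ip:16} -> {hit or 'not blackholed'}")
    print("review:", unblocked_failures(SAMPLE_LOG, nets))
    print("\n".join(nft_rules(nets)))
```

The generated command assumes an existing `inet filter` table with an `input` chain; adjust the names to your ruleset. The accepted login from 192.0.2.10 is not flagged, and 203.0.113.9 is reported for review rather than added automatically.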
 
Awesome! Since I am getting replies, I will elaborate further. I thought there might be other electricians who expand into IT, sound and DMX lighting like I do!

This client has 20 of the same model DVR in different locations.

All locations have static IPs no ddns.

Client owns and manages routers. Wifi is disabled.

Only 1 out of 20 of the client's locations has this problem; they all have the same model DVR, same model router, same ISP.

The DVRs are made by Dahua; they are older units with a 2014 firmware build, and no further firmware support is available. I know I can buy a new DVR; I just want to understand the breach.

The hack is some type of bug that turns the brightness down to 0, changes the LAN IP (throwing the machine offline), and renames the cameras to hacked1, hacked2, etc. Defaulting the unit easily brings it back up, but the problem happens again about every 3 weeks. We can see the hack in the DVR log with an IP from Poland.

Router passwords and DVR passwords have been changed; it makes no difference.

It has been suggested that the bug exploits the DVR using telnet. I do not know how to disable telnet.

All Dahua DVRs use port 37777 for inbound access by default. I have just now changed the port number and have to wait on the results. I don't know if this bug would use port 37777 or if it does something on the (free-for-all) port 80.

Look forward to your comments.

Before I start, what is your role in the organization? If you are the admin, you hold the authority to hand out rights and privileges to users who can make changes or settings. TELNET can only have access if you give it privileges.
If you are able to do that, you've got it made.

Good to know you are almost like a diversified portfolio owner with asset allocation capability. lol
You are an IT tech, sound and DMX light technician and of course electrician. Some people I know do windows too.
No not with squeegee. lol

Perfect financial management, comparatively. . . hard to lose in the stock market game. You lose some . . . but you gain some. LOL

And then you say "All locations have static IPs no ddns." Have you run this errant camera using DDNS or DynDNS?
An IP camera is like a computer peripheral with a MAC address (media access control) . . . it is also assigned properties as a member of a network.

According to your narrative, "one out of twenty has this problem". The DVR or other recording devices don't have the same properties as the IP camera. It has no MAC address.

If all cameras have static IP addresses in your network, their addresses are fixed, meaning they are not changed by the router.
Compare that to a DYNAMIC address, which will change every time you log out and log in. When you log out (sign off), the address that was assigned to you will be given to another member of the network.

Because of this constantly changing address, it makes it harder for a hacker (although they can still hack you), but they have to work a bit harder.

Having said that. . . . you can minimize unauthorized entry (if you happen to have an open port) by switching that one vulnerable camera to a DYNAMIC address.
Your DHCP will assign this for you. . . . you have no control over it.
You have to go through the setup sequence of the camera.

At least that's what I do on LINUX.

As an aside:
You don't disable TELNET. As the admin in your organization, you don't give it access to make those changes you mentioned.
In the event of unauthorized entry. . . don't leave any open port.
 
BLOCK THE WHOLE COUNTRY. . . . Yeah Right!

If an IT tech who works for me did that, he'd be out of work tomorrow.

It would be a mistake for you to think that you are far ahead of the malware that infests our networks. . . those malware programmers are way far ahead of (smarter than) users. . . and they know all about work-arounds.
They are in front of their computers twenty hours or more a day, while users like us are on our computers around six hours at the most - - - unless someone needs a life. lol
Your idea of blocking the whole country may sound easy to a regular joe. . . but it is an urban myth.
Someone advocating this approach may not even be familiar with the fundamentals of data architecture.

Modems, routers, switches and repeaters etc. belong to the lowest and least intelligent components of a network. . . they are the HARDWARE PART.

In order for you to have control over the network. . . you need to have a solid knowledge of the OSI Model (Open System Interconnect) and the Six-Layer Data Link and Physical Layers that comprise the OSI.

The "blocking the whole country" approach is replete with nonsense. No one can stop a user with malevolent intentions who is using a VPN (virtual private network).

A VPN can mask someone's IP address. . . . and he can make an entry by using a server that will make it look like the hacker is located in Nairobi or Puerto Rico without anyone knowing it.
In the case of Poland. . . keep in mind that these countries in Eastern Europe overlap in internet services.
The hacker doing this malicious stuff may not even be located in Poland.

What you see on your screen advertised in Slovakia would show on a website in the Czech Republic because of their close proximity, for example. . . so you don't really know where the hacker is coming from.

Blocking Poland will also block Belarus from gaining access, and you as a user as well.
Have you been cruising the Danube, where you spend days in countries like Bulgaria, Romania, Hungary and on to Austria and Germany?

You will come to know what I'm talking about.

It doesn't stop someone from using a VPN, but a lot of garbage comes from certain areas of the world. It is pretty hard to block much of anything if you are in, say, the US, but it works pretty well in smaller countries. But the best approach is to block everything and only unlock the specific ports, and preferably IPs, that you have to unlock. This reduces your attack surface (vulnerability) considerably. Then require some kind of protocol change to get from one layer to the next. For instance, don't allow telnet access directly. You must VPN in or remote into a server to be able to use telnet.
 
The DVR or other recording devices don't have the same properties as the IP camera. It has no MAC address.
If the DVR (or IP camera) is on an Ethernet network, it most assuredly has a MAC address; that's how Ethernet nodes are identified.

Compare that to a DYNAMIC address, which will change every time you log out and log in. When you log out (sign off), the address that was assigned to you will be given to another member of the network.

What is this "logout"? Broadband connections seldom, if ever, disconnect; they're considered always-on (or "nailed-up").

DHCP servers will offer the same IP address to a given MAC as used previously unless specifically configured not to. IME most broadband ISPs operate that way, since they don't oversubscribe their IP pool (dial-up and on-demand connections might use a smaller IP pool since they're not always-on). This is also true (default config) for the vast majority of SOHO and residential routers/firewalls. (The DHCP lease process has a part where the client requests a specific address. When the lease is up, the client asks for the current IP and the server usually says "Sure".)

Oh, and TELNET?? That's been default-disabled on most systems for a very long time; SSH replaced it for CLI/shell connections. The telnet client is still useful for testing HTTP and SMTP servers if you like manually typing the protocols.
 
All Dahua DVRs use port 37777 for inbound access by default. I have just now changed the port number and have to wait on the results. I don't know if this bug would use port 37777 or if it does something on the (free-for-all) port 80.

Here's your problem.

Things like DVRs/NVRs should NEVER be exposed directly to the internet. They are way too insecure and provide an attack vector by which other devices on the network can be compromised (someone gets into the DVR, then from within the DVR they have unfettered access to the rest of the network). The DVRs should be behind the firewall with UPnP disabled and a VPN used for remote access. We use the Ubiquiti EdgeRouters and run OpenVPN on them for this purpose.
 
I'll also add that a lot of these IP cameras are communicating with servers located in China for no apparent reason. I have observed it on two different brands. Best practice is to place the camera system on its own VLAN, block internet access from that VLAN (except maybe for NTP if you're not running an internal NTP server) and configure inter-VLAN routes as necessary.
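The three preceding posts describe one policy: block everything inbound and open only what you must (preferably to specific source IPs), never forward DVR ports to the whole internet and reach the DVR over VPN instead, and let the camera VLAN out only for NTP. As an added example (not the posters' code or any vendor's configuration), here is a small audit of a router's port-forward table and the camera VLAN's egress rules against that policy. The addressing, the rule structures and the router state are all constructed for this example; the DVR ports (37777, 80, 23) are the ones the thread mentions.

```python
import ipaddress

CAMERA_VLAN = ipaddress.ip_network("192.168.10.0/24")   # assumed camera/DVR VLAN
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ports the thread mentions on the DVR: vendor service port, web UI, telnet.
DVR_SERVICES = {37777: "Dahua service port", 80: "web UI", 23: "telnet"}

# Constructed router state. This shape is for the example only, not a vendor export.
PORT_FORWARDS = [
    {"proto": "tcp", "dport": 37777, "src": "0.0.0.0/0",       "dst": "192.168.10.20"},
    {"proto": "tcp", "dport": 80,    "src": "0.0.0.0/0",       "dst": "192.168.10.20"},
    {"proto": "tcp", "dport": 37777, "src": "198.51.100.7/32", "dst": "192.168.10.20"},  # one known static IP
]

# Egress rules for the camera VLAN, evaluated top to bottom, first match wins.
WEAK_EGRESS = [
    {"src": "192.168.10.0/24", "dst": "0.0.0.0/0",      "proto": "udp", "dport": 123,  "action": "accept"},
    {"src": "192.168.10.0/24", "dst": "0.0.0.0/0",      "proto": "tcp", "dport": 443,  "action": "accept"},
    {"src": "192.168.10.0/24", "dst": "192.168.1.0/24", "proto": "any", "dport": None, "action": "accept"},
]
HARDENED_EGRESS = [
    {"src": "192.168.10.0/24", "dst": "0.0.0.0/0",      "proto": "udp", "dport": 123,  "action": "accept"},
    {"src": "192.168.10.0/24", "dst": "192.168.1.0/24", "proto": "any", "dport": None, "action": "accept"},
    {"src": "192.168.10.0/24", "dst": "0.0.0.0/0",      "proto": "any", "dport": None, "action": "drop"},
]


def world_reachable(src_cidr, max_prefix=24):
    """A source scope broader than /24 is treated as 'the internet'."""
    return ipaddress.ip_network(src_cidr).prefixlen < max_prefix


def internal(net):
    return any(net.subnet_of(p) for p in RFC1918)


def audit_forwards(forwards, dvr_hosts):
    """Findings for forwards that expose a DVR service to the world, or telnet at all."""
    findings = []
    for fw in forwards:
        if fw["dst"] not in dvr_hosts:
            continue
        svc = DVR_SERVICES.get(fw["dport"], f"port {fw['dport']}")
        if fw["dport"] == 23:
            findings.append(f"HIGH telnet forwarded to {fw['dst']} from {fw['src']}: remove it")
        elif world_reachable(fw["src"]):
            findings.append(
                f"HIGH {svc} ({fw['proto']}/{fw['dport']}) on {fw['dst']} reachable from "
                f"{fw['src']}: remove the forward, reach the DVR over VPN instead"
            )
    return findings


def audit_egress(rules, vlan, allowed=(("udp", 123),)):
    """Findings for camera-VLAN egress beyond NTP, and for a missing explicit drop-all."""
    findings = []
    saw_drop = False
    for r in rules:
        src = ipaddress.ip_network(r["src"])
        if not (src.subnet_of(vlan) or vlan.subnet_of(src)):
            continue
        dst = ipaddress.ip_network(r["dst"])
        if r["action"] == "drop" and dst == ANY:
            saw_drop = True
            break  # nothing below a drop-all is reachable
        if r["action"] == "accept" and not internal(dst) and (r["proto"], r["dport"]) not in allowed:
            findings.append(f"camera VLAN may reach {dst} on {r['proto']}/{r['dport']}: tighten to NTP only")
    if not saw_drop:
        findings.append("no explicit drop-all for the camera VLAN: add one rather than rely on the default policy")
    return findings


if __name__ == "__main__":
    for line in audit_forwards(PORT_FORWARDS, {"192.168.10.20"}):
        print(line)
    print("weak egress:", audit_egress(WEAK_EGRESS, CAMERA_VLAN))
    print("hardened egress:", audit_egress(HARDENED_EGRESS, CAMERA_VLAN))
```

The forward restricted to a single /32 passes the inbound check, which is the "preferably IPs" part of the policy; the two world-open forwards for 37777 and 80 are the problem the thread is describing. The weak egress set is flagged for the tcp/443 allow and the missing drop; the hardened set produces no findings.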
 
Best practice is not to use cameras that try to communicate with external servers, and it seems like a lot of the cheaper ones do. But yes, if they want to "phone home", block that (VLAN, separate LAN, firewall rules, etc.). I had to reject some otherwise nice PTZ cameras because of that.

BTW, this is another reason not to use Ring doorbells: they sent the video to external servers, which are then available to law enforcement organizations without notice or (usually) a warrant.
 