anyone ever see a strange login in your log file?

User avatar
LyndMc
Posts: 36
Joined: Mon Jan 20, 2020 1:12 am
Location: Pittsburgh, PA
Contact:

anyone ever see a strange login in your log file?

Post by LyndMc » Wed Jan 20, 2021 4:39 pm

Almost every day I see attempts to hit my server, Xfinity blocks them and I have Norton running in addition to the Xfinity protection. Almost every one is from out of the US, but there is an occasional US attempt. I only have one user configured in my BI5...me. The other day I looked at the login file and I see a user that I don't recognize. I deleted the user and permanently blocked it, should I be concerned? Does that mean that they successfully logged onto my cameras? I should have screen captured the name, it looked suspicious. I'll continue to monitor that file and see if anything pops up again.
HeneryH
Posts: 402
Joined: Thu Jul 18, 2019 2:50 pm

Re: anyone ever see a strange login in your log file?

Post by HeneryH » Wed Jan 20, 2021 8:00 pm

If someone actually created a user on your BI system that would be very very bad.

Alternatively, I see lots and lots of attempts to log in and it is unlcear from the log that the attempt actually failed and zero bytes transferred.
User avatar
LyndMc
Posts: 36
Joined: Mon Jan 20, 2020 1:12 am
Location: Pittsburgh, PA
Contact:

Re: anyone ever see a strange login in your log file?

Post by LyndMc » Wed Jan 20, 2021 8:18 pm

HeneryH, I’m not sure what to think about what I saw, I should have looked closer before I deleted and blocked it. It did however show up in the log file, I’m not sure if that’s confirmation that someone was actually in, or if that was just the user name that someone used as they tried to log in 🤷‍♂️. I do seem to recall that it said 0 bits in the log.

The 0 bit thing is one thing, but that makes me think that someone actually got through Xfinity and Norton in able to even get that far. Does that mean they could browse around on my network and other devices??? 😩
HeneryH
Posts: 402
Joined: Thu Jul 18, 2019 2:50 pm

Re: anyone ever see a strange login in your log file?

Post by HeneryH » Thu Jan 21, 2021 2:59 pm

Getting to the log-in screen and not being able to log in can be distressing but not really all that terrible. If you trust the log-in screen security.

After all, your Router and Norton have to let you in. If you want to block others you'll need to configure your router and Norton to somehow recognize you from the probing bad actors.

Some choose to require VPN to get in, others think that probing is not a catastrophe.

Your choice on how much hassle you want to deal with to prevent the probing.

I have clients who log in to see their assets so I don't want the extra hassle that a VPN would burden my clients with.
MikeBwca
Posts: 698
Joined: Thu Jun 20, 2019 5:39 am

Re: anyone ever see a strange login in your log file?

Post by MikeBwca » Fri Jan 22, 2021 4:10 am

LyndMc wrote: Wed Jan 20, 2021 4:39 pm ...Xfinity blocks them and I have Norton running in addition to the Xfinity protection. ...
What protection does Xfinity give you over Norton? Or, are you referring to the Xfinity modem/router?
User avatar
LyndMc
Posts: 36
Joined: Mon Jan 20, 2020 1:12 am
Location: Pittsburgh, PA
Contact:

Re: anyone ever see a strange login in your log file?

Post by LyndMc » Fri Jan 22, 2021 4:19 am

I have an Xfinity router that has some sort of protection. I get notifications that it blocked outside attempts and it gives me info on the IP address where it originated. I’ll try and screen capture the next warning that I get. It happens almost every day.
MikeBwca
Posts: 698
Joined: Thu Jun 20, 2019 5:39 am

Re: anyone ever see a strange login in your log file?

Post by MikeBwca » Fri Jan 22, 2021 5:26 am

When I first enabled the BI Webserver, I was getting anywhere between a few and 50 login attempts to the Webserver - all failed.

BI Status/Connections will list the attempts and successful logins.

You can check the BI log - I would suggest making a copy of it. Otherwise you will get notified when it changes and ask if you want to update.

Use whatever pgm (I use Notepad++) to 'find all' on the following...
: Connected
: Login
: Logout
: AuthFailed

They will list the IP address and the UserID used to make the attempt.
The 'Connected' log entry is when a login attempt was made (I think).
The main one is 'Login'.
You'll typically see, Connected, Login, Logout with the duration.
atreyu
Posts: 24
Joined: Fri Nov 27, 2020 7:22 pm

Re: anyone ever see a strange login in your log file?

Post by atreyu » Sat Jan 23, 2021 12:21 pm

Many things to consider here. First, I would be wary of exposing your computers behind your router to the internet unless you have a decent awareness of network security. Are you port forwarding to your BI computer or is it “on the internet” through its ipv6 address? I would suggest restricting the firewall rules passing through your router to the bare minimum required.

General wisdom is to not expose your home services to the internet unless you truly need remote access. If you do, doing a VPN into your home network then accessing it “internally” is preferred. Easier to lock down that well used and studied VPN service than BI and your desktop Windows computer. A little clunky as you have to turn it on when out-and-about. One counter argument could be that opens a door to full access to your network if VPN is ever compromised. But again, a compromised BI computer could lead to the same situation.

Last, if you do want to expose it to the internet, use a random port. It’s security through obscurity (i.e. not great), but it may reduce some of the attempts.
User avatar
TimG
Posts: 836
Joined: Tue Jun 18, 2019 10:45 am
Location: Nottinghamshire, UK.

Re: anyone ever see a strange login in your log file?

Post by TimG » Sun Jan 24, 2021 9:36 am

If you do, doing a VPN into your home network then accessing it “internally” is preferred.
I used to see a lot of attempts every day to log in to my BI system. I now run OpenVPN on my router, and closed the ports. Problem gone.
Blue Iris v5.3.9.9 x64 | Win10 x64 version 20H2 | Dahua IPC-HDW5231R-ZE, Foscam R2, Ertech 4MP, Neos2, 2 analogue cameras on Euresys Picolo Pro 2 | Intel i5-3330 CPU, 16GB Ram, Multiple SSD and HD | TVMosaic.
HeneryH
Posts: 402
Joined: Thu Jul 18, 2019 2:50 pm

Re: anyone ever see a strange login in your log file?

Post by HeneryH » Sun Jan 24, 2021 4:50 pm

There are varying degrees of protection on a scale from "opening just the html port to the BI server" to a "full VPN."

It is just a matter of your comfort/nervous as to where you fall in that range. And there are things you can do in each solution to make it a little more secure.

I run BI on a machine behind a NGINX reverse proxy and have that reverse proxy to accept 80 and 443 (80 gets routed to 443), https encrypt and connect to the BI machine.

Since my BI machine is pretty up to date with security I am comfortable exposing the web port.

Others may not be.
Post Reply