Wondering if anyone can advise me please?
Looking at BI5 "Status messages" today I see a dozen of so "strange" IP addresses with Server" and "Connected". Do I assume that these are from hackers of one kind or another? Some addresses are 2.42.36.113; 172.104.67.101 as examples.
Under "Status Connections" I see a couple of IP addresses which, as I did not recognise them, I have permanently blocked.
Does everyone suffer like this or am I being singled out?
TIA.
Random IP addresses
Random IP addresses
BI v 5.3.x.0 x64 as a service on Windows 10 Pro 1909 - i7-8700 @ 3.20GHz with 32Gb RAM
Mix of 8 IP POE cameras
Mix of 8 IP POE cameras
Re: Random IP addresses
Do you have a port open through your firewall for remote access? If so you may want to consider deleting that exception and setting up a VPN server on your firewall to connect to first for remote access.
Re: Random IP addresses
Very interested in your network setup allowing that to happen. Can you share your BI Web Server settings (including the Advanced tab) ** OF COURSE OMIT YOUR IP ADDRESS(ES) **
Then also, do you have port forwarding set up on your router? How did you get your BI Web server to be accessible?
Then also, do you have port forwarding set up on your router? How did you get your BI Web server to be accessible?
Blue Iris 5.8.9.x | Server 2022 VM | Xeon E5-2660 v3 @ 2.60GHz - 16 Cores | 24GB RAM | 8TB RAID | Sophos UTM WAF | Mostly various SV3C Cameras
Re: Random IP addresses
terk, Matts1984,
Many thanks for comments. I do have port forwarding set up for BI and, as of yet, no VPN. I hope that my web server and advanced screenshots will be attached. I use a static IP address from my ISP.
Hope this makes sense.
Thanks for any help.
Many thanks for comments. I do have port forwarding set up for BI and, as of yet, no VPN. I hope that my web server and advanced screenshots will be attached. I use a static IP address from my ISP.
Hope this makes sense.
Thanks for any help.
- Attachments
-
- 200530_Web_Server.jpg (99.83 KiB) Viewed 10531 times
-
- 200430_Advanced_Web_Server.jpg (101.45 KiB) Viewed 10531 times
BI v 5.3.x.0 x64 as a service on Windows 10 Pro 1909 - i7-8700 @ 3.20GHz with 32Gb RAM
Mix of 8 IP POE cameras
Mix of 8 IP POE cameras
Re: Random IP addresses
Dewcal,
So the bottom line is yes, the IPs you're seeing are other addresses on the internet hitting your system. For anything publicly reachable, this is no surprise. Your external address is scanned regularly (by "good" and bad guys). So then the step forward is how to limit/protect from that since you obviously want to reach your server when you're not at local to it. There are a couple paths forward and all depend on how complicated you want to make it!
Option #1
You can leave the port forwarding as is on your router and tweak some settings to help (not eliminate) noise and unwanted traffic. Since you won't be coming from a known static address, you cannot simply create a firewall rule or the BI "Limit IP Addresses" since you don't know what those will be. Your WAN connections are not using STunnel which would give you a better level of encryption - that decryption on your server however will cost you CPU cycles (not sure to what extent) but this could also result in a reduction of some of the basic scripted scans hitting you. The "auto-ban IPs after..." it's your call but I bet you could lower that if you don't fat finger your password. Maybe cut it down to 3? You have it set to never release (I'm assuming thats what happens with that box unchecked) which if you've been operating with that, I wouldn't change. X-Forwarded-For doesn't really help with security but could help with logging, probably no gain here. I'd recommend enabling Strict-Transport-Security headers, not required but it's the current web standard. Limit Logins is set to 99. Do you ever envision that many connections being required? I have mine set to 10 (it's really only ever me and my wife) and in reviewing it, I'll probably drop to 5. It's easy enough since it's working now to make little changes and test them as you go to ensure you don't break your access. Another idea is to change the port number you use on your router to forward the traffic. "Security through obscurity" is bad practice generally but we're not talking a big mission critical enterprise. The reality is that hiding this on a less used port will lower the likelihood that the internet will hit you day and night.
Option #2
Configure a VPN solution. There are plenty of posts on here and I know many members do this. I do not and have not personally gone through this so I don't have a ton to offer.
Option #3
I'm assuming you're using a consumer grade (or ISP provided) all in one modem/router/access point thingamajig. You may be limited to it's functionality however it is clear it at least allows for port forwarding and maybe it allows for further control? I personally do not use my ISPs (Comcast/Xfinity) device at all, largely because - I've seen historical performance issues with them, I don't fully trust them (out of the box Xfinity offers their own SSID that any customer can join using your router as a hotspot - they claim this will not affect your performance), and biggest of all I do not want to pay their monthly rental rate which over time really adds up. Instead I use a freely licensed firewall product I manage on my own. This isn't a forum for that vendor so I don't want to turn it into a sales pitch BUT the product allows me to create a Web Application Firewall, forward the traffic, does SSL termination with a trusted certificate, etc and I can enforce tighter restrictions. This is potentially the most involved but I'm pretty happy with it. I've never seen an IP I didn't want connecting to my server (firewall also does Geoblocking which isn't a perfect concept but it helps) and I'm still easily able to use my BI app on my phone or access from a web browser - assuming I don't go to China or North Korea
Option #4
I'm sure there are other options but I think these first 3 are the most likely path. Just didn't want to say it's my way or the highway!
So the bottom line is yes, the IPs you're seeing are other addresses on the internet hitting your system. For anything publicly reachable, this is no surprise. Your external address is scanned regularly (by "good" and bad guys). So then the step forward is how to limit/protect from that since you obviously want to reach your server when you're not at local to it. There are a couple paths forward and all depend on how complicated you want to make it!
Option #1
You can leave the port forwarding as is on your router and tweak some settings to help (not eliminate) noise and unwanted traffic. Since you won't be coming from a known static address, you cannot simply create a firewall rule or the BI "Limit IP Addresses" since you don't know what those will be. Your WAN connections are not using STunnel which would give you a better level of encryption - that decryption on your server however will cost you CPU cycles (not sure to what extent) but this could also result in a reduction of some of the basic scripted scans hitting you. The "auto-ban IPs after..." it's your call but I bet you could lower that if you don't fat finger your password. Maybe cut it down to 3? You have it set to never release (I'm assuming thats what happens with that box unchecked) which if you've been operating with that, I wouldn't change. X-Forwarded-For doesn't really help with security but could help with logging, probably no gain here. I'd recommend enabling Strict-Transport-Security headers, not required but it's the current web standard. Limit Logins is set to 99. Do you ever envision that many connections being required? I have mine set to 10 (it's really only ever me and my wife) and in reviewing it, I'll probably drop to 5. It's easy enough since it's working now to make little changes and test them as you go to ensure you don't break your access. Another idea is to change the port number you use on your router to forward the traffic. "Security through obscurity" is bad practice generally but we're not talking a big mission critical enterprise. The reality is that hiding this on a less used port will lower the likelihood that the internet will hit you day and night.
Option #2
Configure a VPN solution. There are plenty of posts on here and I know many members do this. I do not and have not personally gone through this so I don't have a ton to offer.
Option #3
I'm assuming you're using a consumer grade (or ISP provided) all in one modem/router/access point thingamajig. You may be limited to it's functionality however it is clear it at least allows for port forwarding and maybe it allows for further control? I personally do not use my ISPs (Comcast/Xfinity) device at all, largely because - I've seen historical performance issues with them, I don't fully trust them (out of the box Xfinity offers their own SSID that any customer can join using your router as a hotspot - they claim this will not affect your performance), and biggest of all I do not want to pay their monthly rental rate which over time really adds up. Instead I use a freely licensed firewall product I manage on my own. This isn't a forum for that vendor so I don't want to turn it into a sales pitch BUT the product allows me to create a Web Application Firewall, forward the traffic, does SSL termination with a trusted certificate, etc and I can enforce tighter restrictions. This is potentially the most involved but I'm pretty happy with it. I've never seen an IP I didn't want connecting to my server (firewall also does Geoblocking which isn't a perfect concept but it helps) and I'm still easily able to use my BI app on my phone or access from a web browser - assuming I don't go to China or North Korea
Option #4
I'm sure there are other options but I think these first 3 are the most likely path. Just didn't want to say it's my way or the highway!
Blue Iris 5.8.9.x | Server 2022 VM | Xeon E5-2660 v3 @ 2.60GHz - 16 Cores | 24GB RAM | 8TB RAID | Sophos UTM WAF | Mostly various SV3C Cameras
Re: Random IP addresses
Matts,
Many thanks for comprehensive reply. I will start with option 1 and reduce figures as suggested. While my home has a fixed IP address, I never know where I will be checking in from...
I actually use a Draytek router which is way too clever for me..... I have to approach it in bite size chunks but (so far) has not let me down.....
So will try #1 and see where I go from there - again many thanks for the education.
Many thanks for comprehensive reply. I will start with option 1 and reduce figures as suggested. While my home has a fixed IP address, I never know where I will be checking in from...
I actually use a Draytek router which is way too clever for me..... I have to approach it in bite size chunks but (so far) has not let me down.....
So will try #1 and see where I go from there - again many thanks for the education.
BI v 5.3.x.0 x64 as a service on Windows 10 Pro 1909 - i7-8700 @ 3.20GHz with 32Gb RAM
Mix of 8 IP POE cameras
Mix of 8 IP POE cameras
Re: Random IP addresses
Random IP's: This is why I closed the port, and set up OpenVPN. I must say that it's relatively easy if you have an Asus router running Merlin firmware, but otherwise is very complicated. It made it easier for me that i had previously tried and failed to run OpenVPN on my server, so when it came to running it on the router it seemed easy 
Forum Moderator.
Problem ? Ask and we will try to assist, but please check the Help file.
Problem ? Ask and we will try to assist, but please check the Help file.
Re: Random IP addresses
To see all connection attempts, search the BI logs for ': Connected'.
To make sure there have no successful logins, search the BI logs for ': Login'.
The #1 option has two parts... Using the 'Limit IP Addresses' and using firewall rules. Which are you going to use?
What firewall do you use?
I had the same issue way back. I'd get several connection attempt (none successful) a day. Some days there would be up to arounf 30-50! I would ban then, or leave them banned. I tried added 'Limit' rules in the webserver. For example banning all 3. ip address.
I think the simplest way to use 'Limit IP addresses' is by adding your internal network ip address '+192.168.1.*, ' sd the first rule. All other ip address are denied by default (page 144 of the BI help). You would have to also add your cell phone ip address/range, and any other remote site you may use. This would also deny all those connection attempts without needing to ban them.
What I ended up doing, is to add rules to my Norton firewall to only allow specific ip addresses/range. This includes IP's of local network, BI update server, SMTP servers that I use in BI, my mobile phone, IP's used for mobile push, Smart Home Sentry, and, globalsign. I broke them up into 8 separate rules to make it easier to manage & test * implement.
When I did this, connection attempts stopped to the BI Webserver.
I also write a simple bat file to search the BI logs for various categories, including connection attempts, and, successful connections.
To make sure there have no successful logins, search the BI logs for ': Login'.
The #1 option has two parts... Using the 'Limit IP Addresses' and using firewall rules. Which are you going to use?
What firewall do you use?
I had the same issue way back. I'd get several connection attempt (none successful) a day. Some days there would be up to arounf 30-50! I would ban then, or leave them banned. I tried added 'Limit' rules in the webserver. For example banning all 3. ip address.
I think the simplest way to use 'Limit IP addresses' is by adding your internal network ip address '+192.168.1.*, ' sd the first rule. All other ip address are denied by default (page 144 of the BI help). You would have to also add your cell phone ip address/range, and any other remote site you may use. This would also deny all those connection attempts without needing to ban them.
What I ended up doing, is to add rules to my Norton firewall to only allow specific ip addresses/range. This includes IP's of local network, BI update server, SMTP servers that I use in BI, my mobile phone, IP's used for mobile push, Smart Home Sentry, and, globalsign. I broke them up into 8 separate rules to make it easier to manage & test * implement.
When I did this, connection attempts stopped to the BI Webserver.
I also write a simple bat file to search the BI logs for various categories, including connection attempts, and, successful connections.
-
Thixotropic
- Posts: 744
- Joined: Wed Sep 04, 2019 7:20 pm
- Location: Low-Earth Orbit
Re: Random IP addresses
Would you be willing to share that BAT file?
Blue Iris 5.x x64 | Windows 10 Pro x64 | 16GB RAM | i7-7700 3.6 GHz | 1TB HDD | 2TB RAID NAS | 9 Cameras | Almost Dual NIC | 2KVA UPS