01304 827609 info@use-ip.co.uk Find us

Illegal Login alerts from my Hikvision NVR?

newbie2468

Active Member
Messages
44
Points
8
Today I received an alert from my NVR to say that I had an illegal login, I ran a search through the NVR software from 2018 to todays date and the only illegal login luckily was today showing their I.P. address as 83.229.83.81 I searched for this online and it gave me the details of a company named OMC computers and communication otherwise know as Kamatera based in the Netherlands.
Could someone explain what this means and what do I need to change as regards my settings?
Today I have upgraded the NVR firmware to the latest release.

Many thanks
 
It's likely hacker bots randomly probing IP addresses on the internet. I used to get a lot of those until I changed my default ports.
 
Hi @newbie2468

Step 1 onwards in this guide explains how :)
Are they using my ‘admin’ password to gain access?
 
Are they using my ‘admin’ password to gain access?
An "Illegal Login" error is an "Attempted" login. So someone is trying a username (almost certainly "admin") and various passwords. If you have a strong password you should be o.k. assuming there are no HikVision vulnerabilities now or in future...

But to cut down on the number of hacker attempts at the very least you should change default ports. But only way to stop altogether is to ensure your device is not accessible to anyone in the world on the internet.
 
An "Illegal Login" error is an "Attempted" login. So someone is trying a username (almost certainly "admin") and various passwords. If you have a strong password you should be o.k. assuming there are no HikVision vulnerabilities now or in future...

But to cut down on the number of hacker attempts at the very least you should change default ports. But only way to stop altogether is to ensure your device is not accessible to anyone in the world on the internet.
Should i be changing my 'server' or 'HTTP' port?
 
Should i be changing my 'server' or 'HTTP' port?
.....also that's interesting that it's an 'attempted' but failed login, what is it that triggers the alert, a different I.P. address, too many failed attempts to login or something?
 
I suspect the NVR will log the alert for every attempted login with an invalid password. If you yourself type the wrong password I think it will log the alert. You can try it and see.

But what is your use-case? Do you really need these ports open to the world for your own use? Do you access your server and/or web interfaces from all sorts of remote locations or via your mobile phone when out and about? Or do you only access from a single remote location?

You should block any ports you don't need (generally a router will block all ports so if some are open to the world then usually that means someone has specifically opened/forwarded ports on the router). You should block any ports you don't need.

And if you do have ports open then all those should be changed from the default. You might be able to achieve this on your router and leave the HikVision config alone if your router can do port forwarding (NAT).

Changing ports does not really improve security and will not stop others on the internet accessing your equipment if they try port scanning etc. But it probably will cut down on the number of attempted logins.
 
I suspect the NVR will log the alert for every attempted login with an invalid password. If you yourself type the wrong password I think it will log the alert. You can try it and see.

But what is your use-case? Do you really need these ports open to the world for your own use? Do you access your server and/or web interfaces from all sorts of remote locations or via your mobile phone when out and about? Or do you only access from a single remote location?

You should block any ports you don't need (generally a router will block all ports so if some are open to the world then usually that means someone has specifically opened/forwarded ports on the router). You should block any ports you don't need.

And if you do have ports open then all those should be changed from the default. You might be able to achieve this on your router and leave the HikVision config alone if your router can do port forwarding (NAT).

Changing ports does not really improve security and will not stop others on the internet accessing your equipment if they try port scanning etc. But it probably will cut down on the number of attempted logins.
Hi, yes i ran a search today from the NVR log and it shows about six attempts to log in from one IP address all at the same time with just a few seconds gap between them and then a similar attempt from a different IP address.
I like to view the cameras on my mobile and occasionally replay footage whilst away on the mobile too, that's about all.
I've checked my ports on the router and only one open is the one i created for the CCTV and the port firewall is set to default: ' Allow all outgoing connections and block all unsolicited incoming traffic. Games and application sharing is allowed.'
My password is very strong, will this alone stop anyone from accessing my NVR and cameras or can they gain access some other way?
 
I've known illegal login attempts fill the system logs, over 2000 attempts, in a few hours. Every incorrect username/password attempt will log an entry. The attempts tend to stop when you change the default ports (80, 8000, 554) to something different. Only forward ports in the router that you need to for access - that's the server port and RTSP port. The http port is only needed for browser access. I forward mine for my convenience to access settings.

A strong password may prevent someone from successfully logging in to your NVR but nothing can prevent someone from attempting to hammer it with user and password combinations if they see open ports. The only way to stop that is to use a VPN whereby your mobile device will connect to your router via an encrypted tunnelled connection and effectively be part of your local network even when you're away from home. However although you would be able to connect to your system using its local IP address that way, it couldn't connect to the Hik-Connect service. Without using the service you cannot receive push notifications if you want them.

You have to balance perceived security versus convenience. Just never leave the ports at their default.
 
I've known illegal login attempts fill the system logs, over 2000 attempts, in a few hours. Every incorrect username/password attempt will log an entry. The attempts tend to stop when you change the default ports (80, 8000, 554) to something different. Only forward ports in the router that you need to for access - that's the server port and RTSP port. The http port is only needed for browser access. I forward mine for my convenience to access settings.

A strong password may prevent someone from successfully logging in to your NVR but nothing can prevent someone from attempting to hammer it with user and password combinations if they see open ports. The only way to stop that is to use a VPN whereby your mobile device will connect to your router via an encrypted tunnelled connection and effectively be part of your local network even when you're away from home. However although you would be able to connect to your system using its local IP address that way, it couldn't connect to the Hik-Connect service. Without using the service you cannot receive push notifications if you want them.

You have to balance perceived security versus convenience. Just never leave the ports at their default.
Is the user name ‘admin’ a default, can this be changed and if so this should make signing in harder??
 
Is the user name ‘admin’ a default, can this be changed and if so this should make signing in harder??
HikVision don't allow you to disable the admin user! I have said here before here it's a terrible security choice by them. And to top it off the password length limit is only 16 characters!

The best you can do is set all user passwords to the most complicated/obscure password possible within the (frankly poor) password length limit.
 
I've known illegal login attempts fill the system logs, over 2000 attempts, in a few hours. Every incorrect username/password attempt will log an entry. The attempts tend to stop when you change the default ports (80, 8000, 554) to something different. Only forward ports in the router that you need to for access - that's the server port and RTSP port. The http port is only needed for browser access. I forward mine for my convenience to access settings.

A strong password may prevent someone from successfully logging in to your NVR but nothing can prevent someone from attempting to hammer it with user and password combinations if they see open ports. The only way to stop that is to use a VPN whereby your mobile device will connect to your router via an encrypted tunnelled connection and effectively be part of your local network even when you're away from home. However although you would be able to connect to your system using its local IP address that way, it couldn't connect to the Hik-Connect service. Without using the service you cannot receive push notifications if you want them.

You have to balance perceived security versus convenience. Just never leave the ports at their default.
Can you choose ‘any’ number for a port or can you only select from a series of numbers?
 
Can you choose ‘any’ number for a port or can you only select from a series of numbers?
I think ports go from 1 to 65535

Some are common to certain things, others are just used by whoever for whatever. As long as it does not clash with other network traffic on your network you could probably use whatever port. I usually use something quite high in the registered port range.

See: List of TCP and UDP port numbers - Wikipedia
 
I think ports go from 1 to 65535

Some are common to certain things, others are just used by whoever for whatever. As long as it does not clash with other network traffic on your network you could probably use whatever port. I usually use something quite high in the registered port range.

See: List of TCP and UDP port numbers - Wikipedia
I had a go at changing the port which was successful however my browser wasn’t finding the Hikvision log in page when I typed in my IP address in the browser.
 
I had a go at changing the port which was successful however my browser wasn’t finding the Hikvision log in page when I typed in my IP address in the browser.
For example, if you changed your http port from 80 to 50000 and your ip address was 192.168.0.1 you would need to use an address and specify port number in this format:

 
Thank you to everyone who took the trouble to respond to my problem here, it is very much appreciated.
I have successfully changed my settings and all appears to be in order. I'm sure your help will give my system a lot more protection from the illegal hackers now.
 
Back
Top