Steps for good internet-exposed security on Hikvision DS-7300 series DVR

[AveryFreeman]

Hello,

I am trying to keep a new DVR we just purchased from having the admin account locked out basically as soon as we put it online

Our issue:

We have several people who view our CCTV system remotely. We put the standard ports, e.g. 80, 443, 554, 8000 and 10554 on the net with access from any IP (our firewall can only limit access to either 1 IP or all IPs)

Our current DVR has already had the admin account locked out due to people trying to hack the system. AFAIK they have not been able to get in, but due to failed password attempts the admin lockout has prevented us from doing any further modifications of the network settings, etc. without physically being at the computer, presenting a major inconvenience and stifling a lot of our plans

Consideration:

People currently using the system are in some cases elderly, unappreciative of change and in some cases not technically inclined. Changing from default ports, etc. will require meeting with each person to give them proper new settings

We were planning on getting a new DVR anyway, and now it just arrived, but I wanted to go through a checklist to see in which ways we can keep this problem from happening in the future.

Here are some of the ideas I have so far:

At the gateway/firewall level:

1) set up syslog server to record log of IPs accessing network on CCTV-access ports, geo-locate IPs and block if suspicious
2) Change DDNS name - hackers already know our current name and can do a port scan to find new open ports

On DVR:

1) Change admin name - if hacker doesn't know to enter 'admin' for username, makes one point harder (is this even possible?)
2) Add a second (or third) admin account in case of primary admin lockout
3) Change all standard ports to be above 10000 - just make them random strings of numbers between 10001 and 65535

What do people think of these ideas, and are there any obvious steps I am overlooking?

 

[philipellis]

Hi

First thing to say is that I'm a CCTV newbie (and will be asking for advice myself on this forum) but I do know a bit about networks.

My responses to your first two question are:
1) Discovering and blocking "problem" IP addresses is going to be a never ending task. It seems to me that by the time you find out that an IP is attacking you, your admin account will already be locked and you'll still have to go through the pain of unlocking it. I guess you could "pre-authorise" a range of address that included the UK only. That would limit your exposure but wouldn't be a guarantee.
2) I'd be pretty sure that your hackers are just running through ranges of IP addresses rather than DDNS names. Changing the DDNS name wouldn't help in this scenario.

Your further questions:
1) This would seem sensible, if it's possible.
2) This would also seem sensible.
3) This might help but pointing a browser at a non-standard port might confuse your non-tech savvy users.

None of this seems particularly helpful, I'm afraid, but I thought you might benefit from the opinion nonetheless.

 

[Digilec]

Avoid opening ports. what about a VPN?

If you changed admin name, multiple failed logins with the wrong username would surely still lock out the account?

 

[AveryFreeman]

Hi

First thing to say is that I'm a CCTV newbie (and will be asking for advice myself on this forum) but I do know a bit about networks.

My responses to your first two question are:
1) Discovering and blocking "problem" IP addresses is going to be a never ending task. It seems to me that by the time you find out that an IP is attacking you, your admin account will already be locked and you'll still have to go through the pain of unlocking it. I guess you could "pre-authorise" a range of address that included the UK only. That would limit your exposure but wouldn't be a guarantee.
2) I'd be pretty sure that your hackers are just running through ranges of IP addresses rather than DDNS names. Changing the DDNS name wouldn't help in this scenario.

Your further questions:
1) This would seem sensible, if it's possible.
2) This would also seem sensible.
3) This might help but pointing a browser at a non-standard port might confuse your non-tech savvy users.

None of this seems particularly helpful, I'm afraid, but I thought you might benefit from the opinion nonetheless.

Re: What I did when configuring the new DVR,

Yes, you're right - changing the DDNS name did not appear to help - I still get hack attempt emails all the time.

Range of ports isolated to a particular locality does not seem possible on our model DVR, it only has user+MAC address isolation AFAIK. Range of allowable IPs not possible using our firewall, unfortunately.

I changed the 'server' port from 8000 to a random 5-number choice which I thought made some improvement, when I changed it back to 8000 is when I started noticing hack attempt emails from the DVR - although, I should note that I fixed the email notification configuration at the same time I changed the port back to 8000, so the random-number port may have created no improvement at all.

The good thing about changing the 'server' port is it didn't appear to have an effect on our elderly people's existing configurations

I changed the HTTP/S ports which has appeared to have mostly circumvented the 'admin lockout issue', since attempted hackers can no longer access the the DVR's web portal through standard ports 80 and 443.

This was not an issue for our users since they were all using either the iPhone or Windows 10 app, which don't appear to need the HTTP/S ports. In any event, I think they are savvy enough to understand putting a colon and a number at the end of a URL.

Note: About admin lockout, it is *exceedingly easy* on my model DVR to cure this using the hikvision device SDK (We're using the turbo 1.0 DS-7332HGHI). We used the 64-bit Windows version on our old DVR once we upgraded and it worked like a charm: SDK - Download - Hikvision

I can't even remember exactly what I did, I just fumbled through the menus and presto - could log in as admin again.

Thanks for the response, it's always helpful to have more ideas and experiences floating out there to hopefully help us and others who might be experiencing similar issues Yay, noosphere...

 

[AveryFreeman]

Avoid opening ports. what about a VPN?

If you changed admin name, multiple failed logins with the wrong username would surely still lock out the account?

Welp, can't change the admin name so scratch that off the list

Can isolate it to a MAC address - the restaurant owner just decided nix the idea of remote administration and limit it only to viewing, so it became a non-issue in our scenario.

A VPN would be ideal except for two things:

1) No real interest in investing in a system that can handle that kind of encoding+throughput (we're talking 32x1080p cameras for up to 6-7 users at a time) when the worst we have are annoying emails (and I'm the only person who bares the brunt of those)

I suppose we could throw a moderately-equipped desktop with pfSense at the problem but it'd create another box to wrangle

2) Another thing we'd have to configure at the client side, which would involve a considerable drive to some places, upwards of 2-3 hours, and then committing to driving back in the event of a mis-configuration or other issue.

They understand how the DVR works - to an extent - a VPN I think is way above their heads.

But it's an interesting idea, and I think barring the obvious pitfalls, a preferable solution overall if I can make it uber-easy to adopt and get change-resistant people to buy-in. I might explore it further down the line and present it after extensive personal testing.