
Illegal Login causing to stop recording

AlexOlesh

Hello all,

I have a very weird situation.
NVR: DS-7604NI-K1(B), latest firmware v4.30
Connected to a TP Link router via Ethernet cable. ISP gives a dynamic IP address. Hik-Connect activated, however, the app is disabled.

The problem happens every time after somebody tries to make a remote login using the admin username. Immediately after that the following starts happening:
  • the continuous recording stops
  • the cameras, connected to the NVR, continue to register the motion detection alarms, that are visible in Logs
  • the NVR becomes unavailable via iVMS-4500 on my Android phone
  • The whole setup gets back to life only after button restart on the NVR.
The IP 35.208.251.78 has an nginx server running on Ubuntu and there is some welcoming text in Polish available via the link http://35.208.251.78/:
CO CIE BOLI, ZE RYCHU PEJA MA SZANSE UCZCIWIE ZAROBIC?
(translation to English: WHAT DOES IT HURT YOU THAT SOON PEJA HAS A CHANCE TO EARN HIS FAIR SHARE?)
The IP addr resolves to some googleusercontent.com host

Host Name for 35.208.251.78
Host Name: 78.251.208.35.bc.googleusercontent.com



Any idea how I can block such illegal login attempts? Does it help to change the default ports on the NVR? If so, then which ones? Any other ideas on how to block 'em from accessing my NVR? Could I block some specific ports in the TP Link router firewall? It is getting really annoying that some mom's hacker is just scanning the network for NVRs to attempt to access. Any other ideas on securing the network are very warmly welcomed.

Thanks!
Alex
 
Start by changing the default ports (8000 server, 80 http & 554 rtsp) to something different. You'll likely never see another illegal login attempt again.
 
Thanks! I will look to change them. I also may notice that this behavior has started happening only after upgrading the NVR to v4.3.005 version.
I will change the ports, block the IP of the external users via my router settings as well, and well, downgrade to v3.4.112.

If anyone will be interested in the outcomes, leave a reply here, I will update you on the progress after those actions.
 
Hi,

I am also getting a lot of illegal login attempts (100+ yesterday).

What ports should I change, and to what value?
Is there any impact that will make to me logging on etc?
 
In the NVR there are three ports to change - http, server and RTSP. You should change them in the Network Settings of the NVR (not the port mapping table). As long as they are above 2000 (minimum required for server port) and they don't clash with any other ports in use it's not too important.
  • Well-known ports range from 0 through 1023.
  • Registered ports are 1024 to 49151.
  • Dynamic ports (also called private ports) are 49152 to 65535.
I tend to use three consecutive ports from the dynamic range. For instance 50000 http, 50001 server, 50002 RTSP.

How it affects logging in:

- If you're connecting to the NVR using a web browser you'll need to append the IP address with colon, port number (http://192.168.0.100:50000 for example).

- If you've previously port forwarded the standard ports (80, 8000, 554) in your router, you would need to update the port forward rule to reflect the new port numbers in use. You can ignore that however if the NVR is set up to map the port numbers automatically with UPnP.

- If you use iVMS-4500 or Hik Connect to connect DIRECTLY (i.e. NOT using Hik Connect account) to the NVR, you would need to update the server port number in the app device page.
 
Thank you - that is most helpful, I will give it a go - before I do, I've a further question.

Is there a way to tell if the Illegal attempt is from the Hik Connect software - I suspect that it is as otherwise someone would need to be on my LAN? I don't have a static public IP so I guess that it would be unlikely coming at my IP and then attacking the NVR?

Is that logic correct?

And assuming that my logic is correct, will changing the ports make it harder for an attacker to have a go? (as they don't know what port to try?)
 
It's unlikely to be via Hik Connect as the NVR's connection is routed via the Hik Connect server. More likely your IP address has been port scanned for those commonly used ports and an attempt has been made to access it on port 80 or 8000. It doesn't matter whether your public facing IP is static or dynamic - if it is a routable IP address, accessible from the internet and a port is open, someone can attempt to connect. You can test this for yourself using Open Port Check Tool - Test Port Forwarding on Your Router.

When I used to use the standard ports, I saw thousands of illegal login attempts. At the time I could see the username and password combination that was attempted.

Changing the default ports just makes it less likely that those unknown ports are scanned and then attacked if seen to be open. The only illegal login attempts I see these days are due to my ham-fisted use of that annoyingly sensitive on-screen keyboard!
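
Added example, not part of the original posts and not a Hikvision tool: a Python check of a proposed port plan against the rules given in the thread (not a default port, not below 2000, no clashes), plus a TCP connect test to run against your own NVR to confirm the old defaults no longer answer. The function names and the `in_use` parameter are assumptions made for this example.

```python
import socket

# Default NVR ports as listed in the thread.
DEFAULT_PORTS = {"http": 80, "server": 8000, "rtsp": 554}
MIN_PORT = 2000  # thread: minimum required for the server port


def check_port_plan(plan, in_use=()):
    """Return a list of problems with a proposed {service: port} plan."""
    problems = []
    chosen = {}  # port -> first service that claimed it
    for service in DEFAULT_PORTS:
        port = plan.get(service)
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"{service}: {port!r} is not a valid TCP port")
            continue
        if port in DEFAULT_PORTS.values():
            problems.append(f"{service}: {port} is still a default port")
        elif port < MIN_PORT:
            problems.append(f"{service}: {port} is below {MIN_PORT}")
        if port in chosen:
            problems.append(f"{service}: {port} clashes with {chosen[port]}")
        elif port in in_use:
            problems.append(f"{service}: {port} is already used on this network")
        chosen.setdefault(port, service)
    return problems


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def still_listening(host, ports, timeout=2.0):
    """Return the ports from `ports` that accept TCP connections on host."""
    return [p for p in ports if tcp_open(host, p, timeout)]


if __name__ == "__main__":
    plan = {"http": 50000, "server": 50001, "rtsp": 50002}  # example from the thread
    print(check_port_plan(plan) or "port plan OK")
    nvr = "192.168.0.100"  # LAN address used as the example in the thread
    print("defaults still open:", still_listening(nvr, DEFAULT_PORTS.values()))
```

Run from inside the LAN, this shows which ports the NVR itself is listening on; to see what the router actually exposes, run `still_listening` against your public IP from outside the network (mobile data, for instance).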
 