Blue Iris

I haven't seen any login attempts since I turned the web server off.

No need to run it since we're all basically just sitting at home 95% of the time. No need to login from the kitchen.

What if you hear a 'bump in the night'? Nice to be able to use your phone to see what's going on, instead of getting out from under the covers.

I guess the real question is why would you put the BI server on the internet? Many years ago I put a very secure Linux box on my DMZ and within a few days someone broke into it and changed the root password. After that I realized its practically impossible to lock anything down that is internet facing. I lock down most machines on the internal network too. Its a bit of a hassle, but probably worth the effort. -Bill

bigbillsd wrote: ↑Sat Feb 27, 2021 12:39 am Many years ago I put a very secure Linux box on my DMZ and within a few days someone broke into it and changed the root password.

This can't be true or the entire internet would be hacked all of the time.

To you question as to why anyone would do that?

There is one very good reason. Allowing access to the video without requiring the user to VPN into the network.

HeneryH wrote: ↑Sat Feb 27, 2021 3:27 pm This can't be true or the entire internet would be hacked all of the time.

We wish, for the last 10 years of my IT career I managed/supported eCommerce systems for a large multinational with all their north and south American businesses. We got hacked almost daily. It was so bad we had to implement the ASM module on our bigips. That was a nightmare to maintain as we had hundreds of internet facing apps, ASM is basically a layer 7 firewall that you sniff all the incoming traffic and all the outgoing traffic allow good traffic in and keep the bad traffic from passing either way. If someone wants into your systems there is NO way you can keep them out. Firewalls are pretty good, but not even close to perfect. -Bill

If you got hacked daily then you suck. Sorry for being blunt.

Having server on a DMZ would be like tying your front door key on a string to the handle of the outside door lock (IMO).

atreyu wrote: ↑Sat Jan 23, 2021 12:21 pm Many things to consider here. First, I would be wary of exposing your computers behind your router to the internet unless you have a decent awareness of network security. Are you port forwarding to your BI computer or is it “on the internet” through its ipv6 address? I would suggest restricting the firewall rules passing through your router to the bare minimum required.

General wisdom is to not expose your home services to the internet unless you truly need remote access. If you do, doing a VPN into your home network then accessing it “internally” is preferred. Easier to lock down that well used and studied VPN service than BI and your desktop Windows computer. A little clunky as you have to turn it on when out-and-about. One counter argument could be that opens a door to full access to your network if VPN is ever compromised. But again, a compromised BI computer could lead to the same situation.

Last, if you do want to expose it to the internet, use a random port. It’s security through obscurity (i.e. not great), but it may reduce some of the attempts.

This post introduced an idea that hadn't passed my mind; obtaining the VPN-given IP from the BI pc and logging in via that IP while still at home.

I'm thinking about the best/safest way to get remote BI UI3 access while keeping my VPN on. I'm thinking now: 2 nic cards on the BI pc, one nic card connects internally to a PoE switch running the cameras. The other BI pc nic runs the VPN and goes out to the "main" network managed switch that keeps the BI pc contained within its own VLAN as it goes to the network firewall, and then out to the main gateway router.

If I set the location on the BI pc, then record that IP on my Android app, I might be able to get tunneled access to my UI3 feeds. By keeping the VPN kill switch on, it would stop traffic as soon as the VPN (which is set as a "service") stopped for whatever reason. It could probably be useable for days/weeks at a time, until the BI pc restarted for whatever reason, -and it does, about every two or three weeks. At least then I'd know that the pc restarted and to check things. And, yeah, I should probably have it on a ups to begin with.

I'm just wondering how all this would work with with the network firewall handling incoming traffic, as I don't want to mess with my 100% don not trust rules too much. I'm wondering if I'd have to frequently 'console-in' to the firewall command line OS and deal with the changing VPN-assigned IP.

When connected to VPN just hit refresh on the global web server tab. There's your WAN address for UI3. You can restrict or enable connections from any IP or range of IP addresses. Wouldn't that work?