What's new

Need advice on how to handle security camera

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

rick155

Occasional Visitor
Hi all,

in my small home network I have a security camera that is programmed, when it's motion triggered, to send an email using Gmail and save a video to my local NAS.

I would like to be sure that camera is able to send email but not to connect to anything else as I am aware that these security cameras try to reach outside servers (sometimes NTP, sometimes not)

I am thinking about two possible ways to do that but I would prefer to hear experts' opinion first

method 1:

restrict WAN access to security camera (Asus Network map -> client list -> Block Internet Access)
However this will also prevent camera from contacting Gmail server to send email notification, so I was thinking to install a mail server on my local NAS.
This way the security camera will not need WAN access and the email will be handled by NAS, but I am concerned that I might close a security concern and open another one: is running a mail server on local NAS secure?
I know, for example, hosting a website on local NAS is no-no for several reasons, is it the same for a mail server? What are the possible risks?

method 2:

use Firewall -> Network Services Filter GUI and create a rule for security camera ip so that everything else than STMP port is blocked (in case of Gmail should be 465).
However I would like to further restrict by limiting also the destination address, the problem is that I can't put smtp.gmail.com, I need a specific IP (or IP range)
How can I create a rule so that that IP camera can only reach Gmail server?
This still will not prevent camera to be hacked and send data outside, but it's better than nothing.

If you think there could be a better way to solve my problem, feel free to suggest
 
1. Setting up a mail server is a lot of work. Can you explain why “it’s a no-no”? Not sure what you mean there. Of course more software = more bugs, but with proper configuration it is fine to host a web server on your NAS depending what you’re using for.

2. That’s not what the Network Services Filter is for.

General advice for securing IoT devices, in order of importance:
- make sure non of its ports are open to WAN (via UPnP or port forwarding)
- put it on another subnet so it can’t connect to other devices on your network (use a guest network or set up VLANs)
- filter WAN access incase the firmware contains a backdoor or malware that wants to phone home (maybe just relying on outbound IP filtering would be good enough, using AiProtect or Skynet)

As for your particular question, block all outbound except for the IP for smtp.google.com. You’ll have to play around with how your DNS respond to it so it doesn’t give several different IPs for smtp.google.com (or maybe you can specify the email server with an IP and just not worry about DNS?)
 
Thanks for the answer kfp

regarding point 1. I think I didn't express myself well, I mean I have read that hosting a website on a local NAS is usually a bad idea because, since it must be reachable from outside, can be exploited in different ways thus breach the security of your local network.

Of course if it properly configured it should not create problems, but in general the opinion that I can see from lots of use is "not a good idea, because ... NAS hosting a website should be kept separate from your entire network"

On my NAS it's possible to install a mail server, not sure how complicated is to configure everything because I have never done it before.

Q1) Is a mail server on NAS something that can be considered a security risk?

regarding point 2. UPnP and port forwarding are disabled and, from outside, ports are not visible.
I have a Asus AC68U, I don't think I can set VLAN but I can set up a guest network (which should separate IP camera from the rest of the network).

Just other three questions:

Q2) if security camera is on guest network, it is not going to be able to save video on NAS, unless I also put NAS in guest network, right? That however will mean my local pc will not be able to reach NAS and that is a problem
Q3) Will security camera on guest network still be able to phone back home?

Q4) regarding restricting WAN access, how can I find the specific IPs from DNS? Is there a command I can run from cmd to see which IP are coming from a DNS query?

Thanks again
 
Q2) if security camera is on guest network, it is not going to be able to save video on NAS, unless I also put NAS in guest network, right? That however will mean my local pc will not be able to reach NAS and that is a problem
Q3) Will security camera on guest network still be able to phone back home?

You can do this. You need to control access using ACLs, access control lists, in the switch or router. The Cisco SG300 switches will do this as I am doing it. There is a thread on this site on how to set it up under my user name.
 
Q1) If all the mail server is doing is send out emails, and has no incoming traffic from the WAN then it should be alright (relative to hosting a web server like you said).

Hosting your own email server this way has its own nuances though:
- You might have to constantly fight with IP reputation lists so the email you send out doesn’t end up in spam folders
- You implicitly trust whoever packaged the mail server software (for example Synology Comminity packages)

Q4)
Code:
nslookup smtp.google.com

If I were you this is probably I would do:
- put security camera to guest network
- add an iptables rule so camera can save to NAS
- use a new gmail account (not your main one) or ISP smtp to send the emails
- add iptables rules to restrict camera WAN access
 
Last edited:
No need for a full-featured mail server, it could be just an SMTP relay, or a very basic SMTP server, with your upstream server configured as a smarthost.
 
Thanks Coxhaus, Kfp and RMerlin

You can do this. You need to control access using ACLs, access control lists, in the switch or router. The Cisco SG300 switches will do this as I am doing it. There is a thread on this site on how to set it up under my user name.

I have an Asus AC68U using stock firmware. I am not very familiar with ACL so I am reading about it, but it seems I will need to load a custom firmware for that, correct?


Q1) If all the mail server is doing is send out emails, and has no incoming traffic from the WAN then it should be alright (relative to hosting a web server like you said).

Hosting your own email server this way has its own nuances though:
- You might have to constantly fight with IP reputation lists so the email you send out doesn’t end up in spam folders
- You implicitly trust whoever packaged the mail server software (for example Synology Comminity packages)

Q4)
Code:
nslookup smtp.google.com

If I were you this is probably I would do:
- put security camera to guest network
- add an iptables rule so camera can save to NAS
- use a new gmail account (not your main one) or ISP smtp to send the emails
- add iptables rules to restrict camera WAN access

The NAS I am using (Asustor) has an official mail server app that they develop directly, so I assume if they wanted to do something nasty they would have done on the original sw running on the NAS.
However you raised a good point: if these emails get in the Gmail spam folder, once I mark (from Gmail account) as NOT-spam, shouldn't this avoid future problems or I am always at risk of these notification emails getting filtered?

Also in order to set iptables I need to connect via SSH, correct? Can I do this with stock firmware on Asus AC68U?

No need for a full-featured mail server, it could be just an SMTP relay, or a very basic SMTP server, with your upstream server configured as a smarthost.

Would that potentially be a risk since I will be running the mail server on the NAS, since it will need to communicate outside to send emails, thus potentially exposing NAS?
Is it better (more secure) a solution with iptables as indicated above or SMTP server? My goal is to block security camera (will probably need to install a second one) from communicating to outside but, at the same time, being able to send notification emails when camera is motion triggered
 
If your sole purpose for the email server is for IP camera notifications then this should be relatively safe:

- block all WAN access of the cameras (using iptables or guest wifi/ebtables)
- allow ARP, DHCP, NTP between cameras and router
- allow SMTP between cameras and NAS

Regarding spam, yeah that should be fine.
 
Would that potentially be a risk since I will be running the mail server on the NAS, since it will need to communicate outside to send emails, thus potentially exposing NAS?

Since it would solely be outbound connections, your NAS wouldn't be exposed in any way. No need to forward any port in your firewall (assuming all your clients will be within the LAN).
 
- block all WAN access of the cameras (using iptables or guest wifi/ebtables)

So are all cameras that allow mobile apps to access them over non-local-wifi a security compromise?

Sent using Tapatalk
 
Things to remember for handling security camera:

1. Place cameras appropriately for the viewing area.
2. Consider your lighting.
3. Place CCTV cameras to monitor hidden entry points.
4. Watch the front door.
5. Use the appropriate security cameras for their application.
6. Protector hides your cables.
7. Install only outdoor surveillance cameras outdoors.
8. Stick with wired security cameras.

Smart home tools
 
Last edited:
One of the first things to take into consideration when choosing the best CCTV system for your home is if you want a camera that can work independently, or if you want to create a system (either now or in the future) that includes multiple cameras. Things to remember for handling wireless security camera:

  • Internet protocol (IP) cameras are digital and connected to the internet
  • Connect to a Wi-Fi network and can be accessed via a compatible device
  • Access the camera from anywhere in the world with an internet connection
  • Store data on the cloud or a micro SD card (a portable chip)
  • No need for professional installation
  • Apps used to accompany device and perform tasks e.g. change view, set alerts
  • Some may offer additional features e.g. a regular/security light
 
Similar threads

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top