
RT-AC88U AiProtection Security Alerts

Discussion in 'ASUSWRT - Official' started by Natey2, Jun 28, 2018.

  1. Natey2

    Natey2 Occasional Visitor

    Joined:
    Jun 27, 2018
    Messages:
    14
    I'm seeing this in my router AiProtection tab, under the Two-Way Intrusion Prevention System:
    [attached screenshot of the AiProtection alert]

    Looks like it's from some University in China, trying to access my outdoor security camera.
    And other different security alerts for that camera too.
    Anything I should be really worried about?
     
  2. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    707
    Do you really need your security camera exposed to WAN?
     
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,592
    Location:
    Canada
    IoT devices such as cameras are notoriously bad at security - quite a few botnets are entirely based on compromised cameras.

    My recommendation, if you absolutely must expose your camera to the WAN, is to expose it on a non-standard port, to reduce the amount of attack attempts. But ideally consider protecting them behind a VPN.
     
  4. agilani

    agilani Senior Member

    Joined:
    Nov 30, 2012
    Messages:
    454
    Exposing your camera or allowing the camera to open UPnP ports is a bad idea. Even better-known vendors like Samsung/Hanwha (whatever the name of the company that bought the business is) as recently as this month had a ton of remote code execution vulnerabilities. I use Blue Iris internally and then only expose that to the outside. Better would be to only make it accessible via VPN, but then using the Blue Iris app would be a pain. Still not comfortable with it though. At some point I'll be segregating my IoT devices from everything else. Already replaced most of my Wi-Fi devices with Z-Wave where I could.
     
  5. Natey2

    Natey2 Occasional Visitor

    Joined:
    Jun 27, 2018
    Messages:
    14
    I've turned off port-forwarding.
    The camera should not be visible on the WAN now.
    I'll keep an eye on the logs.

    Thanks!

    Sent from my SM-G930T using Tapatalk
     
  6. Natey2

    Natey2 Occasional Visitor

    Joined:
    Jun 27, 2018
    Messages:
    14
    More similar attempts in the logs on my security camera, even after I turned port-forwarding off on the router!

    A port scan reveals ports 21 (FTP) and 443 (https/SSL) still open to the WAN. The former is caused (compromised?) by Asus AiDisk and the latter by Asus AiCloud (I think), both of which apparently do not heed the Asus port-forwarding setting on the RT-AC88U router.

    I also found this http://www.consumer.ftc.gov/blog/2016/02/got-asus-router-home-read

    The non-Asus camera is in the 8000 range (not the default port 80); not sure how that is still appearing on the WAN.
    UPnP doing it maybe? If I turn that off, console gaming may be adversely affected.

    Sent using Tapatalk
     
  7. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    707
    Port forwarding settings are not the only way to open a port; like you said, UPnP would also open ports, and Asus AiCloud apparently.

    Have you used the Asus app before?
     
  8. Natey2

    Natey2 Occasional Visitor

    Joined:
    Jun 27, 2018
    Messages:
    14
    I have the mobile app installed. Now, that only works when I'm on local WiFi and not over 4G/LTE.

    Sent using Tapatalk
     
  9. agilani

    agilani Senior Member

    Joined:
    Nov 30, 2012
    Messages:
    454
    You can create a netfilter that blocks traffic to that port under firewall. I have done that for services that I don't want externally exposed like Minecraft or Plex. Or disable UPnP and manually set up the gaming devices with DHCP reservations and do port forwarding for them manually.
     
  10. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    707
    The app used to open the web UI to WAN without notifying the user, maybe that's why.

    Regarding UPnP, maybe turning off UPnP on your security cameras would be a compromise then?
     
  11. Natey2

    Natey2 Occasional Visitor

    Joined:
    Jun 27, 2018
    Messages:
    14
    I've turned off Asus AiDisk/FTP and AiCloud. Ports 21 and 443 not visible on WAN now.
    The Asus FTP has no log file! How do you tell who's trying to log in? Filezilla is much better. But it does (option) lock out all logins after a configurable # of bad attempts, requiring a manual unlock from the router admin page, and that was not triggered.

    I've turned off UPnP on the D-Link camera and rebooted both camera and router. But port 80 on the camera is still port 8080 on the WAN. Now what could possibly be doing that, since port forwarding on the Asus router is off too? @kfp mentioned the mobile app...

    I see an option on the camera admin page to limit IP range of allowed logins. Going to configure that next.

    Last week, the attacks were using Apache exploits. Now somebody is trying Oracle Weblogic exploits on the camera. If the Asus AiProtection didn't log that, I'd be thinking everything is fine.

    Thanks for all the suggestions! Securing these things is not my field of expertise...

    Sent using Tapatalk
     
  12. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    707
    Was this a soft reboot (clicking reboot from web UI)? Try a power cycle (either unplugging/replugging or on/off button if your model has that) instead?

    Another thing to check is see if secure_mode is on for miniupnpd, it should be on by default. If it’s on you can rule out other devices/apps opening the port on the camera’s behalf.

    Maybe try turning UPnP off from the router then?
     
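The two checks suggested in posts 9 and 12 (a firewall rule that blocks WAN traffic to the camera's port, and confirming that miniupnpd runs with secure_mode on), as an added shell example that is not code from this thread or from ASUS firmware; the config path /etc/upnp/config, the WAN interface eth0 and the camera address 192.168.1.50 are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from ASUS firmware.
# Two defender checks for a LAN device whose port keeps showing up on the WAN:
#   1. confirm miniupnpd runs with secure_mode=yes, so a UPnP client can only
#      map ports to its own address, never to the camera's;
#   2. emit iptables rules that drop WAN-originated traffic to the device's
#      port even if UPnP or a vendor cloud service created the NAT mapping.
# Assumed values: config at /etc/upnp/config (Asuswrt layout), WAN interface
# eth0, camera at 192.168.1.50 listening on port 80. Adjust for your router.

UPNP_CONF="${UPNP_CONF:-/etc/upnp/config}"

# Exit 0 if secure_mode=yes in the miniupnpd config, 1 if not, 2 if unreadable.
upnp_secure_mode_enabled() {
    conf="${1:-$UPNP_CONF}"
    [ -r "$conf" ] || return 2
    # Take the last assignment; miniupnpd reads the file top to bottom.
    val=$(sed -n 's/^[[:space:]]*secure_mode[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    [ "$val" = "yes" ]
}

# Print iptables commands that drop TCP and UDP arriving on the WAN interface
# for host:port. FORWARD is evaluated after DNAT, so the destination is already
# the LAN host; -I puts the rule ahead of the firmware's own ACCEPT rules.
block_wan_to_port() {
    host="$1"; port="$2"; wan_if="${3:-eth0}"
    for proto in tcp udp; do
        printf 'iptables -I FORWARD -i %s -p %s -d %s --dport %s -j DROP\n' \
            "$wan_if" "$proto" "$host" "$port"
    done
}

# Usage on the router (Asuswrt-Merlin's /jffs/scripts/firewall-start is one
# place to persist it):
#   upnp_secure_mode_enabled && echo "secure_mode on" || echo "secure_mode OFF"
#   block_wan_to_port 192.168.1.50 80 eth0 | sh
```

Afterwards, re-run the same external port scan that first showed the mapping; the DROP rule should leave the port filtered even though the UPnP entry still exists in the router's NAT table.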
  13. Natey2

    Natey2 Occasional Visitor

    Joined:
    Jun 27, 2018
    Messages:
    14
    While I was trying to program the permitted IP ranges into the camera remotely, I entered the 3 sets of ranges in the wrong sequence and ended up locking myself out after the 1st set, requiring a factory reset of the camera.

    Good thing I had the configuration settings saved from 2 months ago to load, or it would be a real pain trying to reconfigure all the motion-detection region, IR sensitivity, storage, event triggers, etc options the same way.

    While dismounting the camera, the antenna housing had become so brittle (exposed to sun over time) that it crumbled: [photo of the crumbled antenna housing]
    So now I use a segment of a big straw to house the antenna and it may not be as weather-resistant as before.

    Turns out that it was a Cloud camera. Their "cloud" service (which I forgot about) for this model has no storage option, so it is more of a live online/internet view option. I disabled it and just use local recording (to internal SD card, that gets transferred to my PC almost immediately in case the camera gets stolen) with a local wifi viewer.

    Anyway, I have a working outdoor security camera that is a little less weather-resistant now, the ports are still open via UPnP (not sure what is doing it), but nothing bad can connect at those ports because of the programmed IP ranges.

    Sent using Tapatalk
     
  14. Sinner

    Sinner Senior Member

    Joined:
    Sep 30, 2017
    Messages:
    296
    Location:
    Canada
    If a straw slides over that perfectly I'd go with that and a little caulk on the end, and it's just as weather resistant and possibly may offer better signal as the straw is much thinner than that plastic.
     
  15. agilani

    agilani Senior Member

    Joined:
    Nov 30, 2012
    Messages:
    454
    Have you looked at Blue Iris? You can capture all of your live RTSP streams locally to a PC.
     
  16. Clark Griswald

    Clark Griswald Regular Contributor

    Joined:
    Sep 21, 2015
    Messages:
    143
    Location:
    USA
    +1 for the use of Blue Iris