RT-AC88U AiProtection Security Alerts

Natey2

Regular Contributor
I'm seeing this in my router AiProtection tab, under the Two-Way Intrusion Prevention System:
[Attached screenshot: upload_2018-6-28_20-18-55.png]


Looks like it's from some University in China, trying to access my outdoor security camera.
And other different security alerts for that camera too.
Anything I should be really worried about?
 
IoT devices such as cameras are notoriously bad at security - quite a few botnets are entirely based on compromised cameras.

My recommendation, if you absolutely must expose your camera to the WAN, is to expose it on a non-standard port, to reduce the number of attack attempts. But ideally consider protecting them behind a VPN.
 
Exposing your camera or allowing the camera to open UPnP ports is a bad idea. Even better-known vendors like Samsung/Hanwha (whatever the name of the company that bought the business) as little as this month had a ton of remote code execution vulnerabilities. I use Blue Iris internally and then only expose that to the outside. Better would be to only make it accessible via VPN, but then using the Blue Iris app would be a pain. Still not comfortable with it though. At some point I'll be segregating my IoT devices from everything else. Already replaced most of my Wi-Fi devices with Z-Wave where I could.
 
I've turned off port-forwarding.
The camera should not be visible on the WAN now.
I'll keep an eye on the logs.

Thanks!

Sent from my SM-G930T using Tapatalk
 
More similar attempts in the logs on my security camera, even after I turned port-forwarding off on the router!

A port scan reveals ports 21 (FTP) and 443 (https/SSL) still open to the WAN. The former is caused (compromised?) by Asus AiDisk and the latter by Asus AiCloud (I think), both of which apparently do not heed the Asus port-forwarding setting on the RT-AC88U router.

I also found this http://www.consumer.ftc.gov/blog/2016/02/got-asus-router-home-read

The non-Asus camera is in the 8000-range (not the default port 80); not sure how that is still appearing on the WAN.
UPnP doing it maybe? If I turn that off, console gaming may be adversely affected.

Sent using Tapatalk
 
A port scan reveals ports 21 (FTP) and 443 (https/SSL) still open to the WAN. The former is caused (compromised?) by Asus AiDisk and the latter by Asus AiCloud (I think), both of which apparently do not heed the Asus port-forwarding setting on the RT-AC88U router.

Port forwarding settings are not the only way to open a port; like you said, UPnP would also open ports, and Asus AiCloud apparently.

Have you used the Asus app before?
 
You can create a netfilter that blocks traffic to that port under firewall. I have done that for services that I don't want externally exposed, like Minecraft or Plex. Or disable UPnP and manually set up the gaming devices with DHCP reservations and do port forwarding for them manually.
 
I have the mobile app installed. Now, that only works when I'm on local WiFi and not over 4G/LTE.



Sent using Tapatalk

The app used to open the web UI to WAN without notifying user, maybe that’s why.

Regarding UPnP, maybe turning off UPnP on your security cameras would be a compromise then?
 
I've turned off Asus AiDisk/FTP and AiCloud. Ports 21 and 443 not visible on WAN now.
The Asus FTP has no log file! How do you tell who's trying to log in? Filezilla is much better. But it does (option) lock out all logins after a configurable # of bad attempts, requiring a manual unlock from the router admin page, and that was not triggered.

I've turned off UPnP on the D-Link camera and rebooted both camera and router. But port 80 on the camera is still port 8080 on the WAN. Now what could possibly be doing that, since port forwarding on the Asus router is off too. @kfp mentioned the mobile app...

I see an option on the camera admin page to limit IP range of allowed logins. Going to configure that next.

Last week, the attacks were using Apache exploits. Now somebody is trying Oracle Weblogic exploits on the camera. If the Asus AiProtection didn't log that, I'd be thinking everything is fine.

Thanks for all the suggestions! Securing these things is not my field of expertise...

Sent using Tapatalk
 
I've turned off UPnP on the D-Link camera and rebooted both camera and router. But port 80 on the camera is still port 8080 on the WAN. Now what could possibly be doing that, since port forwarding on the Asus router is off too. @kfp mentioned the mobile app...

Was this a soft reboot (clicking reboot from web UI)? Try a power cycle (either unplugging/replugging or on/off button if your model has that) instead?

Another thing to check is to see if secure_mode is on for miniupnpd; it should be on by default. If it’s on you can rule out other devices/apps opening the port on the camera’s behalf.

Maybe try turning UPnP off from the router then?
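
The two checks discussed above (which mechanism is mapping WAN port 8080 to the camera, and whether miniupnpd's secure_mode is on), as an added example that is not part of the original thread. It parses saved `iptables-save -t nat` output and a miniupnpd config; the chain names VSERVER and VUPNP, the addresses and both sample inputs are constructed assumptions.

```python
import re

# Constructed sample of `iptables-save -t nat` output (chain names and IPs are assumptions).
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d 203.0.113.10/32 -j VSERVER
-A VSERVER -j VUPNP
-A VSERVER -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.1:21
-A VUPNP -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A VUPNP -p udp -m udp --dport 3074 -j DNAT --to-destination 192.168.1.60:3074
COMMIT
"""
# Constructed miniupnpd config fragment.
SAMPLE_CONF = "ext_ifname=eth0\nenable_upnp=yes\nsecure_mode=no\n"

RULE = re.compile(
    r"^-A (?P<chain>\S+) .*?-p (?P<proto>tcp|udp)\b.*?--dport (?P<wan>\d+(?::\d+)?)"
    r".*?-j DNAT --to-destination (?P<host>[\d.]+)(?::(?P<lan>[\d-]+))?")

def dnat_rules(nat_dump):
    """One dict per DNAT rule: chain, protocol, WAN port, LAN host and LAN port."""
    rules = []
    for line in nat_dump.splitlines():
        m = RULE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["lan"] = rule["lan"] or rule["wan"]  # no port in target: unchanged
            rules.append(rule)
    return rules

def forwards_to(nat_dump, host):
    """All WAN-to-LAN mappings that end at one internal host (e.g. the camera)."""
    return [r for r in dnat_rules(nat_dump) if r["host"] == host]

def secure_mode_on(conf_text):
    """True/False from secure_mode=yes|no; None if the option is not in the file."""
    for line in conf_text.splitlines():
        key, _, val = line.split("#")[0].partition("=")
        if key.strip() == "secure_mode":
            return val.strip().lower() == "yes"
    return None

if __name__ == "__main__":
    for r in forwards_to(SAMPLE_NAT, "192.168.1.50"):
        print(f"{r['chain']}: WAN {r['proto']}/{r['wan']} -> {r['host']}:{r['lan']}")
    print("secure_mode on:", secure_mode_on(SAMPLE_CONF))
```

A mapping that shows up in the UPnP chain rather than the manual port-forward chain, combined with secure_mode off, means another LAN device could have requested it on the camera's behalf.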
 
While I was trying to program the permitted IP ranges into the camera remotely, I entered the 3 sets of ranges in the wrong sequence and ended up locking myself out after the 1st set, requiring a factory reset of the camera.

Good thing I had the configuration settings saved from 2 months ago to load, or it would be a real pain trying to reconfigure all the motion-detection region, IR sensitivity, storage, event triggers, etc options the same way.

While dismounting the camera, the antenna housing had become so brittle (exposed to sun over time) that it crumbled:
[Attached photo: e8aa5d5339bead284c9e945af0f99175.jpg]

So now I use a segment of a big straw to house the antenna and it may not be as weather-resistant as before.

Turns out that it was a Cloud camera. Their "cloud" service (which I forgot about) for this model has no storage option, so it is more of a live online/internet view option. I disabled it and just use local recording (to internal SD card, that gets transferred to my PC almost immediately in case the camera gets stolen) with a local wifi viewer.

Anyway, I have a working outdoor security camera that is a little less weather-resistant now, the ports are still open via UPnP (not sure what is doing it), but nothing bad can connect at those ports because of the programmed IP ranges.

Sent using Tapatalk
 
If a straw slides over that perfectly I'd go with that and a little caulk on the end, and it's just as weather resistant and possibly may offer better signal, as the straw is much thinner than that plastic.
 
While I was trying to program the permitted IP ranges into the camera remotely, I entered the 3 sets of ranges in the wrong sequence and ended up locking myself out after the 1st set, requiring a factory reset of the camera.

Good thing I had the configuration settings saved from 2 months ago to load, or it would be a real pain trying to reconfigure all the motion-detection region, IR sensitivity, storage, event triggers, etc options the same way.

While dismounting the camera, the antenna housing had become so brittle (exposed to sun over time) that it crumbled:
[Attached photo: e8aa5d5339bead284c9e945af0f99175.jpg]

So now I use a segment of a big straw to house the antenna and it may not be as weather-resistant as before.

Turns out that it was a Cloud camera. Their "cloud" service (which I forgot about) for this model has no storage option, so it is more of a live online/internet view option. I disabled it and just use local recording (to internal SD card, that gets transferred to my PC almost immediately in case the camera gets stolen) with a local wifi viewer.

Anyway, I have a working outdoor security camera that is a little less weather-resistant now, the ports are still open via UPnP (not sure what is doing it), but nothing bad can connect at those ports because of the programmed IP ranges.

Sent using Tapatalk

Have you looked at Blue Iris? You can capture all of your live RTSP streams locally to a PC.
 
+1 for the use of Blue Iris
 