DNS Services


JimR
28th Dec 2013, 11:10
I have a home security alarm system. Up until now it was monitored by a security company. I decided that I was paying a monthly fee for something that I could do myself much cheaper. All they would do in the event of an alarm was to call me to say that there had been an alarm. Maybe eventually they would call the police, but I think the whole service was kind of useless.
So, I bought a new central alarm unit with cell 'phone dial out capability, plus a separate security camera system. The security camera can be monitored using the internet although it records automatically without any intervention. I realize the internet can be very easily disconnected by any thieves, but the recording unit is hidden.
Here's the question; in order to see what's going on while I'm away from the house I plan to connect to the security camera system (DVR) remotely via smartphone. The DVR is connected to one of my router ports. Since I do not have a fixed home IP address I need to use a third party dynamic DNS service. Has anybody had any experience with these companies? I'm kind of concerned that it's like giving an open invitation for an uninvited guest to find a way into my computer.

Mike-Bracknell
28th Dec 2013, 12:12
I have a home security alarm system. Up until now it was monitored by a security company. I decided that I was paying a monthly fee for something that I could do myself much cheaper. All they would do in the event of an alarm was to call me to say that there had been an alarm. Maybe eventually they would call the police, but I think the whole service was kind of useless.
So, I bought a new central alarm unit with cell 'phone dial out capability, plus a separate security camera system. The security camera can be monitored using the internet although it records automatically without any intervention. I realize the internet can be very easily disconnected by any thieves, but the recording unit is hidden.
Here's the question; in order to see what's going on while I'm away from the house I plan to connect to the security camera system (DVR) remotely via smartphone. The DVR is connected to one of my router ports. Since I do not have a fixed home IP address I need to use a third party dynamic DNS service. Has anybody had any experience with these companies? I'm kind of concerned that it's like giving an open invitation for an uninvited guest to find a way into my computer.

2 things:

1) Using a DDNS service such as no-ip.com or dyndns is not in itself inherently unsafe (if you really want to be frightened, your router is likely being scanned once every 30 seconds or so by script kiddies whether or not you're in DNS).

2) Opening router ports to the internet is the dangerous thing. For this, make sure you research the kit you're going to expose to the internet and also the ports you're opening, so that you know you're not exposing things that are already compromised or compromisable to the internet. If possible, also choose a random port number above 1024 so that you can be less susceptible to the automated port scanning efforts of the script kiddies mentioned in #1 above.

Mac the Knife
28th Dec 2013, 12:26
"....a random port number above 1024.."

Above 49151

:suspect:

mixture
28th Dec 2013, 12:40
1) Using a DDNS service such as no-ip.com or dyndns is not in itself inherently unsafe (if you really want to be frightened, your router is likely being scanned once every 30 seconds or so by script kiddies whether or not you're in DNS).


Agreed.

2) Opening router ports to the internet is the dangerous thing. For this, make sure you research the kit you're going to expose to the internet and also the ports you're opening, so that you know you're not exposing things that are already compromised or compromisable to the internet. If possible, also choose a random port number above 1024 so that you can be less susceptible to the automated port scanning efforts of the script kiddies mentioned in #1 above.


Agree with the first phrase.

Disagree with the gist of the rest - and the "choose a random port" stuff is utter rubbish, security by obscurity is not security, and the script kiddies can easily write automated scripts to scan a whole range of ports.

The only thing you should be opening up to the internet is a VPN that terminates on your router/perimeter firewall. You then connect to the VPN and can access the network behind it with a degree of peace of mind equivalent to how much you trust the manufacturer of your router/firewall to write decent code.

Unless you really know what you are doing, you shouldn't open up direct access via NAT/PAT/PPtP/whatever to internal devices, because (a) they can be easily found and (b) they probably can easily be bypassed.

The alternative, if you can't be bothered with all of the above, or the mere idea of a VPN is above your technical capabilities, is simply to use something like Teamviewer or LogMeIn running on a PC, which you can then access using appropriate client software on your remote laptop by simply entering an ID and password... no need to open ANY inbound services on your router/firewall and no need to mess around with DDNS either.

JimR
28th Dec 2013, 13:06
Thank you all for the comments, very much appreciated.
Mixture, one reason I wasn't keen on the idea of using Teamviewer or similar was that I don't normally leave my PC running when away from home; the remote access would go directly from the internet (via my router) to the DVR. My concern of course, particularly with my limited knowledge, was that when I did have the PC running somebody could enter it via the new router port. Incidentally, with my ignorance of the significance of settings, the present router port number I chose was 81; probably not very clever!
Thanks .... Jim

Mike-Bracknell
30th Dec 2013, 10:46
Disagree with the gist of the rest - and the "choose a random port" stuff is utter rubbish, security by obscurity is not security, and the script kiddies can easily write automated scripts to scan a whole range of ports.
If you've ever dissected port scans, the *vast* majority of them scan known ports.

mixture
30th Dec 2013, 10:57
If you've ever dissected port scans, the *vast* majority of them scan known ports.

Still, security by obscurity is not a concept worth promoting though. Just set up the services properly on the standard ports.

For example, I run a number of SSH services set up on the standard port 22. But they are correctly set up with public key authentication, so I don't care about port scans because I know they'll be dropped by SSH if they try to connect. The logs are also easily filtered out.

The other problem with non-standard ports is you can easily run into filtering issues... WiFi hotspots for example might only allow a subset of common ports.

But then you knew all that already..... :E
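An added example, not code from anyone in this thread, illustrating mixture's two points above: a short Python script that (a) checks an sshd_config fragment for the key-only setup described (passwords off, public key on, no root login) and (b) summarises OpenSSH auth-log lines by source address and outcome, so the scanner noise that SSH rejects can be separated from the owner's real key-based logins. The config text, the host name `gw`, the usernames and the addresses are all constructed placeholders.

```python
"""Added example (not from the thread): check an sshd_config for key-only
authentication and summarise sshd auth-log lines by outcome and source IP.
All input below is constructed for the example."""
import re
from collections import Counter, defaultdict

# Constructed sshd_config fragments: the first accepts passwords (the setup
# the thread warns against), the second is the key-only form.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
ChallengeResponseAuthentication no
"""

# Settings a key-only sshd should state explicitly (an unset keyword falls
# back to sshd's default, which for PasswordAuthentication is "yes").
REQUIRED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}


def parse_sshd_config(text):
    """Return {keyword_lower: value} for non-comment, non-blank lines.
    sshd honours the first occurrence of a keyword, so setdefault() is used."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def config_findings(text):
    """List of (keyword, actual, expected) for every REQUIRED setting that is
    unset or differs; an empty list means the fragment is key-only."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = settings.get(key, "<unset>")
        if actual.lower() != expected:
            findings.append((key, actual, expected))
    return findings


# Constructed auth-log lines in the syslog format OpenSSH uses on Linux:
# one source probing nonexistent users, one hammering root with passwords,
# and the owner's own public-key login. Addresses are documentation ranges.
AUTH_LOG = """\
Dec 30 10:01:02 gw sshd[2101]: Invalid user admin from 203.0.113.7 port 51234
Dec 30 10:01:02 gw sshd[2101]: Connection closed by invalid user admin 203.0.113.7 port 51234 [preauth]
Dec 30 10:01:09 gw sshd[2107]: Failed password for root from 198.51.100.23 port 40022 ssh2
Dec 30 10:01:11 gw sshd[2107]: Failed password for root from 198.51.100.23 port 40022 ssh2
Dec 30 10:01:14 gw sshd[2107]: Failed password for root from 198.51.100.23 port 40022 ssh2
Dec 30 10:05:40 gw sshd[2150]: Accepted publickey for jim from 192.0.2.10 port 55100 ssh2: ED25519 SHA256:constructedfingerprint
Dec 30 10:06:01 gw sshd[2161]: Invalid user pi from 203.0.113.7 port 51300
"""

# Matches the three outcome lines of interest; "Connection closed" lines are
# deliberately skipped so each attempt is counted once.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Accepted \w+|Failed \w+|Invalid user) "
    r"(?:for )?(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def summarise_auth_log(text):
    """Return {source_ip: Counter(event -> count)} over all parsed lines."""
    per_ip = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_ip[m.group("ip")][m.group("event")] += 1
    return per_ip


def noisy_sources(per_ip, threshold=2):
    """Sorted IPs with at least `threshold` rejected attempts and no accepted
    login: the scanner traffic that can be filtered out of the daily review."""
    out = []
    for ip, events in per_ip.items():
        accepted = sum(n for ev, n in events.items() if ev.startswith("Accepted"))
        rejected = sum(events.values()) - accepted
        if rejected >= threshold and accepted == 0:
            out.append(ip)
    return sorted(out)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "findings:", config_findings(cfg))
    summary = summarise_auth_log(AUTH_LOG)
    for ip, events in summary.items():
        print(ip, dict(events))
    print("noise to filter:", noisy_sources(summary))
```

Point the two parsers at a real `/etc/ssh/sshd_config` and `/var/log/auth.log` (or `journalctl -u ssh` output) to get the same summary for your own box; the regex only understands the single-line formats shown, so lines from other sshd versions may need a second pattern.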

Mike-Bracknell
30th Dec 2013, 11:16
Still, security by obscurity is not a concept worth promoting though. Just set up the services properly on the standard ports.

For example, I run a number of SSH services set up on the standard port 22. But they are correctly set up with public key authentication, so I don't care about port scans because I know they'll be dropped by SSH if they try to connect. The logs are also easily filtered out.

The other problem with non-standard ports is you can easily run into filtering issues... WiFi hotspots for example might only allow a subset of common ports.

But then you knew all that already..... :E

Of course, but it's still a good technique to deploy irrespective of the security aspects. I learnt this when trying to tackle VoIP QoS issues and noticed port-scan frequencies of known ports giving rise to a DoS scenario.

Besides, a home network arguably has far fewer reasons to keep someone out as most of the time there's simply nothing there to get into.

mixture
30th Dec 2013, 14:56
Besides, a home network arguably has far fewer reasons to keep someone out as most of the time there's simply nothing there to get into.

Depends whose home network it is... :cool:

But you still need to do your bit for the greater internet. Stop your home network from becoming a zombie and involved in DDoS attacks and spam.

ExGrunt
8th Jan 2014, 08:26
Hi JimR,

I had a setup like that at my old house. I have yet to set it up for my new house. I would echo the comments about security above because my logs used to show hundreds of break-in attempts a day from all over the world.

I used a small business broadband account with fixed IP addresses, but they are getting more difficult to get as the pool of IPv4 addresses is exhausted and a lot of the off-the-shelf kit will not work with IPv6 yet.

It is important to set up a DMZ to isolate your home network from the 'outside' bits of the system. So your existing router becomes the outside router and the DVR plugs into that, and you need a second router (without ADSL modem) as the inside firewall and all your home PCs attach to that.

The system worked really well and I was able to monitor 4 cameras in real time from my phone/ laptop/ office PC.

You can build your own system from an old PC and I would recommend the free ZoneMinder software which runs on Linux.

HTH

EG

Keef
8th Jan 2014, 16:51
I stopped logging port scans because there were so many of them.

My old router showed "Total Stealth" on the ShieldsUp! test on all ports up to 9999 (and a few above). The new router scored a "fail" on Port 443: that's the port it uses for VPN, and the security behind that is very tight - nothing is going to get through, although the Dear Hackers may spend time trying.

JimR
13th Jan 2014, 21:13
Thanks EG. Not really sure why I need a second PC since the DVR has the required IP app and DDNS IP update software built in.
Anyway, seems to be working well!
PS: I do need to upgrade from XP soon though.
(runs for cover from Mixture).

ExGrunt
14th Jan 2014, 07:39
Hi JimR,

I had both a commercial DVR and a home-made one using ZoneMinder. The second was far more reliable. You do not need two, but from experience, when you need to check the system it is Sod's law that that is the moment it decides to freeze up.

Good luck

EG

MG23
14th Jan 2014, 17:32
Still, security by obscurity is not a concept worth promoting though. Just set up the services properly on the standard ports.

No, it's a trivial way to eliminate 99% of attacks, and give you a good chance of surviving next time there's a zero-day attack on SSH or whatever other protocol you're running on those ports.
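The disagreement running through this thread (Mike-Bracknell's "the vast majority of port scans hit known ports" against mixture's "they can easily sweep a whole range") is something a home user can settle from their own router logs. As an added example that is not code from anyone in the thread, the Python below parses the kernel log lines an iptables `LOG` rule writes for dropped inbound packets, builds a destination-port histogram, measures what fraction of drops land on well-known ports, and lists how many distinct ports each source touched (a long list is a range sweep, a single port is a service probe). The log lines, host name and addresses are constructed; the `WELL_KNOWN` set is an assumption, not a standard list.

```python
"""Added example (not from the thread): analyse constructed iptables DROP log
lines from a home router to see how much dropped inbound traffic targets
well-known ports and which sources sweep port ranges."""
import re
from collections import Counter, defaultdict

# Constructed kernel log lines in the shape an iptables LOG rule with prefix
# "DROP " produces (fields trimmed to the ones parsed). Addresses are
# documentation ranges; 198.51.100.77 stands in for the router's WAN side.
DROP_LOG = """\
Dec 30 10:00:01 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.77 LEN=40 TTL=52 PROTO=TCP SPT=44321 DPT=22 SYN
Dec 30 10:00:31 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.77 LEN=40 TTL=52 PROTO=TCP SPT=44322 DPT=22 SYN
Dec 30 10:01:05 gw kernel: DROP IN=ppp0 OUT= SRC=198.51.100.23 DST=198.51.100.77 LEN=40 TTL=48 PROTO=TCP SPT=60010 DPT=23 SYN
Dec 30 10:01:06 gw kernel: DROP IN=ppp0 OUT= SRC=198.51.100.23 DST=198.51.100.77 LEN=40 TTL=48 PROTO=TCP SPT=60011 DPT=23 SYN
Dec 30 10:02:10 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.77 LEN=40 TTL=55 PROTO=TCP SPT=51000 DPT=3389 SYN
Dec 30 10:02:10 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.77 LEN=40 TTL=55 PROTO=TCP SPT=51001 DPT=445 SYN
Dec 30 10:02:11 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.77 LEN=40 TTL=55 PROTO=TCP SPT=51002 DPT=22 SYN
Dec 30 10:03:00 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.200 DST=198.51.100.77 LEN=440 TTL=50 PROTO=UDP SPT=5060 DPT=5060 LEN=420
Dec 30 10:04:20 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.77 LEN=40 TTL=49 PROTO=TCP SPT=39001 DPT=81 SYN
Dec 30 10:04:21 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.77 LEN=40 TTL=49 PROTO=TCP SPT=39002 DPT=49237 SYN
"""

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

# Assumed set of "known" service ports for the fraction below; adjust to taste.
WELL_KNOWN = {21, 22, 23, 25, 80, 443, 445, 3389, 5060, 8080}


def parse_drops(text):
    """Return one dict per DROP line: source, protocol, destination port."""
    drops = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            drops.append({"src": m["src"], "proto": m["proto"], "dpt": int(m["dpt"])})
    return drops


def port_histogram(drops):
    """Counter of destination port -> number of dropped packets."""
    return Counter(d["dpt"] for d in drops)


def well_known_fraction(drops, well_known=WELL_KNOWN):
    """Share of dropped packets aimed at a port in `well_known` (0.0 if empty)."""
    if not drops:
        return 0.0
    return sum(1 for d in drops if d["dpt"] in well_known) / len(drops)


def ports_per_source(drops):
    """{source_ip: sorted distinct destination ports it touched}. Several
    ports from one source is a sweep; one port is a single-service probe."""
    seen = defaultdict(set)
    for d in drops:
        seen[d["src"]].add(d["dpt"])
    return {src: sorted(ports) for src, ports in seen.items()}


if __name__ == "__main__":
    drops = parse_drops(DROP_LOG)
    print("top ports:", port_histogram(drops).most_common(5))
    print("fraction on well-known ports: %.2f" % well_known_fraction(drops))
    for src, ports in ports_per_source(drops).items():
        print(src, "->", ports)
```

Feed it `journalctl -k` or `/var/log/kern.log` from a router that logs its drops and the ratio tells you whether moving a service off its standard port would actually have dodged the traffic you see, or only the single-port probes.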