What settings to prevent any access to/from internet.

longedge
Site Admin
Posts: 591
Joined: Fri Mar 31, 2017 9:34 am

What settings to prevent any access to/from internet.

Post by longedge »

I'm just in the process of cleaning up after my router was hacked. After investigation with Netscan and Wireshark I'm fairly sure the 'infection' was via one of my IP2M-841B cameras. For now I've disconnected them both and I'm going to factory reset them. When I set them up again I want them to have absolutely no access at all to the internet either inward or outbound.

Is this possible and if so what's the best way to achieve it?
My AMCREST Cameras:-
2 x IP3M-941B firmware V2.620.00AC00.3.R, Build Date: 2019-12-18
1 x IP2M-841B firmware V2.420.AC00.18.R, Build Date: 2019-08-03
longedge
Site Admin
Posts: 591
Joined: Fri Mar 31, 2017 9:34 am

Re: What settings to prevent any access to/from internet.

Post by longedge »

The 'clean up' has meant having to replace my router. Despite multiple factory resets, whatever had 'infected' it clung on and started up again as soon as I enabled wifi. I'm not going to connect my 2 x cameras again because I can't afford to run the risk of having another router trashed!
bucktownbell
Posts: 17
Joined: Mon Mar 06, 2017 3:29 am

Re: What settings to prevent any access to/from internet.

Post by bucktownbell »

Set the cameras on static IPs outside the range of the DHCP IPs your router provides. Set the Gateway address to an IP that is not your router. Your cameras can't find the Internet. These cameras are rather chatty but I haven't seen anything from them that could compromise a router.
longedge
Site Admin
Posts: 591
Joined: Fri Mar 31, 2017 9:34 am

Re: What settings to prevent any access to/from internet.

Post by longedge »

The first bit is already covered. My new router allocates 192.168.1.64 - 253 and the cameras are at 192.168.1.12 & 16. I'll connect one of them later today to see what happens. I'm thinking that just for extra safety I'll delete the DYNDNS settings as well. One flaw I see in this is the network discovery packets that are sent out when an unknown device is addressed, unfortunately my knowledge isn't up to the required level :) .

The new router is set not to respond to pings and it's amazing how many blocked attempts I'm seeing from China, Russia, Brazil. Probably been going on a long time but my recent experiences have just made me more aware and security conscious.
longedge
Site Admin
Posts: 591
Joined: Fri Mar 31, 2017 9:34 am

Re: What settings to prevent any access to/from internet.

Post by longedge »

Connected the main camera with static IP 192.168.1.12. Wifi not enabled. Gateway and both DNS servers set to non-existent IPs on my network. DDNS not enabled. UPnP, SNMP and Multicast all disabled.

A scan with Nmap of 192.168.1.12 shows open ports 554, 80, 5000 and 49152 with services running on each port. I think this is normal.

After a scan with Netscan I found the camera has also 'grabbed' another IP 192.168.1.13 to which it responds. An Nmap scan of this second IP shows the same results as the first.

I normally use IExplore with weblive plugin with no problems but if I try connecting to the second IP I get a normal login challenge but then it continuously fails with the message to install the plugin.

I can connect to 192.168.1.13 with IPConfig apparently normally but then in the settings there it shows that it is at 192.168.1.12 ???
My AMCREST Cameras:-
2 x IP3M-941B firmware V2.620.00AC00.3.R, Build Date: 2019-12-18
1 x IP2M-841B firmware V2.420.AC00.18.R, Build Date: 2019-08-03
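
An added example, not part of any post in this thread: one way to turn the scan described above into a repeatable check. It parses `nmap -oG` (grepable) output and `ip neigh` output, then flags hosts missing from a baseline, unexpected open ports, addresses inside the DHCP pool, and one MAC answering on several IPs. The sample inputs are constructed: the IPs, ports and DHCP range are those quoted in the thread, while the MAC addresses, the router at 192.168.1.1 and the assumption that both camera IPs share one MAC are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data: addresses and ports are the ones quoted in the
# thread; the MAC addresses and the router at 192.168.1.1 are made up.
NMAP_GREPABLE = """\
Host: 192.168.1.12 ()\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///, 5000/open/tcp//upnp///, 49152/open/tcp//unknown///
Host: 192.168.1.13 ()\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///, 5000/open/tcp//upnp///, 49152/open/tcp//unknown///
"""
IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.168.1.12 dev eth0 lladdr 00:00:5e:00:53:aa REACHABLE
192.168.1.13 dev eth0 lladdr 00:00:5e:00:53:aa STALE
"""
BASELINE = {"192.168.1.12": {80, 554, 5000, 49152}}  # expected host -> open TCP ports
DHCP_POOL = (ipaddress.ip_address("192.168.1.64"), ipaddress.ip_address("192.168.1.253"))

def open_ports(grepable):
    """Map each host in `nmap -oG` output to its set of open TCP ports."""
    hosts = {}
    for line in grepable.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*)", line)
        if m:
            fields = [p.split("/") for p in m.group(2).split(", ")]
            hosts[m.group(1)] = {int(f[0]) for f in fields if f[1:3] == ["open", "tcp"]}
    return hosts

def macs_with_multiple_ips(neigh):
    """Group `ip neigh` entries by MAC and return those seen on more than one IP."""
    by_mac = defaultdict(set)
    for line in neigh.splitlines():
        m = re.match(r"(\S+) dev \S+ lladdr (\S+)", line)
        if m:
            by_mac[m.group(2)].add(m.group(1))
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def audit(grepable, neigh):
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []
    for host, ports in open_ports(grepable).items():
        if host not in BASELINE:
            findings.append(f"{host}: not in inventory, open ports {sorted(ports)}")
        elif ports - BASELINE[host]:
            findings.append(f"{host}: unexpected ports {sorted(ports - BASELINE[host])}")
        if DHCP_POOL[0] <= ipaddress.ip_address(host) <= DHCP_POOL[1]:
            findings.append(f"{host}: inside the DHCP pool")
    for mac, ips in macs_with_multiple_ips(neigh).items():
        findings.append(f"{mac}: answers on {ips}")
    return findings
```

Calling `audit(NMAP_GREPABLE, IP_NEIGH)` on the sample reports the second address 192.168.1.13 as missing from the inventory and the shared MAC as answering on two IPs.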
savvy2
Posts: 12
Joined: Sun Jan 14, 2018 7:26 am

Re: What settings to prevent any access to/from internet.

Post by savvy2 »

I'm a long-time owner of these cams, 3-5 years.
Attacked how? (pw, "1244"?) Or? You never said. Sorry it happened!!!
Running an open camera guest account?
Mine are wired only, wifi turned off, antennas pulled; after all, KRACK is real.
Many router makers ended support, so no KRACK patches ever. Oops, get a new one that is patched.

Thanks so much for doing scans and naming ports; the manuals of these cams are useless for sure (no spec, no details in their books).

The firewall in your router is all you need to protect the WAN side from the outside. Why are you worried here?
(Wifi? Is that it? You never said what connections you have.)
We have wifi here, but it is only for cell phone backup (to keep texting working for emergencies).
All else here is wired giga-LAN ethernet, on purpose.



Try getting a CISCO RV320 router and leave the home toy routers in the dust.
(I have 5 sitting in my attic junk box; one is new, but zero support from D-Link!)
Learn that all routers are buggy, for sure newer home routers, or ones 3 years old that have 20 updates.
For sure scan it to prove it is OK!! Way to go.
Router makers:
they fix one bug and create 3 more, for sure with VPN so-called fixes or, worse, updates (added features).
The wifi MAC + IP (DHCP-assigned IP) are not the same as the wired ethernet LAN IP + MAC.
Consider it 2 networks, as it is (as you learned). When you convert from wifi to ethernet
you see all the static or reserved IPs are all now useless, for the above reasons (wifi dead now).
That means, if really paranoid, block the wifi MAC for that camera in the router, as I HAVE.
That kills that wifi MAC address dead as a doornail (antenna unscrewed).

If you are not using camera alarms to email alarm photos, then there will be no camera-to-internet traffic to the WAN.
But you could run a home email server on the LAN side and use that, but email in the camera is a big danger for sure.

I can see if you do remote scans, are you? Do not scan from home to the WAN then back into your home;
this does not work unless you set up a hairpin mode inside the router.
Or go visit a friend's home and scan from there? Or from the public library (omg Sir, you can't run code here?).

That means run from web services called port scanners to your home; only these work, and this is the only accurate test
of your router. (Sure, monitoring what the camera does inside is good, and thanks very much for the non-80 ports you reported.) Here I will not tell other secrets not told by others.
Browsers:
Most new browsers block all raw IPs (missing real DNS names); the excuse is "banning the dark net." Cute!
As do some ISPs (my ISP blocks most ports, for sure 80, but not 86, 88, 89; it took hard work to prove that).
I called my ISP and they said it's a secret, this (waxing all security, yada yada).
Most new browsers also block ports in many ways, above 1024 or even below (test it, see that).
I found Firefox V20 (old) and portable (cool) works perfectly, but FF V56 is NO GOOD. V20 is super good for configuring many TCP/IP devices.
I found the newest SeaMonkey (Mozilla) 2.49 works perfectly,
not IE (IE11 is the last IE, and other versions are banned on the internet, every day more are),
NOT Chrome (it uses IE settings, so no surprise there; if IE fails, expect Chrome to fail too),
not Edge. Hopeless junk.

The weblive plugin fails in new Firefox here (began at v49 or so...????),
but do know the plugin is not the same in each camera; there are many versions. Mine are 1 to 3 years old and all fail,
but not in FF version 20. If you do the firmware update (did you? you should), it updates that weblive plugin.
I see vast posts online of folks saying the camera is bad, and that old works and new does not.
It's not the camera, it's YOUR BROWSER for sure (but the plugin may be blocked in the browsers).
The newest Firefox is even killing off all plugins and only allowing true extensions, for, yes, security.
All this is problematic (for sure to basic home users), IMO.


Know that I'm in your boat, and we are wondering why AMCREST can't publish a document on communications.
The camera is known to use 2 IP ports (LAN + wifi)
and uses TCP and uses UDP to stream video using JavaScript (JS).

But there is no spec for this in print (that I can find; hope I'm wrong, sure).

And many routers' firewalls do not allow cams to talk at all, to any LAN or WAN, unless all ports not in the book
are open!!! (The better your firewall (Cisco), the more you discover this fact.)
On mine I can block MACs! I can shut down router ports or ban ranges of MACs.


The only issue here is the lack of a simple Amcrest spec,
like this:
port #, TCP or UDP (or both), protocol, usage reasons, all. And incoming or outgoing, or both?
A simple table, missing, and a big-time pain.



Thanks very much for your port report. It got me busy doing more scans inside,
not just outside.
Simple:
http://www.canyouseeme.org/


Advanced mode: the more advanced scans do a stealth scan called SYNC.
Nmap remote scans are better! Note I said REMOTE, from them to your home (business).

The best firewall is 100% invisible and won't ping (wifi is not it, ever, even with broadcast turned off).
Make it so, and test it! Remotely.

The only real danger in the camera (with no wifi)
is if logins happen on the web and someone attempts to blow up buffers; the code inside is ROM.
But sadly if they get admin login (use 12-char passwords that use no words, only random chars),
worse:
if you get admin you can change the binaries with xzyz.bin and flash in alien code, a very dangerous thing.
A good cam would not even allow that.
It would dictate wired ethernet and a ROM burn (flash EEPROM it is) to burn a new ROM. Only this is safe.

Did you allow admin from the web side?
Or a pw like "bob jones" or worse?
Best is to use LastPass and click generate secure password! A win.

One other bad thing on many devices is not having 2 things:
1 pw allowed every 10 seconds (a silly simple delay, child's play to do in code).
This slows pw hackers way down, but a 4-digit pw is hopeless here (1235, or "password" as a password?),
and the strike-3 trick: guessed wrong 3 times, goes to sleep for 15 min? Or as you want!!!
My son's a white hat hacker (@ major bank).
Too bad we don't have folks like that testing this camera (with wifi off, and what are the dangers of the Guest account from the web side?).
And for sure the admin account is rad hard, pw impossible to guess in, say, 10 years, at 15 min a loop.

One more security hole: turn off FTP in the camera, do not use it, nor have FTP ports open to your HOME.
The silly page there has no disable box; you must put nulls in each line there, then it will be dead.
If you must FTP, then use a VPN tunnel.


Do you run this? Did you?
https://nmap.org/zenmap/

Sorry for the long post, but you seem very active in complex security (a lifetime learning subject).
Last edited by savvy2 on Sun Jan 14, 2018 10:52 am, edited 1 time in total.
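
An added example, not part of the post above and not Amcrest firmware code: a sketch of the two login controls the post describes, one password check per 10 seconds and a 15-minute sleep after 3 wrong guesses, with a simulation of how many guesses actually get checked per day. The class name, the per-account keying and the injectable clock are assumptions made for the example.

```python
import time

MIN_INTERVAL = 10      # seconds between evaluated attempts (figure from the post)
MAX_STRIKES = 3        # wrong guesses before the account sleeps (from the post)
LOCKOUT = 15 * 60      # sleep length in seconds (from the post)

class LoginThrottle:
    """Per-account limiter (hypothetical). `clock` is injectable for testing."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}    # account -> (last_attempt, strikes, locked_until)

    def attempt(self, account, check):
        """`check` is a zero-argument callable that verifies the password.
        It is only called when the throttle allows an attempt."""
        now = self.clock()
        last, strikes, locked_until = self.state.get(account, (None, 0, 0))
        if now < locked_until:
            return "locked"
        if last is not None and now - last < MIN_INTERVAL:
            return "too_soon"
        if check():
            self.state[account] = (now, 0, 0)
            return "ok"
        strikes += 1
        if strikes >= MAX_STRIKES:
            self.state[account] = (now, 0, now + LOCKOUT)
            return "locked"
        self.state[account] = (now, strikes, 0)
        return "denied"

def guesses_evaluated(duration, step=1):
    """Simulate a client submitting a wrong password every `step` seconds
    for `duration` seconds; return how many guesses were actually checked."""
    t, checked = [0], [0]
    throttle = LoginThrottle(clock=lambda: t[0])
    def wrong():
        checked[0] += 1
        return False
    while t[0] < duration:
        throttle.attempt("admin", wrong)
        t[0] += step
    return checked[0]

if __name__ == "__main__":
    print(guesses_evaluated(24 * 3600), "guesses checked per day")
```

A per-account lockout like this also lets anyone who knows the account name keep the real owner locked out, so it is usually combined with per-source limits.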
savvy2
Posts: 12
Joined: Sun Jan 14, 2018 7:26 am

Re: What settings to prevent any access to/from internet.

Post by savvy2 »

Topic 2 (not ports):
The internet attacks are endless, been so for years, and worse, BOTNETs (do not become a home for these).
Did you know a 2001 virgin CD load of XP with no HW firewall gets infected as it installs?
Never run PCs lacking a hardware firewall,
nor one on each PC (now it is 2-tier protected).

It does nothing at all if you read email attachments or click links in same,
nor clicking any web site pages with bad scripts or exe or other binaries, aka drive-by attacks, like ransomware.

I run some forums,
and we had to block 4 countries (you just named 2 of the 4), blocked at the lowest levels of OSI.
savvy2
Posts: 12
Joined: Sun Jan 14, 2018 7:26 am

Re: What settings to prevent any access to/from internet.

Post by savvy2 »

Discovered open port 443/tcp on

Discovered open port 88/tcp on

Discovered open port 888/tcp on
end. tcp scans
Last edited by savvy2 on Sun Jan 14, 2018 10:24 am, edited 1 time in total.
savvy2
Posts: 12
Joined: Sun Jan 14, 2018 7:26 am

Re: What settings to prevent any access to/from internet.

Post by savvy2 »

deep zen nmap deep scans show
4444/udp open|filtered krb524

10000/udp open|filtered ndmp

18485/udp open|filtered unknown

20217/udp open|filtered unknown

23679/udp open|filtered unknown

28122/udp open|filtered unknown

36108/udp open|filtered unknown

51972/udp open|filtered unknown

52503/udp open|filtered unknown

wow.
savvy2
Posts: 12
Joined: Sun Jan 14, 2018 7:26 am

Re: What settings to prevent any access to/from internet.

Post by savvy2 »

All on 1
FI-9805P external IP cam (with newly flashed firmware!), Nov 2017 latest (Amcrest (Foscam)).