BI http web server

Hound Dog 911

Hound Dog 911

Getting comfortable
Jan 30, 2017
835
320
All the security hoopla going around I decided to do some checking on my system. If I enable http Web Server under BI, I get a crazy amount [LAN access from remote] entries in my router log. Turn off http web browser and open up BI program (not the background process that is already running) and I get zero hits on my router log. Can someone explain that to me. I am slowly learning the security end and realize it is important I need to lock this down.

Thank you for any and all help.
 
I take that back. Whenever I have the BI program on I get all kinds of LAN access from remote entries regardless if http is enabled.
 
I think it was my fault. Default DMZ server was turned on. I think I closed all the loop holes. smh Gotta learn this security stuff!
 
Hound Dog 911 said:
I think it was my fault. Default DMZ server was turned on. I think I closed all the loop holes. smh Gotta learn this security stuff!
Click to expand...

yeah putting your NVR into a DMZ is suicide, you'll see it get wailed on all day and night until someone hacks it. If you plan to access BI remotely and do not want to get on vpn every time, install stunnel on the bi machine, then the traffic is SSL encrypted.
 
It's now turned off. No more crazy ip hits. Man are you right. It was crushed. It's so much faster now. I will have to look up how to install a stunnel. I'm learning. Slowly! But I'm still learning.
 
  • Like
Reactions: hmjgriffon
Hound Dog 911 said:
It's now turned off. No more crazy ip hits. Man are you right. It was crushed. It's so much faster now. I will have to look up how to install a stunnel. I'm learning. Slowly! But I'm still learning.
Click to expand...

it's very easy, install the software, stunnel: Downloads it will generate a cert during the install, then go to C:\Program Files (x86)\stunnel\config on the BI machine, open stunnel.conf, insert this text:

[Blue-Iris]
accept = 443
connect = 80
cert = C:\Program Files (x86)\stunnel\config\stunnel.pem

delete everything else under "Example TLS client mode services" that doesn't have a semi colon. you will probably have to kill stunnel to edit the config file then run it after you make changes. installing stunnel service is also nice.

in BI you have to go to settings, web server, check off "stunnel is installed for HTTPS on port" and make sure it says 443 and BI is running on 80, otherwise modify the stunnel config accordingly.
 
Hound Dog 911 said:
And the BI app for my Galaxy S7 will be able to remote view it?
Click to expand...

correct, just make sure the app is pointing to whatever your public IP is and whatever port you have forwarded, to port 443 on the BI machine. Yeah, forgot to mention make sure you port forward to 443 and not 80 once stunnel is up.
 
No beer. Just shine and Captain Morgan. I have a buddy that home brews. He has some great recipes.
 
not even needed just to connect to an NVR or Blue Iris, so long as they do https, it's like a VPN that only goes to one IP and port, lol. but yes, I do run openVPN and it's fairly easy, especially if you have a web gui to do all the heavy lifting, generating the certs and creating the config files.
 
  • Like
Reactions: Hound Dog 911
Is one better than the other. The router supports VPN but I got this from the app.
 

Attachments

  • 20170317_210027.png
    20170317_210027.png
    155.8 KB · Views: 13
this is why I say stunnel is a hell of a lot easier if all you need to do is connect to blue iris, full on VPN is overkill unless you need to be able to get to other machines and stuff remotely on your lan.
 
You must log in or register to reply here.
Top Bottom