Server Cyber Protection

Most home routers have a built-in firewall that is enabled out of the box. Leaving that on and making sure not to use default passwords on anything is typically enough to avoid trouble.

Thanks for the replies everyone. I am running a Linksys Velop system, so it sounds like I am in good shape.

The firewall does nothing once you've made a hole through it to your DVR service on port 8089. I'm looking for more details on the service as well. Having a port open to the world is bad design. I can use intrusion prevention services to block known bad IP space inbound, but it's still bad design. Never mind the myriad of service providers that either don't allow or upcharge for a public IP address you can use to get back to your device.

Does anyone have details on how the port 8089 access is designed and implemented?

I believe it's an OAuth token, which is why remote access requires authenticating with Channels' servers first.

Thanks,

Yes, I get that, but that doesn't stop someone from poking at port 8089 to find a buffer overflow bug, or some other issue that gives them elevated access or other abilities to disrupt or crash my services.

Is there a published doc somewhere I haven't found that outlines the design of the service?

Assuming it is OAuth, then yes there is.

If you are asking the developers to give you the architectural design of the DVR server, and its code to analyze yourself for errors or vulnerabilities, then I don't think you will get that information.

Thanks again, I'm familiar with OAuth. It's the non-OAuth traffic I'm concerned with. Sounds like I'll just have to stand up a test server and start beating on it and see what I find.

Taking a different approach, does the app work over VPN without requiring port 8089 open to the public internet? I.e., can I VPN into my network, then use the app?

You may have some issues with accessing HDHR tuners directly in that manner, but if you were to enable tuner sharing in the client, or just use the server's web interface, it shouldn't be a problem.


Thanks my friend. I'll do some experimenting and see what works best for me.

Any internet service can be disrupted if someone is willing to put in enough time and resources. But security measures are put in place to make things more difficult for a malicious intruder. Why is someone so interested in your DVR on port 8089?

They're interested because it's a web service that is open to the world via https. I can see in my IDS/IPS logs, mostly foreign countries making 1000s of attempts a day against the open port 8089. It doesn't help that the default Splunk management port is 8089. Splunk is an enterprise class log collection tool. Gold mine if you can break into it and get to the data. It's also the email rules port on a variety of Mac OSX server versions.

I can also see it supports TLS v1, v1.1 and v1.2. TLS v1 is no longer considered secure; the Payment Card Industry removed approval for use in June 2018. Here we sit almost 2020 and ChannelsDVR is still using it. TLS v1.1 also has known security vulnerabilities and is recommended to be disabled.

So, when folks are running this on their server, desktop or NAS, we have a risk with the security of the system and service using a port open for the world to brute force attack for eternity. Escape out of the service via some exploit and get access to the local system, hard disk storage or maybe jump to the remainder of the network. Without testing and review no one can be sure what vulnerabilities exist.

I can likely craft fancy firewall rules to limit access once I understand the data flows, which would mitigate some of this risk, but better documentation around what the service should be doing, what security protocols are in place, and other details would be helpful.

Thanks
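An added example, not part of the original post and not Channels DVR code: one way to audit which of the TLS versions named above your own server on port 8089 still accepts, by pinning each handshake to a single version. The host argument and the `probe`/`assess` names are assumptions of this sketch.

```python
import socket
import ssl
import sys

# TLS versions the post above reports seeing on port 8089.
VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}
DEPRECATED = {"TLSv1", "TLSv1.1"}


def probe(host, port, name, timeout=5.0):
    """True if the server completes a handshake pinned to one TLS version,
    False if the handshake is rejected, None if inconclusive (unreachable,
    reset, or this client's OpenSSL cannot offer that version)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # auditing protocol support only,
    ctx.verify_mode = ssl.CERT_NONE   # not certificate validity
    try:
        # Many OpenSSL builds block TLS 1.0/1.1 at the default security level.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
    except (ValueError, ssl.SSLError):
        return None                   # a client limitation, not a server result
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == name
    except ssl.SSLError:
        return False                  # server refused this version
    except OSError:
        return None                   # refused, timed out or reset


def assess(results):
    """Turn {version: True/False/None} into a list of findings."""
    findings = []
    for name, state in results.items():
        if state is None:
            findings.append(f"{name}: inconclusive, retest from another client")
        elif state and name in DEPRECATED:
            findings.append(f"{name}: accepted (deprecated)")
    return findings


if __name__ == "__main__":
    host = sys.argv[1]                # assumption: address of your own server
    results = {name: probe(host, 8089, name) for name in VERSIONS}
    print(results, assess(results))
```

A `None` result means the client could not test that version, so it should not be read as the server having it disabled.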

I think you are a bit paranoid. The service is Channels DVR. I have access logs too, but don't have 1000s of attempts on port 8089 every day. That's crazy. I think something is wrong with your network or you are misidentifying the IPs. I do have a separate auth on my Channels DVR, though.

Maybe you should consider changing the "external" port and forward that to 8089?

I don't think he's paranoid. Yes, OAuth tokens protect us from unauthorized access but I also like to minimize my attack surface with as few ports open as possible.

Have you ever queried your IP address against Shodan? Hackers use this to target servers with open ports. It'll show even port 8089. Enter your IP address to see what I mean:
https://www.shodan.io/

For example, here's a list of servers with 8089 open running the Channels DVR service:
https://www.shodan.io/search?query=channels+dvr

Those of us that also run Plex servers face the same concern.


I am unsure what the relevance of 8089 is. If Channels DVR is listening on 8089, the DVR is the only service that can be connected to.

What port would you rather use?

Install a better firewall if you are that worried, run something like the Unifi Dream Machine and enable IPS and disable all access from foreign IPs.

Well, icsfsedod is correct. You may think of it as "only a DVR", but if compromised, everything on your network can be compromised. That said, anything exposed to the Internet should be locked down as much as possible, but still no guarantee.


Add to that Channels DVR runs as root on some installations, so compromising a server as root, not good...
(That's why I don't allow Channels DVR Remote Access)


If you're that paranoid you're already running your pertinent servers as non-root users in a single purpose container with only the single port opened. You are also probably maintaining your firewall to ensure only the necessary ports are open, and are probably running some sort of DPI and maybe something akin to fail2ban on your packet filter to maintain your blacklist, right?
