This should by no means be considered an expert guide to web security; it is just a summary of my efforts to protect my own network, given my interest in building a web camera (mainly to watch cats). Here’s what I’ve learned.
It occurred to me that forwarding open ports to the Internet might pose a security issue.
I found the following steps offered some reassurance and were relatively simple.
Uncomplicated Firewall (UFW) allows ports to be closed on the device.
sudo apt install ufw
sudo ufw allow 22
#SSH, for control and configuration on the LAN. Note that this rule accepts
#connections from any source address; if the router ever forwards port 22,
#restrict it to your LAN instead, e.g. "sudo ufw allow from 192.168.1.0/24 to any port 22"
sudo ufw allow 5900
#VNC, best used through an SSH tunnel (ssh -L 5900:127.0.0.1:5900 pi@<pi address>)
sudo ufw allow 8081
#Motion live stream
sudo ufw allow 8080
#Motion web control, for camera configuration in a browser (optional)
#ufw denies all other incoming connections by default, so a port is reachable
#only if it has been explicitly allowed; an allowed port can be closed again
#with "sudo ufw deny <port>" or "sudo ufw delete allow <port>"
sudo ufw enable
sudo ufw status
Fail2ban blocks IP addresses that display suspicious activity, i.e., multiple
failed attempts to log in.
sudo apt install fail2ban
sudo nano /etc/fail2ban/jail.local
This creates a file whose settings supersede the defaults in jail.conf. The most
attacked ports will presumably be 22 (SSH) and 5900 (VNC).
Add the following to jail.local (the [sshd] section header is required; without
it fail2ban does not know which jail the settings belong to):
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = -1
This permanently bans any IP address that fails to log in three times (you can
modify maxretry and bantime). A permanent ban also locks you out if you mistype
your own password three times, so consider listing your LAN in ignoreip.
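To see what the sshd jail above actually does, here is the counting step of fail2ban run by hand over a few constructed auth.log lines. This is an added example, not code from the original post or from fail2ban; the log lines and addresses (from the TEST-NET documentation ranges) are made up for it, and it ignores fail2ban's findtime window.

```shell
#!/bin/sh
# Added example (not from the original post): tally "Failed password" lines
# per source IP, the way fail2ban's sshd filter does, and report the addresses
# that reach maxretry. The log lines below are constructed for this example.
SAMPLE_LOG='Mar  3 10:01:12 raspberrypi sshd[1201]: Failed password for root from 203.0.113.5 port 51021 ssh2
Mar  3 10:01:15 raspberrypi sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:19 raspberrypi sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Mar  3 10:02:40 raspberrypi sshd[1210]: Failed password for pi from 192.168.1.20 port 40210 ssh2
Mar  3 10:02:48 raspberrypi sshd[1210]: Accepted password for pi from 192.168.1.20 port 40210 ssh2
Mar  3 10:03:01 raspberrypi sshd[1215]: Failed password for root from 198.51.100.7 port 33001 ssh2
Mar  3 10:03:05 raspberrypi sshd[1215]: Failed password for root from 198.51.100.7 port 33002 ssh2'

# ban_candidates MAXRETRY  (reads log lines on stdin)
# Prints every source IP whose number of failed password attempts reaches
# MAXRETRY, one per line, most failures first. Successful logins ("Accepted
# password") are not counted. fail2ban additionally requires the failures to
# fall within findtime, which this example does not model.
ban_candidates() {
    maxretry="$1"
    grep 'sshd\[[0-9]*\]: Failed password for ' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk -v max="$maxretry" '$1 >= max { print $2 }'
}

# Usage: with maxretry = 3 only 203.0.113.5 is reported; the LAN host that
# mistyped once and the host with two failures are left alone.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3
```

Run it against the real file with `sudo ban_candidates 3 < /var/log/auth.log` (after sourcing the script) to see which addresses the jail would have banned on your own machine.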
Configure VNC and Motion
I’m not aware of any way to use fail2ban to ban failed VNC login attempts
(or failed attempts on 8080 and 8081), but you can configure VNC to accept only localhost logins (do this with the “Options -> Expert” menu by setting “localhost” to “True” in the RealVNC VNC Server). Presumably 8081 (camera stream) and 8080 (camera control) can be made less vulnerable by requiring a strong password
for access, which can be set in the /etc/motion/motion.conf file.
sudo nano /etc/motion/motion.conf
Look for the “Live Stream Server” section. Set up these options:
# The mini-http server listens to this port for requests (default: 0 = disabled)
# Quality of the jpeg (in percent) images produced (default: 50)
# Output frames at 1 fps when no motion is detected and increase to the
# rate given by stream_maxrate when motion is detected (default: off)
# Maximum framerate for stream streams (default: 1)
# Restrict stream connections to localhost only (default: on)
# Limits the number of images per connection (default: 0 = unlimited)
# Number can be defined by multiplying actual stream rate by desired number of seconds
# Actual stream rate is the smallest of the numbers framerate and stream_maxrate
# Set the authentication method (default: 0)
# 0 = disabled
# 1 = Basic authentication
# 2 = MD5 digest (the safer authentication)
# Authentication for the stream. Syntax username:password
# Default: not defined (Disabled)
Similarly, look for “HTTP Based Control”, and set the following options:
# TCP/IP port for the http server to listen on (default: 0 = disabled)
# Restrict control connections to localhost only (default: on)
# Output for http server, select off to choose raw text plain (default: on)
# Authentication for the http based control. Syntax username:password
# Default: not defined (Disabled)
This ensures that a) the web control page (port 8080) can only be reached from
the host device itself, and b) a username:password pair is required to actually
access the video stream. Setting the authentication method to 2 makes Motion use
HTTP digest authentication, which sends an MD5 hash instead of the password
itself; MD5 is considered weak, but Basic authentication (method 1) sends the
password merely base64-encoded, readable by anyone on the path, so digest is the
better of the two. Neither method encrypts the stream itself, and a strong,
unique password matters more than the choice between them.
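Because the option lines in motion.conf are easy to leave at their defaults, here is a small check for the settings discussed in the two sections above. This is an added example, not code from the original post or from the Motion project; it assumes the option names of Motion 4.x (stream_localhost, stream_auth_method, stream_authentication, webcontrol_localhost, webcontrol_authentication), so compare them against your own motion.conf if you run a different version. The weak and hardened configs are constructed for the example; the passwords in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit a motion.conf for the
# stream and web control hardening described above. Option names assume
# Motion 4.x. Both sample configs below are constructed for this example.
WEAK_CONF='stream_port 8081
stream_localhost off
stream_auth_method 0
webcontrol_port 8080
webcontrol_localhost off'

HARDENED_CONF='stream_port 8081
stream_localhost off
stream_auth_method 2
stream_authentication cam:correct-horse-battery-staple
webcontrol_port 8080
webcontrol_localhost on
webcontrol_authentication cam:another-long-passphrase'

# conf_get FILE KEY: value of the last uncommented "KEY value" line, or empty
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" | tail -n 1
}

# audit_motion_conf FILE: one finding per line; prints nothing when the
# stream is authenticated with digest auth and web control is local-only.
audit_motion_conf() {
    f="$1"
    if [ "$(conf_get "$f" stream_localhost)" = off ]; then
        case "$(conf_get "$f" stream_auth_method)" in
            1) echo "stream: basic auth sends the password base64-encoded in clear; set stream_auth_method 2" ;;
            2) [ -n "$(conf_get "$f" stream_authentication)" ] \
                   || echo "stream: stream_authentication (username:password) is not set" ;;
            *) echo "stream: reachable from the network with no authentication" ;;
        esac
    fi
    if [ "$(conf_get "$f" webcontrol_localhost)" = off ]; then
        echo "webcontrol: reachable from the network; set webcontrol_localhost on"
        [ -n "$(conf_get "$f" webcontrol_authentication)" ] \
            || echo "webcontrol: webcontrol_authentication is not set"
    fi
}

# Usage: write both samples to a temp directory and audit them; the weak
# config yields three findings, the hardened one none.
tmp=$(mktemp -d)
printf '%s\n' "$WEAK_CONF" > "$tmp/weak.conf"
printf '%s\n' "$HARDENED_CONF" > "$tmp/hardened.conf"
audit_motion_conf "$tmp/weak.conf"
audit_motion_conf "$tmp/hardened.conf"
```

Run `audit_motion_conf /etc/motion/motion.conf` against the live file after editing it; an empty result means the stream and web control match the settings described above. Restart Motion afterwards, since it only reads the file at startup.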
So, there you are. All RasPi ports except for 22, 5900, 8081 and 8080 are closed by ufw; fail2ban scans attempts to log in to the SSH server (which shouldn’t be accessible anyway, except over the LAN), VNC is disabled for everything except VNC tunneling through SSH, and the router only forwards 8081 to the web. Stream and webcontrol pages are password protected.
That’s as tight as I could get it with my limited knowledge of network security,
but it seems much better than a wide open server.
In addition to protecting my camera server, I used UFW to lock all the ports on my laptop, as well as Fail2Ban to protect against hacking on port 22 (SSH). It’s also a good idea to use strong passwords.
See this reference for a more complete discussion of the security considerations for a RasPi camera server: