How to secure Wansview IP camera

Forums › Home Workshop DIY › How to secure Wansview IP camera

timmmay

20859 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#243437 11-Dec-2018 21:10

I got a Wansview K3 IP camera, for use while we're at home, with no need for remote viewing. How do I make sure it's secure and not available on the internet?

I've changed the username and password already. I'll update the firmware. I've given it a static private IP on my network. Is there anything I should do on my router to block it from accessing the internet? I have a Fritzbox 7390.

Remote viewing

It might be handy in future to be able to get alerted if there's motion or something, and check it remotely. Is there a way to do that relatively securely without messing about with VPNs?

Jase2985

13735 posts

Uber Geek
+1 received by user: 6212

ID Verified

Lifetime subscriber

#2143643 11-Dec-2018 21:40

use something like teamviewer to access local computer to view the camera.

make sure any upnp is turned off on the camera so it cant open ports on your router

nzkc

1634 posts

Uber Geek
+1 received by user: 1041

#2143652 11-Dec-2018 22:03

Since you have a Fritzbox 7390 I'd add it to the "Blocked" access profile. To do that:

Go to the Home Network → Home Network Overview tab on the left.
Under the All Devices tab. Find the device/IP of your camera.
Click on the Details link for that device
Scroll down to the bottom of the page and set the Parental Controls for it to the Blocked profile.

I know you said you didnt want to mess with VPNs, but to be honest thats exactly what I would do to set it up. Its pretty easy and there are plenty of tutorials on the web.

I used to use https://www.dataplicity.com/ to connect to my Pi remotely (and IIRC you have a Pi), but since I set it up as a VPN server I use that instead. All done with SSH keys too. I found "Dataplicity" from this page: https://www.raspberrypi.org/documentation/remote-access/access-over-Internet/README.md and I mention it because it has some other alternatives.

Another way you might be able to access it is to do something like set up an Nginx reverse proxy with authentication done by Nginx. Something like: https://github.com/bitly/oauth2_proxy

richms

29104 posts

Uber Geek
+1 received by user: 10219

Trusted

Lifetime subscriber

#2143694 11-Dec-2018 22:47

The cloud notifications mean that it needs to be able to get to the internet, so you cant have that if you dont let them see the internet.

I only have my cloud cameras outside where I am not that worried if they get viewed by someone else.

Richard rich.ms

timmmay

20859 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#2143751 12-Dec-2018 07:28

Jase2985:

use something like teamviewer to access local computer to view the camera.

make sure any upnp is turned off on the camera so it cant open ports on your router

TeamViewer from a phone kinda sucks.

richms:

The cloud notifications mean that it needs to be able to get to the internet, so you cant have that if you dont let them see the internet.

I only have my cloud cameras outside where I am not that worried if they get viewed by someone else.

I didn't know it did notifications. I bought it for interactive use, if it has features that do alerting without running an app on my phone 24/7 killing my battery I'll look at that.

nzkc:

Since you have a Fritzbox 7390 I'd add it to the "Blocked" access profile. To do that:

Go to the Home Network → Home Network Overview tab on the left.
Under the All Devices tab. Find the device/IP of your camera.
Click on the Details link for that device
Scroll down to the bottom of the page and set the Parental Controls for it to the Blocked profile.

I know you said you didnt want to mess with VPNs, but to be honest thats exactly what I would do to set it up. Its pretty easy and there are plenty of tutorials on the web.

I used to use https://www.dataplicity.com/ to connect to my Pi remotely (and IIRC you have a Pi), but since I set it up as a VPN server I use that instead. All done with SSH keys too. I found "Dataplicity" from this page: https://www.raspberrypi.org/documentation/remote-access/access-over-Internet/README.md and I mention it because it has some other alternatives.

Another way you might be able to access it is to do something like set up an Nginx reverse proxy with authentication done by Nginx. Something like: https://github.com/bitly/oauth2_proxy

The blocking profile sounds good, thanks.

I could set up a VPN into my network, but then I'd need a VPN client on my computer. I think the camera may have some cloud features, so if I ever want to use it as a security camera while I'm away I guess it'd be best to use those rather than roll my own.

rscole86

4999 posts

Uber Geek
+1 received by user: 462

Moderator

Trusted

Lifetime subscriber

#2143755 12-Dec-2018 07:41

If it doesn't need internet access can you remove the gateway details from it?

As far as push notifications the device will need internet access or you'll need another device to do the monitoring for you. Eg Raspberry pi with Motioneye or you could look at Zoneminder or Blue Iris for a windows based solution.
If the camera doesn't have its own app you could see if the android app Tinycam supports your camera for live viewing the steam, but you would need a VPN to do this securely. Eg pivpn for remote access on a raspberry pi.

I've only used motioneye with a webcam in the past. Currently have 'push' notifications of stills via email, but if I want to watch any recordings I VPN in, using pivpn that is also my pihole.

timmmay

20859 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#2143758 12-Dec-2018 07:48

When I changed the camera IP address, the web UI required a gateway and DNS servers otherwise you can't save the IP details. Otherwise removing the gateway could work.

I don't need push notifications initially, I just want to run Tinycam (which supports it) or the Wansview app and see what's happening. When I do need motion sensing and notifications Motioneye looks good, and maybe I can run it on the same Pi as I use for PiHole... though maybe I need a newer one rather than the original one core 512MB RAM version.

Geekzone

Want to support Geekzone and browse the site without the ads? Subscribe to Geekzone now (monthly, annual and lifetime options).

rscole86

4999 posts

Uber Geek
+1 received by user: 462

Moderator

Trusted

Lifetime subscriber

#2143761 12-Dec-2018 07:56

IIRC I was using a dedicated rpi2 with MotioneyeOS and a 720p webcam as the feed, I cannot remember what the performance was like sorry. Also I was monitoring 24/7, but only recording stills based on motion detection onto the SD card.

cyril7

9075 posts

Uber Geek
+1 received by user: 2499

ID Verified

Trusted

Subscriber

#2143790 12-Dec-2018 08:20

For remote access, If you want to avoid using or setting up the complexity of a VPN, why not use a poor mans VPN, ie SSH tunnel, its what I normally use for accessing my home and many of my client networks. If you want access to it from anywhere but dont want to expose your home IP you could jump it off a machine in AWS, and lock your home IP down to that AWS intance

Cyril

timmmay

20859 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#2143796 12-Dec-2018 08:29

cyril7:

For remote access, If you want to avoid using or setting up the complexity of a VPN, why not use a poor mans VPN, ie SSH tunnel, its what I normally use for accessing my home and many of my client networks. If you want access to it from anywhere but dont want to expose your home IP you could jump it off a machine in AWS, and lock your home IP down to that AWS intance

Can you tell me a bit more about the SSH tunnel approach compared with a VPN please?

cyril7

9075 posts

Uber Geek
+1 received by user: 2499

ID Verified

Trusted

Subscriber

#2143800 12-Dec-2018 08:33

Hi, all you need is SSH access into your home network, this requires exposing SSH, but you can mitigate that exposure via changing the port and adding something like fail2ban to stop/mitigate brute force. Then once you have SSH'd in you can add local port forwards to resources within the network and access them, pretty standard process as shown by TCP forwarding below. You may find it easier to use Putty to do this as you can easily confiigure multiple forwards and save making up bash scripts

https://man.openbsd.org/ssh.1#TCP_FORWARDING

Cyril

Spyware

3818 posts

Uber Geek
+1 received by user: 1366

Lifetime subscriber

#2143806 12-Dec-2018 08:45

https://blog.devolutions.net/2017/4/how-to-configure-an-ssh-tunnel-on-putty

HP

Shop now for HP laptops and other devices (affiliate link).

mdf

3566 posts

Uber Geek
+1 received by user: 1519

Trusted

#2144073 12-Dec-2018 13:08

I need to do something similar in the near future. I've been reading about using a reverse proxy (traefik, which I've been playing with for another project) as an alternative to a VPN or SSH tunnel.

This writeup is pretty comprehensive, but makes a few statements that I was't quite ready to take on face value:

 You do not have to expose or forward ports on your router. Exposing ports to the internet can be security risk if the app is not sufficiently protected or has a security flaw.
Reverse proxies also can make implementing HTTP access authentication easy, thereby adding a layer of security.

timmmay

20859 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#2144076 12-Dec-2018 13:11

I think I might just use their cloud service, I don't really want to open up my home network. Thanks for the ideas though guys.

surfisup1000

5288 posts

Uber Geek
+1 received by user: 2159

#2144138 12-Dec-2018 13:58

timmmay:

I got a Wansview K3 IP camera, for use while we're at home, with no need for remote viewing. How do I make sure it's secure and not available on the internet?

I've changed the username and password already. I'll update the firmware. I've given it a static private IP on my network. Is there anything I should do on my router to block it from accessing the internet? I have a Fritzbox 7390.

Remote viewing

It might be handy in future to be able to get alerted if there's motion or something, and check it remotely. Is there a way to do that relatively securely without messing about with VPNs?

I know you said you don't want to bother with a vpn, but did you know the fritzbox OS comes with a built-in vpn? It is simple to configure, and you can sign into it from anywhere and access all your LAN resources , such as your camera and shared folders etc.

timmmay

20859 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#2144391 12-Dec-2018 16:48

surfisup1000:

I know you said you don't want to bother with a vpn, but did you know the fritzbox OS comes with a built-in vpn? It is simple to configure, and you can sign into it from anywhere and access all your LAN resources , such as your camera and shared folders etc.

I assumed that was for outwards VPNs. So I could set up a user / password, a VPN client on my Android phone (any suggestions), and have home network access? That could be handy for this, and maybe for other things.