MotionEyeOS Raspberry Pi exposure to internet


GarbovM

May 13, 2018, 9:08:53 AM
to motioneye
Hello all,

I am curious as to how secure my Raspberry Pi MotionEyeOS cameras are when exposed to the internet. I obviously have set up a surveillance username and PW, but would like to know if the rest of my network could be at risk from port forwarding my MotionEyeOS cameras.

In a nutshell, what risks are there to exposing my MotioneyeOS cameras to the internet?

Many thanks!

Mark Andrews

May 13, 2018, 11:14:06 AM
to motioneye
Hi,

Port Forwarding and strong, unique PW is a good start, and will stop many script kiddies. I'm sure you've read how many people never bother to update the default password; that is just hanging out a shingle that says "HACK ME!"  Make sure the firmware on your cameras is updated to latest, and use unique strong passwords for each camera. Since you are always at risk to some degree when connected to the internet, the question is who are you trying to stop and how much effort are you willing to put into stopping them? 

It is clearly not good if attackers compromise the pi + cameras, but getting into the rest of your network is what you really want to avoid. If your surveillance system is on your home network, you expose your entire home network, so one easy thing to do is isolate it from the rest of your network. Many wireless routers have a separate guest network that is not routed to your internal network. If you put your pi + cameras system on a guest network then you have isolated it from your internal network. Your pi+camera system security is not improved, but at least it's not a springboard to the rest of your system. 

Another thing you can do - more effort and know-how required - is to put the system behind a reverse proxy. This means that you have a separate computer running a properly configured, up-to-date HTTPS server (e.g. there are some how-to articles on setting up an nginx reverse proxy with motioneye out there). A good HTTPS reverse proxy is more challenging for attackers than HTTP. Carefully control access with firewall rules on the HTTPS proxy.

Keeping your software up to date is essential; the longer you leave a system without updating/patching to newer, presumably more secure versions, the more likely some exploit will be discovered. So, if the HTTP in motioneyeos is secure this week, there is nothing to say it will be next week. 

I ended up putting my motioneyeos system behind an HTTPS reverse proxy and carefully set up firewall rules, vlan, etc. If you go this route, check out LetsEncrypt and Certbot - it makes the whole certificate management thing less burdensome.

Hope that helps - 

GarbovM

May 13, 2018, 11:27:57 AM
to motioneye
Hi Mark,

Many thanks for your quick and detailed response. I will go ahead with the reverse proxy. Did you go LEMP or LAMP configuration? I was looking at this tutorial: https://www.techcoil.com/blog/how-i-built-my-home-raspberry-pi-3-cctv-using-a-motion-eye-os-image-from-home-surveillance/

Cheers,
Mike

GarbovM

May 13, 2018, 11:29:45 AM
to motioneye



Mark Andrews

May 13, 2018, 11:58:06 AM
to motioneye
Apache was more than I needed, so I went with LEMP. When setting my system up, I used the tutorial you reference and it was pretty good.

Here is another I found helpful:

The only caveat on that one is I recommend you skip public key pinning until you are really clear on how it all works. If you decide you want to use it, consider static pinning since you aren't concerned with scalability.


Once you get it all running, it's good to verify your system security:  https://www.ssllabs.com/ssltest/

GarbovM

May 13, 2018, 12:02:54 PM
to motioneye
Sweet! Thanks for taking the time out of your weekend to give me a hand! Much appreciated.

Cheers,
Mike

Bruce Brannock

May 13, 2018, 6:49:39 PM
to motioneye
Or you can get technical: use a subdomain name through https://freedns.afraid.org/ and then take advantage of Let's Encrypt https://letsencrypt.org/



GarbovM

May 15, 2018, 4:18:15 PM
to motioneye
Hey Mark/Bruce,

I keep getting this error when running sudo tail -30 /var/log/nginx/error.log:

connect() to unix:/var/run/php7.0-fpm .sock failed (2: No such file or directory)

I have modified the values in /etc/nginx/sites-enabled/default as per https://www.digitalocean.com/community/tutorials/how-to-upgrade-to-php-7-on-ubuntu-14-04 so that it would now read fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; but still getting the error.

I have been up and down this tutorial https://www.techcoil.com/blog/setting-up-a-lemp-web-server-on-raspberry-pi-3-with-an-ubuntu-server-15-10-3-image-to-host-a-wordpress-website/ and keep running into the same issue with error: connect() to unix:/var/run/php7.0-fpm .sock failed (2: No such file or directory)

Any assistance would be appreciated,
Cheers,
Mike

GarbovM

May 15, 2018, 6:10:35 PM
to motioneye
Hey Bruce,

Thanks for the input! I will definitely be using a subdomain name and Let's Encrypt! I am however having an issue that I mentioned to Mark (more detail in the post below) regarding the error connect() to unix:/var/run/php7.0-fpm .sock failed (2: No such file or directory).

If you have any input that would be greatly appreciated!

Many thanks,
Mike

Bruce Brannock

May 15, 2018, 8:23:00 PM
to motioneye

MotionEyeOS is not a conventional Linux, in essence. I was doing some reading and, from my understanding, installing applications in and working in MotionEyeOS other than through the web interface of MotionEyeOS (https://github.com/ccrisan/motioneyeos/wiki/FAQ#i-cant-seem-to-find-apt-get-or-any-other-package-manager-what-gives) you may find troubles there.

I just recently, out of curiosity from another post, installed Raspbian Lite and manually installed the MotionEye Debian package. This may be a bit more difficult; however, if you have an extra micro SD card you can install Raspbian Lite and then install Webmin so you can have a semi user-friendly web interface for administering Linux, install motioneye, and go from there. When I wrote that first post I did not know that MotionEyeOS was not a general-purpose Linux distribution such as Raspbian, sorry. You can change the port number and have a strong password and hope for the best lol.

So now that I have Raspbian Lite, Webmin and motioneye installed, I'm going to see if I can get it to work with Let's Encrypt and FreeDNS. I suggest doing some Googling; maybe some Super Geek out there has already done it and wrote a tutorial. There's one other option: if you have an extra Raspberry Pi or PC you can use FreeDNS and set up a VPN server, and once you're in you just direct yourself to the URL of the motioneye just like you would on your internal network, and all that would be encrypted. I'm going to see if I can get it to work with Raspbian; however, bear with me, I haven't played around with running my own web server in quite some time, but it's a challenge, right, and it's not like we're doing this on a deadline and have a boss breathing down my neck. Here's a couple of pictures of motioneye running on Raspbian Lite and the Webmin interface:



If you choose to go that route I'll be more than happy to help you set that part up. Once again, sorry that you're having difficulties; I don't understand why motioneyeOS would not just run off of Raspbian, make the world easier lol.

And to answer your very first question: you set up a static IP within motioneyeOS, go to your router and just port forward the port that motioneyeOS uses; that way nothing else is at risk. It would technically be two ports if you're using the streaming feature.

GarbovM

May 15, 2018, 8:42:29 PM
to motioneye
Hey Bruce,

Thanks for your response, it definitely gave me things to think about!

I do have my Motioneye cameras running on Raspbian Lite and port forwarded, viewable via the internet (stream). What I am worried about is my network being attacked or vulnerable by having the ports exposed to the internet.

So, I was trying to put together a LEMP to provide a reverse proxy server for the camera stream. I think I'm 90% there, just one snag.

Thanks again Bruce and have a great evening!

Cheers,
Mike

Bruce Brannock

May 15, 2018, 8:48:41 PM
to motioneye
In general, in the router you specify an IP, which would be the IP of the device (in your case Motioneye), and then you would port forward that port; it would only allow access to that port on that IP.

Mike Gaboury

May 15, 2018, 8:50:05 PM
to Bruce Brannock, motioneye
So my network won't be at risk? 


Bruce Brannock

May 15, 2018, 8:55:43 PM
to motioneye
To be truthful, you can get technical and say that in theory everything that is connected to the internet is at risk at all times lol. But with what you are doing, I would say you would be safe; just make sure it's for that IP and that port.

Mike Gaboury

May 15, 2018, 8:58:01 PM
to Bruce Brannock, motioneye
Great, well I guess that simplifies things lol

Calin Crisan

May 16, 2018, 3:03:19 AM
to motioneye
Here are some ideas on how to improve security of a motionEye setup and basically of most services that run in your home and need to be accessible from the outside:
  • Make sure there's really only one port forwarded to my motionEye system and that it's not the default 80, to prevent unwanted HTTP requests and attack attempts.
  • Use Nginx or similar as a reverse proxy to add HTTPS (Let's Encrypt offers free certificates). This prevents eavesdropping and minimizes the risk of a replay attack.
  • Make sure normal user and administrator passwords are set to a relatively complex password (simple dictionary words should obviously be avoided).
  • A VPN could improve security but in my opinion it's overkill.

GarbovM

May 16, 2018, 5:17:02 AM
to motioneye
Good day Calin,

First, I would like to thank you for putting together Motioneye! Also, thanks for your reply. In respect to your advice, I'm actually heading down that road right now (LEMP), but have run into a snag when testing nginx. Hopefully I can get it sorted out today; if not I'll keep chipping away at it lol.

Here is where I'm at now:

I keep getting this error when running sudo tail -30 /var/log/nginx/error.log:

connect() to unix:/var/run/php7.0-fpm .sock failed (2: No such file or directory)

I have modified the values in /etc/nginx/sites-enabled/default as per https://www.digitalocean.com/community/tutorials/how-to-upgrade-to-php-7-on-ubuntu-14-04 so that it would now read fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; but still getting the error.

Have a great day!
Cheers,
Mike

Calin Crisan

May 16, 2018, 8:51:26 AM
to motioneye
Normally the Nginx configuration should have nothing to do with PHP. It's a simple proxy pass directive. See this wiki article for a small example.

GarbovM

May 16, 2018, 9:11:26 AM
to motioneye
I suppose I will look into what you are suggesting as I have hit a brick wall with the LEMP set-up.  Thanks Calin!

GarbovM

May 16, 2018, 9:18:50 AM
to motioneye
I assume I will have to install motioneye manually to use Nginx?

GarbovM

May 17, 2018, 9:10:50 AM
to motioneye
Good day Calin,

I'm close to getting motioneye running behind nginx w/letsencrypt.

In respect to forwarding only one port, I find that there is no motioneye user interface; subsequently there is no screen to input a user name and PW, and it only displays the camera feed.

For instance, this is what I was forwarding, "just one port": 5137>5137 (external>internal).

If I forward 5137>80 (external>internal) I get motioneye user interface.

I plan to change the default port 80. What do you recommend?

Thanks for your time!
Cheers,
Mike

Mark Andrews

May 17, 2018, 11:56:17 AM
to motioneye
Hi Mike,

I believe you don't have to change anything on the motioneye pi, simply forward 5137 -> 80. The key is to add a firewall rule which allows port 80 connections to motioneye pi _only_ from your router, and you are all set. All external connections to port 80 on the motioneye will get rejected, and you are safe.

- Mark
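Mark's firewall rule above, as an added shell example that is not from the thread: it emits (or, in apply mode, runs) iptables rules so the motionEye pi's port 80 accepts connections only from the router doing the 5137 -> 80 forward, optionally from the LAN subnet too, and checks that the source-restricted ACCEPT precedes the catch-all DROP. The router address, port and subnet are assumed arguments.

```shell
#!/bin/sh
# Added example (not from the thread): restrict the motionEye pi's HTTP port
# so only the router that forwards 5137 -> 80 can reach it, as Mark suggests.
# Assumptions: iptables is installed on the pi; ROUTER_IP, PORT and the
# optional LAN_CIDR (for viewing from inside the house) are supplied by you.
set -eu

# lock_down_port ROUTER_IP PORT [LAN_CIDR] [MODE]
# MODE "print" (default) only echoes the iptables commands for review;
# MODE "apply" executes them. The router ACCEPT must precede the DROP.
lock_down_port() {
    router=$1; port=$2; lan=${3:-}; mode=${4:-print}
    set -- "iptables -A INPUT -p tcp --dport $port -s $router -j ACCEPT"
    if [ -n "$lan" ]; then
        set -- "$@" "iptables -A INPUT -p tcp --dport $port -s $lan -j ACCEPT"
    fi
    set -- "$@" "iptables -A INPUT -p tcp --dport $port -j DROP"
    for cmd in "$@"; do
        if [ "$mode" = apply ]; then eval "$cmd"; else echo "$cmd"; fi
    done
}

# ruleset_is_sane RULES_TEXT: returns 0 only if a source-restricted ACCEPT
# appears before the catch-all DROP; the reverse order would block everyone,
# the router included.
ruleset_is_sane() {
    printf '%s\n' "$1" | awk '/-s .* -j ACCEPT/ { a = NR }
                              /-j DROP/ { d = NR }
                              END { exit !(a && d && a < d) }'
}
```

Rules added this way are lost on reboot unless saved (for example with iptables-persistent), so verify with `lock_down_port 192.168.1.1 80 192.168.1.0/24` in print mode first, then apply and save.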

GarbovM

May 17, 2018, 12:38:05 PM
to motioneye
Awesome! Thanks Mark. As always I really appreciate your assistance.

Cheers,
Mike
