by hello_computer 1098 days ago
I bought a couple Amcrests just a week ago, and they still operate identically to ones I purchased back in 2017. They have apparently been re-branding Dahua's software, since the HTTP APIs are identical, and there are still lots of "Dauha" strings in the configs[0].

I think a lot of the problems with IP cams aren't with the cameras themselves, but the poor state of open-source media players. Getting mplayer, ffplay, or vlc to play nicely with any ipcam has been a Labor of Hercules. If you're using the versions in repos--which are usually quite stale--all bets are off. I've had much better luck using the latest installers, direct from the project websites. So far, VLC seems to work best for me[1].

[0] https://github.com/BourgeoisBear/amdacli

[1] https://www.videolan.org/vlc/


I recommend explicitly blocking internet access for Amcrest devices. I configured my camera with a static IP and blocked it in my PF rules with logging, and my camera model was making 1000s (16k in 24 hours) of DNS requests for config.amcrestcloud.com. I don't use any of their cloud services.
Rather than play whack-a-mole with filters, it's simpler to put mystery-meat devices on a separate VLAN+subnet that doesn't route. Firewall will keep the camera from accessing the internet, but does nothing to protect other hosts on the LAN.

The cloud thing can be disabled from their web UI or the HTTP API, but between all of the knock-offs out there (of any brand), and the eventual end of firmware updates, it's best not to trust any of this stuff.

Absolutely agree a VLAN is the better solution to block an entire network, and I do use one in my case (protecting my other VLANs). But I still need to explicitly block the Amcrest cam because I also have an RPi on that VLAN doing image processing, which uploads to an external site; hence I can't block the entire VLAN.
A stateful firewall would allow your RPI to access the camera vlan/subnet while still blocking any outgoing connections from the cameras.

I use a Debian Linux router with nftables to achieve this in my homelab.
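
A sketch of the stateful approach described in the comment above, as an added example that is not the commenter's own ruleset. The interface names, subnet layout and the RPi address are assumptions chosen for illustration; it also assumes the router itself answers DNS for the camera VLAN.

```nftables
#!/usr/sbin/nft -f
# Added example. All names and addresses below are assumed, not from the thread.
define WAN_IF = "eth0"          # uplink to the internet
define LAN_IF = "eth1"          # trusted LAN
define CAM_IF = "eth1.30"       # camera VLAN (cameras plus the RPi)
define RPI    = 192.168.30.10   # image-processing host that must upload

table inet camfw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were permitted when opened.
        # This is what lets LAN hosts pull video from the cameras without
        # any rule that allows the cameras to start a connection.
        ct state established,related accept
        ct state invalid drop

        # The trusted LAN may open connections to the cameras and outward.
        iifname $LAN_IF oifname $CAM_IF accept
        iifname $LAN_IF oifname $WAN_IF accept

        # The RPi is the only camera-VLAN host allowed to reach the internet.
        iifname $CAM_IF ip saddr $RPI oifname $WAN_IF accept

        # Any other new connection from the camera VLAN: log, then drop.
        iifname $CAM_IF limit rate 10/minute log prefix "cam-vlan-drop: "
        iifname $CAM_IF drop
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Queries to a resolver on the router hit the input hook, not
        # forward, so camera DNS lookups are refused here (RPi exempt).
        iifname $CAM_IF ip saddr != $RPI udp dport 53 drop
        iifname $CAM_IF ip saddr != $RPI tcp dport 53 drop
    }
}
```

Traffic between the RPi and a camera on the same VLAN is switched, not routed, so it never reaches these chains; the ruleset only controls what leaves the camera VLAN.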

This is doubly important now that devices are starting to use DNS over HTTPS.
At the rate things are going, the only legal port on the internet is going to be 443/tcp. Use a different TCP port, get a visit from the cops. Send a UDP packet, black helicopters and unmarked vans are on their way.