Secure your P2P camera, NVR, or DVR.

Most new IP cameras use P2P by default. These cameras send data to a central server for IP lookup, for recording, or for relaying data (if a direct connection from the client to the camera fails).

Worse, some cameras still report information even if P2P is turned “off”. These cameras often have a generic API which allows the server to issue any Linux-type commands or network calls (a trojan horse). Even features like alarm notifications are sent to servers like “push.reecam.cn”.

Yes, they are easier to use – just plug in – but I’d rather connect the app DIRECTLY to the camera. How can you try to secure these cameras, DVRs, and NVRs? See below:

1. Most P2P cameras have a hidden web interface or offer RTSP/ONVIF support, so find those ports either in the admin screens or via port scanning.
2. Turn off the P2P feature in the camera and use the traditional DDNS/DNS plus port forwarding setup instead.
– see https://hit-mob.com/ip-cam-viewer-android/faq/#2
3. Disable the camera’s ability to reach out.
– set its internal IP address statically so you can alter the Gateway, DNS, and other values.
– set its Gateway IP address to a nonexistent address (so it can’t find its way to internet servers).
– set its DNS server IP to a nonexistent address (so it can’t look up the addresses of internet servers).
4. Use stunnel to protect your cameras.
– run stunnel on an old Android device, PC, or Raspberry Pi.
– for example, https://myhome.ddns.org:8001 goes to stunnel at port 8001, which then converts back to non-SSL and forwards to the camera’s internal 192.168.1.55 port 80.
– this way, you only need to open the stunnel machine to the outside and secure it. No IoT device is exposed except through stunnel via SSL.
– most cameras have multiple ports, so remember to set up stunnel/port forwarding for all required ports (often the HTTP and RTSP ports).
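
The stunnel forwarding described above, written out as a configuration file. This is an added example, not the author's own file: the certificate and key paths, the `stunnel4` account, and the RTSP ports (8554 outside, 554 on the camera) are assumptions, while port 8001 and 192.168.1.55 port 80 come from the text.

```ini
; stunnel.conf: constructed example for the setup described in the post.
; Placeholders to replace: certificate/key paths, the unprivileged account,
; and the RTSP port numbers (check the camera's admin screens for the real ones).

; Run as an unprivileged account once the listening ports are bound.
setuid = stunnel4
setgid = stunnel4

; HTTP admin/video interface.
; https://myhome.ddns.org:8001 -> stunnel:8001 -> camera 192.168.1.55:80 (plain HTTP)
[camera-http]
accept = 8001
connect = 192.168.1.55:80
cert = /etc/stunnel/myhome.pem
key = /etc/stunnel/myhome.key
; Refuse SSLv3 and early TLS from outside clients.
sslVersionMin = TLSv1.2

; RTSP stream (assumed to be on the camera's port 554).
[camera-rtsp]
accept = 8554
connect = 192.168.1.55:554
cert = /etc/stunnel/myhome.pem
key = /etc/stunnel/myhome.key
sslVersionMin = TLSv1.2
```

On the router, forward only ports 8001 and 8554 to the stunnel machine and nothing to the camera itself. stunnel carries TCP only, so the viewing app has to use RTSP over TCP inside the SSL connection rather than UDP streaming.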

Finally, turn OFF UPnP support in your router to prevent internal devices from automatically opening tunnels from the outside to the inside without you knowing it.
