Web server - best practices
  • I am looking for advice on best practices to harden the security of my setup.

    Everything is working fantastically well with SecuritySpy on Mac mini and the iOS app for remote viewing. I understand that opening any port to the internet comes with a risk of attack, and I'm wondering if there is anything I could do to lessen that risk, beyond using a strong password for the account I created in SS. Here are the settings I use in Web preferences:

    HTTP disabled
    HTTPS enabled on port 8100
    Both automatic port forwarding options are unchecked, as I set up forwarding of port 8100 in my router manually.
    I am not using the DDNS feature, because my IP address hasn't changed in years. I am using the self-signed certificate that is available when DDNS is not enabled.
    HTTPS security Level 3
    Bonjour, Fast Start, and Write Log File are all checked
    Allow Screen Control is unchecked
  • Great to hear that everything is working so well!

    The two most important things are using HTTPS (rather than HTTP) and using strong passwords, both of which it sounds like you have done, so that's great. The highest HTTPS security level (3) also helps, by disabling weaker SSL cyphers that have known weaknesses.

    Self-signed certificates pose a bit of a risk, as one mode of attack is to impersonate your server and gain login details that way. It's very unlikely that a hacker would go to this trouble just to access your camera system, but you would be better off setting up a DDNS name in SecuritySpy so that you get an official certificate (especially if your IP address isn't specifically designated as being static). That way, if you get a certificate warning when connecting to your server, this is an indication that something is amiss.

    Apart from that, there's not much else you can do in terms of settings in SecuritySpy: with strong HTTPS encryption, strong passwords, and a valid certificate, a direct hack is virtually impossible. You should then consider other ways an attacker could get into your system, for example if you have any other server software running on your Mac or network with Internet access, and follow standard security hygiene, like being aware of phishing links and of using public WiFi, etc.
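A way to confirm from outside what the HTTPS endpoint discussed above actually exposes (trusted certificate chain, negotiated TLS version, cipher), as an added example that is not from the original thread or from SecuritySpy itself; the host name is a placeholder, port 8100 is the one from the post, and the weak-cipher markers are an assumed heuristic list.

```python
"""Probe an HTTPS endpoint and report what a client would see.
Classification logic is kept separate from the network call so it can be
checked offline. Host/port are placeholders (assumed, not from the post)."""
import socket
import ssl

# Assumed heuristic: substrings that mark cipher suites with known weaknesses.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ADH", "AECDH")
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")


def classify(tls_version, cipher_name, chain_verified):
    """Return a list of findings for one observed handshake (empty = fine)."""
    findings = []
    if tls_version in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol negotiated: {tls_version}")
    if any(marker in cipher_name for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher negotiated: {cipher_name}")
    if not chain_verified:
        # A self-signed certificate lands here: the client cannot tell the
        # real server from an impersonator, which is the risk described above.
        findings.append("certificate chain not trusted by the system CA store "
                        "(self-signed?): impersonation would go unnoticed")
    return findings


def probe(host, port, timeout=5.0):
    """Handshake with strict verification; if the chain fails, handshake once
    more without verification so protocol and cipher can still be reported.
    Returns (tls_version, cipher_name, chain_verified)."""
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0], True
    except ssl.SSLCertVerificationError:
        pass
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with lax.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], False


if __name__ == "__main__":
    HOST, PORT = "example.invalid", 8100  # placeholder host; port from the post
    version, cipher, verified = probe(HOST, PORT)
    for line in classify(version, cipher, verified) or ["no findings"]:
        print(line)
```

Run it from outside your own network (e.g. a phone on mobile data) so the result reflects what the Internet sees through the router's port forward.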
