Rich notifications without exposed SecuritySpy port
I'm reluctant to enable port forwarding and DDNS for SecuritySpy. The last time I did that, my network ended up under many, many port scans and automated attack tests daily. I only really had the SecuritySpy HTTPS port exposed and nothing else, so perhaps I'm being too cautious here and should just trust it?
Is there a way to get rich notifications with the image properly showing without exposing SecuritySpy to the internet?
thanks, Michal
Comments
Hi Michal, yes, unfortunately it's normal that whenever you expose a port that is listening for incoming connections from the Internet, you will get automated bots trying to hack you. SecuritySpy has measures in place to prevent this from succeeding (its web server is custom-built from the ground up, lacks common attack vectors like server-side scripting and SQL, and has features like auto-banning of clients after a few failed login attempts). The best thing you can do here is to make sure you are using strong passwords for your web accounts as set under Settings > Web.
For an extra layer of security, you could switch from port forwarding to a virtual network solution for remote access into your SecuritySpy system. This is described here: Remote Access Without Port Forwarding. Under this scheme, only clients that have already been approved to join the virtual network can even attempt to make a connection. The main downside is that you have to install client software on each device that you want to be part of the network; however, this is quite easy to set up (also, you have to trust that the providers of these services have made them secure, but the solutions mentioned in the above post are both established, trustworthy solutions with good track records).
Just to clarify why this is all relevant to the question, for any readers not familiar with how these notifications work: while the text portion of the notifications is "pushed" from Apple's servers directly to the phone, the image portion has to be "pulled" by the phone from SecuritySpy's web interface. So without web access into SecuritySpy, you would get the notification text but not the associated image.
Thanks Ben,
Your note about using a VPN made me look into it some more. I actually do have a VPN to be able to view SecuritySpy cameras, but it's using Teleport for zero-config connection; I was avoiding the need for DDNS this way.
I just went ahead, switched to WireGuard and enabled DDNS yesterday and everything works as expected, nice and simple actually. I'll monitor the access attempts for a bit, but WireGuard is pretty secure so fingers crossed.
thanks again,
Michal
Sounds great. One of the solutions we recommend - Tailscale - actually uses WireGuard as its underlying protocol. The advantage of using Tailscale is that it's significantly easier to set up. However, the advantage of using WireGuard directly, as you are doing, is that you don't have to trust the coordination service of a company like Tailscale, so it's potentially more secure. WireGuard itself is indeed very secure - it's open-source and has been extensively audited and verified.
Thanks again for the advice, Ben!