
Archive for June, 2017

Blocking Foscams from phoning home using DD-WRT

June 28, 2017

I just bought myself a couple of Foscam FP9821P’s, and found that they phone home to a cloud server. That was kind of expected – if you offer an easy app that scans a QR code and automatically connects you to the camera, then there must be a cloud service in-between.

What was more surprising is that there’s absolutely no way to turn this off. Even if you toggle everything off, it will still phone out via UDP. I had expected that maybe I could disable UPnP for it and that would help, but it’s irrelevant – the cameras ‘phone’ out to several domains using UDP outbound, and there’s no configuration option to stop it. Foscam support confirm this.

So – it looks like I’ll have to block it at the firewall instead. One reason for using DD-WRT was that I would have this kind of granular control on specific devices. I would also VLAN them too, but am taking my DD-WRT config a step at a time.

 

So, this was the traffic reported by DD-WRT beforehand (from the Foscam’s wired ethernet):

Screen Shot 2017-06-28 at 11.25.58

Locking down the IP range

First, I set up static DHCP addresses for the WiFi MAC addresses printed on the back of the cameras, so that their IP addresses sit within a tight range all together. On my router, this is at http://192.168.0.1/Services.asp.

Blocking those IPs

Then, I create a policy under http://192.168.0.1/Filters.asp (again, my router address) to block any outbound internet traffic from the Foscam IPs. Rather than try to reverse-engineer the domains those IPs are resolving from and block those domains, which might end up as a wild goose chase if there are fallback domains or even additional hardcoded IPs, I’m just blocking all internet-bound traffic – which is really a more accurate representation of what I’m trying to achieve.

This is the main page at the top, and the sub-page/window at the bottom which pops up when you click Edit List of clients.

 

Screen Shot 2017-06-28 at 11.29.29

I’ve changed the fields boxed in red – I’m setting a 24/7 Access Restriction to the internet from the Foscam WiFi IP addresses.

Now this is in place, I unplugged the ethernet cable, and watched how the outbound IP addresses went.

Screen Shot 2017-06-28 at 11.35.31

All outbound attempts via the router are dropped. And nothing else.

And can I access it within my LAN still?

Screen Shot 2017-06-28 at 11.37.19

Yes! Sorted!
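The same policy expressed as iptables rules, as an added example that is not part of the original post: the script prints one DROP rule per camera for traffic forwarded out of the WAN interface, so LAN access to the cameras is untouched. The addresses, the `vlan2` default and the function names are assumptions. Accepting MAC addresses goes beyond the IP-based policy above, and covers a camera that picks up a different IP or is plugged back into ethernet.

```shell
#!/bin/sh
# Added example (not from the original post). Addresses are constructed
# placeholders; replace them with your cameras' static leases and MACs.
CAMERAS="192.168.0.201 192.168.0.202 00:11:22:AA:BB:01"

# True if $1 is a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the validated address into four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# True if $1 is a colon-separated 48-bit MAC address.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print one rule per camera. Rules go in FORWARD with "-o <wan>", so only
# traffic routed to the internet is dropped; LAN traffic is bridged and
# never matches. "-I" puts each rule ahead of the router's ACCEPT rules.
# Malformed entries are skipped so a typo never becomes a broken rule.
camera_block_rules() {
    wan_if=$1; shift
    for entry in "$@"; do
        if is_ipv4 "$entry"; then
            match="-s $entry"
        elif is_mac "$entry"; then
            match="-m mac --mac-source $entry"
        else
            echo "skipping invalid entry: $entry" >&2
            continue
        fi
        echo "iptables -I FORWARD $match -o $wan_if -j DROP"
    done
}

# Dry run: print the rules for review. vlan2 is an assumed WAN interface
# name; set WAN_IF to whatever your router actually uses.
camera_block_rules "${WAN_IF:-vlan2}" $CAMERAS
```

On the router, `nvram get wan_iface` reports the WAN interface name; once the printed rules look right, pipe the output to `sh` from the saved firewall script so they are re-applied whenever the firewall restarts.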

 


Read-testing a drive with 7-Zip hash check

June 11, 2017

I recently needed to test that all files on a backup drive were readable. The question was, what was the fastest way that I could do an ad-hoc check on those files?

It turns out that 7-Zip (which I had installed already) comes with a context menu option in Explorer for generating a hash check on a file. Although it’s intended for comparing file integrity, this involves reading the entire file in order to generate the hash, so it does the job.

To use, simply Shift-Select all files on the drive, and generate a hash. I wasn’t sure about CRC, so I selected SHA-1.

As it turned out, it was pretty quick. It took a while to warm up, but eventually both Windows Task Manager and the WinZip dialogue said they were reading at 100MB/s. Since my Western Digital 4TB USB3 drive shows public benchmarks at 114MB/s sustained for sequential read, and the file-based hash has no guarantee on file size or sequentiality, I was very happy with that speed.

 

Of course, generating the hash is CPU-intensive, and my Mac Pro was using 30% CPU in the Win10 VM, but since it seemed to be ripping through the drive as fast as possible anyway, I didn’t mind.

Of course, this isn’t a comprehensive test – it only tests files, not the whole disk, and if the sectors are dodgy but the drive manages to read the file anyway, then you’ll be unaware of that problem. But this was only intended to check that I should be able to read that backup drive in the off chance my VM migration fails, and I also had a cloud backup (albeit much more work to retrieve) so it was low risk.

 
