[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: webcam html and ftp servers: restricting access

On Mon, Oct 01, 2007 at 11:49:35PM -0500, Russell L. Harris wrote:
> * Andrew Sackville-West <andrew@farwestbilliards.com> [071001 23:00]:
> > On Mon, Oct 01, 2007 at 07:30:06PM -0500, Russell L. Harris wrote:
> >> * Andrew Sackville-West <andrew@farwestbilliards.com> [071001 17:42]:
> >>> On Mon, Oct 01, 2007 at 03:58:26PM -0500, Russell L. Harris wrote:
> >>>> I am planning to run a remote machine (running Debian "testing") with
> >>>> a webcam for monitoring a remote location.  
> > I beg to differ as motion is pretty darn simple to setup and
> > operate,
> Thanks, Andrew.  This is the type of dialogue I need.  I'll take
> another look at motion.

:). I'm only pushing it because I use it and because it has the
built-in web-server. As such, it is a lighter weight option than
running apache and then some other webcam app. 

> > What specifically are you trying to do with ftp? If you want to be
> > able to login remotely and pull images from the remote camera box,
> > then certainly, sftp (or any number of other things) would work.
> > If you set up pubkey authentication, then you're pretty secure at
> > the remote end and there is nothing in the remote end that allows
> > access to the local end. 
> I had not given much thought to this approach; but I could implement
> it inexpensively with the aid of a dynamic dns service.  It would be
> much like fetching mail from a pop server.


> > If you're trying to *push* images from the remote end to local,
> > that's a different story. Pushing means you've got to run your
> > authentication the other way and expose your local end to compromise
> > from a compromised remote end.
> That is the approach I had in mind, and that is why I was concerned.
> But if the local machine goes out of service, there is no monitoring.
> So the first approach would be better.

yeah. I think pushing is a bad idea. As I said, it means the remote
machine needs to authenticate to the local machine, which means
someone could spoof that authentication and compromise the local
machine. Much better to authenticate the other way. The remote machine
could archive what you want and you could get it when you need either
by peeking at the web image when you want, or downloading captured
images or video. motion is highly configurable and can be made to do
all sorts of interesting things including calling scripts when its
done capturing motion. This would make doing the push thing more
attractive, but I think it can be used in more elegant ways too.

> > So, maybe you could lay out exactly what you want to have happen,
> > again. 
> Initially, all I need is the ability to glance at the remote site now
> and then, using a single webcam, in order to satisfy myself that all
> is well.  It would be dandy to be able to listen in, also, using the
> microphone on the webcam.  I was not attempting to provide
> comprehensive security monitoring.

well again, motion could be configured to show you a pretty low frame
rate over the web, just so you could see what's what and could also be
made to output .avi's of anything interesting, like the motion of
someone walking through the room, into local (that is, on the remote
machine) files for you to grab later. You could also script it do to
nice things like email you if it detects motion.

> It would be nice if I could check on the remote site from a machine of
> a relative or friend.  But they all run Window$, so that necessitates
> that I implement a web server, either at the remote site or else at my
> home.  If the web server is at home, then the home machine is exposed
> to attack (as well as to frequent lightning storms).
> The issue with the remote system is not so much security as it is
> keeping the system up and running despite hackers.  I cannot afford
> to reinstall the system every week.  So I plan to use an external
> firewall to protect the remote machine.  

so turn off remote control of the motion app and just put up the web
images. As I said originally, I'm sure you could tunnel it through ssh
if you wanted, though what the use of that is, i don't know. make use
of dynamic dns, and then you can surf to the web image whenever you
want. Now, that puts your images in the public view, and I'm not sure
how to avoid that as motion doesn't seem to authenticate for viewing,
just for controlling. You'll have to research that a bit. 

> > also, if you are just tying to grab remote images every so often, and
> > you have a web interface setup, you could just script wget to scrape
> > the page every so often and save it locally.
> Again, like automatically fetching the mail.


look, just FTR, I'm not sure if motion is what you really need, but it
seems like a close enough fit, at the outset, that its worth more of
your time to investigate it. hth


Attachment: signature.asc
Description: Digital signature

Reply to: