Question about tcpdump security

Question about tcpdump security

Postby nico99 » Sun Apr 05, 2015 9:46 am

Hello all.

I have a Raspberry Pi running Motion, keeping an eye on my home. The Motion stream authentication patch doesn't work on ARM, meaning I am not able to set a password to view the stream, so I have set the stream on a new port number so it will be harder to find at random. I also have my router set up to email me a log of IP addresses going to it, and so far it's just me SSHing in, or viewing the webcam stream.

I am now switching to a new ISP which has wired the block up for fibre optic. My old ADSL router won't work on it, and the router they have provided doesn't have the option to view or email any logs. I would like to be able to continue to check that nobody else is having a look at the webcam - it's not a big deal, I'd just like to. So I thought I'd get the Pi to monitor the ports I'm using for the webcam and SSH, and write the log to a file. I have made a service using tcpdump which does this very neatly. (I've got it to only log the start and end packets of each session, so it doesn't write a huge file).

So, to my question: In my reading to figure out how to do this, I came across a couple of forums where people were saying that running tcpdump permanently in the background as root is a security risk. Is this the case in my case? How so? Is there an alternative route I can take?

Thanks in advance for any advice. A few notes: I have root login and password login disabled on SSH, and I've set a cron script to check for my phone's MAC address and turn off Motion when it sees it, so at best anyone looking at my webcam will see a sleeping cat most of the time. I could buy a new router which does logging but it would be nice not to. Also - I am in no way an IT professional, just someone having fun learning new things and making useful stuff - so please forgive any holes in my knowledge.

Re: Question about tcpdump security

Postby WarheadsSE » Sun Apr 05, 2015 1:39 pm

I would strongly suggest against tcpdump, and instead have iptables create a log entry on a new connection to that port. If done carefully, you might even be able to lock it down to just your phone (this one gets more complex quickly).

Even better, set up a VPN or SSH tunnel so there is no unsecured access of any kind.
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
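One way to do what WarheadsSE describes, as an added example that is not code from this thread or from the Arch Linux ARM project: an iptables LOG rule records the first packet of every new TCP connection to the webcam and SSH ports in the kernel log (no permanent root tcpdump needed), an optional rule drops stream connections from anything but the phone, and a small awk parser turns the resulting `journalctl -k` lines into a readable list. The port numbers, the phone's address (203.0.113.7), the chain name, the log prefix and the sample log lines are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Arch Linux ARM: log new TCP
# connections to the webcam and SSH ports with iptables' LOG target instead
# of a permanent root tcpdump, then summarise the resulting kernel-log lines.
# Port numbers, the phone's address, chain name and log prefix are assumptions
# chosen for illustration.

WEBCAM_PORT=8081        # assumed Motion stream port
SSH_PORT=22             # assumed SSH port
PHONE_IP=203.0.113.7    # assumed address the phone connects from (hypothetical)
PREFIX="WEBCAM_NEW: "   # marks our lines in `journalctl -k` / kern.log

# Print the iptables commands rather than run them, so they can be reviewed
# first: `sh connlog.sh rules [lockdown] | sudo sh`. A dedicated chain keeps
# the rules easy to flush, and the LOG rule is rate-limited so a port scan
# cannot flood the journal.
print_rules() {
    cat <<EOF
iptables -N CONN_LOG 2>/dev/null || iptables -F CONN_LOG
iptables -A CONN_LOG -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "$PREFIX" --log-level 4
iptables -A CONN_LOG -j RETURN
EOF
    # Optional lock-down: drop stream connections from anywhere but the phone.
    # Printed before the logging rule so that, after both -I's, the order in
    # INPUT is LOG then DROP and refused attempts still get logged. A phone on
    # a mobile network changes address, which is where this gets complicated;
    # a VPN or SSH tunnel avoids the problem.
    if [ "${1:-}" = "lockdown" ]; then
        echo "iptables -I INPUT -p tcp --dport $WEBCAM_PORT -m conntrack --ctstate NEW ! -s $PHONE_IP -j DROP"
    fi
    echo "iptables -I INPUT -p tcp -m multiport --dports $WEBCAM_PORT,$SSH_PORT -m conntrack --ctstate NEW -j CONN_LOG"
}

# Read kernel-log lines (journalctl -k or /var/log/kern.log) on stdin and
# print "Mon D HH:MM:SS src:sport -> dport" for each logged new connection.
# Fields are located by their KEY= names, not by position, because the MAC=
# field and the timestamp padding vary between interfaces and kernels.
summarize_log() {
    awk -v prefix="$PREFIX" '
        index($0, prefix) == 0 { next }     # not one of our LOG lines
        {
            src = ""; spt = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^SPT=/) spt = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "")
                printf "%s %s %s %s:%s -> %s\n", $1, $2, $3, src, spt, dpt
        }'
}

# Keep only summary lines whose source is not in the given list of known
# addresses: the "is anyone else looking?" check. Usage: ... | unexpected IP...
unexpected() {
    awk -v known="$*" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        { split($4, a, ":"); if (!(a[1] in ok)) print }'
}

# Constructed sample of what the LOG target writes (not a real capture):
# two hits on our ports and one unrelated kernel message.
SAMPLE_LOG='Apr  6 12:24:01 pi kernel: [ 1234.567890] WEBCAM_NEW: IN=eth0 OUT= MAC=b8:27:eb:11:22:33:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=51234 DPT=8081 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  6 12:24:09 pi kernel: [ 1242.001122] WEBCAM_NEW: IN=eth0 OUT= MAC=b8:27:eb:11:22:33:00:11:22:33:44:55:08:00 SRC=198.51.100.23 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4242 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  6 12:24:10 pi kernel: [ 1243.000000] Unrelated kernel message'

# Usage:  sh connlog.sh rules [lockdown] | sudo sh
#         journalctl -k --no-pager | sh connlog.sh summary [known-ip ...]
#         sh connlog.sh demo          # runs the parser over the sample lines
case "${1:-}" in
    rules)   print_rules "${2:-}" ;;
    summary) shift; summarize_log | unexpected "$@" ;;
    demo)    printf '%s\n' "$SAMPLE_LOG" | summarize_log ;;
esac
```

Only the connection's first packet (conntrack state NEW) hits the LOG rule, so this gives the "start of each session" record the original tcpdump service was producing, but from a rule the kernel evaluates itself rather than from a long-running root process reading raw packets. Rules added with `iptables -I`/`-A` do not survive a reboot; on Arch they are saved with `iptables-save > /etc/iptables/iptables.rules` and restored by the iptables service.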

Re: Question about tcpdump security

Postby nico99 » Sun Apr 05, 2015 4:41 pm

Thanks very much for the response, I'll look into those.

Is there a straightforward explanation of why tcpdump would be a bad idea in this situation?

Re: Question about tcpdump security

Postby WarheadsSE » Mon Apr 06, 2015 12:24 pm

Because you're not using any security, and setting a bell on the door.

Re: Question about tcpdump security

Postby moonman » Mon Apr 06, 2015 8:13 pm

You can also set up a reverse proxy with password authentication (and maybe even add an SSL layer - this is what I do for my transmission remote access). Nginx, lighttpd and apache support this. Apache might be too heavy. Lighttpd is tricky to set up for reverse proxy with rewrite rules (unless it is v1.5 and we only have 1.4.xx in repos). So this leaves nginx. Don't know if 'pound' supports password authentication.
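The nginx variant of moonman's suggestion, as an added example that is not code from this thread or from the Arch Linux ARM project: a script that emits an nginx server block which terminates TLS, asks for HTTP basic auth, and proxies to the Motion stream on 127.0.0.1, plus a helper that produces the htpasswd entry. The stream port, file paths, certificate locations and user name are assumptions; the point is that Motion's own stream port stays bound to localhost and is only ever reached through the authenticated proxy.

```shell
#!/bin/sh
# Added example, not code from the thread or from Arch Linux ARM: put nginx in
# front of the Motion stream as a reverse proxy with HTTP basic auth over TLS,
# so the stream itself is only reachable via 127.0.0.1. Paths, port numbers,
# user name and certificate locations are assumptions for illustration.

STREAM_PORT=8081                          # assumed Motion stream port (localhost only)
HTPASSWD=/etc/nginx/webcam.htpasswd       # assumed password-file location
CERT=/etc/ssl/certs/webcam.crt            # assumed; a self-signed cert is fine here
KEY=/etc/ssl/private/webcam.key           # assumed

# Emit the nginx server block. proxy_buffering off matters for an MJPEG
# stream: with buffering on, nginx holds frames back and the picture stalls.
# auth_basic sits inside the location, so every request to the stream must
# carry valid credentials before nginx forwards it.
proxy_config() {
    cat <<EOF
server {
    listen 443 ssl;
    server_name _;

    ssl_certificate     $CERT;
    ssl_certificate_key $KEY;
    ssl_protocols       TLSv1.2;

    location / {
        auth_basic           "webcam";
        auth_basic_user_file $HTPASSWD;
        proxy_pass           http://127.0.0.1:$STREAM_PORT;
        proxy_buffering      off;
        proxy_read_timeout   3600;
    }
}
EOF
}

# One htpasswd line: apr1 (MD5-crypt) hashes are accepted by nginx's
# auth_basic on every build. The password is read from stdin rather than
# taken as an argument, so it does not land in shell history or `ps` output.
htpasswd_line() {
    user="$1"
    pass=$(cat)
    printf '%s:%s\n' "$user" "$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)"
}

# Usage:  sh webcam-proxy.sh config | sudo tee /etc/nginx/conf.d/webcam.conf
#         sh webcam-proxy.sh passwd nico | sudo tee /etc/nginx/webcam.htpasswd
#         (type the password, then Ctrl-D; then `nginx -t && systemctl reload nginx`)
case "${1:-}" in
    config) proxy_config ;;
    passwd) htpasswd_line "${2:?user name required}" ;;
esac
```

For this to protect anything, Motion must stop listening on all interfaces: the option is `webcam_localhost on` in the 3.2 series and `stream_localhost on` in later versions, and port 8081 should not be forwarded from the router at all, only 443. The same localhost binding also makes WarheadsSE's SSH tunnel work without any proxy: `ssh -N -L 8081:127.0.0.1:8081 user@pi` and then open http://127.0.0.1:8081/ on the laptop or phone.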
