Personal and Small Business Technology

Setting Up a Network of Security Cameras with Recycled Equipment

Setting up a security camera system for a home office or small business would be costly if one were to use commercial grade systems, but an effective system can be put together quite inexpensively using recycled or repurposed hardware. The article that follows describes three security camera solutions for three different needs using repurposed equipment:

A Simple Live-camera Security Camera Solution Using Unused Android Cell Phones

Most cell phones made over the last five years have cameras that are more than sufficient for security video and a cell phone typically draws very little power--an advantage for any device that will be powered on 24 hours a day. There are several Android applications that allow you to use an old cell phone as a security camera with little configuration or work. IP Webcam is one example. To use this as a live feed accessible from the Internet, you would need to set up dynamic DNS and port forwarding on your router. Setting up dynamic DNS conflicts with the Terms and Conditions of some Internet Service Provider agreements, so check your agreements before configuring this type of arrangement.

An Android cell phone could be used as one of the security cameras in the solutions described in subsequent sections in place of the obsolete AirLink 101 camera that is described.

An Email-based Security Camera Solution Using Obsolete Web Cameras

When they were being discontinued a number of years ago, I bought several Airlink 101 AIC-250W WiFi security cameras. Each camera can email a photo on a schedule or upload to an FTP site on a schedule. This served my needs until Verizon blocked port 25--the standard port for email servers. The Airlink device is hard coded to use port 25 (and WiFi channel 11), so I couldn't use it anymore without some changes.

I first looked at doing port translation, but the routers that I use only offer inbound port translation (port forwarding), and my current D-Link router isn't supported on DD-WRT yet.

I next looked at using the FTP function on the Airlink to copy security photos to a web server. The most straightforward solution would be to transfer the files to a web server outside the firewall where I could log in to check, but the Airlink device only supports FTP, which sends password information in clear text and transfers files unencrypted. Security camera photos need to be stored securely, so I needed to look at some intermediate server that would allow secure transmission outside the firewall.

I had an old Western Digital Mybook World Edition II Network Attached Storage (NAS) device that was now too small to be used as a backup device. Internally, it runs a stripped down version of Linux; there is a strong community that maintains add-in tools for the device that change it from a NAS device to a fairly full-featured low-power server. It should be noted that installing these tools voids any warranty and can render it unusable, but the device was unused, so accidentally turning it into a brick would not have been the end of the world.

Using the NAS as a collection server resulted in a fairly flexible security camera configuration that works well. The approach described is not restricted to the Airlink and the WD NAS device--you could just as easily use another Linux-based NAS device or much more easily a Raspberry Pi.

The example that follows discusses the “kitty cam” portion of the security camera network; the primary purpose of this portion is to provide a convenient way to verify that the cat sitter is stopping by to feed the cat while we are on vacation (the camera is pointed at the food bowl). The security portion of the network uses much the same approach but has different settings and off-site storage so that if an intruder steals the NAS device, we still have camera footage. All devices are connected to UPS devices so that they continue to run in a power outage.

Airlink 101 AIC-250W

The AirLink 101 AIC-250W Webcam was sold about a decade ago and was an inexpensive camera at the time. It supports wired Ethernet and 802.11g WiFi connections, has a maximum resolution of 640x480 and will send photos by email or FTP. It came with a Windows application that allows you to view and manage multiple cameras that are on the same subnet. Support was dropped almost immediately after manufacture as the manufacturer moved on to new products. The firmware restricts WiFi to channel 11, and email to port 25, which is now routinely blocked by most ISPs as an approach to reduce email spam.

Configure Camera for FTP

After getting the Airlink to connect to the Wi-Fi network, the primary setup is on the Configuration->Upload page shown in Figure 1. The FTP address, port number, user name and password are configured on the top portion. Because FTP is not a secure protocol, you should define a separate user for this so that if the ID is compromised, the intruder won't gain wider access to your network.

For the schedule operation for the kitty cam, I set up the camera to take a photo every 600 seconds from 7:00 AM until 7:00 PM--the time during which the cat sitter would most likely refill the food bowl.

Figure 1. FTP configuration for AirLink 101 security camera.

Western Digital Mybook World Edition II Network Attached Storage (NAS)

The Western Digital Mybook World Edition was an early entry into the Network Attached Storage market. It came in "blue light" (I) and "white light" (II) versions and offered a free lifetime subscription to MioNet, a service that allows you to access the drive from outside your firewall. The device firmware is based upon Linux, and there is a significant community of users who have compiled firmware updates to provide additional functionality. Updating the firmware voids the warranty, and can disable the device, but as firmware modifications go, this is perhaps one of the easiest devices to modify without damaging the device, as the procedure is based upon the addition of programs rather than the total replacement of the firmware as is the case for many other devices.

Configure WD Mybook for FTP

To use the Western Digital (WD) NAS device, the first step is to configure the FTP service, as shown in Figure 2. I would normally change the default port, but the AirLink devices didn't work on the 8000-8999 range that the WD NAS supports.

Figure 2. FTP configuration for Western Digital Mybook World Edition II.

After you have turned on FTP, you will need to create a user ID (and password) that matches the user ID that you set on the AirLink camera. Figure 3 shows the User setup screen on the WD NAS device.

Figure 3. User setup on Western Digital Mybook World Edition II.

Configure SSH on WD Mybook

The next step in setting up the WD NAS is to configure SSH to allow you to access the command line and the Linux operating system on the WD NAS. Figure 4 shows the screen where you turn on SSH access. You should immediately log in and change the password from the default “welc0me” to a secure password using the commands shown in Figure 5.

Figure 4. Enabling SSH on the WD NAS device.
Figure 5. Logging in via SSH and changing the root password.

Alternative Setup using MioNet

At this point, you could install and use the MioNet software that is part of the stock WD NAS device. When I installed the MioNet software on my laptop, it wouldn't boot, so I decided that MioNet would not be part of my solution.

Install Optware on Mybook World Edition

A community of users has ported a large number of utilities to the WD Mybook via the “Optware” suite of packages. The installation instructions are available on http://mybookworld.wikidot.com/optware and won't be repeated here. To set up the capabilities for email, you will need to install Optware, but recognize that this will void any warranty and may permanently damage the device if you mess up.

Install mutt, msmtp, cron and zip

After you have installed Optware, you will need to install the optional packages for mutt, msmtp, cron and zip using the command (run this under root):


/opt/bin/ipkg install mutt msmtp cron zip

Copy Certificate Authority Certificates to WD NAS

To protect against man in the middle attacks on the email that you send, you should verify the trust signature of the email server that you are using. To do this, you will need to provide the SSL certificates of the Certificate Authority (CA) that issued the certificate for your mail server. All of the major operating systems and web browsers update root CA certificates as part of their normal maintenance stream. WD does not have or update these as part of firmware updates, so you will need to provide them from some other source. The approach differs depending upon the environment that you are using for your primary workstation. Linux is by far the easiest for this operation.

Linux

On Linux, these are found in /etc/ssl/certs/ca-certificates.crt. To transfer these to your WD NAS, use the commands shown in Figure 6.

Figure 6. Transferring root certificates to your WD NAS from Ubuntu.

Windows

On Windows, you will need to use the certutil program to export the root certificates.

OS X

On OS X, you will need to use the Keychain Access program found in the Applications->Utilities folder.

Configure msmtp

To set up the msmtp package, you will need to create a .msmtprc file in the /root directory with the contents shown below, substituting your own information. The password field is unencrypted, so this file should have permissions of 600. You should use an email ID that is used only for your security camera, so that if it is compromised, you won't lose your primary personal email ID. The tls_certcheck off directive tells msmtp not to verify the certificate of the email server and leaves the installation open to a man-in-the-middle attack, so it should stay commented out in normal use. Instead, extract the root certificate for your email server and specify it with tls_trust_file so that the msmtp client will verify the identity of the email server.


#
# Set default values
#
defaults
auth plain
tls on
tls_starttls on
# Uncomment the next line only while troubleshooting: it disables
# verification of the server certificate
#tls_certcheck off
tls_trust_file /root/ca-certificates.crt
logfile /root/msmtp.log
#
# Set values for mss account (addresses are placeholders; substitute your own)
#
account account_alias
host smtp.youremaildomain.com
port 587
from camera@youremaildomain.com
user camera@youremaildomain.com
password
#
# Set default account to use for sending
#
account default : account_alias

If you have problems with your msmtp client authenticating with the email server, comment out the tls_trust_file line and uncomment the tls_certcheck off line. This will disable authentication of the server and leave you open to man in the middle attacks, but it will allow you to get everything else working.

Configure mutt

The next step is to configure mutt, the package that sends the email. The first line tells mutt to use the msmtp package to send mail, and then gives the location of the msmtp profile that we created in the previous step.


set sendmail="/opt/bin/msmtp -C /root/.msmtprc"
set copy="no"
set from="camera@youremaildomain.com"

Write Script to Send Email

Next, write a short script to zip some of the photos from the security camera and email them to a list of users. The script first changes to the directory that holds all of the photos (/shares/kitty). The parameters for the mutt command are as follows:

  • -s gives the subject line for the email
  • -c gives a list of the destination email addresses
  • -F gives the mutt profile path that we created in the previous step.
  • -a gives the name of the file that we are attaching.
  • < directs the email body text from the file /shares/kitty/msg.txt

#!/bin/sh
# Zip the photos the AirLink camera uploaded this hour and mail them.
# The recipient addresses are placeholders; substitute your own.
cd /shares/kitty || exit 1
chmod 640 *.jpg
# Photos are named kitty_camYYYYMMDDHH...; this prefix selects the current hour
TODAY=$(date +"%Y%m%d%H")
#tar -czvf photos.tgz kitty_cam$TODAY*.jpg
rm -f photos.zip
/opt/bin/zip photos.zip kitty_cam$TODAY*.jpg
/opt/bin/mutt -s "Kittycam Photos" -c recipient1@example.com recipient2@example.com -F /root/.muttrc -a photos.zip < msg.txt

Configure cron

Finally, it is time to set this up to send an email on a schedule using a cron service. There is a cron service that is installed as part of the normal WD NAS firmware, and a separate one that is installed as part of the Optware software. I was unable to get the normal cron service to work but was able to get the Optware service working by following the directions in this article about crontab. The key step is that you use the following command to update the crontab:


/opt/bin/crontab -e

If you omit the /opt/bin path, you will get the normal WD NAS installation of crontab which points to a crontab file that does not exist.

I set up my crontab to run the mail_photo.sh script written in the previous step at 59 minutes past the hour from 7:00 AM to 7:00 PM, mailing all of the photos taken in the previous hour:


SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/opt/sbin:/opt/bin
MAILTO=""
HOME=/
# ---------- ---------- Default is Empty ---------- ---------- #
59 7-19 * * * /root/mail_photo.sh > /shares/kitty/mail.log

Finishing Up

When you are done, make sure to change all of the permissions on the files that you have created in the /root directory to 700, to prevent access to passwords from users other than root.

A Secure Copy (scp command) Based Remote Storage Solution

The example shown above is for a very simple security situation--just making sure that the cat sitter is stopping by each day. For intrusion deterrence and investigation, you would set up the camera to take a photo every few seconds, and upload the information to an offsite server that stores days or weeks of video. For this, you would use the openssl or gpg command to encrypt your camera files, the scp command to transfer them to a server, and a cron job that runs once per minute.

Calculate Storage Requirements

Before setting up this type of arrangement, make sure to estimate the storage requirements and set the video quality and frequency appropriately. At the highest resolution (640x480), the AirLink camera generates images that are about 32K in size. One per second would result in about 2.7 Gigabytes per day for both file transfer and storage. For one month, this would be about 83 Gigabytes of file transfer and storage.

Install GnuPG for Encryption

OpenSSL is installed by default, and works well for symmetric key encryption and S/MIME certificate based encryption, but it does not work well for encrypting large files with public keys that are not certificates. GnuPG works much better for this. To install it, use the command


/opt/bin/ipkg install gnupg coreutils

To configure it, you will need to generate a key and export it on your main workstation. This is the key you will use to decrypt the files. Remember the passphrase. The commands below will work for the GnuPG available on Linux, OS X MacPorts, and Windows Cygwin.


gpg --gen-key
gpg --output yourkey.gpg --export you@yourdomain.com

The first command will prompt for your name and email address, while the second command will export your public key. Next, you will generate a private key that will only reside on the WD NAS. Use the list-secret-keys option to identify the secret key that will be used only on the WD NAS:


gpg --gen-key
gpg --list-secret-keys
gpg --export-secret-keys -a 1234ABCD > secret.asc

Now, copy the keys to the WD NAS. On the WD NAS, you will need to import the key:


scp yourkey.gpg root@wdnas:/root
scp secret.asc root@wdnas:/root

For the private key (the secret.asc file exported above), use:


gpg2 --allow-secret-key-import --import secret.asc

gpg2 --import yourkey.gpg
gpg2 --edit-key you@yourdomain.com
fpr
sign
trust
check

Note that the command on the WD NAS using Optware is gpg2 instead of gpg.

Create ssh Keypair for Secure Copy (scp)

For the secure file copy to work, you will need to generate an ssh keypair using the ssh-keygen command on the WD NAS:

~/.ssh # ssh-keygen -t rsa -f id_rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
e4:e5:62:af:45:42:c3:b9:3e:d3:6d:37:9e:48:71:4d root@backup
~/.ssh #

Next, upload the public key file id_rsa.pub to the .ssh directory of the account where you want to store the video files:


scp id_rsa.pub yourID@remoteserver:/home/yourID/.ssh

Finally, on the remote server, concatenate the public key to the /home/yourID/.ssh/authorized_keys file:


cd .ssh
cat id_rsa.pub >> authorized_keys
cd ~
mkdir security

Script to Encrypt and Upload

The script that follows assumes that all video is stored on the WD NAS via FTP in the same way that it was stored in the previous example. For this script, we want to combine all files generated in a minute, encrypt them and securely transmit them to the server.

#!/bin/sh
#
# Script to encrypt and send video files to remote server
# (the recipient address and remote host are placeholders; substitute your own)
#
cd /shares/security || exit 1
TODAY=$(date +"%Y%m%d%H%M")
#
# When the AirLink 101 FTPs files, they have 755 permissions. Use this to determine which files
# have been transmitted and which have not.
#
# Create a list of files that have permissions indicating no transmission and zip them.
# Note that files that come in during zip activity won't get transmitted by this script.
#
ls -l /shares/security/*.jpg | grep ^-rwxr-xr-x | cut -b 56-150 | sed -e 's/ //' | tee chmod_list.txt | zip security_$TODAY.zip -@

# Mark the zipped files as transmitted by changing them to the permanent storage permissions
cat chmod_list.txt | while read X; do chmod 640 "$X"; done
echo "Completed zipping"
#
# Encrypt the file
# --batch and --homedir are required to run the script under cron
#
/opt/bin/gpg2 --output security_$TODAY.gpg --encrypt --batch --homedir /root/.gnupg --trust-model always --recipient you@yourdomain.com security_$TODAY.zip
echo "Completed encryption"
#
# Copy the file to the remote server
# -- this requires previous set-up of public key access to ssh
#
scp security_$TODAY.gpg yourID@remoteserver:/home/yourID/security
echo "Completed sending"
#
# Erase working files (the permissions used to track what has been sent were changed above).
#
rm -f security_$TODAY.gpg
rm -f security_$TODAY.zip

The series of piped commands


ls -l /shares/security/*.jpg | grep ^-rwxr-xr-x | cut -b 56-150 | sed -e 's/ //' | tee chmod_list.txt | zip security_$TODAY.zip -@

creates the zip file to be encrypted by making a list of files that have the permissions that are left after FTP (ls and grep), cuts out the file name (cut), removes blanks (sed), creates a file list that will be used for chmod (tee) and zips up the files into a single file for encryption. The chmod command changes the file permissions to the permanent storage permissions.

The gpg command requires the --batch and --homedir parameters to work as a cron job. If this were run from the command line with the full set of environment variables and access to stdin, it would work without these two parameters. The --recipient parameter is used to look up the public key installed previously.

The final commands remove the working files.
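The file selection above cuts fixed columns out of ls -l output, which silently breaks if the column layout changes or a file name contains a space. As an added example (not the article's script), here is the same "mode 755 = not yet sent, mode 640 = sent" convention implemented with find -perm, with files marked as sent only after the archive has been written; the function names, the use of a gzipped tar archive instead of zip, and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example: select the camera images that the AirLink FTP upload left
# with mode 755, archive them, then mark them sent by changing them to 640.
# Function names and the use of tar instead of zip are assumptions, not the
# article's own script.

# select_unsent DIR LISTFILE
# Writes the names of unsent .jpg files in DIR (one per line, sorted) to
# LISTFILE and prints the count. find -perm 755 matches the mode exactly,
# so sent files (640) are skipped without parsing ls -l columns.
select_unsent() {
    dir=$1
    list=$2
    find "$dir" -maxdepth 1 -type f -name '*.jpg' -perm 755 \
        -exec basename {} \; | sort > "$list"
    wc -l < "$list" | tr -d ' '
}

# mark_sent DIR LISTFILE
# Changes each listed file to 640 so the next run leaves it alone.
mark_sent() {
    dir=$1
    list=$2
    while IFS= read -r name; do
        if [ -n "$name" ]; then
            chmod 640 "$dir/$name"
        fi
    done < "$list"
}

# pack_unsent DIR ARCHIVE
# One cycle of the cron job: select, archive, mark sent. Prints the number
# of files packed and creates no archive when there is nothing to send.
# Files are marked sent only after tar succeeds, so a failed run leaves
# them for the next minute instead of silently dropping them. The archive
# is what the article's script then encrypts with gpg2 and copies with scp.
pack_unsent() {
    dir=$1
    archive=$2
    list=$(mktemp)
    n=$(select_unsent "$dir" "$list")
    if [ "$n" -gt 0 ]; then
        # Absolute archive path so the subshell can cd into DIR and store
        # bare file names; -T reads the names from the list file.
        abs=$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive")
        if (cd "$dir" && tar -czf "$abs" -T "$list"); then
            mark_sent "$dir" "$list"
        else
            n=0
        fi
    fi
    rm -f "$list"
    echo "$n"
}
```

Marking files as sent only after the archive is written is a deliberate change from the article's ordering, where the chmod happens before encryption and scp; the trade-off is that a file that fails to archive is retried every minute until it succeeds.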

Cron job

To edit the crontab, remember to use the /opt/bin/crontab -e command to get the Optware version of the crontab command.

This application will require a cron job that runs every minute all day, every day, so the crontab should look something like this:


SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/opt/sbin:/opt/bin
MAILTO=""
HOME=/
# ---------- ---------- Default is Empty ---------- ---------- #
* * * * * /root/security_camera.sh > /root/camera.log

Decrypting the Video

To view the video, you will need to download it to your primary workstation or another workstation where you have the private key installed. To decrypt the files use the command


for FILE in *.gpg; do gpg --output "$(basename "$FILE" .gpg).zip" --decrypt "$FILE"; done