1. Don’t put cameras on the public internet. Given the wide availability of free scanning and vulnerability detection tools, it makes sense to avoid using routable IP addresses for IP cameras if at all possible. The recent DDoS attacks on core DNS infrastructure used botnets of public cameras, and all the attackers had to do was find the cameras.
Instead, put cameras behind a firewall and run network address translation (NAT). While NAT is not itself a security mechanism, and has a long and well-deserved history of derision for breaking the Internet’s core principle of end-to-end connectivity, it will at least offer some protection from probes by scanning tools.