Securing the login page
Re: Securing the login page
Thanks for the guidance on this.
I have managed to get the recaptcha to display on the login page but it says ERROR: Invalid domain for site key
I am using a masked forwarder for a .com domain pointing to myip/zm, so I'm wondering if I am not allowed to do this?
Shall I change the way I forward, or have I implemented the code wrong?
All I did was sign up for the recaptcha, then add the 2 bits of code into the login.php:
Paste this snippet before the closing </head> tag on your HTML template:
<script src='https://www.google.com/recaptcha/api.js'></script>
Paste this snippet at the end of the <form> where you want the reCAPTCHA widget to appear:
<div class="g-recaptcha" data-sitekey="6LeAfgsTAAAAAFd4xT22341234mq6QwTm5gPKV1"></div>
I haven't got to the POST section yet, just trying to get it to display correctly.
Many thanks
Re: Securing the login page
Hmm, I frankly don't know if that may cause problems - it might. Would it be possible to disable masking for now and get recaptcha working first?
Please don't ask me questions via PM. Feel free to post in the forums or Github
My collection of ZoneMinder learnings:
https://wiki.zoneminder.com/Various_ZM_thoughts
Re: Securing the login page
Okay, so I registered the reCaptcha to the IP address of the server and now it's showing up fine.
I am just not sure on what code to put in which file for it to check after it has had the reCaptcha input.
It looks good so far, just that it will let people bypass the captcha and log straight in without verifying.
Re: Securing the login page
@knnniggett
So are you saying that if I was to add that code to my functions.php file, that this would then log failed zm logins and fail2ban would pick this up?
Many thanks
Re: Securing the login page
Here goes:
Tutorial on how to add Google reCaptcha to ZM
Step 0: Get a reCaptcha domain and secret key set up
1. Go to https://www.google.com/recaptcha/admin#list
2. Follow instructions and sign up for a secret key for your site
3. Keep a copy of the "site key" and the "secret key"
Step 1: Add the reCaptcha widget
Edit /usr/share/zoneminder/www/skins/classic/views/login.php
Add this right after line 22, which is "?>"
Code:
    <!-- PP: Add Google recaptcha script -->
    <head>
    <script src='https://www.google.com/recaptcha/api.js'></script>
    </head>
Add this right after the line that reads
Code:
    <input type="submit" value="<?php echo translate('Login') ?>"/>
(Replace "PUT IN YOUR SITE KEY HERE" with your site key)
Code:
    <!-- PP Display recaptcha widget -->
    <br/>
    <br/>
    <center>
    <div class="g-recaptcha" data-sitekey="PUT IN YOUR SITE KEY HERE"></div>
    </center>
It is important this is added before the closing tag
Code:
    </form>
Load up ZoneMinder and ensure your captcha is showing. If it does not show up, you've done something wrong. Rinse and repeat.
Step 2: Server validation:
First, grab the Google client library for reCaptcha (not necessary but makes it easy)
Code:
    cd /usr/share/zoneminder/www/includes
    sudo wget https://github.com/google/recaptcha/archive/master.zip
    sudo unzip master
    sudo mv recaptcha-master recaptcha
Add this code to /usr/share/zoneminder/includes/actions.php:
Right after around line 44, that reads
Code:
    if ( !empty($action) )
    {
Add this: (Replace "REPLACE WITH YOUR SECRET KEY" with your secret key)
Code:
    //PP let's first validate reCaptcha response
    require_once( 'recaptcha/src/autoload.php' );
    $secret = "REPLACE WITH YOUR SECRET KEY";
    // A request without the token gets an empty string, which verify() rejects
    // (this avoids an undefined-index notice when the field was not posted)
    $gRecaptchaResponse = isset($_REQUEST['g-recaptcha-response']) ? $_REQUEST['g-recaptcha-response'] : '';
    $remoteIp = $_SERVER['REMOTE_ADDR'];
    $recaptcha = new \ReCaptcha\ReCaptcha($secret);
    $resp = $recaptcha->verify($gRecaptchaResponse, $remoteIp);
    if (!$resp->isSuccess()) {
        // Captcha missing or failed: drop the session and return to the login view
        userLogout();
        $view = 'login';
        $refreshParent = true;
    }
Please don't ask me questions via PM. Feel free to post in the forums or Github
My collection of ZoneMinder learnings:
https://wiki.zoneminder.com/Various_ZM_thoughts
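The server-side check from Step 2 can also be done without the client library, by posting the token to Google's siteverify endpoint and failing closed on anything but a clean success. This is an added example, not code from the post above or from ZoneMinder; the function names, the `zm.example` host and the sample response bodies are constructed, and it assumes PHP 7.1 or later with allow_url_fopen and the openssl extension.

```php
<?php
// Added example, not ZoneMinder or Google code. Function names, zm.example
// and the sample JSON bodies are constructed for illustration.

// POST the token to siteverify; returns the raw JSON body or null on failure.
// Assumes allow_url_fopen and the openssl extension are enabled.
function fetchSiteverify(string $secret, string $token, string $remoteIp): ?string
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(
            ['secret' => $secret, 'response' => $token, 'remoteip' => $remoteIp]),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    return $body === false ? null : $body;
}

// Fail closed: only success=true for the expected hostname allows the login.
function captchaPassed(?string $body, string $expectedHost): array
{
    if ($body === null) {
        return [false, 'verification service unreachable'];
    }
    $data = json_decode($body, true);
    if (!is_array($data) || ($data['success'] ?? false) !== true) {
        $codes = is_array($data) ? ($data['error-codes'] ?? []) : ['malformed-json'];
        return [false, implode(',', (array) $codes)];
    }
    if (strcasecmp((string) ($data['hostname'] ?? ''), $expectedHost) !== 0) {
        return [false, 'hostname mismatch'];
    }
    return [true, 'ok'];
}

// Live use: captchaPassed(fetchSiteverify($secret, $_POST['g-recaptcha-response'] ?? '',
//                         $_SERVER['REMOTE_ADDR']), 'zm.example')
$samples = [   // constructed siteverify bodies
    'no token posted'      => '{"success": false, "error-codes": ["missing-input-response"]}',
    'token replayed'       => '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    'solved on other host' => '{"success": true, "hostname": "other.example"}',
    'valid token'          => '{"success": true, "hostname": "zm.example"}',
    'service unreachable'  => null,
];
foreach ($samples as $label => $body) {
    [$ok, $why] = captchaPassed($body, 'zm.example');
    printf("%-22s %-5s %s\n", $label, $ok ? 'ALLOW' : 'DENY', $why);
}
```

The first sample is the case raised earlier in the thread: a login POST that never carried a widget token is rejected by the server, which is what stops the captcha from being skipped.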
Re: Securing the login page
@Asker,
After following your step by step guide this has proved successful, thank you for posting this and putting in the work to getting this page secure.
Thanks a lot
Re: Securing the login page
I noticed the subject for this post and I'm wondering if anybody has looked into integrating Google sign-in, from here: https://developers.google.com/identity/sign-in/web/
This basically uses the Google user to sign in users.
Here are the step-by-step instructions I found, however, I have NOT implemented it or tested it, so not sure if this would be feasible:
https://developers.google.com/identity/ ... le-project