Securing the login page

Forum for questions and support relating to the 1.28.x releases only.
Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Securing the login page

Post by Zmjm15 » Sun Aug 16, 2015 9:20 pm

Hi guys,

Just wondered if anyone has tried to secure the login page of ZM, with a captcha or some anti brute forcing method?

Many thanks

Nerre
Posts: 100
Joined: Thu Sep 25, 2014 10:22 am

Re: Securing the login page

Post by Nerre » Mon Aug 17, 2015 6:43 am

I think fail2ban can be used; it can prevent brute-force attacks for anything that logs a message on a failed login (the log does, however, need to contain the IP address; not sure if ZoneMinder writes it to the log).

darmach
Posts: 17
Joined: Thu Aug 13, 2015 8:26 am

Re: Securing the login page

Post by darmach » Mon Aug 17, 2015 9:15 am

You can add an additional level of security by using Apache auth, something like this:
<Directory /var/www/your-zm-path>
    AllowOverride All
    # Apache 2.2 access control. The commented lines are the alternative of
    # restricting by source address instead of letting every client reach the directory.
    # Order deny,allow
    # Deny from all
    # Allow from 192.168.10.2
    # Allow from domain.com
    Order allow,deny
    Allow from all
    # On Apache 2.4 the two Order/Allow lines above need mod_access_compat; without it,
    # drop them: the Require line below already restricts access by itself.
    # HTTP Basic auth in front of ZoneMinder's own login. Only use this over HTTPS,
    # since Basic credentials are merely base64-encoded on the wire.
    AuthType Basic
    AuthName "Restricted Access"
    # Password file created with: htpasswd -c /etc/apache2/htpasswords allowed-user-name
    AuthUserFile /etc/apache2/htpasswords
    Require user allowed-user-name
</Directory>
I would have another question though - where does ZoneMinder log failed access attempts? I mean application logons of course - when you set up passwords in the app.
Last edited by darmach on Sat Oct 29, 2016 8:51 am, edited 1 time in total.

kenneth558
Posts: 18
Joined: Mon Jul 27, 2015 3:57 am

Re: Securing the login page

Post by kenneth558 » Mon Aug 17, 2015 3:56 pm

I'm trying Fail2ban myself, but I also set up ufw, the default firewall. I don't have my server in the wild yet, but later today I should know how well it works.

Did you get ZM upgraded to 1.28.1 like I suggested in the other post?

Nerre
Posts: 100
Joined: Thu Sep 25, 2014 10:22 am

Re: Securing the login page

Post by Nerre » Tue Aug 18, 2015 6:10 am

darmach wrote: I would have another question though - where does zoneminder logs failed access attempts? I mean application logons of course - when you set up passwords in the app.
I assumed zoneminder did log login failures, but it seems to only log successful logins. That was a disappointment to me.

darmach
Posts: 17
Joined: Thu Aug 13, 2015 8:26 am

Re: Securing the login page

Post by darmach » Tue Aug 18, 2015 9:43 am

Exactly what I found! Seems absurd... The failed ones are the attention-worthy ones...

knight-of-ni
Posts: 2209
Joined: Thu Oct 18, 2007 1:55 pm
Location: Shiloh, IL

Re: Securing the login page

Post by knight-of-ni » Tue Aug 18, 2015 5:07 pm

Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/

asker
Posts: 1005
Joined: Sun Mar 01, 2015 12:12 pm

Re: Securing the login page

Post by asker » Tue Aug 18, 2015 6:30 pm

I never had the need to secure it beyond what was already available. I just added HTTPS.

But given this thread, I gave it a go - it was pretty trivial to add re-Captcha for instance.


Modify login.php to insert the div and edit actions.php to handle the POST callback check of re-captcha.
Anyone wanting to use mobile clients (such as zmNinja or zmView) should not do this -- their clients will fail to log in.
Last edited by asker on Tue Aug 18, 2015 7:25 pm, edited 1 time in total.
--
My collection of ZoneMinder learnings:
https://wiki.zoneminder.com/Various_ZM_thoughts

knight-of-ni
Posts: 2209
Joined: Thu Oct 18, 2007 1:55 pm
Location: Shiloh, IL

Re: Securing the login page

Post by knight-of-ni » Tue Aug 18, 2015 6:38 pm

I don't believe you. I think you are a robot.

darmach
Posts: 17
Joined: Thu Aug 13, 2015 8:26 am

Re: Securing the login page

Post by darmach » Tue Aug 18, 2015 7:49 pm

knnniggett wrote:FYI...
Great news!

A pity it will be a moment till it is available in the Debian repos.
Maybe I should pull from git and deploy it myself...

Anyway - thank you v much!

knight-of-ni
Posts: 2209
Joined: Thu Oct 18, 2007 1:55 pm
Location: Shiloh, IL

Re: Securing the login page

Post by knight-of-ni » Tue Aug 18, 2015 7:59 pm

darmach wrote: Great news!

A pity it will be a moment till it is available in debian repos.
Maybe I should pull from git and deploy it myself...

Anyway - thank you v much!
No need to wait if you don't want to. It is just a few lines of php.
You could edit the file functions.php on your system to match.

Here is a patch file that will do it:
https://patch-diff.githubusercontent.co ... 1021.patch

Until this is included in the zoneminder package you are using, you will have to reapply this patch after a package upgrade.
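Added example, not ZoneMinder's own code and not the contents of the linked patch (whose text is not reproduced in this thread): what a failed-login log line needs to look like for the fail2ban approach suggested earlier to be safe to act on. The only thing taken from ZoneMinder is that its PHP code has a global Warning() logger (includes/logger.php); the message format, the clientIp/sanitizeForLog/logFailedLogin helpers, the trusted-proxy list and the sample request are all this example's own assumptions.

```php
<?php
// Added example, not ZoneMinder's own code and not the linked patch.
// Assumption: ZoneMinder's global Warning() PHP logger exists (includes/logger.php);
// the stand-in below only lets this file run on its own.
if (!function_exists('Warning')) {
    function Warning($msg) { error_log('WAR [web] ' . $msg); }
}

/**
 * Client address to record. REMOTE_ADDR is the TCP peer and cannot be forged
 * by the client. X-Forwarded-For is attacker-controlled unless the request
 * arrived from a reverse proxy you run (the assumed $trustedProxies list).
 */
function clientIp(array $server, array $trustedProxies = array()) {
    $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '0.0.0.0';
    if (in_array($ip, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops  = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $first = trim($hops[0]);                       // leftmost hop = original client
        if (filter_var($first, FILTER_VALIDATE_IP)) {  // never log an unvalidated string as an IP
            $ip = $first;
        }
    }
    return $ip;
}

/**
 * The username is attacker input. A newline would let one request write two
 * log lines, and a quote followed by ' from <ip>' would forge the suffix, so a
 * fail2ban regex could be steered into banning an arbitrary address.
 * Quotes and control characters are replaced and the length is capped.
 */
function sanitizeForLog($value, $maxLen = 64) {
    $value = preg_replace('/[\x00-\x1F\x7F"]/', '?', (string)$value);
    return substr($value, 0, $maxLen);
}

/** Fixed, single-line format: Login denied for user "<name>" from <ip> */
function failedLoginMessage($username, $ip) {
    return 'Login denied for user "' . sanitizeForLog($username) . '" from ' . $ip;
}

/** Call this on the failure path of userLogin() in functions.php. */
function logFailedLogin($username, array $server, array $trustedProxies = array()) {
    Warning(failedLoginMessage($username, clientIp($server, $trustedProxies)));
}

// Constructed request: a username crafted to smuggle a fake "from 10.0.0.9" line.
logFailedLogin("admin\" from 10.0.0.9\nx", array('REMOTE_ADDR' => '203.0.113.7'));
```

A matching fail2ban filter would use a failregex such as `^.*Login denied for user "[^"]*" from <HOST>` (fail2ban substitutes its own address pattern for `<HOST>`), with the jail's logpath pointing at the file ZoneMinder's web logger writes on your system. Because the helper strips quotes and control characters, the crafted username above is logged as a single line whose only `from <ip>` suffix is the real peer address, and the `[^"]*` in the regex cannot be pushed past a forged one.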

darmach
Posts: 17
Joined: Thu Aug 13, 2015 8:26 am

Re: Securing the login page

Post by darmach » Tue Aug 18, 2015 8:06 pm

Haha, thanks! You're great!

iconnor
Posts: 682
Joined: Fri Oct 29, 2010 1:43 am
Location: Toronto

Re: Securing the login page

Post by iconnor » Tue Aug 18, 2015 8:27 pm

I think the captcha on login page is a great feature... just needs to be turned on/off in config.

Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Re: Securing the login page

Post by Zmjm15 » Tue Aug 18, 2015 9:08 pm

So we can just edit the functions.php with that code, then add the actual captcha code to the login page/actions.php?

That is awesome that you have managed to get this put in so quick!

asker
Posts: 1005
Joined: Sun Mar 01, 2015 12:12 pm

Re: Securing the login page

Post by asker » Wed Aug 19, 2015 1:05 am

Zmjm15 wrote:So we can just edit the functions.php with that code, then add the actual captcha code to the login page/actions.php?

That is awesome that you have managed to get this put in so quick!
No, we are conflating two completely different features.

1. What knniggett added in his PR (Pull Request) is a log that gets generated when a login fails so other applications can monitor that log to detect a failed login

2. What I added was a google re-captcha which adds further bot checks in addition to ZM's own auth.

If you want to experiment, I'll offer some hints - I don't want to post code (yet):

a) Read https://code.google.com/p/recaptcha/wik ... pRecaptcha -- it's really simple. There are 3 parts: 1) get an API key to use re-captcha, 2) display the re-captcha in the login form, 3) validate the response from re-captcha before you consider a person authenticated.

b) Getting an API key is as simple as putting in your domain name and having Google generate a key.

c) Add the "recaptcha" display code to login.php.

d) actions.php is the PHP file that actually does the user login and gets called with the form data, so it makes sense to add code there that also checks the status of the recaptcha and adds that condition.

The reason I don't want to post code:

ZM needs people to contribute.
ZM is an awesome product - you'd be surprised to know only 3-4 people work really hard to maintain it without any expectation of getting anything back except satisfaction (I'm not in that count), so I'd encourage you to experiment and try to implement this feature. I'm not a PHP person at all, so if you are not comfortable with it, don't worry, it's not hard to pick up. And if you are already aware of it, then I'd love for you to add this. If you do add it, I can promise you I can add the code to the web interface that allows users to enable/disable it and put in their secret key.
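Added example, not ZoneMinder's code and not asker's implementation: the server-side half of the procedure above (step 3, the check in actions.php) written out in PHP, with a constructed stand-in for Google's reply so it runs offline. RECAPTCHA_SECRET, RECAPTCHA_HOSTNAME, the helper names and the sample tokens are this example's own assumptions; the siteverify endpoint and the g-recaptcha-response form field are the reCAPTCHA v2 API.

```php
<?php
// Added example, not ZoneMinder's code and not the poster's implementation:
// the server-side check as it could sit in actions.php before the existing
// userLogin() call. RECAPTCHA_SECRET, RECAPTCHA_HOSTNAME and the helper names
// are this example's own; the siteverify endpoint and the g-recaptcha-response
// field are the reCAPTCHA v2 API.
define('RECAPTCHA_SECRET',   'replace-with-your-secret-key'); // server-side key from Google
define('RECAPTCHA_HOSTNAME', 'zm.example.com');               // host the site key was registered for

/** Form POST with a hard timeout; returns the body, or false on any failure. */
function httpPostForm($url, array $fields) {
    $ctx = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
        'timeout' => 5,
    )));
    return @file_get_contents($url, false, $ctx);
}

/**
 * Send the widget's token to Google and return true only for a well-formed,
 * positive answer bound to our hostname. Transport errors, timeouts and
 * malformed replies all fail closed: no verification, no login.
 */
function verifyRecaptcha($secret, $token, $remoteIp, $expectedHost, $postFn = 'httpPostForm') {
    if (!is_string($token) || $token === '' || strlen($token) > 4096) {
        return false;
    }
    $raw = call_user_func($postFn, 'https://www.google.com/recaptcha/api/siteverify', array(
        'secret'   => $secret,
        'response' => $token,
        'remoteip' => $remoteIp,
    ));
    if (!is_string($raw)) {
        return false;
    }
    $reply = json_decode($raw, true);
    if (!is_array($reply) || !isset($reply['success']) || $reply['success'] !== true) {
        return false;
    }
    // A token solved on another site registered under the same secret must
    // not unlock this one: compare the hostname Google recorded.
    return isset($reply['hostname']) && $reply['hostname'] === $expectedHost;
}

/**
 * Gate for actions.php: true means the human check passed and the existing
 * userLogin($username, $password) call may proceed; false means redisplay
 * the form without touching the credentials at all.
 */
function captchaGatedLogin(array $post, array $server, $postFn = 'httpPostForm') {
    $token = isset($post['g-recaptcha-response']) ? $post['g-recaptcha-response'] : '';
    $ip    = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    return verifyRecaptcha(RECAPTCHA_SECRET, $token, $ip, RECAPTCHA_HOSTNAME, $postFn);
}

// Offline demonstration: a constructed transport standing in for Google's reply.
$fakeGoogle = function ($url, array $fields) {
    switch ($fields['response']) {
        case 'good-token': return json_encode(array('success' => true, 'hostname' => 'zm.example.com'));
        case 'other-site': return json_encode(array('success' => true, 'hostname' => 'attacker.example'));
        case 'timeout':    return false;
        default:           return json_encode(array('success' => false, 'error-codes' => array('invalid-input-response')));
    }
};
foreach (array('good-token', 'other-site', 'timeout', 'garbage') as $t) {
    $ok = captchaGatedLogin(array('g-recaptcha-response' => $t), array('REMOTE_ADDR' => '203.0.113.7'), $fakeGoogle);
    echo $t, ': ', ($ok ? 'login may proceed' : 'refused'), "\n";
}
```

Only the first constructed token passes: a positive answer for a different hostname, a transport failure and an invalid token are all refused, which is the fail-closed behaviour you want in front of credentials. The client-side half (step 2) is the usual reCAPTCHA v2 markup in login.php: load https://www.google.com/recaptcha/api.js and place `<div class="g-recaptcha" data-sitekey="...">` inside the form, which submits the token as the g-recaptcha-response field read above. Apply the gate to the browser login form only; as asker notes, API clients such as zmNinja and zmView cannot solve a captcha, which is why iconnor's point about an on/off switch in the config matters.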
