Securing the login page

Forum for questions and support relating to the 1.28.x releases only.
Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Re: Securing the login page

Post by Zmjm15 »

Thanks for the guidance on this,

I have managed to get the recaptcha to display on the login page but it says ERROR: Invalid domain for site key

I am using a masked forwarder for a .com domain pointing to myip/zm, so I'm wondering if I am not allowed to do this?

Shall I change the way I forward or have I implemented the code wrong?

All I did was sign up for the recaptcha, then add the 2 bits of code into the login.php:

Paste this snippet before the closing </head> tag on your HTML template:
<script src='https://www.google.com/recaptcha/api.js'></script>


Paste this snippet at the end of the <form> where you want the reCAPTCHA widget to appear:
<div class="g-recaptcha" data-sitekey="6LeAfgsTAAAAAFd4xT22341234mq6QwTm5gPKV1"></div>


I haven't got to the POST section yet, just trying to get it to display correctly.


Many thanks
asker
Posts: 1553
Joined: Sun Mar 01, 2015 12:12 pm

Re: Securing the login page

Post by asker »

Hmm, I frankly don't know if that may cause problems - it might. Would it be possible to disable masking for now and get recaptcha working first?
I no longer work on zmNinja, zmeventnotification, pyzm or mlapi. I may respond on occasion based on my available time/interest.

Please read before posting:
How to set up logging properly
How to troubleshoot and report - ES
How to troubleshoot and report - zmNinja
ES docs
zmNinja docs
Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Re: Securing the login page

Post by Zmjm15 »

Okay, so I registered the reCaptcha to the IP address of the server and now it's showing up fine.

I am just not sure on what code to put in which file for it to check after it has had the reCaptcha input.

It looks good so far, just that it will let people bypass the captcha and log straight in without verifying.
Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Re: Securing the login page

Post by Zmjm15 »

@knnniggett

So are you saying that if I was to add that code to my functions.php file, that this would then log failed zm logins and fail2ban would pick this up?

Many thanks
asker
Posts: 1553
Joined: Sun Mar 01, 2015 12:12 pm

Re: Securing the login page

Post by asker »

Here goes:

Tutorial on how to add google re-captcha to ZM


Step 0: Get a reCaptcha domain and secret key set up

1. Go to https://www.google.com/recaptcha/admin#list
2. Follow instructions and sign up for a secret key for your site
3. Keep a copy of the "site key" and the "secret key"


Step 1: Add the reCaptcha widget

Edit /usr/share/zoneminder/www/skins/classic/views/login.php

Add this right after line 22, which is "?>":

Code:

<!-- PP: Add Google recaptcha script -->
<head>
        <script src='https://www.google.com/recaptcha/api.js'></script>
</head>

Add this right after the line that reads

Code:

 <input type="submit" value="<?php echo translate('Login') ?>"/>

(Replace "PUT IN YOUR SITE KEY HERE" with your site-key)

Code:

<!-- PP Display recaptcha widget -->
        <br/>
        <br/>
                <center>
                        <div class="g-recaptcha"  data-sitekey="PUT IN YOUR SITE KEY HERE"></div>
                </center>

It is important this is added before the closing

Code:

</form>

tag.

Load up ZoneMinder and ensure your captcha is showing. If it does not show up, you've done something wrong. Rinse and repeat.


Step 2: Server validation:

First, grab the Google client library for reCaptcha (not necessary but makes it easy)

Code:

cd /usr/share/zoneminder/www/includes
sudo wget https://github.com/google/recaptcha/archive/master.zip
sudo unzip master
sudo mv recaptcha-master recaptcha

Add this code to /usr/share/zoneminder/includes/actions.php:

Right after around line 44, that reads

Code:

 44 if ( !empty($action) )
 45 {

Add this: (Replace "REPLACE WITH YOUR SECRET KEY" with your secret key)

Code:

        //PP let's first validate reCaptcha response

        require_once( 'recaptcha/src/autoload.php' );
        $secret = "REPLACE WITH YOUR SECRET KEY";
        // The field is absent when the form is posted without the widget; pass an empty token so the check fails
        $gRecaptchaResponse = isset($_REQUEST['g-recaptcha-response']) ? $_REQUEST['g-recaptcha-response'] : '';
        $remoteIp = $_SERVER['REMOTE_ADDR'];
        // Ask Google to verify the token server-side
        $recaptcha = new \ReCaptcha\ReCaptcha($secret);
        $resp = $recaptcha->verify($gRecaptchaResponse, $remoteIp);
        if (!$resp->isSuccess()) {
                // Verification failed: drop any session and show the login view again
                userLogout();
                $view='login';
                $refreshParent = true;
        }
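
The server-side check from Step 2, done directly against Google's siteverify endpoint without the client library, as an added example that is not part of the original posts or of ZoneMinder. The function names and the cctv.example.com hostname are hypothetical, and the sample replies are constructed.

```php
<?php
// Added example, not ZoneMinder code. Function names are hypothetical.

// Decide on a decoded siteverify reply. Anything other than an explicit
// success for the expected hostname is treated as a failure (fail closed).
function recaptcha_reply_ok($reply, $expectedHost)
{
    if (!is_array($reply) || !isset($reply['success']) || $reply['success'] !== true) {
        return false;
    }
    // 'hostname' is the site on which the widget was solved.
    return isset($reply['hostname']) && strcasecmp($reply['hostname'], $expectedHost) === 0;
}

// POST the token to the siteverify endpoint and return the decision.
function recaptcha_verify($secret, $token, $remoteIp, $expectedHost)
{
    if (!is_string($token) || $token === '') {
        return false;               // form posted without solving the widget
    }
    $ctx = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(array(
            'secret' => $secret, 'response' => $token, 'remoteip' => $remoteIp)),
        'timeout' => 5,
    )));
    $body = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    if ($body === false) {
        return false;               // network error: do not let the login through
    }
    return recaptcha_reply_ok(json_decode($body, true), $expectedHost);
}

// Constructed sample replies (not captured traffic), evaluated offline.
$samples = array(
    'solved'     => '{"success":true,"hostname":"cctv.example.com"}',
    'wrong host' => '{"success":true,"hostname":"other.example.net"}',
    'bad token'  => '{"success":false,"error-codes":["invalid-input-response"]}',
    'not json'   => '<html>502</html>',
);
foreach ($samples as $name => $json) {
    $ok = recaptcha_reply_ok(json_decode($json, true), 'cctv.example.com');
    echo str_pad($name, 12), $ok ? "accept\n" : "reject\n";
}
```

Only the first sample is accepted; a missing token, an unreachable endpoint, or a reply that is not valid JSON all count as a failed check.
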
Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Re: Securing the login page

Post by Zmjm15 »

@Asker,

After following your step by step guide this has proved successful, thank you for posting this and putting in the work to getting this page secure.

Thanks a lot
aelg305
Posts: 3
Joined: Fri Sep 29, 2017 5:10 pm

Re: Securing the login page

Post by aelg305 »

I noticed the subject for this post and I'm wondering if anybody has looked into integrating Google sign-in, from here: https://developers.google.com/identity/sign-in/web/

This basically uses the Google user to sign in users.

Here are the step-by-step instructions I found, however, I have NOT implemented it or tested, so not sure if this would be feasible:
https://developers.google.com/identity/ ... le-project