Securing the login page

Forum for questions and support relating to the 1.28.x releases only.
Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Re: Securing the login page

Post by Zmjm15 » Wed Aug 19, 2015 7:48 am

Thanks for the guidance on this.

I have managed to get the reCAPTCHA to display on the login page, but it says ERROR: Invalid domain for site key

I am using a masked forwarder for a .com domain pointing to myip/zm, so I'm wondering if I am not allowed to do this?

Shall I change the way I forward, or have I implemented the code wrong?

All I did was sign up for the reCAPTCHA, then add the 2 bits of code into the login.php:

Paste this snippet before the closing </head> tag on your HTML template:
<script src='https://www.google.com/recaptcha/api.js'></script>


Paste this snippet at the end of the <form> where you want the reCAPTCHA widget to appear:
<div class="g-recaptcha" data-sitekey="6LeAfgsTAAAAAFd4xT22341234mq6QwTm5gPKV1"></div>


I haven't got to the POST section yet, just trying to get it to display correctly.


Many thanks

asker
Posts: 941
Joined: Sun Mar 01, 2015 12:12 pm

Re: Securing the login page

Post by asker » Wed Aug 19, 2015 2:58 pm

Hmm, I frankly don't know if that may cause problems - it might. Would it be possible to disable masking for now and get recaptcha working first?
--
My collection of ZoneMinder learnings:
https://wiki.zoneminder.com/Various_ZM_thoughts

Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Re: Securing the login page

Post by Zmjm15 » Thu Aug 20, 2015 6:20 pm

Okay, so I registered the reCAPTCHA to the IP address of the server and now it's showing up fine.

I am just not sure what code to put in which file for it to check after it has had the reCAPTCHA input.

It looks good so far, just that it will let people bypass the captcha and log straight in without verifying.

Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Re: Securing the login page

Post by Zmjm15 » Sun Aug 23, 2015 10:22 pm

@knnniggett

So are you saying that if I was to add that code to my functions.php file, this would then log failed zm logins and fail2ban would pick this up?

Many thanks

asker
Posts: 941
Joined: Sun Mar 01, 2015 12:12 pm

Re: Securing the login page

Post by asker » Sat Aug 29, 2015 12:31 am

Here goes:

Tutorial on how to add google re-captcha to ZM


Step 0: Get a reCaptcha domain and secret key set up

1. Go to https://www.google.com/recaptcha/admin#list
2. Follow instructions and sign up for a secret key for your site
3. Keep a copy of the "site key" and the "secret key"


Step 1: Add the reCaptcha widget

Edit /usr/share/zoneminder/www/skins/classic/views/login.php

Add this right after line 22, which is "?>"

Code: Select all

<!-- PP: Add Google recaptcha script -->
<head>
        <script src='https://www.google.com/recaptcha/api.js'></script>
</head>

Add this right after the line that reads

Code: Select all

 <input type="submit" value="<?php echo translate('Login') ?>"/>

(Replace "PUT IN YOUR SITE KEY HERE" with your site-key)

Code: Select all

<!-- PP Display recaptcha widget -->
        <br/>
        <br/>
                <center>
                        <div class="g-recaptcha"  data-sitekey="PUT IN YOUR SITE KEY HERE"></div>
                </center>

It is important this is added before the closing

Code: Select all

</form>

tag

Load up ZoneMinder and ensure your captcha is showing. If it does not show up, you've done something wrong. Rinse and repeat.


Step 2: Server validation:

First, grab the Google client library for reCaptcha (not necessary but makes it easy)

Code: Select all

cd /usr/share/zoneminder/www/includes
sudo wget https://github.com/google/recaptcha/archive/master.zip
sudo unzip master
sudo mv recaptcha-master recaptcha

Add this code to /usr/share/zoneminder/includes/actions.php:

Right after around line 44, that reads

Code: Select all

 44 if ( !empty($action) )
 45 {

Add this: (Replace "REPLACE WITH YOUR SECRET KEY" with your secret key)

Code: Select all

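        // PP: let's first validate the reCaptcha response

        require_once( 'recaptcha/src/autoload.php' );
        $secret = "REPLACE WITH YOUR SECRET KEY";
        // Token the widget adds to the login form; empty string if the field was not submitted
        $gRecaptchaResponse = isset($_REQUEST['g-recaptcha-response']) ? $_REQUEST['g-recaptcha-response'] : '';
        $remoteIp = $_SERVER['REMOTE_ADDR'];
        $recaptcha = new \ReCaptcha\ReCaptcha($secret);
        // Ask Google whether the token is valid
        $resp = $recaptcha->verify($gRecaptchaResponse, $remoteIp);
        if (!$resp->isSuccess()) {
                // Verification failed: drop the session and show the login view again
                userLogout();
                $view='login';
                $refreshParent = true;
        }
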
--
My collection of ZoneMinder learnings:
https://wiki.zoneminder.com/Various_ZM_thoughts
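
Step 2's server-side check done directly against Google's siteverify endpoint, without the client library, as an added example that is not part of the original post or of ZoneMinder. The function names and the host `zm.example.com` are assumptions, the sample replies are constructed, and the comparison of the reply's `hostname` field goes beyond what the tutorial code checks.

```php
<?php
// Added example, not ZoneMinder or Google library code; function names are hypothetical.

// Decide from a decoded siteverify reply whether the login may proceed.
// Fails closed: only an explicit success for the expected host is accepted.
function recaptchaAccepts($reply, $expectedHost) {
    if (!is_array($reply) || !isset($reply['success']) || $reply['success'] !== true) {
        return false;
    }
    // "hostname" is the site the widget was solved on
    return isset($reply['hostname'])
        && strcasecmp($reply['hostname'], $expectedHost) === 0;
}

// POST the token to siteverify; returns the decoded reply, or null on any error.
function recaptchaSiteverify($secret, $token, $remoteIp) {
    if (!is_string($token) || $token === '') {
        return null; // no token submitted: nothing to verify
    }
    $context = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(array(
            'secret' => $secret, 'response' => $token, 'remoteip' => $remoteIp)),
        'timeout' => 5,
    )));
    $body = @file_get_contents(
        'https://www.google.com/recaptcha/api/siteverify', false, $context);
    return $body === false ? null : json_decode($body, true);
}

// Constructed sample replies in the siteverify JSON shape (no network needed).
$samples = array(
    'solved on our host'   => '{"success": true, "hostname": "zm.example.com"}',
    'solved on other host' => '{"success": true, "hostname": "other.example.net"}',
    'token reused'         => '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    'no token in request'  => '{"success": false, "error-codes": ["missing-input-response"]}',
    'verify call failed'   => 'null',
);
foreach ($samples as $label => $json) {
    $ok = recaptchaAccepts(json_decode($json, true), 'zm.example.com');
    printf("%-22s => %s\n", $label, $ok ? 'continue to login' : 'reject');
}
```

Only the first sample is accepted; a failed or unreachable verification call is treated the same as a wrong answer.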

Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Re: Securing the login page

Post by Zmjm15 » Mon Aug 31, 2015 3:22 pm

@Asker,

After following your step-by-step guide, this has proved successful. Thank you for posting this and putting in the work to get this page secure.

Thanks a lot

aelg305
Posts: 3
Joined: Fri Sep 29, 2017 5:10 pm

Re: Securing the login page

Post by aelg305 » Fri Sep 29, 2017 5:21 pm

I noticed the subject for this post and I'm wondering if anybody has looked into integrating Google Sign-In, from here: https://developers.google.com/identity/sign-in/web/

This basically uses the Google user to sign in users.

Here are the step-by-step instructions I found; however, I have NOT implemented or tested it, so I'm not sure if this would be feasible:
https://developers.google.com/identity/ ... le-project
