
Re: Securing the login page

Posted: Wed Aug 19, 2015 7:48 am
by Zmjm15
Thanks for the guidance on this.

I have managed to get the recaptcha to display on the login page but it says ERROR: Invalid domain for site key

I am using a masked forwarder for a .com domain pointing to myip/zm, so I'm wondering if I am not allowed to do this?

Shall I change the way I forward or have I implemented the code wrong?

All I did was sign up for the recaptcha, then add the 2 bits of code into the login.php:

Paste this snippet before the closing </head> tag on your HTML template:
<script src='https://www.google.com/recaptcha/api.js'></script>


Paste this snippet at the end of the <form> where you want the reCAPTCHA widget to appear:
<div class="g-recaptcha" data-sitekey="6LeAfgsTAAAAAFd4xT22341234mq6QwTm5gPKV1"></div>


I haven't got to the POST section yet, just trying to get it to display correctly.


Many thanks

Re: Securing the login page

Posted: Wed Aug 19, 2015 2:58 pm
by asker
Hmm, I frankly don't know if that may cause problems - it might. Would it be possible to disable masking for now and get recaptcha working first?

Re: Securing the login page

Posted: Thu Aug 20, 2015 6:20 pm
by Zmjm15
Okay, so I registered the reCaptcha to the IP address of the server and now it's showing up fine.

I am just not sure on what code to put in which file for it to check after it has had the reCaptcha input.

It looks good so far, just that it will let people bypass the captcha and log straight in without verifying.

Re: Securing the login page

Posted: Sun Aug 23, 2015 10:22 pm
by Zmjm15
@knnniggett

So are you saying that if I was to add that code to my functions.php file, that this would then log failed zm logins and fail2ban would pick this up?

Many thanks

Re: Securing the login page

Posted: Sat Aug 29, 2015 12:31 am
by asker
Here goes:

Tutorial on how to add google re-captcha to ZM


Step 0: Get a reCaptcha domain and secret key set up

1. Go to https://www.google.com/recaptcha/admin#list
2. Follow instructions and sign up for a secret key for your site
3. Keep a copy of the "site key" and the "secret key"


Step 1: Add the reCaptcha widget

Edit /usr/share/zoneminder/www/skins/classic/views/login.php

Add this right after line 22, which is "?>"

Code: Select all

<!-- PP: Add Google recaptcha script -->
<head>
        <script src='https://www.google.com/recaptcha/api.js'></script>
</head>

Add this right after the line that reads

Code: Select all

 <input type="submit" value="<?php echo translate('Login') ?>"/>

(Replace "PUT IN YOUR SITE KEY HERE" with your site-key)

Code: Select all

<!-- PP Display recaptcha widget -->
<br/>
<br/>
<center>
        <div class="g-recaptcha" data-sitekey="PUT IN YOUR SITE KEY HERE"></div>
</center>

It is important this is added before the closing </form> tag.

Load up ZoneMinder and ensure your captcha is showing. If it does not show up, you've done something wrong. Rinse and repeat.


Step 2: Server validation:

First, grab the Google client library for reCaptcha (not necessary but makes it easy)

Code: Select all

cd /usr/share/zoneminder/www/includes
sudo wget https://github.com/google/recaptcha/archive/master.zip
sudo unzip master
sudo mv recaptcha-master recaptcha

Add this code to /usr/share/zoneminder/includes/actions.php:

Right after around line 44, that reads

Code: Select all

 44 if ( !empty($action) )
 45 {

Add this: (Replace "REPLACE WITH YOUR SECRET KEY" with your secret key)

Code: Select all

     

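        // PP: let's first validate the reCaptcha response
        require_once( 'recaptcha/src/autoload.php' );
        $secret = "REPLACE WITH YOUR SECRET KEY";
        // The widget posts its token in this field; it is missing if the form was sent without it
        $gRecaptchaResponse = isset($_REQUEST['g-recaptcha-response']) ? $_REQUEST['g-recaptcha-response'] : '';
        $remoteIp = $_SERVER['REMOTE_ADDR'];
        $recaptcha = new \ReCaptcha\ReCaptcha($secret);
        // Ask Google to verify the token (an empty token fails verification)
        $resp = $recaptcha->verify($gRecaptchaResponse, $remoteIp);
        if (!$resp->isSuccess()) {
                // Verification failed: drop the session and go back to the login view
                userLogout();
                $view = 'login';
                $refreshParent = true;
        }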
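
The server-side check from Step 2 done without the client library, as an added example that is not part of the original post or of ZoneMinder: it posts the token to Google's siteverify endpoint, fails closed on any network or parse error, and also compares the hostname Google reports with the name (or IP) the site key was registered for. The function names, $expectedHost and the sample responses are constructed for the example; it assumes PHP with allow_url_fopen and HTTPS stream support enabled.

```php
<?php
// Added example, not from the original post or from ZoneMinder.
// verifyRecaptcha(), decideRecaptcha() and $expectedHost are hypothetical names.

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Decide from the decoded siteverify JSON. Anything unexpected counts as a failure.
function decideRecaptcha($json, $expectedHost)
{
    if (!is_array($json) || !isset($json['success']) || $json['success'] !== true) {
        return false;
    }
    // The token must have been solved on our own login page, not on another site
    return isset($json['hostname']) && strcasecmp($json['hostname'], $expectedHost) === 0;
}

// POST the token to Google; network errors and bad JSON fail closed.
function verifyRecaptcha($secret, $token, $remoteIp, $expectedHost)
{
    if (!is_string($token) || $token === '') {
        return false; // form submitted without solving the widget
    }
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $token, 'remoteip' => $remoteIp]),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents(SITEVERIFY_URL, false, $ctx);
    return $body !== false && decideRecaptcha(json_decode($body, true), $expectedHost);
}

// Constructed sample responses, so the decision logic can be exercised offline.
$samples = [
    'solved on our host' => '{"success": true, "hostname": "zm.example.com"}',
    'solved elsewhere'   => '{"success": true, "hostname": "other.example.net"}',
    'missing token'      => '{"success": false, "error-codes": ["missing-input-response"]}',
    'garbage'            => 'not json',
];
foreach ($samples as $label => $raw) {
    $ok = decideRecaptcha(json_decode($raw, true), 'zm.example.com');
    printf("%-20s %s\n", $label, $ok ? 'allow login' : 'reject');
}
```

In actions.php, the result of verifyRecaptcha() would take the place of $resp->isSuccess() in the block above.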

Re: Securing the login page

Posted: Mon Aug 31, 2015 3:22 pm
by Zmjm15
@Asker,

After following your step by step guide this has proved successful, thank you for posting this and putting in the work to getting this page secure.

Thanks a lot

Re: Securing the login page

Posted: Fri Sep 29, 2017 5:21 pm
by aelg305
I noticed the subject for this post and I'm wondering if anybody has looked into integrating Google sign-in, from here: https://developers.google.com/identity/sign-in/web/

This basically uses the Google user to sign in users.

Here are the step-by-step instructions I found; however, I have NOT implemented or tested it, so I'm not sure if this would be feasible:
https://developers.google.com/identity/ ... le-project