Open Port Security

Discussion topics related to mobile applications and ZoneMinder Event Server (including machine learning)
ChrisNeedsGoodAdvice
Posts: 6
Joined: Fri Jul 30, 2021 10:03 pm

Open Port Security

Post by ChrisNeedsGoodAdvice »

I was able to get ZoneMinder completely working along with zmNinja in the most rudimentary way. I set up a DDNS basically just to see that everything will work. Then I became very concerned with having ZoneMinder open to the world on my pfSense router.

Not coming from IT, I realize that I need to make sure now that my network remains secure from my ZM server all the way to my zmNinja app. I did plenty of research on SSH and VPN and decided to take the VPN route, so I downloaded WireGuard on pfSense.

So as I proceed to learn how to route and secure my network, new questions surface:

Do I use WireGuard alone or as a protocol with a VPN carrier?
Will the use of the VPN circumvent the setup and usage of DDNS and NAT on pfSense?
Will I just use the standalone WireGuard app on my phone to secure the connection? But then how does zmNinja work alongside it?
Or does my entire iPhone network I/O need to reside in a VPN provider for everything network-related? If this is the case, then does that mean my iPhone's network is always coat-tailing my home network, basically?

I would be so grateful if anybody can support my questions one by one so I can have a better understanding and move on. My wife and kid would also be grateful - this is taking a lot of time.


Chris
tsp84
Posts: 227
Joined: Thu Dec 24, 2020 4:04 am

Re: Open Port Security

Post by tsp84 »

Personally I just have it behind a reverse proxy, but my ports for it are open to the internet. I have Fail2ban watching the logs for ZM so I will be notified of someone trying to access it. So far no one's really been interested. I would have HTTPS, and set up authenticated logins to ZoneMinder with strong secure passwords, same for ZMES and mlapi. The VPN route means you need the VPN on and connected at all times when viewing anything in zmNinja, because it uses an internet-facing port (default 9000) to communicate with clients, and any mobile clients need to talk with the ZoneMinder APIs, which are also internet facing. A picture in zmNinja FCM notifications REQUIRES an internet-accessible, HTTPS-secured, auth-enabled ZM instance to request the image from as well.

The only thing that would make things a little bit better is MFA, like TOTPs. Honestly, just having Fail2ban and some good firewall rules helps with most issues. I actually haven't checked how ZMES and MLAPI handle wrong passwords and if they log them... going to need to add an access log and configure some Fail2ban jails and filters. You can also set up Fail2ban to send notifications via Pushover (this is what I have set up), so if you use Pushover for your ZM notifications you can also get access notifications about ZM alongside object detection notifications.

Your question about circumventing DDNS and NAT... no, not really; they are totally separate. The VPN is also traversing NAT on your firewall regardless, and the VPN not seeing the DNS record for your DDNS host would only happen if your VPN connection is your sole DNS provider and they aren't forwarding those records.

I do not recommend a VPN-only connection for connecting with ZM abroad. Good firewall rules, using a TLD and Cloudflare, and Fail2ban should be more than plenty.
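The Fail2ban approach described in this reply (watch an access log, count failed logins per source address, ban the address once it exceeds a threshold inside a time window, never ban your own LAN) is easy to reason about when you see the matching logic spelled out. The script below is an added example written for this thread; it is not part of ZoneMinder, Fail2ban, ZMES or mlapi. It assumes a web-server access log in the common "combined" style and treats an HTTP 401 on the ZoneMinder login endpoint as one failed attempt; the log lines themselves are constructed and the addresses come from documentation ranges. The `maxretry`, `findtime` and `ignoreip` parameters mirror the Fail2ban jail options of the same names.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (combined style). The real log format used by
# your ZoneMinder web server is an assumption here; adjust LOG_RE if it differs.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jul/2021:02:10:01 +0000] "POST /zm/api/host/login.json HTTP/1.1" 401 97
203.0.113.7 - - [31/Jul/2021:02:10:04 +0000] "POST /zm/api/host/login.json HTTP/1.1" 401 97
198.51.100.20 - - [31/Jul/2021:02:10:05 +0000] "POST /zm/api/host/login.json HTTP/1.1" 200 512
203.0.113.7 - - [31/Jul/2021:02:10:09 +0000] "POST /zm/api/host/login.json HTTP/1.1" 401 97
192.168.1.50 - - [31/Jul/2021:02:10:10 +0000] "POST /zm/api/host/login.json HTTP/1.1" 401 97
192.168.1.50 - - [31/Jul/2021:02:10:11 +0000] "POST /zm/api/host/login.json HTTP/1.1" 401 97
192.168.1.50 - - [31/Jul/2021:02:10:12 +0000] "POST /zm/api/host/login.json HTTP/1.1" 401 97
192.168.1.50 - - [31/Jul/2021:02:10:13 +0000] "POST /zm/api/host/login.json HTTP/1.1" 401 97
192.168.1.50 - - [31/Jul/2021:02:10:14 +0000] "POST /zm/api/host/login.json HTTP/1.1" 401 97
203.0.113.7 - - [31/Jul/2021:02:10:15 +0000] "POST /zm/api/host/login.json HTTP/1.1" 401 97
203.0.113.7 - - [31/Jul/2021:02:10:22 +0000] "POST /zm/api/host/login.json HTTP/1.1" 401 97
203.0.113.7 - - [31/Jul/2021:02:30:00 +0000] "POST /zm/api/host/login.json HTTP/1.1" 401 97
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields Fail2ban-style matching needs, or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "request": m["req"],
        "status": int(m["status"]),
    }


def is_failed_login(entry):
    """A 401 on the ZM API login endpoint counts as one failed authentication."""
    return entry["status"] == 401 and "/api/host/login" in entry["request"]


def find_brute_force(log_text, maxretry=5, findtime=600,
                     ignoreip=("127.0.0.0/8", "192.168.0.0/16")):
    """Return {ip: timestamp_of_ban} for sources exceeding maxretry failures within findtime seconds."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-IP sliding window of failure timestamps
    banned = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_failed_login(entry):
            continue
        ip = entry["ip"]
        if ip in banned:
            continue                # already banned; later lines are irrelevant
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ignored):
            continue                # LAN / loopback sources are never banned
        q = recent[ip]
        q.append(entry["ts"])
        while q and entry["ts"] - q[0] > window:
            q.popleft()             # drop failures that fell out of the window
        if len(q) >= maxretry:
            banned[ip] = entry["ts"]
    return banned


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```

Running it bans `203.0.113.7` at its fifth failure inside ten minutes, ignores the LAN host even though it also fails five times, and does not ban anyone at a threshold of six, because the seventh external failure arrives after the earlier ones have aged out of the window. That last case is exactly why `findtime` matters: a slow attacker spreading attempts across windows is not caught by the count alone, which is one argument for the MFA the reply mentions.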
burger
Posts: 390
Joined: Mon May 11, 2020 4:32 pm

Re: Open Port Security

Post by burger »

ChrisNeedsGoodAdvice wrote: Fri Jul 30, 2021 10:42 pm ...I became very concerned with having ZoneMinder open to the world on my pfSense router.

...decided to take the VPN route so I downloaded WireGuard

Do I use WireGuard alone or as a protocol with a VPN carrier?
VPN carriers are essentially a VPS that only does a VPN. But you can also run a VPN/tunnel from any internet connected computer or a VPS (where you configure the VPN yourself). There are different types of VPNs. I'd suggest you run a web search on the different ways a VPN can be used. You may also want to purchase a good book on VPNs.
ChrisNeedsGoodAdvice wrote: Fri Jul 30, 2021 10:42 pm Will I just use the standalone WireGuard app on my phone to secure the connection, but, then how does zmNinja work alongside it?
You run WireGuard and then run zmNinja. When you are done, you close zmNinja, then close WireGuard. That's it. Perhaps it is cumbersome for non-technical folk, but very secure otherwise. Using a VPN is a good way to secure ZM from whatever is on the internet. Leaving any port open on the WAN is dangerous.
Fastest way to test streams:
ffmpeg -i rtsp://<user>:<pass>@<ipaddress>:554/path ./output.mp4 (if terminal only)
ffplay rtsp://<user>:<pass>@<ipaddress>:554/path (GUI)
Find paths on ispydb or in the ZM HCL

If you are new to security software, read:
https://wiki.zoneminder.com/Dummies_Guide
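The "run WireGuard, then run zmNinja" workflow above works because the phone's WireGuard config decides which destinations are routed into the tunnel: its `AllowedIPs` line under `[Peer]`. A split-tunnel config lists only the VPN subnet and the home LAN, so zmNinja reaches ZoneMinder at its LAN address while the rest of the phone's traffic goes out directly; `0.0.0.0/0, ::/0` sends everything through home (the "always coat-tailing my home network" case from the original question). The checker below is an added example written for this thread, not code from WireGuard, pfSense or zmNinja. The config text, hostname and key placeholders are constructed; the key names (`[Interface]`, `[Peer]`, `AllowedIPs`, `Endpoint`) are WireGuard's real ones.

```python
import ipaddress

# Constructed WireGuard client config for the phone. Keys are placeholders, not
# real keys; the DDNS hostname and addresses are made up for the example.
SPLIT_TUNNEL_CONF = """\
[Interface]
PrivateKey = <PHONE_PRIVATE_KEY_PLACEHOLDER>
Address = 10.8.0.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = <PFSENSE_PUBLIC_KEY_PLACEHOLDER>
Endpoint = home.example-ddns.invalid:51820
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24   # only the VPN subnet and home LAN
PersistentKeepalive = 25
"""

# Same config, but routing all phone traffic through the home router.
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 10.8.0.0/24, 192.168.1.0/24   # only the VPN subnet and home LAN",
    "AllowedIPs = 0.0.0.0/0, ::/0",
)


def parse_wg_conf(text):
    """Parse INI-style WireGuard config into a list of (section, {key: value})."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # strip comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1], current))
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value            # WireGuard keys are case-insensitive
    return sections


def allowed_networks(sections):
    """All networks the client will route into the tunnel, across every [Peer]."""
    nets = []
    for name, body in sections:
        if name.lower() == "peer" and "allowedips" in body:
            nets.extend(ipaddress.ip_network(cidr.strip())
                        for cidr in body["allowedips"].split(","))
    return nets


def tunnel_mode(sections):
    """'full' if a default route (prefix length 0) is present, else 'split'."""
    return "full" if any(n.prefixlen == 0 for n in allowed_networks(sections)) else "split"


def routes_through_tunnel(sections, host):
    """True if traffic to `host` (e.g. the ZoneMinder server) would use the VPN."""
    addr = ipaddress.ip_address(host)
    return any(addr in n for n in allowed_networks(sections))


if __name__ == "__main__":
    for label, conf in (("split", SPLIT_TUNNEL_CONF), ("full", FULL_TUNNEL_CONF)):
        parsed = parse_wg_conf(conf)
        print(label, tunnel_mode(parsed),
              "ZM on LAN:", routes_through_tunnel(parsed, "192.168.1.10"),
              "public site:", routes_through_tunnel(parsed, "203.0.113.5"))
```

For the split-tunnel config, zmNinja's requests to a ZoneMinder server at `192.168.1.10` go through the tunnel and a public address does not; with the full-tunnel config both do. Either way, the ZM, ZMES and API ports stay closed on the pfSense WAN and are reachable only through the WireGuard interface, which is the point of the VPN route discussed in this thread.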