Securing the login page

Forum for questions and support relating to the 1.28.x releases only.
Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Securing the login page

Post by Zmjm15 »

Hi guys,

Just wondered if anyone has tried to secure the login page of ZM, with a captcha or some anti brute forcing method?

Many thanks
Nerre
Posts: 100
Joined: Thu Sep 25, 2014 10:22 am

Re: Securing the login page

Post by Nerre »

I think fail2ban can be used, it can be used to prevent brute force attacks for anything that posts log messages at failed login (the log does however need to contain the IP address, not sure if zoneminder writes it to the log).
darmach
Posts: 21
Joined: Thu Aug 13, 2015 8:26 am

Re: Securing the login page

Post by darmach »

You can add additional level of security by using apache auth, something like that:
<Directory /var/www/your-zm-path >
AllowOverride All
# Order deny,allow
# Deny from all
# Allow from 192.168.10.2
# Allow from domain.com
## Allow from all
# AllowOverride AuthConfig
Order allow,deny
Allow from all
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/apache2/htpasswords
Require user allowed-user-name
</Directory>
I would have another question though - where does zoneminder logs failed access attempts? I mean application logons of course - when you set up passwords in the app.
Last edited by darmach on Sat Oct 29, 2016 8:51 am, edited 1 time in total.
kenneth558
Posts: 18
Joined: Mon Jul 27, 2015 3:57 am

Re: Securing the login page

Post by kenneth558 »

I'm trying Fail2ban myself, but I also set up ufw, the default firewall. I don't have my server in the wild yet, but later today I should know how well it works.

Did you get ZM upgraded to 1.28.1 like I suggested in the other post?
Nerre
Posts: 100
Joined: Thu Sep 25, 2014 10:22 am

Re: Securing the login page

Post by Nerre »

darmach wrote: I would have another question though - where does zoneminder logs failed access attempts? I mean application logons of course - when you set up passwords in the app.
I assumed zoneminder did log login failures, but it seems to only log successful logins. That was a disappointment to me.
darmach
Posts: 21
Joined: Thu Aug 13, 2015 8:26 am

Re: Securing the login page

Post by darmach »

Exactly what I found! Seems absurd... The failed ones are attention worthy...
User avatar
knight-of-ni
Posts: 2404
Joined: Thu Oct 18, 2007 1:55 pm
Location: Shiloh, IL

Re: Securing the login page

Post by knight-of-ni »

Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/
User avatar
asker
Posts: 1553
Joined: Sun Mar 01, 2015 12:12 pm

Re: Securing the login page

Post by asker »

I never had the need to secure it beyond what was already available. I just added HTTPS.

But given this thread, I gave it a go - it was pretty trivial to add re-Captcha for instance.

Image

Modify login.php to insert the div and edit actions.php to handle the POST callback check of re-captcha.
Anyone wanting to use mobile clients (such as zmNinja or zmView) should not do this -- their clients will fail to log in.
Last edited by asker on Tue Aug 18, 2015 7:25 pm, edited 1 time in total.
I no longer work on zmNinja, zmeventnotification, pyzm or mlapi. I may respond on occasion based on my available time/interest.

Please read before posting:
How to set up logging properly
How to troubleshoot and report - ES
How to troubleshoot and report - zmNinja
ES docs
zmNinja docs
User avatar
knight-of-ni
Posts: 2404
Joined: Thu Oct 18, 2007 1:55 pm
Location: Shiloh, IL

Re: Securing the login page

Post by knight-of-ni »

I don't believe you. I think you are a robot.
Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/
darmach
Posts: 21
Joined: Thu Aug 13, 2015 8:26 am

Re: Securing the login page

Post by darmach »

knnniggett wrote:FYI...
Great news!

A pity it will be a moment till it is available in debian repos.
Maybe I should pull from git and deploy it myself...

Anyway - thank you v much!
User avatar
knight-of-ni
Posts: 2404
Joined: Thu Oct 18, 2007 1:55 pm
Location: Shiloh, IL

Re: Securing the login page

Post by knight-of-ni »

darmach wrote: Great news!

A pity it will be a moment till it is available in debian repos.
Maybe I should pull from git and deploy it myself...

Anyway - thank you v much!
No need to wait if you don't want to. It is just a few lines of php.
You could edit the file functions.php on your system to match.

Here is a patch file that will do it:
https://patch-diff.githubusercontent.co ... 1021.patch

Until this is included in the zoneminder package you are using, you will have to reapply this patch after a package upgrade.
Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/
darmach
Posts: 21
Joined: Thu Aug 13, 2015 8:26 am

Re: Securing the login page

Post by darmach »

Haha, thanks! You're great!
User avatar
iconnor
Posts: 2880
Joined: Fri Oct 29, 2010 1:43 am
Location: Toronto
Contact:

Re: Securing the login page

Post by iconnor »

I think the captcha on login page is a great feature... just needs to be turned on/off in config.
Zmjm15
Posts: 90
Joined: Fri Jul 31, 2015 7:56 pm

Re: Securing the login page

Post by Zmjm15 »

So we can just edit the functions.php with that code, then add the actual captcha code to the login page/actions.php?

That is awesome that you have managed to get this put in so quick!
User avatar
asker
Posts: 1553
Joined: Sun Mar 01, 2015 12:12 pm

Re: Securing the login page

Post by asker »

Zmjm15 wrote:So we can just edit the functions.php with that code, then add the actual captcha code to the login page/actions.php?

That is awesome that you have managed to get this put in so quick!
No, we are conflating two completely different features.

1. What knniggett added in his PR (Pull Request) is a log that gets generated when a login fails so other applications can monitor that log to detect a failed login

2. What I added was a google re-captcha which adds further bot checks in addition to ZM's own auth.

If you want to experiment, I'll offer some hints - I don't want to post code (yet):

a) Read https://code.google.com/p/recaptcha/wik ... pRecaptcha -- its really simple. There are 3 parts: 1) Get an API key to use re-captcha 2) display the re-captcha in the login form 3) Validate the response from re-captcha before you consider a person authenticated

b) Getting an API key is as simple as putting in your domain name and having google generate a key

c) Add the "recaptcha" display code to login.php

d) actions.php is the PHP file that actually does the user login and gets called with the form data, so it makes sense you add code there to also check what is the status of recaptcha and add that condition there

The reason I don't want to post code:

ZM needs people to contribute.
ZM is an awesome product - you'd be surprised to know only 3-4 people work really hard to maintain it without any expectations of getting anything back except satisfaction (I'm not in that count) so I'd encourage you to experiment and try to implement this feature. I'm not a PHP person at all, so if you are not comfortable with it, don't worry, its not hard to pick up. And if you are already aware of it, then I'd love for you to add this. If you do add it, I can promise you, I can add the code to the web interface that allows users to enable/disable it and put in their secret key.
I no longer work on zmNinja, zmeventnotification, pyzm or mlapi. I may respond on occasion based on my available time/interest.

Please read before posting:
How to set up logging properly
How to troubleshoot and report - ES
How to troubleshoot and report - zmNinja
ES docs
zmNinja docs
Locked