Securing the login page
Hi guys,
Just wondered if anyone has tried to secure the login page of ZM, with a captcha or some anti brute forcing method?
Many thanks
Re: Securing the login page
I think fail2ban can be used, it can be used to prevent brute force attacks for anything that posts log messages at failed login (the log does however need to contain the IP address, not sure if zoneminder writes it to the log).
Re: Securing the login page
You can add an additional level of security by using apache auth, something like that:
<Directory /var/www/your-zm-path>
AllowOverride All
# Order deny,allow
# Deny from all
# Allow from 192.168.10.2
# Allow from domain.com
## Allow from all
# AllowOverride AuthConfig
Order allow,deny
Allow from all
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/apache2/htpasswords
Require user allowed-user-name
</Directory>
I would have another question though - where does zoneminder log failed access attempts? I mean application logons of course - when you set up passwords in the app.
Last edited by darmach on Sat Oct 29, 2016 8:51 am, edited 1 time in total.
Re: Securing the login page
I'm trying Fail2ban myself, but I also set up ufw, the default firewall. I don't have my server in the wild yet, but later today I should know how well it works.
Did you get ZM upgraded to 1.28.1 like I suggested in the other post?
Re: Securing the login page
darmach wrote: I would have another question though - where does zoneminder log failed access attempts? I mean application logons of course - when you set up passwords in the app.
I assumed zoneminder did log login failures, but it seems to only log successful logins. That was a disappointment to me.
Re: Securing the login page
Exactly what I found! Seems absurd... The failed ones are attention worthy...
- knight-of-ni
Re: Securing the login page
Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/
Re: Securing the login page
I never had the need to secure it beyond what was already available. I just added HTTPS.
But given this thread, I gave it a go - it was pretty trivial to add re-Captcha for instance.
Modify login.php to insert the div and edit actions.php to handle the POST callback check of re-captcha.
Anyone wanting to use mobile clients (such as zmNinja or zmView) should not do this -- their clients will fail to log in.
Last edited by asker on Tue Aug 18, 2015 7:25 pm, edited 1 time in total.
I no longer work on zmNinja, zmeventnotification, pyzm or mlapi. I may respond on occasion based on my available time/interest.
Please read before posting:
How to set up logging properly
How to troubleshoot and report - ES
How to troubleshoot and report - zmNinja
ES docs
zmNinja docs
- knight-of-ni
Re: Securing the login page
I don't believe you. I think you are a robot.
Re: Securing the login page
knnniggett wrote: FYI...
Great news!
A pity it will be a moment till it is available in debian repos.
Maybe I should pull from git and deploy it myself...
Anyway - thank you v much!
- knight-of-ni
Re: Securing the login page
darmach wrote: Great news!
A pity it will be a moment till it is available in debian repos.
Maybe I should pull from git and deploy it myself...
Anyway - thank you v much!
No need to wait if you don't want to. It is just a few lines of PHP.
You could edit the file functions.php on your system to match.
Here is a patch file that will do it:
https://patch-diff.githubusercontent.co ... 1021.patch
Until this is included in the zoneminder package you are using, you will have to reapply this patch after a package upgrade.
Re: Securing the login page
Haha, thanks! You're great!
Re: Securing the login page
I think the captcha on login page is a great feature... just needs to be turned on/off in config.
Re: Securing the login page
So we can just edit the functions.php with that code, then add the actual captcha code to the login page/actions.php?
That is awesome that you have managed to get this put in so quick!
Re: Securing the login page
Zmjm15 wrote: So we can just edit the functions.php with that code, then add the actual captcha code to the login page/actions.php?
That is awesome that you have managed to get this put in so quick!
No, we are conflating two completely different features.
1. What knniggett added in his PR (Pull Request) is a log that gets generated when a login fails so other applications can monitor that log to detect a failed login
2. What I added was a google re-captcha which adds further bot checks in addition to ZM's own auth.
If you want to experiment, I'll offer some hints - I don't want to post code (yet):
a) Read https://code.google.com/p/recaptcha/wik ... pRecaptcha -- it's really simple. There are 3 parts: 1) Get an API key to use re-captcha 2) display the re-captcha in the login form 3) Validate the response from re-captcha before you consider a person authenticated
b) Getting an API key is as simple as putting in your domain name and having google generate a key
c) Add the "recaptcha" display code to login.php
d) actions.php is the PHP file that actually does the user login and gets called with the form data, so it makes sense you add code there to also check what is the status of recaptcha and add that condition there
The reason I don't want to post code:
ZM needs people to contribute.
ZM is an awesome product - you'd be surprised to know only 3-4 people work really hard to maintain it without any expectations of getting anything back except satisfaction (I'm not in that count) so I'd encourage you to experiment and try to implement this feature. I'm not a PHP person at all, so if you are not comfortable with it, don't worry, it's not hard to pick up. And if you are already aware of it, then I'd love for you to add this. If you do add it, I can promise you, I can add the code to the web interface that allows users to enable/disable it and put in their secret key.
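The server-side half of steps c) and d) above, as an added example that is neither asker's patch nor ZoneMinder's own code: it calls Google's reCAPTCHA v2 siteverify endpoint and fails closed on any error, so a broken verifier never lets a login through. The constant ZM_RECAPTCHA_SECRET, the placement of the hook in actions.php and the use of $view to bounce back to the login form are assumptions.

```php
<?php
// Added example, not ZoneMinder code. The login form in login.php needs, inside
// the <form>, the reCAPTCHA v2 widget and its script:
//   <div class="g-recaptcha" data-sitekey="YOUR-SITE-KEY"></div>
//   <script src="https://www.google.com/recaptcha/api.js" async defer></script>
// The widget POSTs a "g-recaptcha-response" field that must be verified server-side.

define('ZM_RECAPTCHA_SECRET', 'REPLACE-WITH-YOUR-SECRET-KEY'); // placeholder, assumed constant

/**
 * Ask Google's siteverify endpoint whether $response was solved for this site.
 * Returns true only when the verifier answers {"success": true}; a missing
 * field, a network failure or unparsable JSON all count as a failed check.
 */
function zmRecaptchaPassed($secret, $response, $remoteIp) {
  if (!is_string($response) || $response === '') {
    return false;  // form submitted without solving the captcha
  }
  $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
  curl_setopt_array($ch, array(
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query(array(
      'secret'   => $secret,
      'response' => $response,
      'remoteip' => $remoteIp,
    )),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 10,
    CURLOPT_SSL_VERIFYPEER => true,  // the secret key travels in this request; keep TLS verification on
  ));
  $body = curl_exec($ch);
  curl_close($ch);
  if ($body === false) {
    return false;  // transport error: fail closed rather than open
  }
  $result = json_decode($body, true);
  return is_array($result) && isset($result['success']) && $result['success'] === true;
}

// Hypothetical hook in actions.php, placed before ZM's own login handling runs.
if (isset($_POST['action']) && $_POST['action'] === 'login') {
  $captcha = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : '';
  if (!zmRecaptchaPassed(ZM_RECAPTCHA_SECRET, $captcha, $_SERVER['REMOTE_ADDR'])) {
    // Refuse this attempt without revealing whether the username exists.
    $view = 'login';
    return;
  }
}
```

As asker notes above, mobile clients such as zmNinja and zmView cannot solve the widget, so this check would have to be bypassed or disabled for them.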