Zoneminder Server Internet Security Considerations
-
- Posts: 12
- Joined: Fri Mar 18, 2016 10:30 pm
Zoneminder Server Internet Security Considerations
I currently have 1.29 running on Ubuntu Server 14.04.4. I have it as a testbed in my apartment but it will soon be moving to my parents business with 7 cams (12+ in the end).
After I move it I would like to be able to maintain remote access to both the video feeds and the Ubuntu terminal. The port forwarding is easy, my concern is with the security. Using SSL with Zoneminder is an obvious solution but I can't seem to get it configured right (I can do your basic file manipulation in BASH but not much more without specific instructions) and there is not a direct follow the steps guide (that I can locate) for ssl configuration.
So if I am forwarding ports 22 and 80. Assuming I keep my SSH password significantly stronger than the general access to the http ZM streams, is there any significant threat of network intrusion? I understand that the ZM streams will be vulnerable to man in the middle attack but if the authorization used for remote devices is set to view streams only, and the content being filmed isn't particularly sensitive, is it something I really need to be worried about?
Thanks,
-Nick
Re: Zoneminder Server Internet Security Considerations
Couple of things you can do:
Set up a VPN on the business router. Connect to the network through the VPN and manage the Ubuntu server as if you were there.
Use Webmin to manage the server and port forward port 10000 to get to webmin.
If you are having problems setting up SSL on Ubuntu switch to CentOS 7 with ZM 1.29.0. It uses SSL out of the box.
You may want to wait a couple of hours as I test the install for Ubuntu 16.04. It has ZM 1.29.0 without having to stand on your head.
bb
- knight-of-ni
- Posts: 2404
- Joined: Thu Oct 18, 2007 1:55 pm
- Location: Shiloh, IL
Re: Zoneminder Server Internet Security Considerations
All the ZoneMinder rpms from zmrepo.zoneminder.com come preconfigured for SSL (only), using the default self-signed cert already on the box.
Of course, that means you will need to switch to either CentOS or Fedora.
Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/
-
- Posts: 12
- Joined: Fri Mar 18, 2016 10:30 pm
Re: Zoneminder Server Internet Security Considerations
Thanks for the input. I actually have a Cisco VPN 3000 Concentrator that I might consider trying to configure. It came in a surplus lot that I bought to get a Gigabit switch that I needed for an inter-building fiber link. Seems like overkill but it would be nice to have access to the entire network.
This server is pretty much exclusively for ZM. The only thing I change outside of the easy install is that I direct the files to an NFS share on a ReadyNAS using autofs. So changing distros shouldn't cause me much trouble unless there will be some distinct advantage to sticking with Ubuntu and going to 16. Ideally I won't even have to ssh in, I'm hoping to not have to touch it at all except through the zm interface.
Thanks again,
-Nick
Re: Zoneminder Server Internet Security Considerations
You may want to give Ubuntu 16.04 a try. You do not need to add a repository to get 1.29.0. You have a choice between MySQL and Mariadb. 16.04 uses systemd. I've done several installs today with great results! And, it will be supported for 5 years!
- knight-of-ni
- Posts: 2404
- Joined: Thu Oct 18, 2007 1:55 pm
- Location: Shiloh, IL
Re: Zoneminder Server Internet Security Considerations
@bbunge Oh, and since you've seen how I configure SSL on CentOS, there is technically nothing stopping you from just copying those lines out of the config and into the apache config on an Ubuntu box. Maybe add that as an option to your easy way docs??
Re: Zoneminder Server Internet Security Considerations
knnniggett wrote: @bbunge Oh, and since you've seen how I configure SSL on CentOS, there is technically nothing stopping you from just copying those lines out of the config and into the apache config on an Ubuntu box. Maybe add that as an option to your easy way docs??
Well...
- knight-of-ni
- Posts: 2404
- Joined: Thu Oct 18, 2007 1:55 pm
- Location: Shiloh, IL
Re: Zoneminder Server Internet Security Considerations
I figured you might have already thought of that...
-
- Posts: 12
- Joined: Fri Mar 18, 2016 10:30 pm
Re: Zoneminder Server Internet Security Considerations
Question regarding autofs and relocating directories...
I currently have my ReadyNAS NFS share set up so that the server has root access. I temp mount the partition and move the images and events directories from the /var/lib/zoneminder directory to the /data/zoneminder directory on the NAS.
my /etc/auto.master has the added line
Code:
/- auto.nfs
my /etc/auto.nfs file contains these 2 lines
Code:
/var/lib/zoneminder/images (NAS-IP):/data/zoneminder/images
/var/lib/zoneminder/events (NAS-IP):/data/zoneminder/events
The files appear to mount correctly but whenever the server reboots the images folder changes ownership from "apache apache" to "root root". This of course results in ZM showing only "Cannot write to content dirs" until the file ownership is changed back to apache using chown.
Any suggestions?
Re: Zoneminder Server Internet Security Considerations
Is there an easy way of setting up SSL on ubuntu 16?
Re: Zoneminder Server Internet Security Considerations
@BlackAndChrome
Your question is kinda off-topic but have you considered using /etc/fstab instead, or do you really need to have them mounted on the fly?
-
- Posts: 12
- Joined: Fri Mar 18, 2016 10:30 pm
Re: Zoneminder Server Internet Security Considerations
krasnal wrote: @BlackAndChrome
Your question is kinda off-topic but have you considered using /etc/fstab instead, or do you really need to have them mounted on the fly?
Yeah I guess I could have started a new thread but since I had mentioned Autofs being my only real need when switching distros I figured I'd leave it here. I have read that autofs is better for mounting NAS shares because of how zoneminder would handle the NAS not being on the network for any reason.
viewtopic.php?t=22423
knnniggett wrote: - Mounting network shares via fstab works as long as the network share is available.
mikb wrote: On that thought, what happens when zmaudit discovers a database full of event entries, but the network share didn't mount/fell off?
Won't it start going through the database saying "this event no longer exists on disk, cleaning the database up" ??
knnniggett wrote: Yes, that is the risk of using remote storage. By backing up the database on a regular basis, you have a chance to recover most of the events should this occur.
Re: Zoneminder Server Internet Security Considerations
@BlackAndChrome
I'm a bit confused by the line of thinking presented in the thread you linked to.
- If the NFS share isn't there when zoneminder starts up, the system will hang or wait a long time until the share comes up.
- Autofs will stop the system from hanging at startup. (But won't solve the absence of the NFS share.)
From my own personal perspective, I'd prefer the system to hang at boot-up time so I'll be aware that there's a problem. Of course, ymmv.
I don't use autofs with NFS but I do use NFS. The uid/gid of the mount point's owner should match the uid/gid of the NFS share's directory (the names don't need to match, btw, just the numeric identifiers). On my Debian 8, 1.29.0 system, the owner of the events and images directories is www-data (uid = 33, gid = 33). If your ReadyNAS system uses something different from your zoneminder box, you'll need to get the uid/gid aligned on both boxes.
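The numeric uid/gid check described in the post above, as an added shell example that is not part of any post in this thread: it flags a content directory that is missing, not on the expected filesystem type, or owned by different numeric ids than the web-server account. The function name, the 33:33 owner and the `nfs` type passed at the bottom are assumptions to adjust for your own box.

```shell
#!/bin/sh
# Added example (not from the thread): check ZoneMinder content directories
# after a reboot, before ZoneMinder reports "Cannot write to content dirs".

# check_content_dir DIR UID:GID [FSTYPE]
# Prints one status line. Returns 0 ok, 1 owner mismatch, 2 missing, 4 wrong fs.
check_content_dir() {
    dir=$1; want_owner=$2; want_fs=${3:-}

    [ -d "$dir" ] || { echo "missing $dir"; return 2; }

    # Touch the path so an autofs trigger mounts the share before we look.
    ls "$dir" >/dev/null 2>&1 || true

    # If the share did not mount we are looking at the local disk, and
    # ZoneMinder would write (or audit) against an empty local directory.
    if [ -n "$want_fs" ]; then
        have_fs=$(stat -f -c '%T' "$dir")
        if [ "$have_fs" != "$want_fs" ]; then
            echo "wrong-fs $dir is $have_fs, expected $want_fs"
            return 4
        fi
    fi

    # NFS compares numeric ids, not account names, so compare numbers only.
    have_owner=$(stat -c '%u:%g' "$dir")
    if [ "$have_owner" != "$want_owner" ]; then
        echo "owner-mismatch $dir is $have_owner, expected $want_owner"
        return 1
    fi
    echo "ok $dir $have_owner"
}

# Assumed values: 33:33 is www-data on the Debian box described above; on a
# CentOS box use the output of `id -u apache` and `id -g apache` instead.
for d in /var/lib/zoneminder/events /var/lib/zoneminder/images; do
    check_content_dir "$d" 33:33 nfs || true
done
```

Run the same `stat -c '%u:%g'` on the exported directory on the NAS side; the two numeric pairs have to agree even if the account names differ.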
Re: Zoneminder Server Internet Security Considerations
Zmjm15 wrote: Is there an easy way of setting up SSL on ubuntu 16?
https://www.digitalocean.com/community/ ... untu-14-04
Also works for 16.04
Re: Zoneminder Server Internet Security Considerations
Awesome thanks