Thanks for the guidance on this,
I have managed to get the recaptcha to display on the login page but it says ERROR: Invalid domain for site key
I am using a masked forwarder for a .com domain pointing to myip/zm, so I'm wondering if I am not allowed to do this?
Shall I change the way I forward or have I implemented the code wrong?
All I did was sign up for the recaptcha, then add the 2 bits of code into the login.php:
Paste this snippet before the closing </head> tag on your HTML template:
<script src='https://www.google.com/recaptcha/api.js'></script>
Paste this snippet at the end of the <form> where you want the reCAPTCHA widget to appear:
<div class="g-recaptcha" data-sitekey="6LeAfgsTAAAAAFd4xT22341234mq6QwTm5gPKV1"></div>
I haven't got to the POST section yet, just trying to get it to display correctly.
Many thanks
Securing the login page
Re: Securing the login page
Hmm, I frankly don't know if that may cause problems - it might. Would it be possible to disable masking for now and get recaptcha working first?
I no longer work on zmNinja, zmeventnotification, pyzm or mlapi. I may respond on occasion based on my available time/interest.
Please read before posting:
How to set up logging properly
How to troubleshoot and report - ES
How to troubleshoot and report - zmNinja
ES docs
zmNinja docs
Re: Securing the login page
Okay, so I registered the reCaptcha to the IP address of the server and now it's showing up fine.
I am just not sure on what code to put in which file for it to check after it has had the reCaptcha input.
It looks good so far, just that it will let people bypass the captcha and log straight in without verifying.
Re: Securing the login page
@knnniggett
So are you saying that if I was to add that code to my functions.php file, that this would then log failed zm logins and fail2ban would pick this up?
Many thanks
Re: Securing the login page
Here goes:
Tutorial on how to add google re-captcha to ZM
Step 0: Get a reCaptcha domain and secret key set up
1. Go to https://www.google.com/recaptcha/admin#list
2. Follow instructions and sign up for a secret key for your site
3. Keep a copy of the "site key" and the "secret key"
Step 1: Add the reCaptcha widget
Edit /usr/share/zoneminder/www/skins/classic/views/login.php
Add this right after line 22, which is "?>"
Code: Select all
<!-- PP: Add Google recaptcha script -->
<head>
<script src='https://www.google.com/recaptcha/api.js'></script>
</head>
Add this right after the line that reads
Code: Select all
<input type="submit" value="<?php echo translate('Login') ?>"/>
(Replace "PUT IN YOUR SITE KEY HERE" with your site-key)
Code: Select all
<!-- PP Display recaptcha widget -->
<br/>
<br/>
<center>
<div class="g-recaptcha" data-sitekey="PUT IN YOUR SITE KEY HERE"></div>
</center>
It is important this is added before the closing tag
Code: Select all
</form>
Load up zone minder and ensure your captcha is showing. If it does not show up, you've done something wrong. Rinse and repeat.
Step 2: Server validation:
First, grab the Google client library for reCaptcha (not necessary but makes it easy)
Code: Select all
cd /usr/share/zoneminder/www/includes
sudo wget https://github.com/google/recaptcha/archive/master.zip
sudo unzip master
sudo mv recaptcha-master recaptcha
Add this code to /usr/share/zoneminder/includes/actions.php:
Right after around line 44, that reads
Code: Select all
44 if ( !empty($action) )
45 {
Add this: (Replace "REPLACE WITH YOUR SECRET KEY" with your secret key)
Code: Select all
//PP let's first validate reCaptcha response
require_once( 'recaptcha/src/autoload.php' );
$secret = "REPLACE WITH YOUR SECRET KEY";
// Token posted by the widget; empty string when the field is missing
$gRecaptchaResponse = isset($_REQUEST['g-recaptcha-response']) ? $_REQUEST['g-recaptcha-response'] : '';
$remoteIp = $_SERVER['REMOTE_ADDR'];
$recaptcha = new \ReCaptcha\ReCaptcha($secret);
$resp = $recaptcha->verify($gRecaptchaResponse, $remoteIp);
if (!$resp->isSuccess()) {
    // Verification failed: drop any session and go back to the login view
    userLogout();
    $view='login';
    $refreshParent = true;
}
I no longer work on zmNinja, zmeventnotification, pyzm or mlapi. I may respond on occasion based on my available time/interest.
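The server-side check from Step 2, written against Google's siteverify endpoint directly and failing closed on every error path; this is an added example, not part of the original post or of ZoneMinder's code. The names verifyCaptcha and httpPost, the host zm.example.com and the sample responses are assumptions constructed for illustration.

```php
<?php
// Added example: fail-closed reCAPTCHA verification without the client library.
// verifyCaptcha(), httpPost() and zm.example.com are hypothetical names.

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Real transport: POST the form fields, return the body or false on any error.
function httpPost(string $url, array $fields)
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
        'timeout' => 5,
    ]]);
    return @file_get_contents($url, false, $ctx);
}

// True only when Google confirms the token AND it was solved on an expected host.
function verifyCaptcha(?string $token, string $remoteIp, string $secret,
                       array $allowedHosts, ?callable $post = null): bool
{
    if ($token === null || $token === '') {
        return false;                       // widget skipped or field stripped
    }
    $post = $post ?: 'httpPost';
    $body = $post(SITEVERIFY_URL,
                  ['secret' => $secret, 'response' => $token, 'remoteip' => $remoteIp]);
    $data = is_string($body) ? json_decode($body, true) : null;
    if (!is_array($data) || ($data['success'] ?? false) !== true) {
        return false;                       // network error, bad JSON or rejected token
    }
    return in_array($data['hostname'] ?? '', $allowedHosts, true);
}

// Constructed siteverify responses, injected as the transport so the demo runs offline.
$samples = [
    'valid token'    => '{"success": true, "hostname": "zm.example.com"}',
    'rejected token' => '{"success": false, "error-codes": ["invalid-input-response"]}',
    'wrong hostname' => '{"success": true, "hostname": "other.example.net"}',
    'verify down'    => false,
];
foreach ($samples as $label => $reply) {
    $ok = verifyCaptcha('constructed-token', '203.0.113.7', 'PLACEHOLDER_SECRET',
                        ['zm.example.com'], function () use ($reply) { return $reply; });
    printf("%-15s => %s\n", $label, $ok ? 'allow login attempt' : 'deny');
}
```

Only the first sample is allowed through; a missing token, a rejected token, an unexpected hostname and an unreachable verification service are all denied.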
Re: Securing the login page
@Asker,
After following your step by step guide this has proved successful, thank you for posting this and putting in the work to getting this page secure.
Thanks a lot
Re: Securing the login page
I noticed the subject for this post and I'm wondering if anybody has looked into integrating google signin, from here: https://developers.google.com/identity/sign-in/web/
This basically uses the google user to sign in users.
Here are the step by step instructions I found, however, I have NOT implemented it or tested, so not sure if this would be feasible:
https://developers.google.com/identity/ ... le-project