Need advice for best firewall setting
Posted: Sat Jan 26, 2008 9:26 pm
by gola10
I have zoneminder 1.22.3 installed from the Mandriva 2007 livecd. This machine is connected to the internet. After a few months without problems, yesterday I tried to connect to it with ssh and was rejected. I found that the LINUX, ROOT and GUEST passwords had been changed. I have set new passwords for each user but I am sure there will be more attacks.
Iptables and Shorewall are not running.
I have no idea how to set up a firewall.
Is there a safe default setting for a computer connected directly to Internet (fixed ip) running Zoneminder?
Posted: Sat Jan 26, 2008 11:32 pm
by cordel
First I would consider reloading the machine; odds are they have done more than just change your passwords.
Second, once you have reloaded the machine, CHANGE the passwords. You should never leave the defaults on a machine that is accessible on the net, that's just asking for trouble; especially the ROOT login should be configured in ssh to not be accessible.
If you type setup from the command line, you should have access to set the firewall. Shorewall is not needed, just iptables, and the port for ssh is 22 by default and should be changed to a nonstandard port.
Posted: Sun Jan 27, 2008 12:52 pm
by robi
If you're not a linux guru, get a simple home router and use that as a firewall. Forward only ports 80 and 22, to different external ports that only you know.
Posted: Sun Jan 27, 2008 3:28 pm
by gola10
cordel wrote: First I would consider reloading the machine; odds are they have done more than just change your passwords.
Second, once you have reloaded the machine, CHANGE the passwords. You should never leave the defaults on a machine that is accessible on the net, that's just asking for trouble; especially the ROOT login should be configured in ssh to not be accessible.
If you type setup from the command line, you should have access to set the firewall. Shorewall is not needed, just iptables, and the port for ssh is 22 by default and should be changed to a nonstandard port.
Thanks for your comments.
It looks like the problem could be worse than what I thought. I had better reinstall everything.
I just checked the log file this morning and there is a large list of attempts to break in with different usernames and through different ports. At least that is what it looks like. Also there is an IP number where the attack comes from.
Can I set my zoneminder computer to reject access from all IPs but mine?
I am ignorant about firewalls, iptables, etc.
I will investigate how to change the default ssh port to a nonstandard one. I think it should not be difficult. But iptables, I do not know where to start.
All I do with this computer is access it with a browser to see the zoneminder streaming and log in through ssh for maintenance. Where do I find the appropriate rules for this?
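For the two uses described in this post (the web interface from a browser, ssh only from the poster's own address), the following is an added example, not something posted in the thread: a default-deny iptables ruleset in iptables-restore format. The admin address 203.0.113.10 and port 22 are assumed values; change them, and the port, if sshd is moved to a nonstandard one.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny INPUT policy for a
# ZoneMinder host that serves HTTP to everyone and SSH to one admin address.
# ADMIN_IP and SSH_PORT are assumed values; set them before applying.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # assumed admin address (RFC 5737 range)
SSH_PORT="${SSH_PORT:-22}"             # change if sshd listens elsewhere

# Emit the ruleset in iptables-restore format. Nothing is applied here,
# so this can be reviewed (or diffed against the running rules) first.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host started (needs conntrack)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP echo so the box can still be pinged while troubleshooting
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# ZoneMinder web interface, reachable from anywhere
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# SSH, new connections only from the admin address
-A INPUT -p tcp -s $ADMIN_IP --dport $SSH_PORT -m state --state NEW -j ACCEPT
# log a rate-limited sample of everything else before the policy drops it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Print the rules by default; apply them only on an explicit "apply" as root.
main() {
    if [ "${1:-}" = "apply" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
        build_rules | iptables-restore
        echo "applied; persist with iptables-save before the next reboot" >&2
    else
        build_rules
    fi
}

main "$@"
```

Run it without arguments to review the rules, then with `apply` as root from a console or from an ssh session originating at ADMIN_IP, since any other ssh session is cut off the moment the policy takes effect. Rules loaded this way do not survive a reboot on their own; save them with `iptables-save` into whatever file the distribution's iptables init script restores.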
Posted: Sun Jan 27, 2008 5:32 pm
by Lee Sharp
Wipe and reinstall. You cannot trust a machine that has been "owned" for any length of time. For firewalls I like m0n0wall, http://m0n0.ch/wall/ and have been with the project a long time. I leave the port for ssh closed and only open it when I need it. But if this is not feasible, install fail2ban or something similar. This is very good to lock out port scanners and crackers. Last, figure out a way to watch your logs for changes. There are lots of utilities for this, so that is a search in itself. Good luck!
Oh and some info on ssh is at http://www.linux.com/articles/61061 Here you can lock it down to just your host and user, or change ports. If you change ports, tell fail2ban what to listen on as well.
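The ssh changes recommended in this thread (cordel: no root login, nonstandard port; the linked article: lock it down to one host and user) come down to a handful of sshd_config directives. The script below is an added example, not from the thread or the article: it rewrites an sshd_config in place and then checks that the settings are the ones sshd will actually use. The user name zmadmin, the address 203.0.113.10 and port 2222 are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread or the linked article. Rewrites an
# sshd_config so that root cannot log in, sshd listens on a nonstandard
# port, keys are used, and only one user from one address is allowed.
# ADMIN_USER, ADMIN_IP and SSH_PORT are assumed values; substitute your own.
ADMIN_USER="${ADMIN_USER:-zmadmin}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"    # RFC 5737 documentation address
SSH_PORT="${SSH_PORT:-2222}"

# Global directives this script owns. Existing copies, active or commented
# out, are removed from the global section so the values appended here are
# the ones sshd uses (sshd takes the first occurrence of a keyword).
MANAGED='Port|Protocol|PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|AllowUsers|MaxAuthTries'

# hardening_block FILE: write the hardened directives to FILE.
hardening_block() {
    cat > "$1" <<EOF

# --- hardening added by harden_sshd_config ---
Protocol 2
Port $SSH_PORT
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
# Keep PasswordAuthentication no only after a key login from $ADMIN_IP
# has been tested, or you lock yourself out.
PasswordAuthentication no
AllowUsers $ADMIN_USER@$ADMIN_IP
EOF
}

# harden_sshd_config FILE: rewrite FILE in place. The block is inserted before
# the first "Match" section (directives after Match belong to that section),
# and lines inside Match sections are copied unchanged.
harden_sshd_config() {
    cfg="$1"; blk="$cfg.block"; tmp="$cfg.new"
    hardening_block "$blk"
    awk -v keys="$MANAGED" -v blockfile="$blk" '
        function emit_block(   l) {
            while ((getline l < blockfile) > 0) print l
            close(blockfile); emitted = 1
        }
        BEGIN { n = split(keys, k, "|") }
        {
            if ($1 == "Match") { if (!emitted) emit_block(); in_match = 1 }
            if (in_match) { print; next }
            line = $0; sub(/^[ \t#]*/, "", line)   # drop indent and comment mark
            drop = 0
            for (i = 1; i <= n; i++) if (line ~ ("^" k[i] "[[:space:]]")) drop = 1
            if (!drop) print
        }
        END { if (!emitted) emit_block() }' "$cfg" > "$tmp"
    mv "$tmp" "$cfg"; rm -f "$blk"
}

# effective_value FILE KEYWORD: the value sshd would use (first active line).
effective_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_sshd_config FILE: succeed only if every hardened setting is effective.
check_sshd_config() {
    [ "$(effective_value "$1" PermitRootLogin)" = "no" ] &&
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(effective_value "$1" Port)" = "$SSH_PORT" ] &&
    [ "$(effective_value "$1" AllowUsers)" = "$ADMIN_USER@$ADMIN_IP" ]
}

# Stand-alone use, as root, with the current ssh session left open:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config
#   check_sshd_config /etc/ssh/sshd_config && sshd -t && /etc/init.d/sshd restart
```

Put the admin user's public key in ~/.ssh/authorized_keys and confirm a key login works from ADMIN_IP before restarting sshd with this config; after the restart, open a second session to verify before closing the first. As Lee Sharp notes, a changed port must also be given to fail2ban's ssh jail.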
Posted: Sun Jan 27, 2008 8:27 pm
by curtishall
Any unix (Linux) computer that is connected to the interweb should have fail2ban installed. Most distributions do not install it by default. Installing it will block brute force SSH / telnet / ftp programs.
Lee Sharp wrote: Wipe and reinstall. You cannot trust a machine that has been "owned" for any length of time. For firewalls I like m0n0wall, http://m0n0.ch/wall/ and have been with the project a long time. I leave the port for ssh closed and only open it when I need it. But if this is not feasible, install fail2ban or something similar. This is very good to lock out port scanners and crackers. Last, figure out a way to watch your logs for changes. There are lots of utilities for this, so that is a search in itself. Good luck!
Oh and some info on ssh is at http://www.linux.com/articles/61061 Here you can lock it down to just your host and user, or change ports. If you change ports, tell fail2ban what to listen on as well.
Posted: Mon Jan 28, 2008 3:52 pm
by Lee Sharp
curtishall wrote:Any unix (Linux) computer that is connected to the interweb should have fail2ban installed. Most distributions do not install it by default. Installing it will block brute force SSH / telnet / ftp programs.
And there are modules for Apache, and many other services. One of the most awesomely useful programs out there.
Posted: Fri Feb 08, 2008 3:05 pm
by gola10
As suggested, I have installed Fail2ban 0.81 on Pclos.
I have enabled the ssh section because I have to find out which other sections I should enable and how it is done.
Will appreciate suggestions on what else should be activated and how to.
Also installed Shorewall and left open WEB and SSH.
On ssh, Fail2ban should take care of attacks and also set ssh login through RSA key.
Found that Fail2ban leaves /tmp/fail2ban.sock if the computer is not turned off properly.
Found this on the Internet and think that it could help.
For the viewer's pleasure, I use the following in /etc/rc.local to force fail2ban to start:
    # start fail2ban only if no server process is running; first remove the
    # stale socket a previous unclean shutdown may have left behind
    if [ -z "$(ps -A | grep fail2ban-server)" ]; then
        rm -f /tmp/fail2ban.sock
        /etc/init.d/fail2ban start
    fi
Is there a way to use an RSA KEY (or something similar) to restrict who has access through the web port?
I have zoneminder protected with a password but I think this could be hacked too, and the worst is that if I access this computer through a browser and point it to
"my ip"/phpMyAdmin/index.php, I can get access to the ZM tables since the user is Root without a password by default and I do not know how to change this.
I suppose that there should be other ways to gain access to my computer through port 80.
Remember that I do not know much about security.
Shouldn't there be a section on this forum about Security?
It seems to be easy to install and set up Zoneminder, but it seems that security is more important than what I thought and it is not easy for a newbie.
Posted: Sat Feb 09, 2008 5:12 am
by Lee Sharp
Don't leave phpmyadmin installed, or at least move it to a different directory. And point fail2ban at apache as well to prevent script trawlers.
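gola10 asked which other fail2ban sections to enable and how, and Lee Sharp's answers were to tell fail2ban the ssh port and to point it at Apache. The script below is an added example, not configuration posted in the thread: it emits a fail2ban 0.8 jail.local with an ssh jail on a nonstandard port and an Apache jail, and runs the same "N failures from one address" logic over a few constructed sshd log lines so the effect of maxretry is visible without a running fail2ban. Port 2222, the ignored admin address, the log paths and the bantime are assumed values; the log lines are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a jail.local for fail2ban 0.8
# (ssh jail on the port sshd really uses, plus an Apache auth jail) and
# shows on constructed log lines which addresses maxretry would ban.
# SSH_PORT, IGNORE_IP, BANTIME and the logpath values are assumptions.
SSH_PORT="${SSH_PORT:-2222}"        # must match Port in sshd_config
IGNORE_IP="${IGNORE_IP:-203.0.113.10}"   # assumed admin address, never banned
MAXRETRY=3
BANTIME=3600

# jail_local: print jail.local. It overrides jail.conf section by section,
# so the distribution's jail.conf is left alone and survives upgrades.
jail_local() {
    cat <<EOF
[DEFAULT]
bantime  = $BANTIME
findtime = 600
maxretry = $MAXRETRY
ignoreip = 127.0.0.1 $IGNORE_IP

# ssh: the sshd filter ships with fail2ban; logpath is /var/log/auth.log or
# /var/log/secure depending on how syslog is configured on the host.
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=$SSH_PORT, protocol=tcp]
logpath  = /var/log/auth.log

# Apache: repeated HTTP auth failures against the ZoneMinder site
[apache-auth]
enabled  = true
filter   = apache-auth
action   = iptables[name=Apache, port=http, protocol=tcp]
logpath  = /var/log/httpd/error_log
EOF
}

# Constructed sample of sshd log lines (not a real capture): three failures
# from one address, one failure from the admin address, one stray attempt.
SAMPLE_LOG='Jan 27 10:01:02 zm sshd[2231]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jan 27 10:01:05 zm sshd[2233]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
Jan 27 10:01:09 zm sshd[2235]: Failed password for invalid user test from 198.51.100.7 port 40213 ssh2
Jan 27 10:02:40 zm sshd[2240]: Failed password for zmadmin from 203.0.113.10 port 51002 ssh2
Jan 27 10:02:55 zm sshd[2242]: Accepted publickey for zmadmin from 203.0.113.10 port 51003 ssh2
Jan 27 10:03:10 zm sshd[2250]: Failed password for invalid user oracle from 192.0.2.44 port 3301 ssh2'

# would_ban: read log lines on stdin, print each address with at least
# MAXRETRY "Failed password" lines, skipping IGNORE_IP. This mirrors the
# sshd filter plus maxretry; findtime is ignored because the sample spans
# only two minutes.
would_ban() {
    awk -v max="$MAXRETRY" -v ignore="$IGNORE_IP" '
        /sshd\[[0-9]+\]: Failed password for .* from / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= max && ip != ignore) print ip }'
}

# Stand-alone: "install" writes jail.local (as root); otherwise print it and
# run the sample through would_ban.
if [ "${1:-}" = "install" ]; then
    jail_local > /etc/fail2ban/jail.local
else
    jail_local
    echo; echo "addresses the ssh jail would ban on the sample log:"
    printf '%s\n' "$SAMPLE_LOG" | would_ban
fi
```

After writing jail.local, restart fail2ban and check `fail2ban-client status ssh-iptables`; if the status shows the jail but no failures while the log is clearly full of them, the logpath is wrong for the host. The apache-auth filter only sees authentication failures, so it covers the ZoneMinder login and a phpMyAdmin directory protected by HTTP auth, not arbitrary script probing; Lee Sharp's advice to remove or relocate phpMyAdmin still stands.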