
Apache default configuration - directory listing

Posted: Wed Feb 01, 2017 8:47 am
by alexo
Hello,
I recently installed 1.29.0 on Debian Jessie (8.7). The default apache config file has the following:

<Directory /usr/share/zoneminder/www>
  php_flag register_globals off
  Options Indexes FollowSymLinks
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>
</Directory>
Now, without logging in to ZM, I'm able to browse and view the events folders :(
When I disable directory listing, it seems that ZM is working fine.
What feature/functionality requires the directory Indexing? Can I disable it?

How can I further secure the default install?

Thanks for your time.

Re: Apache default configuration - directory listing

Posted: Wed Feb 01, 2017 2:07 pm
by bbunge
Interesting... Just tried it on Debian 9 and Ubuntu 16.04 with http://ipaddress/zm/events and got the directory listing, too.

Will look into this...

bb

Re: Apache default configuration - directory listing

Posted: Wed Feb 01, 2017 7:29 pm
by SteveGilvarry
Remove it.
And put server behind VPN, and cameras on separate subnet with no internet access.

Re: Apache default configuration - directory listing

Posted: Tue Feb 14, 2017 6:58 pm
by MJN
I use Basic Authentication (inside HTTPS) to secure the whole ZM tree.

Re: Apache default configuration - directory listing

Posted: Tue Feb 14, 2017 8:45 pm
by bbunge
As posted in the 1.30.x area

Here is a "fix" to block the directory browsing. I must admit it is partly my fault..

For Ubuntu
Undo my "Fix to allow API to work" (back to the original configuration)

nano /etc/apache2/apache2.conf

Change All to None in two places as shown below

<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

Ctrl+o Enter to save

CTRL+x to exit

Edit zoneminder.conf

nano /etc/apache2/conf-available/zoneminder.conf

Add a - before Indexes and a + before FollowSymLinks

<Directory /usr/share/zoneminder/www>
Options -Indexes +FollowSymLinks

Make sure the following is at the bottom of the file

<Directory /usr/share/zoneminder/www/api>
AllowOverride All
</Directory>

Ctrl+o Enter to save

CTRL+x to exit

Restart Apache

service apache2 reload

http://ip-addr/zm/events should now give you a Forbidden 403 error
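
A static check for the change described in the last post, as an added example that is not part of the original thread: the function name `indexes_enabled_dirs` and the two temporary sample files are constructed for illustration, and their contents are the before and after `zoneminder.conf` snippets quoted above. It inspects each `<Directory>` block in isolation and does not model how Apache merges `Options` inherited from parent directories.

```shell
#!/bin/sh
# Added example: print the path of every <Directory> block whose Options
# line turns directory listing (Indexes) on. Per-block static check only.

indexes_enabled_dirs() {
    # $1: path to an Apache configuration file
    awk '
        # Opening tag: remember the path, stripping quotes and the ">".
        tolower($1) == "<directory" { dir = $2; gsub(/[">]/, "", dir); next }
        tolower($1) == "</directory>" { dir = ""; next }
        # Options line inside a block: the last relevant token decides.
        dir != "" && tolower($1) == "options" {
            on = 0
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "indexes" || opt == "+indexes" || opt == "all") on = 1
                if (opt == "-indexes" || opt == "none") on = 0
            }
            if (on) print dir
        }
    ' "$1"
}

# Constructed sample input: the two zoneminder.conf variants from the thread.
sample_dir=$(mktemp -d)
cat > "$sample_dir/before.conf" <<'EOF'
<Directory /usr/share/zoneminder/www>
  php_flag register_globals off
  Options Indexes FollowSymLinks
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>
</Directory>
EOF
cat > "$sample_dir/after.conf" <<'EOF'
<Directory /usr/share/zoneminder/www>
  Options -Indexes +FollowSymLinks
</Directory>
<Directory /usr/share/zoneminder/www/api>
  AllowOverride All
</Directory>
EOF

echo "before: $(indexes_enabled_dirs "$sample_dir/before.conf")"
echo "after:  $(indexes_enabled_dirs "$sample_dir/after.conf")"
```

On a live host, point the function at `/etc/apache2/apache2.conf` and `/etc/apache2/conf-available/zoneminder.conf`; any path it prints still has listing enabled in that block.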