
WAN access, security?

Posted: Sun Jun 14, 2020 9:56 am
by trumee
Hello,
I have been accessing ZM over a VPN until now on the phone (zmninja). However, putting VPN on family members mobiles is demanding. I was wondering how safe is to expose ZoneMinder on the internet. I will have letsencrypt certificates and will also use ZM authentication.

Re: WAN access, security?

Posted: Sun Jun 14, 2020 11:47 pm
by Maximo1970
Like with anything facing the Internet, you're going to get people poking around.

Firstly, make sure you have strong passwords in place: mix uppercase, lowercase, numbers and special characters. Set up a reverse proxy, such as NGINX, and add another layer of security there. Also make sure that your user accounts have the least amount of access possible. If they don't need to use a function, then remove it from them. You can also restrict what networks have access via the reverse proxy, which will give you a little more admin work, but will again increase your security.

Hopefully that gives you a few pointers.

Re: WAN access, security?

Posted: Mon Jun 15, 2020 10:26 am
by trumee
Thanks for the tips. I have an NGINX reverse proxy in front of ZM. What do you mean by "and add another layer of security there"?

I have set up a 'view' only user account which is on the mobile phones.

Are you suggesting to use geoip with nginx?

Re: WAN access, security?

Posted: Tue Jun 16, 2020 8:37 am
by Maximo1970
Adding GeoIP is one option; the other would be to set up authentication at the NGINX level, so users would effectively have to authenticate twice to log on to your ZM server.
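The two suggestions in this reply (proxy-level authentication in front of ZoneMinder's own login, plus restricting which networks may reach the proxy at all) can be expressed in one NGINX server block. The configuration below is an added example and is not from this thread or from the ZoneMinder project; it assumes ZoneMinder is listening on 127.0.0.1:8080 behind the proxy, that the Let's Encrypt paths and hostname are placeholders, and that the allowed address ranges are constructed samples. The GeoIP variant at the end requires the separate ngx_http_geoip2_module and a MaxMind country database, which is also an assumption about the deployment.

```nginx
# Added example (not the thread's or ZoneMinder's own config): NGINX in front of ZoneMinder
# with a second credential check and a network allow list.
# Assumptions: ZM on 127.0.0.1:8080 (hypothetical), placeholder cert paths and hostname,
# /etc/nginx/zm.htpasswd created beforehand with `htpasswd -c`.

# Slow down password guessing against the login endpoint: 5 requests/minute per client IP.
limit_req_zone $binary_remote_addr zone=zmlogin:10m rate=5r/m;

server {
    listen 443 ssl http2;
    server_name zm.example.com;

    ssl_certificate     /etc/letsencrypt/live/zm.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zm.example.com/privkey.pem;

    # Layer 1: only these networks reach the proxy at all (constructed example ranges).
    allow 203.0.113.0/24;   # e.g. the family's mobile carrier range
    allow 192.0.2.10;       # e.g. the home connection
    deny  all;

    # Layer 2: proxy credentials, separate from the ZoneMinder user account.
    # The client must send these before it ever sees ZM's own login form.
    auth_basic           "ZoneMinder";
    auth_basic_user_file /etc/nginx/zm.htpasswd;

    location /zm/ {
        limit_req zone=zmlogin burst=10 nodelay;

        proxy_pass         http://127.0.0.1:8080/zm/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}

# Optional GeoIP variant instead of fixed allow/deny lists (assumption: geoip2 module
# and a GeoLite2-Country database are installed). Place at http level:
#
#   geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
#       $geoip2_country_code country iso_code;
#   }
#   map $geoip2_country_code $zm_blocked {
#       default 1;
#       GB      0;   # replace with your own country code
#   }
#
# and inside the server block, before the location:
#
#   if ($zm_blocked) { return 403; }
```

Two points worth knowing before relying on this: the `allow`/`deny` list and the GeoIP map both key on the client's source address, so family members roaming onto a foreign carrier will be locked out until the list is updated; and the `X-Real-IP` header is what lets ZoneMinder's own logs record the real client address instead of 127.0.0.1, which matters for the log-watching approach discussed later in the thread.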

Re: WAN access, security?

Posted: Tue Jun 16, 2020 10:51 am
by incompetent-nerd
I use Apache and previously I had logwatch watching the Apache log files for a login.
On a login, I would get an email that someone logged in (username/IP).
If a strange IP showed up, I would know to investigate (fortunately it never happened).

It was just my wife and I logging in, so I would get maybe 1 or 2 emails per week.
If you have many family members logging in, your inbox could be flooded.

You could take Maximo1970's idea of GeoIP and incorporate a script with logwatch so that only logins with IP addresses outside of your country would be emailed to you.

Just a thought...
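A small stand-in for the logwatch idea above, as an added example that is not part of this thread: it reads Apache combined-format access log lines, keeps requests to the ZoneMinder login endpoint, and reports only those whose client address falls outside the home country, which is the filtered version of the email alert suggested in the last paragraph. Assumptions: the login endpoint is `POST /zm/index.php`, the log lines are constructed samples using documentation address ranges, and the CIDR-to-country table is a hand-built replacement for a real GeoIP lookup so the script runs offline. An access log alone cannot tell whether ZoneMinder accepted the credentials, so the script reports login attempts that were not outright rejected rather than confirmed logins.

```python
"""Filtered login alerting for ZoneMinder behind Apache (added example, not from the thread).

Assumptions: Apache 'combined' log format, ZoneMinder login form posting to
LOGIN_PATH, and a constructed CIDR -> country table standing in for GeoIP.
"""
import ipaddress
import re
from datetime import datetime

# Apache combined format: host ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

LOGIN_PATH = "/zm/index.php"   # assumption: where ZoneMinder's login form posts
HOME_COUNTRY = "GB"            # replace with your own country code

# Constructed lookup table (documentation ranges) in place of a GeoIP database.
COUNTRY_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "GB"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]


def country_of(ip_str):
    """Map a client address to a country code; unknown addresses are reported too."""
    ip = ipaddress.ip_address(ip_str)
    for net, cc in COUNTRY_TABLE:
        if ip in net:
            return cc
    return "??"


def parse_line(line):
    """Parse one access log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_login_attempt(rec):
    """A POST to the login endpoint that the server did not reject with 4xx/5xx.

    The access log cannot confirm the credentials were accepted; this only drops
    obvious rejections so the alert is not flooded by scanners hitting 4xx.
    """
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path == LOGIN_PATH and rec["status"] < 400


def foreign_logins(lines, home=HOME_COUNTRY):
    """Return (ip, country, ISO timestamp) for login attempts from outside `home`."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_attempt(rec):
            continue
        cc = country_of(rec["ip"])
        if cc != home:
            hits.append((rec["ip"], cc, rec["time"].isoformat()))
    return hits


def format_alert(hits):
    """Plain-text body suitable for the email logwatch would send."""
    if not hits:
        return ""
    lines = ["ZoneMinder login attempts from outside %s:" % HOME_COUNTRY]
    lines += ["  %s  %s  %s" % (ts, cc, ip) for ip, cc, ts in hits]
    return "\n".join(lines)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jun/2020:10:51:02 +0100] "POST /zm/index.php HTTP/1.1" 302 0 "https://zm.example.com/zm/" "zmNinja"',
    '192.0.2.10 - - [16/Jun/2020:10:51:03 +0100] "GET /zm/index.php?view=console HTTP/1.1" 200 5120 "-" "zmNinja"',
    '198.51.100.7 - - [16/Jun/2020:11:02:44 +0100] "POST /zm/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Jun/2020:11:05:10 +0100] "POST /zm/index.php HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    'this line is not an access log entry and is skipped',
]

if __name__ == "__main__":
    print(format_alert(foreign_logins(SAMPLE_LOG)))
```

Run against a real log, the script should see the address Apache records; if the server sits behind the NGINX proxy discussed earlier in the thread, Apache must be configured to trust the forwarded client address, otherwise every login will appear to come from 127.0.0.1 and the country filter becomes useless.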