Proper way to secure zoneminder
Posted: Tue Dec 20, 2022 11:33 am
TL;DR: do the zoneminder devs feel safe using ZM authentication exposed to the Internet? (Honest/innocent question.)
I'm new to ZM and just want to make sure I understand how to secure it properly. I have it running on k8s with an ingress providing internet access, and I just put up basic auth on the ingress to ensure it is secure until I figure everything out. It works fine via a browser this way, but I see that zmninja doesn't care for this config. Looking at the docs, it seems like ZM has a built-in authentication system that is preferred (assuming I'm reading the latest info on that).
If I turn that on and get rid of my ingress authentication, my understanding is that zoneminder will present an application login screen.
Please don't read anything into this question, but I just wanted to confirm that this is considered reasonably secure to open to the internet. I know ZM has been around for a long time and has some legacy config options, and I have no personal expertise in securing web applications, so I just wanted to confirm that this method of authentication is considered by the developers to be adequate for use today. Obviously I realize there are no guarantees - I just want to make sure that this is indeed considered the proper way to set up zoneminder when it is exposed to the internet via a reverse proxy.
In particular, I noticed a statement in the docs: "Authenticated mode alone should not be relied upon for securing Internet connected ZoneMinder."
I haven't fully gone through the details, but I also saw in some zmninja some references to passing an authentication token in the URL and then using some kind of mod_rewrite approach to convert that into basic auth in the proxy. I suspect that will not be possible with a k8s ingress, but I haven't looked into it too closely.