Basic Security with ZoneMinder

ZoneMinder "out of the box" is setup with the most basic of features configured and simple to get going.  And security is never simple, so by default ZoneMinder is configured to be wide open to anyone who accesses the URL.  As I'm sure you've probably noticed.  In this post I'll cover some of the basics of ZoneMinder authentication, as well as some additional ideas on securing a ZoneMinder setup.


First, the obvious:  Security cameras often show things you wouldn't want published on the Internet.  For a business, it could show would-be vandals where things are in the building or when the building isn't staffed.  For a home, it could show similar things to potential evil doers, as well as an invasion of privacy (would you want a baby monitor published on the Internet for prying eyes to see?).  It's these reasons that I really do not like the cloud based NVR / camera systems and prefer on-prem systems where the data and access is controlled by me.  But, if the on-prem system is deployed in an insecure manor, the same problems could exist.

ZoneMinder Authentication

This is the first step to securing ZoneMinder.  As previously mentioned, there is no user authentication for ZoneMinder.  Let's fix that:

1. On the ZoneMinder main screen, click on Options.
2. Go to the "Users" tab.
3. Click on "admin" to open the properties of the admin account
1. Enter a new password in both the New Password and Confirm Password field, then click on Save.
4. It's best practice to not always use the admin account, and instead make an account for each person or service that will be connecting to ZoneMinder.  Back on the Users tab, click on Add New User.
1. Fill in the form, selecting what permissions this new user will have.  Assuming this is "you", you'll want to give this account the highest level of permissions.

That sets up the accounts, so now we have to enable authentication.

1. Go to the System tab.
2. Generate a random string of text and put it in the AUTH_HASH_SECRET field.
1. An easy way to do this is a random sentence, or a GUID.
3. Check the box for "OPT_USE_AUTH"
4. Click on "Save"
5. Close the Options window.
6. The main window will now refresh.  Login again with your credentials.

At this point, ZoneMinder is now locked down to users that provide credentials.  This is way better then before, which allowed anyone to access it.  But we're going to go a few steps beyond that.  When you fill in that login page, the user credentials are sent in the clear.  This means that if you were to publish this to the Internet, anyone with a packet sniffer in the right spots could grab the credentials easily and use them.  Clearly this is not good.  There are many ways to handle this.  I'll go over one method in detail (since it's easy), and explain what you would need to do for the other two.

HTTPS using a Self Signed Certificate

HTTPS is the encrypted version of HTTP, which is what the World Wide Web basically works on.  HTTPS is what's used when you shop at Amazon, browse at Google, use your bank...basically anytime a website wants to protect your data in transit.

The premise of HTTPS is a "trust structure", where a trusted organization "signs" a certificate validating that person or organization is who they say they are.  That signing process costs money, and can be cumbersome.  I'll talk about it in the next section, but for the purposes here we're going to use a Self Signed Certificate.  The downside with this is when you browse to the ZoneMinder interface you will get an error saying the certificate is untrusted.  However, the connection is still encrypted and protected.  This is typically good enough for most people for small organizations.

For my setup I'm using Ubuntu Server 16.04.2 LTS, so that's what these directions are built on.  (I'm also assuming that ZoneMinder is the only thing running on this server)

First, activate the HTTPS / ssl handler for Apache (Ubuntu includes it in the default "LAMP" install, it just needs to be activated):

1. sudo a2enmod ssl
2. sudo service apache2 restart

Next, we'll create the place to store the certificates, as well as the self signed certificate itself:

1. sudo mkdir /etc/apache2/ssl
2. sudo openssl req -x509 -nodes -days 3065 -newkey rsa:2048 -keyout /etc/apache2/ssl/zm.key -out /etc/apache2/ssl/zm.crt
1. Fill in the form with the obvious information
2. For "Common Name", put in the IP address of the server or the fully qualified domain name if you have one (ie: zoneminder.mydomain.com)

Now that we have the required certificate, we can configure Apache to talk HTTPS:

1. Edit /etc/apache2/sites-available/default-ssl.conf with your favorite editor (nano, vim, etc)
1. Change SSLCertificateFile to: /etc/apache2/ssl/zm.crt
2. Change SSLCertificateKeyFile to: /etc/apache2/ssl/zm.key

Lastly, put the new HTTPS / ssl configuration in place and restart Apache:

1. sudo a2ensite default-ssl.conf
2. sudo service apache2 restart

Now open a browser and try to go to the server using HTTPS.  For example, https://192.168.0.100/zm .  You will get a security warning about an invalid certificate.  This is because it's a self signed certificate as opposed to one signed by a trusted 3rd party.  You can accept this warning and continue.

Again, this is a quick and dirty setup.  I didn't cover all of the different ways you can configure the HTTPS/SSL listener, nor did I cover the best practices way in this section.  I encourage you to read up on the mod_ssl pacakge for Apache for more details.

HTTPS Using 3rd Party Signed Certificates

In the last section I used a certificate that the server itself signed.  That's good enough for most home users, but if you want a more professional feel or want to publish this on the Internet, I'd strongly encourage you to use a 3rd party signed certificate.

There are many options for proper certificate signing.  Some of the popular ones are:

• Thawte
• GoDaddy
• DigiCert
• NameCheap
• Comodo
• GeoTrust
• Let's Encrypt (free, but has limitations)

Each of those services have slightly different processes for requesting certificates.  I'd encourage you to read the specific directions provided by the provider you choose.  Ultimately, all of the Apache the configuration on the server would still be performed in the /etc/apache2/sites-available/default-ssl.conf file.

VPN

A VPN is a good way to provide access to the ZoneMinder server remotely and securely.  This allows you to not have to publish ZoneMinder to the Internet but still allow remote access.  If you don't know, a VPN (Virtual Private Network) allows a remote device to connect to a different network as if it were local.  VPNs are also typically encrypted, so all the connections between the remote computer and the remote network are all protected.

Many modern routers have VPN features built into them.  If the router you have does not, a great alternative is OpenVPN.  OpenVPN is a lightweight VPN server based on open standards and is easy to implement.  A good way to do this is by running OpenVPN on a dedicated Raspberry PI.  For details, check out http://www.pivpn.io/ .

That said, a VPN should not be considered a replacement for configuring HTTPS. HTTPS will protect your ZoneMinder server against local spyware that could exist on your network, since all the connections to ZoneMinder for the UI would be encrypted.

Conclusion

No matter what you choose, you'll want to secure ZoneMinder's UI with some or all of these features discussed here.  For my example setup, I used a self signed certificate, as well as a VPN for remote access.  I have plans to setup a certificate with Let's Encrypt at a later date.