Wednesday, July 26, 2017

Basic Security with ZoneMinder

ZoneMinder "out of the box" is setup with the most basic of features configured and simple to get going.  And security is never simple, so by default ZoneMinder is configured to be wide open to anyone who accesses the URL.  As I'm sure you've probably noticed.  In this post I'll cover some of the basics of ZoneMinder authentication, as well as some additional ideas on securing a ZoneMinder setup.

First, the obvious:  Security cameras often show things you wouldn't want published on the Internet.  For a business, it could show would-be vandals where things are in the building or when the building isn't staffed.  For a home, it could show similar things to potential evil doers, as well as an invasion of privacy (would you want a baby monitor published on the Internet for prying eyes to see?).  It's these reasons that I really do not like the cloud based NVR / camera systems and prefer on-prem systems where the data and access is controlled by me.  But, if the on-prem system is deployed in an insecure manor, the same problems could exist.

ZoneMinder Authentication

This is the first step to securing ZoneMinder.  As previously mentioned, there is no user authentication for ZoneMinder.  Let's fix that:

  1. On the ZoneMinder main screen, click on Options.
  2. Go to the "Users" tab.
  3. Click on "admin" to open the properties of the admin account
    1. Enter a new password in both the New Password and Confirm Password field, then click on Save.
  4. It's best practice to not always use the admin account, and instead make an account for each person or service that will be connecting to ZoneMinder.  Back on the Users tab, click on Add New User.
    1. Fill in the form, selecting what permissions this new user will have.  Assuming this is "you", you'll want to give this account the highest level of permissions.

That sets up the accounts, so now we have to enable authentication.

  1. Go to the System tab.
  2. Generate a random string of text and put it in the AUTH_HASH_SECRET field.
    1. An easy way to do this is a random sentence, or a GUID.
  3. Check the box for "OPT_USE_AUTH"
  4. Click on "Save"
  5. Close the Options window.
  6. The main window will now refresh.  Login again with your credentials.
At this point, ZoneMinder is now locked down to users that provide credentials.  This is way better then before, which allowed anyone to access it.  But we're going to go a few steps beyond that.  When you fill in that login page, the user credentials are sent in the clear.  This means that if you were to publish this to the Internet, anyone with a packet sniffer in the right spots could grab the credentials easily and use them.  Clearly this is not good.  There are many ways to handle this.  I'll go over one method in detail (since it's easy), and explain what you would need to do for the other two.

HTTPS using a Self Signed Certificate

HTTPS is the encrypted version of HTTP, which is what the World Wide Web basically works on.  HTTPS is what's used when you shop at Amazon, browse at Google, use your bank...basically anytime a website wants to protect your data in transit.

The premise of HTTPS is a "trust structure", where a trusted organization "signs" a certificate validating that person or organization is who they say they are.  That signing process costs money, and can be cumbersome.  I'll talk about it in the next section, but for the purposes here we're going to use a Self Signed Certificate.  The downside with this is when you browse to the ZoneMinder interface you will get an error saying the certificate is untrusted.  However, the connection is still encrypted and protected.  This is typically good enough for most people for small organizations.

For my setup I'm using Ubuntu Server 16.04.2 LTS, so that's what these directions are built on.  (I'm also assuming that ZoneMinder is the only thing running on this server)

First, activate the HTTPS / ssl handler for Apache (Ubuntu includes it in the default "LAMP" install, it just needs to be activated):

  1. sudo a2enmod ssl
  2. sudo service apache2 restart
Next, we'll create the place to store the certificates, as well as the self signed certificate itself:
  1. sudo mkdir /etc/apache2/ssl
  2. sudo openssl req -x509 -nodes -days 3065 -newkey rsa:2048 -keyout /etc/apache2/ssl/zm.key -out /etc/apache2/ssl/zm.crt
    1. Fill in the form with the obvious information
    2. For "Common Name", put in the IP address of the server or the fully qualified domain name if you have one (ie:
Now that we have the required certificate, we can configure Apache to talk HTTPS:
  1. Edit /etc/apache2/sites-available/default-ssl.conf with your favorite editor (nano, vim, etc)
    1. Change SSLCertificateFile to: /etc/apache2/ssl/zm.crt
    2. Change SSLCertificateKeyFile to: /etc/apache2/ssl/zm.key
Lastly, put the new HTTPS / ssl configuration in place and restart Apache:
  1. sudo a2ensite default-ssl.conf
  2. sudo service apache2 restart
Now open a browser and try to go to the server using HTTPS.  For example, .  You will get a security warning about an invalid certificate.  This is because it's a self signed certificate as opposed to one signed by a trusted 3rd party.  You can accept this warning and continue.

Again, this is a quick and dirty setup.  I didn't cover all of the different ways you can configure the HTTPS/SSL listener, nor did I cover the best practices way in this section.  I encourage you to read up on the mod_ssl pacakge for Apache for more details.

HTTPS Using 3rd Party Signed Certificates

In the last section I used a certificate that the server itself signed.  That's good enough for most home users, but if you want a more professional feel or want to publish this on the Internet, I'd strongly encourage you to use a 3rd party signed certificate.

There are many options for proper certificate signing.  Some of the popular ones are:
  • Thawte
  • GoDaddy
  • DigiCert
  • NameCheap
  • Comodo
  • GeoTrust
  • Let's Encrypt (free, but has limitations)
Each of those services have slightly different processes for requesting certificates.  I'd encourage you to read the specific directions provided by the provider you choose.  Ultimately, all of the Apache the configuration on the server would still be performed in the /etc/apache2/sites-available/default-ssl.conf file.


A VPN is a good way to provide access to the ZoneMinder server remotely and securely.  This allows you to not have to publish ZoneMinder to the Internet but still allow remote access.  If you don't know, a VPN (Virtual Private Network) allows a remote device to connect to a different network as if it were local.  VPNs are also typically encrypted, so all the connections between the remote computer and the remote network are all protected.

Many modern routers have VPN features built into them.  If the router you have does not, a great alternative is OpenVPN.  OpenVPN is a lightweight VPN server based on open standards and is easy to implement.  A good way to do this is by running OpenVPN on a dedicated Raspberry PI.  For details, check out .

That said, a VPN should not be considered a replacement for configuring HTTPS. HTTPS will protect your ZoneMinder server against local spyware that could exist on your network, since all the connections to ZoneMinder for the UI would be encrypted.


No matter what you choose, you'll want to secure ZoneMinder's UI with some or all of these features discussed here.  For my example setup, I used a self signed certificate, as well as a VPN for remote access.  I have plans to setup a certificate with Let's Encrypt at a later date.


  1. This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here keep up the good work Melbourne CCTV Systems

  2. Good to become visiting your weblog again, it has been months for me. Nicely this article that i've been waited for so long. I will need this post to total my assignment in the college, and it has exact same topic together with your write-up. Thanks, good share. security guards

  3. I was reading some of your content on this website and I conceive this internet site is really informative ! Keep on putting up. Hikvision

  4. I'm new to ZoneMinder and setting up web servers in general. I was wondering what kind of precautions should I take to make sure my home server with ZoneMinder would be at least somewhat secure. Right now I'm using the built-in auth option in ZM. My server is behind NAT and I use port forwarding with non-standard ports to connect to the server. I have all other ports blocked with software firewall. Is there something else I should do? I'm using Ubuntu 16.04 if that makes any difference.
    Thanks all, Charlotte from qlddiamondsecurity

  5. This is a smart blog. I mean it. You have so much knowledge about this issue, and so much passion. You also know how to make people rally behind it, obviously from the responses. Links Locksmith Services of Jacksonville Floriday is a Mobile Locksmith

  6. I wanted to thank you for this excellent read!! I definitely loved every little bit of it. I have you bookmarked your site to check out the new stuff you post. CCTV Melbourne

  7. I am looking for and I love to post a comment that "The content of your post is awesome" Great work! security agency birmingham

  8. Me and my friends have thoroughly enjoyed this blog.
    IT support Phoenix

  9. Such a very useful article. Very interesting to read this article.I would like to thank you for the efforts you had made for writing this awesome article. mobile security patrols leek

  10. Also note that if you are planning on recording in low light situations, you need to keep this in mind when installing your surveillance cameras.Reolink tech support

  11. For example, those who can't seem to take action will typically define security as $X in the bank, 24response a house that's fully paid for, a stable high-paying job with benefits, a solid relationship with the boss, a car that runs well, etc.

  12. Best rated 10 Most popular Christmas Light Projectors of 2020 (Laser & LED) - Reviews

    Christmas is really a time for getting festive and joyful, a time when folks come collectively and luxuriate in every other’s agency at the same time reminiscing with regard to the good situations they’ve had all year long. Additionally it is a time and energy to enhance your home and its environment in festive colors. While many people have a preference for to hang Christmas lights all around their gutters and depart it at that, there is certainly a great deal of increased which can be achieved to embellish the house in the spirit of the vacations.
    For example, you may constantly make use of a Christmas Lights Projector Reviews to shed a festive light on the house in a very multitude of cheerful patterns. These projectors are normally low-cost and very easy to try, let alone how easy they are to setup. To give you a better understanding of just what the market provides in such a regard, we place jointly an inventory of the ten top rated Christmas light projectors money can buy.

  13. Best Hair Rollers For Fine Hair might seem effortless to invest in, however , you preferably should only procure the ideal. But how do you know which is the optimal This is often one of some of the most competitively priced rollers about the market place today. But, its fee doesn’t imply that it is not powerful. The device features an ionic technology with ceramic rollers that makes a fantastic shiny finish.

  14. The software is on the market in two sorts of model costless extensive Asma compare both of these versions the complete model may be the more desirable than absolutely free edition due to the fact it's endless use of this software and provides

  15. Key Freemake Video Converter also fuses fundamental devices for modifying video earlier than a transform, by way of example, reducing scenes and so forwards. These features aren’t as wide as master video modifying programming like Final Cut Pro. Be that as it can, FVC will place all the pieces to be able when there’s no other choice. Cost-free, speedily, converts into or out of any video compound perceived by anybody and duplicates

  16. I think this is one of the most significant information for me. And i’m glad reading your article. Thank for sharing! Nitro Pro Crack/a>

  17. Hi me John

    you shared a great post and thanks for this ossm concept and you spend a good time in good place.

  18. CCleaner Pro Serial Key is excellent software for home, business, Fog Up, and Google Android. This removes all unwanted and temporary documents. ccleanerprofreedownload

  19. Maxon CINEMA 4D Studio R23.110 Crack is easy to learn and extremely powerful: Cinema 4D is the perfect package for all 3D artists who want to achieve impressive results quickly and effortlessly. maxoncinema4dstudior21registrationkey

  20. SoundMajorz Vybe Omnisphere Library 2 Crack Free Download Torrent.soundmajorzvybeomnispherelibrary2keygen

  21. This post is very helpful. thank you for blogs

  22. Spyhunter Crack was specially developed to protect any computer and system. There are many security experts who recommend Spyhunter 6 for free for protection as Spyhunter 6 consists of many of the complete and updated developments and features that are now much needed in recent years.
    VUescan Pro Crack
    Elcomsoft Phone Breaker Crack
    Format Factory Crack
    Consoleact Crack
    Blue Cloner Diamond Crack

  23. Love to watch movies online on Rainierland? This article tells if free sites like Rainierland are safe to use & how you might be doing a ...


  24. Appreciation is a wonderful thing...thanks for sharing kepp it up.VSDC Video Editor

  25. Great set of tips from the master himself. Excellent ideas. Thanks for Awesome tips Keep it up

  26. I guess I am the only one who came here to share my very own experience. Guess what!? I am using my laptop for almost the past 2 years, but I had no idea of solving some basic issues. I do not know how to Crack Softwares Free Download But thankfully, I recently visited a website named Crackedfine

    Kaspersky Total Security Crack

    Windows 11 Activator Crack

  27. When I need a program like this on my PC, I ultimately install it. And I'm glad to see its features because this edition has a lot to offer. I strongly advise you to download this app because it is free and simple to use.

  28. I love his site and his posts. Keep up the good work!

  29. Really Good Work Done By You...However, stopping by with great quality writing, it's hard to see any good blog today.
    VSDC Video Editor Pro CRACK

  30. Very good, I think I found the knowledge. I will see and refer some information in your post. thank you.

  31. I like your all post. You have done really good work. Thank you for the information you provide, it helped me a lot. I hope to have many more entries or so from you.
    Very interesting blog.
    VSDC Video Editor Pro Crack
    ReaConverter Pro Crack
    Gemini Crack

  32. Thank you so much for everything you've done with this post. This is a fantastic piece of writing.

  33. Enjoyed reading the article above, Very interesting, and thanks for sharing!! Keep posting such informative posts. Commercial Locksmith

  34. Some truly select content on this web site , saved to my bookmarks .


IT Accountability: Avoiding Murphy

Amongst technology experts, Murphy is someone we all try to avoid.  Murphy's Law states "Anything that can go wrong, will".  E...