reggie4
Posts: 81
Joined: Wed Jan 15, 2014 2:09 pm

Motion web stream security

Thu Jan 30, 2014 9:40 am

Hi all,

I've managed to get motion working nearly the way I want it, but need advice on security.

Is this the correct way to use the authentication for the stream in the motion.conf file?

Code:

# Set the authentication method (default: 0)
# 0 = disabled
# 1 = Basic authentication
# 2 = MD5 digest (the safer authentication)
stream_auth_method 2

# Authentication for the stream. Syntax username:password
# Default: not defined (Disabled)
; stream_authentication myun:mypw

"myun:mypw" is straight text, not encoded, and not enclosed in "".



I'm viewing the stream in Chrome using an HTML file containing the code:

Code:

<html>
	<head>
		<style>
			body
			{
				margin: 0px;
				padding: 0px;
			}
			img
			{
				width: 100%;
				height: 100%;
			}
		</style>
	</head>
	<body>
		<!-- put the IP address of your Pi in this line: -->
		<img src="http://192.168.1.xx:xxxx" />
	</body>
</html>

But this doesn't ask for a username and password, just gives me the stream.

I've set:

Code:

# Restrict stream connections to localhost only (default: on)
stream_localhost on

so I'm worried people outside my network will be able to see the private pictures.

Your advice is always welcome,

regards,

Reggie.

ethanol100
Posts: 581
Joined: Wed Oct 02, 2013 12:28 pm

Re: Motion web stream security

Thu Jan 30, 2014 11:41 am

I think in motion.conf all lines with # or ; are disabled. Have you tried to remove the ; from the line with stream_authentication?

Just to be sure: Have you compiled motion on your own or installed it from the repository with apt-get? I think the version from the repository does not include the stream authentication stuff.

And you are sending the password unencrypted through the internet; perhaps an SSL-encrypted proxy or something else would be safer?
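
Added example (not written by any poster in this thread, and not Motion's own code): a small Python check for the situation discussed above, where a leading `;` or `#` leaves `stream_authentication` inactive. The option names and defaults are the ones quoted in the thread; the function names, warning texts and sample file are assumptions made for illustration.

```python
# Added example: audit the stream settings of a motion.conf.
# Option names come from the thread; function names and warning
# texts are hypothetical.

SAMPLE_CONF = """\
# constructed sample, mirroring the first post
stream_auth_method 2
; stream_authentication myun:mypw
stream_localhost on
"""

def active_options(text):
    """Return {option: value} for lines not disabled by '#' or ';'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or commented out
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit_stream_config(text):
    """Return a list of warnings about the stream authentication settings."""
    opts = active_options(text)
    method = opts.get("stream_auth_method", "0")        # default: 0
    creds = opts.get("stream_authentication")            # default: not defined
    localhost_only = opts.get("stream_localhost", "on") == "on"
    findings = []
    if method != "0" and not creds:
        findings.append("auth method set but stream_authentication is not active")
    if creds and ":" not in creds:
        findings.append("stream_authentication must be username:password")
    if method == "1":
        findings.append("Basic auth is readable on the wire; put TLS in front")
    if method == "0" and not localhost_only:
        findings.append("stream reachable from the network without authentication")
    return findings

if __name__ == "__main__":
    for finding in audit_stream_config(SAMPLE_CONF):
        print("WARNING:", finding)
```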

reggie4
Posts: 81
Joined: Wed Jan 15, 2014 2:09 pm

Re: Motion web stream security

Thu Jan 30, 2014 6:48 pm

Hi ethanol100,

I did install Motion using

Code:

sudo apt-get install motion

but the motion.conf file gives the option to "Set the authentication method", so I assumed I could password protect the stream with the installed version. How can I find out for sure if the version I have can do this?

Yes, "#" definitely excludes that line from the conf file.

I'll try removing the ";" too.

"you are sending the password unencrypted through the internet, perhaps a ssl encrypted proxy or something else would be safer"

I'm sure it would, but I have absolutely no idea how to implement this; could you please point me in the direction of some tutorials or examples on how to implement this within motion?

Thanks in advance,

Reggie.

ethanol100
Posts: 581
Joined: Wed Oct 02, 2013 12:28 pm

Re: Motion web stream security

Thu Jan 30, 2014 8:30 pm

There have been some discussions at, e.g., http://www.raspberrypi.org/phpBB3/viewt ... 45#p203245

Link for the StreamAuthPatch:
http://www.lavrsen.dk/foswiki/bin/view/ ... mAuthPatch

Some ways of proxy in this link and in its comments:
http://www.lavrsen.dk/foswiki/bin/view/ ... gProxyGrab

But following
http://www.codeproject.com/Articles/665 ... nce-camera
your way should work if you remove the ";". And you can try to use auth mode 1.

Sorry, I do not use motion, so I can only guess.

reggie4
Posts: 81
Joined: Wed Jan 15, 2014 2:09 pm

Re: Motion web stream security

Thu Jan 30, 2014 11:28 pm

Hi Ethanol,

I managed to get "Basic authentication" option 1 working by removing the ";" and typing http://ipaddress:portnumber into Firefox; it didn't work in Chrome!

I'm still concerned about security, as it's http and not https. Could someone capture my username and password when sending this data from my web browser to the PI via my router?

How would they do this and how likely is it to happen?

The way I see it there are two ways into my network, via WIFI and through the internet and the firewall of my router.

If I set up port forwarding on my router and use a no-ip.biz account to effectively fix an address, then how vulnerable is my network?

Sorry to sound ignorant, but I don't want to inadvertently leave my network vulnerable.

Any security advice would be welcomed,

Regards,

Reggie.

ethanol100
Posts: 581
Joined: Wed Oct 02, 2013 12:28 pm

Re: Motion web stream security

Fri Jan 31, 2014 9:44 am

The easiest way to get an SSL connection would be the program stunnel. It is an SSL proxy which would open a new port and accept SSL connections; if someone connects, it will forward all traffic locally to your stream port.

Some example of configuration can be found here:
http://www.ubuntugeek.com/stunnel-unive ... emons.html

Inside an SSL tunnel it is not so important to encrypt or hash (md5) your password, because the whole traffic from client to server will be encrypted.

If you are somewhere outside your local LAN and would connect to your webcam server, everybody on the way, where your traffic passes, could easily get your password. It would be really easy, you can just log all traffic and search for "auth" requests. So I would not advise using a clear text password. But how interesting is your webcam? In the end nothing is really safe. The network would not be vulnerable, they could just watch your webcam.

On your local LAN, it depends if you trust everybody who uses it. If you use WIFI with wpa2 as encryption, nobody can easily read your traffic from outside. So it would be safe from inside.

So everything is just a question of how paranoid you are.

reggie4
Posts: 81
Joined: Wed Jan 15, 2014 2:09 pm

Re: Motion web stream security

Sat Feb 01, 2014 8:26 am

That was a really interesting post ethanol100.

I'm not too concerned about someone watching my webcam; more about the possibility of someone lurking in my network and possibly taking control of the PI, the router, or other network connected computers without my knowledge.

I'll read up on network security, as my knowledge in that area is, well, limited!

1) I take it my local network is everything connected behind the firewall in my router, everything with the address 192.168.1.XX. So if I connect to the PI (192.168.1.local_id:portnumber) from my wifi enabled laptop (192.168.1.XX), using my Windows web browser, someone on my local network could potentially see my password if I use "Basic authentication" option 1 in the motion.conf file, but not from the web side of the firewall?

2) If I connect from outside my router, using no-ip.biz and port forwarding, then people out on the web could harvest my password if the Pi is set to "Basic authentication" option 1 in the motion.conf file, but could only access the live stream, not any of the files on the Pi or my network?

3) If I install stunnel on my PI, it would set up a safe tunnel between my browser, outside and inside my network, so all traffic would be encrypted?

4) I'm paranoid about viruses / Trojans and other nasties however, and religiously scan for them. I take it some nasties could install programs on my local network that "search for "auth" requests" and send that data out to the web, but if I have stunnel on my Pi, they wouldn't be able to make sense of the encrypted traffic.

5) How would I go about "encrypt or hash(md5) your password" on my Pi and a web side browser?

6) What if I use https?

Have I understood you correctly?

Regards,

Reggie.

ghans
Posts: 7854
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: Motion web stream security

Sat Feb 01, 2014 9:35 am

Digest Authentication (method 2 in your motion.conf) does provide protection against eavesdropping and replay attacks. It uses hashing internally, so the password won't be sent in clear text at all. A sophisticated attacker still could intercept all traffic and view the stream itself - a possibility which I deem unlikely inside your own LAN.

ghans

ethanol100
Posts: 581
Joined: Wed Oct 02, 2013 12:28 pm

Re: Motion web stream security

Sun Feb 02, 2014 9:03 pm

I will try to answer your questions, but I am not an expert so it is just my opinion.
reggie4 wrote: 1) I take it my local network is everything connected behind the firewall in my router, everything with the address 192.168.1.XX. So if I connect to the PI (192.168.1.local_id:portnumber) from my wifi enabled laptop (192.168.1.XX), using my Windows web browser, someone on my local network could potentially see my password if I use "Basic authentication" option 1 in the motion.conf file, but not from the web side of the firewall?
Yes

reggie4 wrote: 2) If I connect from outside my router, using no-ip.biz and port forwarding, then people out on the web could harvest my password if the Pi is set to "Basic authentication" option 1 in the motion.conf file, but could only access the live stream, not any of the files on the Pi or my network?
Yes, additionally somebody could capture the traffic and view the live stream, without knowing the password. But your files are relatively safe. There could always be a "bug" in motion which can be used to get access to your computer. But in general the software in Debian is very well tested and I would trust motion. So I would say your Raspberry Pi would be safe. (But you should always use different passwords and not use the same passwords for, e.g., your user login.)

reggie4 wrote: 3) If I install stunnel on my PI, it would set up a safe tunnel between my browser, outside and inside my network, so all traffic would be encrypted?
Yes, all packages from the Raspberry Pi to your computer (and back) would be encrypted. The strength and method of encryption can be configured with stunnel.

reggie4 wrote: 4) I'm paranoid about viruses / Trojans and other nasties however, and religiously scan for them. I take it some nasties could install programs on my local network that "search for "auth" requests" and send that data out to the web, but if I have stunnel on my Pi, they wouldn't be able to make sense of the encrypted traffic.
I use only Linux and I am not very afraid of viruses and trojans. The SSL tunnel would protect the communication, so nobody from a different computer could read it unencrypted. But if the trojan were installed on your computer, where the tunnel ends, it could get access to the unencrypted data. Additionally, the encryption is relatively CPU intensive, and you would put an additional load on the Raspberry Pi. Locally I would not use encryption. A trojan will in general not be interested in your webcam; it would be more interested in getting your email or bank account data.

reggie4 wrote: 5) How would I go about "encrypt or hash(md5) your password" on my Pi and a web side browser?
I have no clue. Someone who uses motion could tell you? I think usually it should "just" work if you select stream_auth_method 2. I think it would work somehow like this: the browser calculates the hash of your password and will send only the hash to the motion server, and the server calculates the hash of the password stored in the config file and compares both. The password cannot be reconstructed from the md5 hash. But motion could also store only the md5 hash instead of the clear text password; I have really no clue.

reggie4 wrote: 6) What if I use https?
I do not know exactly what you mean. The idea is that in an encrypted tunnel the password is automatically encrypted and therefore a hash is not necessary.

I think you have understood me correctly.
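
Added example (not written by any poster in this thread, and not Motion's source code): a Python sketch of what is sent for `stream_auth_method` 1 versus 2, using the HTTP Basic encoding and the RFC 2617 Digest calculation. The helper names and the realm, nonce and URI values in the demo are constructed for illustration; what realm and nonce Motion actually issues is not shown on this page.

```python
# Added example: what crosses the wire for stream_auth_method 1 vs 2.
# Helper names, realm, nonce and URI values are constructed for illustration.
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_header(user, password):
    """Method 1: the credentials are only base64-encoded."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header):
    """Any observer of the header recovers the credentials."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password

def digest_response(user, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """Method 2 (RFC 2617): the client sends this hash, never the password."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_accepts(stored_password, response, user, realm, method, uri,
                   nonce, **extra):
    """The server repeats the calculation from the secret it has stored
    and compares; the user does not pre-hash anything."""
    expected = digest_response(user, realm, stored_password, method, uri,
                               nonce, **extra)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    print(decode_basic(basic_header("myun", "mypw")))
    for nonce in ("nonce-A", "nonce-B"):  # a fresh server nonce changes the response
        print(nonce, digest_response("myun", "stream", "mypw", "GET", "/", nonce))
```

Digest keeps the password itself off the wire and ties each response to the server's nonce, but the stream that follows is still unencrypted, which is why a TLS tunnel is suggested earlier in the thread.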

kyuzumaki
Posts: 22
Joined: Sat Apr 26, 2014 6:49 pm

Re: Motion web stream security

Wed May 14, 2014 10:41 am

Has anyone been able to get auth method 2 to work? When enabled it prompts for a password and detects that it's being sent by a more secure non-plaintext method, but it doesn't actually let me log in; it always says the password is incorrect. Are there specific limitations when using md5 digest or do I need to hash the password first?

barry914
Posts: 48
Joined: Sat Aug 20, 2016 7:40 pm

Re: Motion web stream security

Mon Oct 03, 2016 2:56 pm

I don't know if you're still looking for an answer, but yes, I just got it working. I simply set the authentication method to 2 and put in a username:password in clear text in the stream access section. When I access the stream I get the usual login popup and everything works normally.

jayache80
Posts: 1
Joined: Mon Nov 14, 2016 12:34 pm

Re: Motion web stream security

Mon Nov 14, 2016 12:44 pm

I am having trouble getting auth method 2 to work when I try to log in on my phone (iOS Safari). It seems I can log in on the Chrome browser though.

Anyone know why this may be? I kinda need to check this live stream on my phone, so I'm thinking about leaving it as basic authentication method 1 for now... IoT is in the news a lot lately though......

pertm84
Posts: 29
Joined: Sat Oct 20, 2018 10:59 am
Location: Norway

Re: Motion web stream security

Sun Oct 28, 2018 9:42 pm

I'd like to have access only on the config part. I don't mind if people see my stream, but I'd like to secure my settings.

Any knowledge on this?
