Securing Raspberry Pi Security Camera (or UIs) using Apache Knox
I was able to get my hands on the Raspberry Pi Zero W and decided to put it to use by building a motion activated security camera. I had three simple requirements:
- The camera should have a live feed.
- It should alert me (email/text) when motion is detected.
- It should be secure.
I stumbled on a great tutorial by Mark West, Building a Motion Activated Security Camera with Raspberry Pi Zero. By following the tutorial, I was able to achieve two of my requirements and I was somewhat happy about my setup. There were however some things that I thought needed to be worked out:
- Network Layout
- Image Detection enhancements
In this blog post I will cover securing the Raspberry Pi Motion web interface using the open-source tool Apache Knox (disclaimer: I am a committer on the Apache Knox project).
I am assuming that Motion is already configured to get live feeds from the Raspberry Pi camera module; I will not go into the details, as they are covered by Mark West in his excellent blog post mentioned above. It should be noted that any web interface can be put behind Apache Knox in the same way; I am using Motion as an example here.
Why Apache Knox?
- Authentication: Authenticates the users.
- Authorization: Makes access decisions, i.e. which services are accessible to which user.
- Audit: Gives the ability to determine what actions were taken by whom during some period of time.
- Lightweight: Has low memory and disk requirements.
Setup user and hostname
We will create a separate user for authentication. This user is created on the system where Apache Knox is installed. Apache Knox authenticates against the local accounts through PAM and then makes access-control decisions on the resulting username, so it makes sense to keep this account separate from other system users. We will use this user exclusively to access our Motion setup from outside.
Set up the user with username myuser and password strongpassword (pick a genuinely strong one; this password is what protects the camera feed). The -G sudo membership is not needed for Knox to authenticate this user; drop it unless you also want to administer the Pi with this account.
sudo useradd -m myuser -G sudo
sudo passwd myuser
Add the user to the shadow group. pam_unix needs read access to /etc/shadow to verify passwords for accounts other than the one it runs as, so the account that starts the Knox gateway must be in the shadow group. This assumes Knox is started as myuser; if you run the gateway as another account, add that account instead.
sudo usermod -a -G shadow myuser
Update the hostname so that in a multi-node deployment each Raspberry Pi can be addressed by name. Choose a hostname you like and update it in these two files, then commit the change:
# update here
sudo nano /etc/hosts
sudo nano /etc/hostname
# commit changes
sudo /etc/init.d/hostname.sh
sudo reboot
Setup Apache Knox
Download Apache Knox
Unzip it to /knox directory
unzip knox-0.12.0.zip -d /knox
Create a link to the system PAM library under ext/native in the Knox home directory (/knox/knox-0.12.0/ext/native given the unzip above). The exact file name of libpam on your image may differ, so list it first and point the link at whatever version is present:
sudo mkdir -p /knox/knox-0.12.0/ext/native
ls /lib/arm-linux-gnueabihf/libpam.so*
sudo ln -s /lib/arm-linux-gnueabihf/libpam.so.0.83.1 /knox/knox-0.12.0/ext/native/libpam.so
Make sure the APP_JAVA_LIB_PATH parameter in the gateway start script (bin/gateway.sh) points at that ext/native directory; it is passed to the JVM as java.library.path, and if it does not match, Knox cannot load libpam and PAM logins fail.
Optional: Update the gateway port from the default 8443 to something else by setting the gateway.port property in /knox/knox-0.12.0/conf/gateway-site.xml.
Update Knox config files
Now we update the Knox topology file (conf/topologies/sandbox.xml under the Knox home) to use PAM authentication, with Motion running locally on its default stream port 8081.
Note: Update the user (myuser) in the authorization provider in the sandbox.xml file. The ACL value has the form users;groups;ips, and the parameter name is the service role in lower case followed by .acl, so motion.acl applies to the MOTION service below. With the wildcards for groups and IPs, only the user myuser is allowed through, from any address; anyone else who authenticates successfully is still rejected by this provider.
<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
    <param>
        <name>motion.acl</name>
        <!-- if you have a different user update here -->
        <value>myuser;*;*</value>
    </param>
</provider>
If Motion is running on another machine, update the following snippet in the sandbox.xml file with the hostname and port where Motion is running (note that the hop from Knox to Motion is plain HTTP, so keep it on a trusted network segment):
<service>
    <role>MOTION</role>
    <url>http://<hostname>:<port></url>
</service>
Under /knox/knox-0.12.0/data/services create a folder structure as follows:
/knox/knox-0.12.0/data/services/motion/0.0.1/
Copy rewrite.xml and service.xml files from
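Putting the topology pieces above together, here is a complete sandbox.xml as an added example. It is not from the original post and not the topology shipped with Knox; it assumes Motion on localhost:8081, the user myuser created earlier, and the Knox 0.12-era PAM realm class org.apache.hadoop.gateway.shirorealm.KnoxPamRealm configured through the ShiroProvider (that class was later renamed under org.apache.knox.gateway, so check the name against the release you installed). The sessionTimeout value of 30 minutes and the "login" PAM service name are also assumptions you can adjust.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example topology, not the post's original file. Assumptions: Motion on
     localhost:8081, login user "myuser", Knox 0.12 class names. -->
<topology>
    <gateway>
        <!-- Authentication: HTTP Basic credentials checked against the local
             accounts via PAM (the /etc/pam.d/login stack). -->
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.pamRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
            </param>
            <param>
                <name>main.pamRealm.service</name>
                <value>login</value>
            </param>
            <param>
                <!-- every URL under this topology requires Basic auth -->
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>

        <!-- Identity assertion: pass the authenticated name through unchanged -->
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>

        <!-- Authorization: users;groups;ips -- only myuser, any group, any IP -->
        <provider>
            <role>authorization</role>
            <name>AclsAuthz</name>
            <enabled>true</enabled>
            <param>
                <name>motion.acl</name>
                <value>myuser;*;*</value>
            </param>
        </provider>
    </gateway>

    <!-- The protected backend; role must match the service definition folder -->
    <service>
        <role>MOTION</role>
        <url>http://localhost:8081</url>
    </service>
</topology>
```

Once the file is saved, Knox redeploys the topology on its own and the camera feed is reached over HTTPS on the gateway port at /gateway/sandbox/ followed by the path declared in the motion service definition. A request without credentials gets a 401 challenge from the authentication provider; a request with valid credentials for any local account other than myuser gets a 403 from AclsAuthz, which is the behaviour to verify with a second throwaway account before exposing the port.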