LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   General (http://www.linuxquestions.org/questions/general-10/)
-   -   Home server compromised by smartass (http://www.linuxquestions.org/questions/general-10/home-server-compromised-by-smartass-942264/)

jlinkels 04-28-2012 07:51 AM

Home server compromised by smartass
 
My son is 9 years old. His name is Gabriel Rodger Edward Paulo, but we call him exclusively by his initials: GREP. This already should make you suspicious.

As many youngsters of that age he is is completely addicted to computers, internet and iPod. His favorite game at this moment is Minecraft. (No idea what that is). Since he was spending almost every minute not sleeping behind the computer my wife and I long time ago decided to limit that use somewhat.

On my home server, which also acts as internet gateway I created some scripts which added or removed rules from iptables, which were in turn called from cron. His active time windows became 08:00-10:00, 12:00-17:00 and 20:00-21:00. At 21:00, a local cron job in his computer would shut down his computer in addition.

This worked fine for some time and got him away from the computer. But then he used his iPod to access internet. Which I disabled for internet access as well. Then he sneakily borrowed my wife's laptop on which he also holds a user account in case they are travelling. Which I disabled as well through adding more rules in iptables.

Then he discovered that Minecraft could be downloaded and installed and played off-line. As usual in the race between security enforcers and security breachers it became time for the next step.

I created a flag file in my son's home directory on the server: /home/glinkels/.xallow. The same script which modifies the internet access now also writes a '0' or '1' in this file, according to whether or not X is allowed to run.

On his own computer, I created a link to this file on the server. Next I installed a script (running under root credentials) which examined this file, and killed and disallowed X at the off times, and started X at the allowed time windows.

This worked for a few days, and then I began noticing that he was able to use his computer during the disallowed time windows as well. At first I tought something had gone sour with one of the scripts I wrote. Or a cron job. Or incrorrect reading of the flag file. None of this all. At a certain moment I discovered that the contents of the flag file had magically changed back to '1'. So I concentrated on anything that would access that file. I checked all open tty's on all computers I have (which are quite some, including in my office which is VPN connected to my home office) for sessions I left open running a test script. None of that all. Last week I created an audit rule on this file, but I didn't have the time yet to look into it.

Until this morning I woke up at 06:30 by the sound coming from his computer. He was watching youtube videos, but at the same time, this time was outside his allowed time window, which started only at 08:00.

So I opened the /var/log/auth.log at my home server. Not the times are in UTC and we are UTC-4. A UTC time of 10:30 is 06:30 local time. This is the contents of the file around 06:30:
Code:

Apr 28 10:23:48 homeserv sshd[6321]: Accepted publickey for jlinkels from 192.168.110.130 port 47106 ssh2
Apr 28 10:23:48 homeserv sshd[6321]: pam_unix(sshd:session): session opened for user jlinkels by (uid=0)
Apr 28 10:24:00 homeserv sudo: jlinkels : TTY=pts/0 ; PWD=/home/jlinkels ; USER=root ; COMMAND=/bin/sh /root/ip_rule_grep.sh allow
Apr 28 10:24:01 homeserv CRON[6472]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 28 10:24:04 homeserv sshd[6324]: Received disconnect from 192.168.110.130: 11: disconnected by user

192.168.110.130 is my computer in the home office.

After severe cross-examination of my son, including using interrogation techniques as deprivation, exposure to hot and cold, bright lights, loud music and waterboarding, he finally admitted his crime after I threatened him that I would make hime wear a bra and post his picture on facebook.

Whenever his computer was blocked, he would sneak into my home office, and open a virtual console. My computer is always on (super low power Atom nettop) and not locked by a screen saver(*). The he SSH-ed into the home server. I am using public/private keys without a pass phrase. Hey, I thought I was at least safe in my own home. Then he would search the history for the famous command: sudo bash /root/ip_rule_grep.sh allow and executed it.

So never assume you are safe from security breachers in your own home.

jlinkels

(*) I stopped locking my screen when the screen saver kicked in when our eldest son left the house. We were afraid that he could browse to our confidential files including certain pictures with embarrassing content.

Edit:
PS. My wife says she can read from the smile on my face and the twinkle in my eyes that I am very proud that the little lad knows how to use Linux. This is completely untrue of course.

manwichmakesameal 04-28-2012 09:57 AM

That's hilarious. I can only hope....

catkin 04-28-2012 11:06 AM

Congratulations to you on your ingenious training program -- and to your son GREP for passing with flying colours :D

jefro 04-28-2012 11:27 AM

Seems he is way more advanced in best practices than the actual admin is.

Try this on a corporate lan with 35,000 users that try to get past stuff.

PrinceCruise 04-28-2012 02:07 PM

Uber cool. The lad is in somewhat right direction. :D

Regards.

allend 04-29-2012 09:54 AM

Naughty Daddy! You should not allow SSH logins for root, especially when faced with a precocious attacker capable of close observation and skillful social engineering.

jlinkels 04-29-2012 01:33 PM

Quote:

Originally Posted by allend (Post 4666021)
Naughty Daddy! You should not allow SSH logins for root, especially when faced with a precocious attacker capable of close observation and skillful social engineering.

If you read the post carefully you see that he connected over SSH with my credentials from my computer using my private key authentication. Then on the server, while still being me he used a sudo command. Sudo allows me to execute commands without password.
There are numerous weak spots in my scheme, like physical access, private key connection without a passphrase and passwordless sudo. Sometimes I just want to get work done instead of entering password twenty times in 15 minutes.
Root access for SSH is disabled on all my machines, and on all servers there is a list with allowedusers. Which is good for intruders, but doesn't help against unauthorized physical access.

jlinkels

allend 04-29-2012 06:49 PM

I stand corrected. I misread the log snippet. Obviously your son knows more than me!
Your experience does point out the potential flaw in bypassing two factor identification.

linuxlover.chaitanya 04-30-2012 02:12 AM

But the fortunate thing in all this episode was that it was only your son and not really a smartass cracker. And he only used this hack to gain access to internet and not much. A learning lesson for all the fathers around though.

sundialsvcs 05-01-2012 05:33 PM

Looking forward to that Facebook photograph. A "D"-cup should fit great.

linuxlover.chaitanya 05-01-2012 10:52 PM

Quote:

Originally Posted by sundialsvcs (Post 4667966)
Looking forward to that Facebook photograph. A "D"-cup should fit great.

:D .

////// 05-04-2012 10:11 AM

:D

cool son u have!
and only 9 years old.

newbiesforever 05-07-2012 02:32 PM

Is this whole story some kind of satire? I assume so. It's not your obviously absurd claim to have tortured your son that gives it away; that could simply be some sarcastic exaggeration within an otherwise true story. It's that your story is curiously devoid of angst about your son's defiance and lack of respect. I noticed that for him to have such skills, either he's a prodigy or you very extensively trained him to understand and perform these UNIX tricks, and why would you do that?

jlinkels 05-07-2012 02:52 PM

The interrogation part is satire, copied and pasted from a website where American interrogation techniques in Guantamo Bay are explained. It struck me how difficult it was for him to admit his actions, while he knew he would not be punished.

All other parts are the full truth, not in the least exaggerated. He is not especially trained in Linux, we just don't have any other OS around. Apparently he pays attention to what others (me) are doing. Generally when he wants something done I tell him to go ahead and only call me when things are broken beyond repair.

I am a proud father, but at the same time, as you say, a bad parent because I accept his lack of respect.

jlinkels

lithos 05-07-2012 03:51 PM

Hi jlinkels

I can only do :D
and thumbs up to you and your son's ingenuity.


All times are GMT -5. The time now is 03:48 PM.