LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices

Reply
 
Search this Thread
Old 04-28-2012, 07:51 AM   #1
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Lenny/Squeeze/Wheezy/Sid
Posts: 4,162

Rep: Reputation: 505Reputation: 505Reputation: 505Reputation: 505Reputation: 505Reputation: 505
Home server compromised by smartass


My son is 9 years old. His name is Gabriel Rodger Edward Paulo, but we call him exclusively by his initials: GREP. This already should make you suspicious.

As many youngsters of that age he is is completely addicted to computers, internet and iPod. His favorite game at this moment is Minecraft. (No idea what that is). Since he was spending almost every minute not sleeping behind the computer my wife and I long time ago decided to limit that use somewhat.

On my home server, which also acts as internet gateway I created some scripts which added or removed rules from iptables, which were in turn called from cron. His active time windows became 08:00-10:00, 12:00-17:00 and 20:00-21:00. At 21:00, a local cron job in his computer would shut down his computer in addition.

This worked fine for some time and got him away from the computer. But then he used his iPod to access internet. Which I disabled for internet access as well. Then he sneakily borrowed my wife's laptop on which he also holds a user account in case they are travelling. Which I disabled as well through adding more rules in iptables.

Then he discovered that Minecraft could be downloaded and installed and played off-line. As usual in the race between security enforcers and security breachers it became time for the next step.

I created a flag file in my son's home directory on the server: /home/glinkels/.xallow. The same script which modifies the internet access now also writes a '0' or '1' in this file, according to whether or not X is allowed to run.

On his own computer, I created a link to this file on the server. Next I installed a script (running under root credentials) which examined this file, and killed and disallowed X at the off times, and started X at the allowed time windows.

This worked for a few days, and then I began noticing that he was able to use his computer during the disallowed time windows as well. At first I tought something had gone sour with one of the scripts I wrote. Or a cron job. Or incrorrect reading of the flag file. None of this all. At a certain moment I discovered that the contents of the flag file had magically changed back to '1'. So I concentrated on anything that would access that file. I checked all open tty's on all computers I have (which are quite some, including in my office which is VPN connected to my home office) for sessions I left open running a test script. None of that all. Last week I created an audit rule on this file, but I didn't have the time yet to look into it.

Until this morning I woke up at 06:30 by the sound coming from his computer. He was watching youtube videos, but at the same time, this time was outside his allowed time window, which started only at 08:00.

So I opened the /var/log/auth.log at my home server. Not the times are in UTC and we are UTC-4. A UTC time of 10:30 is 06:30 local time. This is the contents of the file around 06:30:
Code:
Apr 28 10:23:48 homeserv sshd[6321]: Accepted publickey for jlinkels from 192.168.110.130 port 47106 ssh2
Apr 28 10:23:48 homeserv sshd[6321]: pam_unix(sshd:session): session opened for user jlinkels by (uid=0)
Apr 28 10:24:00 homeserv sudo: jlinkels : TTY=pts/0 ; PWD=/home/jlinkels ; USER=root ; COMMAND=/bin/sh /root/ip_rule_grep.sh allow
Apr 28 10:24:01 homeserv CRON[6472]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 28 10:24:04 homeserv sshd[6324]: Received disconnect from 192.168.110.130: 11: disconnected by user
192.168.110.130 is my computer in the home office.

After severe cross-examination of my son, including using interrogation techniques as deprivation, exposure to hot and cold, bright lights, loud music and waterboarding, he finally admitted his crime after I threatened him that I would make hime wear a bra and post his picture on facebook.

Whenever his computer was blocked, he would sneak into my home office, and open a virtual console. My computer is always on (super low power Atom nettop) and not locked by a screen saver(*). The he SSH-ed into the home server. I am using public/private keys without a pass phrase. Hey, I thought I was at least safe in my own home. Then he would search the history for the famous command: sudo bash /root/ip_rule_grep.sh allow and executed it.

So never assume you are safe from security breachers in your own home.

jlinkels

(*) I stopped locking my screen when the screen saver kicked in when our eldest son left the house. We were afraid that he could browse to our confidential files including certain pictures with embarrassing content.

Edit:
PS. My wife says she can read from the smile on my face and the twinkle in my eyes that I am very proud that the little lad knows how to use Linux. This is completely untrue of course.

Last edited by jlinkels; 04-28-2012 at 07:54 AM. Reason: Added a PS
 
Old 04-28-2012, 09:57 AM   #2
manwichmakesameal
Member
 
Registered: Aug 2006
Distribution: Slackware
Posts: 800

Rep: Reputation: 100Reputation: 100
That's hilarious. I can only hope....
 
Old 04-28-2012, 11:06 AM   #3
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,551
Blog Entries: 28

Rep: Reputation: 1176Reputation: 1176Reputation: 1176Reputation: 1176Reputation: 1176Reputation: 1176Reputation: 1176Reputation: 1176Reputation: 1176
Congratulations to you on your ingenious training program -- and to your son GREP for passing with flying colours
 
Old 04-28-2012, 11:27 AM   #4
jefro
Guru
 
Registered: Mar 2008
Posts: 11,714

Rep: Reputation: 1439Reputation: 1439Reputation: 1439Reputation: 1439Reputation: 1439Reputation: 1439Reputation: 1439Reputation: 1439Reputation: 1439Reputation: 1439
Seems he is way more advanced in best practices than the actual admin is.

Try this on a corporate lan with 35,000 users that try to get past stuff.
 
Old 04-28-2012, 02:07 PM   #5
PrinceCruise
Member
 
Registered: Aug 2009
Location: /Universe/Earth/India/Pune
Distribution: Slackware64 14.1/Current, CentOS 6.5/7.0
Posts: 773

Rep: Reputation: Disabled
Uber cool. The lad is in somewhat right direction.

Regards.
 
Old 04-29-2012, 09:54 AM   #6
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,461

Rep: Reputation: 852Reputation: 852Reputation: 852Reputation: 852Reputation: 852Reputation: 852Reputation: 852
Naughty Daddy! You should not allow SSH logins for root, especially when faced with a precocious attacker capable of close observation and skillful social engineering.
 
Old 04-29-2012, 01:33 PM   #7
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Lenny/Squeeze/Wheezy/Sid
Posts: 4,162

Original Poster
Rep: Reputation: 505Reputation: 505Reputation: 505Reputation: 505Reputation: 505Reputation: 505
Quote:
Originally Posted by allend View Post
Naughty Daddy! You should not allow SSH logins for root, especially when faced with a precocious attacker capable of close observation and skillful social engineering.
If you read the post carefully you see that he connected over SSH with my credentials from my computer using my private key authentication. Then on the server, while still being me he used a sudo command. Sudo allows me to execute commands without password.
There are numerous weak spots in my scheme, like physical access, private key connection without a passphrase and passwordless sudo. Sometimes I just want to get work done instead of entering password twenty times in 15 minutes.
Root access for SSH is disabled on all my machines, and on all servers there is a list with allowedusers. Which is good for intruders, but doesn't help against unauthorized physical access.

jlinkels

Last edited by jlinkels; 04-29-2012 at 01:35 PM.
 
Old 04-29-2012, 06:49 PM   #8
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,461

Rep: Reputation: 852Reputation: 852Reputation: 852Reputation: 852Reputation: 852Reputation: 852Reputation: 852
I stand corrected. I misread the log snippet. Obviously your son knows more than me!
Your experience does point out the potential flaw in bypassing two factor identification.
 
Old 04-30-2012, 02:12 AM   #9
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,627

Rep: Reputation: Disabled
But the fortunate thing in all this episode was that it was only your son and not really a smartass cracker. And he only used this hack to gain access to internet and not much. A learning lesson for all the fathers around though.
 
Old 05-01-2012, 05:33 PM   #10
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,401

Rep: Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119
Looking forward to that Facebook photograph. A "D"-cup should fit great.
 
Old 05-01-2012, 10:52 PM   #11
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,627

Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs View Post
Looking forward to that Facebook photograph. A "D"-cup should fit great.
.
 
Old 05-04-2012, 10:11 AM   #12
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Dual boot :: Slackware 14.1 64bit multilib | Kali linux 64bit multi lib
Posts: 184

Rep: Reputation: 37


cool son u have!
and only 9 years old.
 
Old 05-07-2012, 02:32 PM   #13
newbiesforever
Senior Member
 
Registered: Apr 2006
Location: Glendale, AZ
Distribution: Distro-homeless. Lost.
Posts: 1,875

Rep: Reputation: 62
Is this whole story some kind of satire? I assume so. It's not your obviously absurd claim to have tortured your son that gives it away; that could simply be some sarcastic exaggeration within an otherwise true story. It's that your story is curiously devoid of angst about your son's defiance and lack of respect. I noticed that for him to have such skills, either he's a prodigy or you very extensively trained him to understand and perform these UNIX tricks, and why would you do that?
 
Old 05-07-2012, 02:52 PM   #14
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Lenny/Squeeze/Wheezy/Sid
Posts: 4,162

Original Poster
Rep: Reputation: 505Reputation: 505Reputation: 505Reputation: 505Reputation: 505Reputation: 505
The interrogation part is satire, copied and pasted from a website where American interrogation techniques in Guantamo Bay are explained. It struck me how difficult it was for him to admit his actions, while he knew he would not be punished.

All other parts are the full truth, not in the least exaggerated. He is not especially trained in Linux, we just don't have any other OS around. Apparently he pays attention to what others (me) are doing. Generally when he wants something done I tell him to go ahead and only call me when things are broken beyond repair.

I am a proud father, but at the same time, as you say, a bad parent because I accept his lack of respect.

jlinkels
 
Old 05-07-2012, 03:51 PM   #15
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217Reputation: 217Reputation: 217
Hi jlinkels

I can only do
and thumbs up to you and your son's ingenuity.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Server compromised? sminogue Linux - Security 2 12-15-2011 01:54 PM
[SOLVED] Why cant I subtract Reputation from smartass comments! swampf0x LQ Suggestions & Feedback 29 03-28-2011 09:50 AM
my server has been compromised, what next? Kropotkin Linux - Security 15 08-27-2009 06:15 AM
Server Compromised? lss1 Linux - Security 7 12-16-2005 12:49 AM
Server Compromised? stlyz3 Linux - Security 6 09-07-2005 04:28 PM


All times are GMT -5. The time now is 07:39 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration