Moode Forum

Full Version: Security - which users really need to log in
Hi there,
I found three users that have a login shell:

* pi
* mpd
* upmpdcli 

While I understand that pi needs a shell, I don't get why mpd and upmpdcli need bash?

Background: I want to reduce the possible "doors" for a security breach and use PKI for real remote logins.
How are you able to log in with either the mpd or upmpdcli userid?
sudo passwd -S mpd
mpd L 02/17/2020 0 99999 7 -1

So the account is locked, the last change of the password was in February, and I am currently not able to do so, but that doesn't mean anything: I am also currently not able (missing knowledge) to use any stack exposure. So, while I can't, maybe other people are able to do so. And they may then use this RPi system to go through the other 40 systems in the same network. Using lastlog shows that no one has used the account until today.

I just wonder, since all other accounts are using /usr/sbin/nologin, why are mpd and upmpdcli using bash? Can I change that to /usr/sbin/nologin, or will that stop something from working?
A couple of things.

1. I'm not an expert on OS security.
2. moOde is not a secure system and should never be connected to an untrusted, unknown, public or unsecured network. It's meant to only be used on typical residential networks protected by a Router or on its own AP mode network. If you choose to use it on an untrusted network YMMV.

As far as the MPD and upmpdcli accounts go, they are created during the build of moOde by the commands below. Since we have not specified a login shell via --shell it must default to /bin/bash.

Code:
sudo useradd mpd
sudo useradd upmpdcli

They end up with the following status. Note that the "L" after the userid means the password is locked, which prevents logging into the account. According to what I read, "L" means "the password is effectively disabled by changing it to a value which matches no possible encrypted value".

Code:
pi@rp2:~ $ sudo passwd --status mpd
mpd L 07/02/2020 0 99999 7 -1

pi@rp2:~ $ sudo passwd --status upmpdcli
upmpdcli L 07/02/2020 0 99999 7 -1

Here is what the pi account looks like. The "P" after the userid means it has a usable password that can be used to login to the account.

Code:
pi@rp2:~ $ sudo passwd --status pi
pi P 07/02/2020 0 99999 7 -1
pi@rp2:~ $

So even though those two accounts are assigned to the bash shell their passwords are locked which effectively prevents using those accounts to log into the system.

You could try changing the assigned shell for those two accounts to /usr/sbin/nologin and let us know if anything breaks.
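An added example, not from the thread or from moOde itself: a small POSIX sh audit over constructed /etc/passwd and /etc/shadow lines. It applies the same status rule that passwd --status uses (L when the hash field starts with ! or *, NP when it is empty, P otherwise) and lists only accounts that combine an interactive shell with a usable password, which is the combination that actually allows a password login.

```shell
#!/bin/sh
# Audit which accounts can really be logged into with a password.
# Constructed sample data modelled on the thread's moOde box; on a real
# system read /etc/passwd and /etc/shadow (the latter needs root).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:,,,:/home/pi:/bin/bash
mpd:x:1001:1001::/home/mpd:/bin/bash
upmpdcli:x:1002:1002::/home/upmpdcli:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'
SAMPLE_SHADOW='root:*:18446:0:99999:7:::
pi:$6$constructedhash:18446:0:99999:7:::
mpd:!:18446:0:99999:7:::
upmpdcli:!:18446:0:99999:7:::
www-data:*:18446:0:99999:7:::'

# Print "user shell" for every account whose shell is not nologin/false.
# $1 = passwd text
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1, $7 }'
}

# Mirror passwd --status: L if the hash starts with ! or * (locked),
# NP if the field is empty (no password), otherwise P (usable password).
# $1 = user name, $2 = shadow text
password_status() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u {
            if ($2 == "")            print "NP"
            else if ($2 ~ /^[!*]/)   print "L"
            else                     print "P"
        }'
}

# Accounts with BOTH an interactive shell and a usable password.
# $1 = passwd text, $2 = shadow text
loginable_accounts() {
    interactive_accounts "$1" | while read -r user shell; do
        if [ "$(password_status "$user" "$2")" = "P" ]; then
            echo "$user $shell"
        fi
    done
}

# On the sample data only "pi /bin/bash" is printed: mpd and upmpdcli have
# bash but a locked password, root is locked too, www-data has nologin.
loginable_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

To run it against a live box, replace the two sample strings with "$(cat /etc/passwd)" and "$(sudo cat /etc/shadow)".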
I am also not a security expert; as a manager, I know enough to sound dangerous.
I understand your prerequisite, which is nice, and difficult to set up. In Germany the technical journals make regular attacks by scanning the network for open ports.
So I try to keep all devices to a minimum of installed software and also only the required accounts.

So I will change the two accounts to nologin and will see if this breaks anything, which doesn't mean it could not break anybody else's system.
What's difficult about running moOde on a residential network?

Routers use a NAT layer to separate the WAN side from the LAN side of a residential network. Hackers can only see the ports on the WAN side and so unless you have used the Router's port mapping function to explicitly expose ports on moOde to the WAN side of the Router none of the ports moOde exposes on the LAN can be accessed.
(12-07-2020, 03:53 PM)Tim Curtis Wrote: [ -> ]What's difficult about running moOde on a residential network?

Routers use a NAT layer to separate the WAN side from the LAN side of a residential network. Hackers can only see the ports on the WAN side and so unless you have used the Router's port mapping function to explicitly expose ports on moOde to the WAN side of the Router none of the ports moOde exposes on the LAN can be accessed.

In short, if someone is deep enough in your network to mess with your moode player, you probably have much bigger issues to worry about.
I keep trying to get this over to my managers at work who insist all our internal traffic goes over https.
@UpsiUps 

As far as logins are concerned, the obvious user account to attack via port 22 is "pi". Have you changed the default password? Any hacker worth their salt is running an automation-based attack armed with a list which includes various pi/<pw> combinations as well as volumio/volumio, etc., all scraped from the InterWeb™ for use when RPis are discovered.

At my former employer, the Network Police would have been on my case soon after I connected an RPi if it weren't on a DMZ segment. They worked in a "shoot first, ask questions later" mode.



Regards,
Kent
Let me share here my two cents.

First, NAT only works with IPv4; with IPv6, NAT will be removed (mid/long-term), as you will have your own IPv6 segment for all your home network devices. Some may only get a public IPv6 stack on their router and be forced to switch to IPv6 in their home network as well. The industry & government want your device ID to collect more data. (Yes, you could call it a crude theory, but ... you never know.) You already have bridge devices installed today if your mobile phone uses WiFi at home in parallel with GSM.

Every sw package could have a backdoor by accident, which might not be recognised & closed fast enough. So my strategy is to reduce the number of sw packages to the minimum needed.
Now, saying that, I trust that moode has no intention to collect data like SONOS and all the friendly lady speakers (Alexa, Siri etc.) do. Nevertheless, there are more than 1000 sw packages on the moode device. Some sw may not be installed by moode; it is already installed through the RPi OS (like the X11 server).
I like the approach that OpenELEC or LibreELEC are driving for Kodi: just enough OS to enable Kodi.
A very positive fact for moode is that when I review my logs on the pihole, moode makes only a few DNS requests and most are to connect to home-LAN servers (for music files).

BTW: I am not wearing any hat, nor do I think I am paranoid; the fact that I have never had a virus nor any other data loss through external access makes me very happy and keeps me cautious in the future as well.
(12-07-2020, 05:41 PM)TheOldPresbyope Wrote: [ -> ]@UpsiUps 

As far as logins are concerned, the obvious user account to attack via port 22 is "pi". Have you changed the default password? Any hacker worth their salt is running an automation-based attack armed with a list which includes various pi/<pw> combinations as well as volumio/volumio, etc., all scraped from the InterWeb™ for use when RPis are discovered.

At my former employer, the Network Police would have been on my case soon after I connected an RPi if it weren't on a DMZ segment. They worked in a "shoot first, ask questions later" mode.



Regards,
Kent
I agree that the standard user "pi" is always a nice honey pot for hackers. That's the reason why I only allow password-less login with PKI, where the private key is secured in an HSM.
In my young years as a consultant for HP Network Node Manager/ITO it was always interesting to discover the network and to see which new devices were shown on the map, and then use SNMP to get the most out of these devices. Today at home, I don't use Nagios, Wireshark or other cool stuff that eats too much of my time. So I try to prevent any of these incidents by blocking ports or using only trusted sources. (Ok, I also use iCloud ...)

I am afraid that in the end I need to build another wall of protection with another layer of network (I already have guest, home & admin). But this is now far off-topic for moode.