
Thread: Did someone log into my PC and edit auth.log entries to cover tracks?

  1. #11
    Join Date
    Jun 2020
    Beans
    334

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Dorms, apartment roommates.
    Yeah, OK, my bad, didn't think of that. I'm 50 so those living arrangements left me like 30 years ago lol.

    Instead of shutting down all the time when you go have a dump or whatever, maybe look into this?

    Just a thought that occurred to me: if someone can't access a USB port... well...

  2. #12
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    If the attacker isn't just a normal roommate, but some sort of highly motivated "state actor", then any bus connection can be used - PCI, PCIe, firewire, USB, Thunderbolt - any bus can be abused. I'd bet SATA, eSATA, IDE can be used too. There are published attack techniques for USB, firewire, and thunderbolt connections.
    And if you use any wireless mouse, keyboard of any sort, game over. Currently, none of the wireless protocols are known to be secure. I've been hacked over bluetooth.

    For example:


    I'm not making this stuff up.
    Last edited by TheFu; April 16th, 2021 at 11:16 PM.

  3. #13
    Join Date
    Jun 2020
    Beans
    334

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Or ...
    to block:
    Code:
    sudo chmod 700 /media
    This will allow only the root user, not the normal users, to mount the removable disks.

    to unblock:
    Code:
    sudo chmod 755 /media


    That's if your 'attacker' is not a spy of some sort like TheFu said.

  4. #14
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by TheFu View Post
    If you cannot restrict physical access to the system, then there isn't anything that can be done. With physical access, anything is possible.
    There is 1 way to fight that. Whole disk encryption using 2FA where you keep the 2FA device with you at all times. ALL TIMES. That includes in the toilet, shower. Get a Yubikey and setup 2FA to decrypt the LUKS encryption pre-boot using a challenge-response mode.
    Agreed on the encryption bit. It's a layer of extra security, but it does have its downsides as well.

    If you are in this sort of situation, enabling two-factor authentication can help immensely, but it won't stop everything if someone has physical access to your phone or email.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #15
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,907
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by hairyjew117 View Post
    When I powered the laptop down I powered it down holding the button, but it should still log that I powered it down??
    On the laptops I own (and I own several) pressing + holding the power button is NOT a graceful shutdown. It's a forced shutdown, the equivalent of suddenly pulling the power cord on a desktop PC. I would find it quite surprising if your Linux installation managed to log anything at all in that moment since you're basically violently pulling the rug from under its feet.

    Please stop doing that. A short press of the power button so the laptop initiates a graceful shutdown by itself (takes about 2 to 10 seconds) is OK, but not pressing + holding.


    As for the possibility of someone logging into your system:

    Did you check these commands?
    Code:
    sudo last
    sudo lastb
    Sometimes people (intruders too) forget that these files exist, e.g. they remove entries from "auth.log" but forget to erase the traces they left in places like /var/log/wtmp .... The other thing is that /var/log/btmp and /var/log/wtmp are in a binary format and thus harder to manipulate without completely messing them up. Most people trying to cover their tracks will simply resort to erasing those files right away or filling them with binary '0' so those files look empty.

    So if you check the outputs of
    Code:
    sudo lastb
    (the "bad" login attempts ... could well be empty if nobody ever tried anything) and
    Code:
    sudo last
    (the successful logins ... NO WAY this could ever be empty!!) is there any oddity there? Or nothing at all? e.g. you only get empty outputs from both commands?

    If the system was indeed tampered with then
    Code:
    sudo last
    will produce no output at all (e.g. the log was erased) or there should be strange time gaps, e.g. complete days missing.

    On a normal system where no tampering took place a "last" output should look something like this and you should be able to see both local and remote logins over a period of several months:

    Code:
    frodo      pts/1        192.168.1.6      Sat Apr 17 12:03   still logged in
    frodo      tty7         :0               Sat Apr 17 04:04 - 04:10  (00:05)
    frodo      tty7         :0               Sat Apr 17 03:56 - 04:04  (00:07)
    frodo      pts/1        192.168.1.6      Fri Apr 16 16:54 - 17:08  (00:14)
    frodo      pts/1        192.168.1.6      Fri Apr 16 15:41 - 15:41  (00:00)
    frodo      pts/1        192.168.1.6      Fri Apr 16 15:40 - 15:40  (00:00)
    frodo      pts/1        192.168.1.6      Fri Apr 16 15:19 - 15:19  (00:00)
    gollum     pts/1        10.106.77.10     Fri Apr 16 15:17 - 16:17  (01:00)
    frodo      pts/0        192.168.1.6      Fri Apr 16 14:15 - 14:15  (00:00)
    frodo      tty7         :0               Fri Apr 16 14:11 - 14:13  (00:01)
    frodo      tty7         :0               Fri Apr 16 13:58 - 14:11  (00:13)
    frodo      tty7         :0               Fri Apr 16 13:57 - 13:58  (00:01)
    frodo      pts/0        192.168.1.6      Fri Apr 16 13:17 - 13:56  (00:38)
    frodo      pts/0        192.168.1.6      Fri Apr 16 13:13 - 13:13  (00:00)
    frodo      pts/0        192.168.1.6      Fri Apr 16 13:06 - 13:06  (00:00)
    frodo      pts/0        192.168.1.108    Fri Apr 16 01:43 - 01:46  (00:03)
    reboot   system boot  5.4.0-72-generic   Fri Apr 16 01:09   still running
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:07 - 01:08  (00:00)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:06 - 01:06  (00:00)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:06 - 01:06  (00:00)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:06 - 01:06  (00:00)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:02 - 01:06  (00:03)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:02 - 01:02  (00:00)
    frodo      pts/1        192.168.1.2      Fri Apr 16 01:01 - 01:03  (00:01)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:01 - 01:02  (00:00)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:01 - 01:01  (00:00)
    frodo      pts/0        192.168.1.2      Thu Apr 15 00:21 - 01:59  (01:38)
    frodo      pts/0        192.168.1.2      Thu Apr 15 00:04 - 00:08  (00:03)
    frodo      tty7         :0               Wed Apr 14 23:06 - 23:10  (00:03)
    gollum     pts/0        10.106.77.10     Wed Apr 14 16:50 - 16:56  (00:06)
    frodo      pts/0        192.168.1.43     Wed Apr 14 14:07 - 14:07  (00:00)
    reboot   system boot  5.4.0-71-generic   Wed Apr 14 14:05 - 01:08 (1+11:02)
    frodo      pts/0        192.168.1.6      Wed Apr 14 13:52 - 13:52  (00:00)
    frodo      pts/0        10.135.75.30     Wed Apr 14 12:02 - 12:12  (00:09)
    frodo      pts/0        10.135.75.30     Wed Apr 14 11:47 - 11:51  (00:04)
    frodo      pts/0        10.135.75.30     Wed Apr 14 11:39 - 11:41  (00:01)
    frodo      pts/0        10.135.75.30     Tue Apr 13 12:30 - 12:31  (00:00)
    frodo      pts/0        10.135.75.30     Tue Apr 13 12:11 - 12:13  (00:02)
    frodo      pts/0        10.135.75.30     Tue Apr 13 11:20 - 11:30  (00:09)
    frodo      pts/0        10.135.75.30     Tue Apr 13 10:23 - 10:30  (00:06)
    reboot   system boot  5.4.0-71-generic   Tue Apr 13 10:23 - 14:04 (1+03:41)
    frodo      pts/1        10.135.75.30     Tue Apr 13 10:17 - 10:22  (00:04)
    ...
    And here a small example output from "lastb"... in this case an Internet-facing SFTP server where only SSH key authentication is activated. But lots of people try anyway with all kinds of weird usernames (this is a manual selection; I removed all entries with identifiable IP addresses) :

    Code:
    randall  ssh:notty    vmi545853.contab Sat Apr 17 11:40 - 11:40  (00:00)
    randall  ssh:notty    vmi545853.contab Sat Apr 17 11:40 - 11:40  (00:00)
    pi       ssh:notty    mon75-h02-176-14 Sat Apr 17 10:54 - 10:54  (00:00)
    pi       ssh:notty    mon75-h02-176-14 Sat Apr 17 10:54 - 10:54  (00:00)
    pi       ssh:notty    mon75-h02-176-14 Sat Apr 17 10:54 - 10:54  (00:00)
    pi       ssh:notty    mon75-h02-176-14 Sat Apr 17 10:54 - 10:54  (00:00)
    admin    ssh:notty    this-is-a-tor-ex Sat Apr 17 07:18 - 07:18  (00:00)
    admin    ssh:notty    this-is-a-tor-ex Sat Apr 17 07:18 - 07:18  (00:00)
    sorin    ssh:notty    19010730120.ip71 Sat Apr 17 06:04 - 06:04  (00:00)
    sorin    ssh:notty    19010730120.ip71 Sat Apr 17 06:04 - 06:04  (00:00)
    ...
    Failed local logins would be visible too on this log if there had been any of those.

    Can you check what output you get on your laptop?
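    The post above makes two points a practitioner can check mechanically: wtmp/btmp are binary, and someone covering tracks tends to either wipe the files or fill records with zero bytes, leaving empty output or unexplained gaps in "last". The script below is an added example for this thread, not scorp123's or anyone else's code. It assumes the glibc struct utmp layout used on x86_64 Linux (384-byte records with 32-bit ut_tv fields); the sample records it builds are constructed, not taken from a real machine. It parses records the same way "last" does and reports zero-filled records, records that go backwards in time, and gaps of a week or more.

```python
"""Parse wtmp/btmp-style binary records and flag two signs of tampering
raised in the thread: records overwritten with zero bytes and unexplained
time gaps.  Assumes the glibc struct utmp layout used on x86_64 Linux
(384-byte records, 32-bit ut_tv); the sample records are constructed."""
import struct
import sys
from datetime import datetime, timezone

# glibc x86_64 struct utmp: ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (sec, usec),
# ut_addr_v6[4], 20 unused bytes.  "<" means struct adds no implicit padding.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)           # 384 on x86_64
BOOT_TIME, USER_PROCESS = 2, 7                  # ut_type values from <utmp.h>


def _utc(iso):
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def pack_record(ut_type, pid, line, user, host, when, ut_id=b""):
    """Build one record; used here only to construct the sample file below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id,
                       user.encode(), host.encode(), 0, 0, 0,
                       int(when.timestamp()), 0, 0, 0, 0, 0)


def parse_utmp(data):
    """Yield one dict per record.  Zero-filled records are kept and marked
    rather than skipped, because their presence is the finding."""
    usable = len(data) - len(data) % UTMP_SIZE   # ignore a truncated tail
    for off in range(0, usable, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        yield {
            "type": f[0],
            "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
            "zeroed": raw == b"\0" * UTMP_SIZE,
        }


def tamper_indicators(records, max_gap_days=7):
    """Return human-readable findings: zero-filled records, records that go
    backwards in time (the file is append-only, so it should be ordered),
    and gaps of max_gap_days or more between consecutive live records."""
    records = list(records)
    findings = []
    zeroed = sum(1 for r in records if r["zeroed"])
    if zeroed:
        findings.append(f"{zeroed} record(s) are entirely zero bytes")
    live = [r for r in records if not r["zeroed"]]
    for prev, cur in zip(live, live[1:]):
        gap = cur["time"] - prev["time"]
        if gap.days < 0:
            findings.append(f"record at {cur['time']:%Y-%m-%d %H:%M} is earlier "
                            f"than the one before it (out of order)")
        elif gap.days >= max_gap_days:
            findings.append(f"{gap.days}-day gap between {prev['time']:%Y-%m-%d} "
                            f"and {cur['time']:%Y-%m-%d}")
    return findings


def sample_wtmp():
    """Constructed sample: a boot and two logins that look normal, then a
    wiped record and a login more than two weeks later."""
    return b"".join([
        pack_record(BOOT_TIME, 0, "~", "reboot", "5.4.0-71-generic",
                    _utc("2021-04-13T10:23:00"), b"~~"),
        pack_record(USER_PROCESS, 1201, "pts/0", "frodo", "10.135.75.30",
                    _utc("2021-04-13T11:20:00")),
        pack_record(USER_PROCESS, 1330, "pts/1", "gollum", "10.106.77.10",
                    _utc("2021-04-14T16:50:00")),
        b"\0" * UTMP_SIZE,                               # record wiped with zeros
        pack_record(USER_PROCESS, 1402, "pts/0", "frodo", "192.168.1.6",
                    _utc("2021-04-30T12:03:00")),
    ])


if __name__ == "__main__":
    # Pass /var/log/wtmp or /var/log/btmp (read as root) to check a real file.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_wtmp()
    for finding in tamper_indicators(parse_utmp(data)) or ["no indicators found"]:
        print(finding)
```

    Run it with no arguments to see the findings on the constructed sample, or with a path to a real wtmp/btmp file. A week-long gap is only a prompt to look closer; a laptop that stays powered off for a holiday produces one legitimately, which is why the reboot records in the "last" output above matter: a gap that starts with a clean shutdown and ends with a boot is far less suspicious than one in the middle of a running session.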

  6. #16
    Join Date
    Apr 2021
    Beans
    6

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by scorp123 View Post

    Failed local logins would be visible too on this log if there had been any of those.

    Can you check what output you get on your laptop?

    I have checked last and was able to find several logs of logins from many months that looked normal. lastb didn't produce much, just 1 entry and that it begins on the 14th. I even tested putting in the wrong password with sudo and on the lock/login screen and didn't find any records anywhere of failed login attempts. Checking faillog only gives me a long wall of text with "^@^@^@^@^@^@^@^@^@^@^@".


    This is what I got running lastb command

    Code:
    root     pts/0                         Wed Apr 14 18:54 - 18:54  (00:00)
    
    btmp begins Wed Apr 14 18:54:11 2021

    And this is what I get running faillog -a

    Code:
    Login       Failures Maximum Latest                   On
    
    root            0        0   12/31/69 18:00:00 -0600  
    daemon          0        0   12/31/69 18:00:00 -0600  
    bin             0        0   12/31/69 18:00:00 -0600  
    sys             0        0   12/31/69 18:00:00 -0600  
    sync            0        0   12/31/69 18:00:00 -0600  
    games           0        0   12/31/69 18:00:00 -0600  
    man             0        0   12/31/69 18:00:00 -0600  
    lp              0        0   12/31/69 18:00:00 -0600  
    mail            0        0   12/31/69 18:00:00 -0600  
    news            0        0   12/31/69 18:00:00 -0600  
    uucp            0        0   12/31/69 18:00:00 -0600  
    proxy           0        0   12/31/69 18:00:00 -0600  
    www-data        0        0   12/31/69 18:00:00 -0600  
    backup          0        0   12/31/69 18:00:00 -0600  
    list            0        0   12/31/69 18:00:00 -0600  
    irc             0        0   12/31/69 18:00:00 -0600  
    gnats           0        0   12/31/69 18:00:00 -0600  
    nobody          0        0   12/31/69 18:00:00 -0600  
    systemd-network       0        0   12/31/69 18:00:00 -0600  
    systemd-resolve       0        0   12/31/69 18:00:00 -0600  
    systemd-timesync       0        0   12/31/69 18:00:00 -0600  
    messagebus       0        0   12/31/69 18:00:00 -0600  
    syslog          0        0   12/31/69 18:00:00 -0600  
    _apt            0        0   12/31/69 18:00:00 -0600  
    tss             0        0   12/31/69 18:00:00 -0600  
    uuidd           0        0   12/31/69 18:00:00 -0600  
    tcpdump         0        0   12/31/69 18:00:00 -0600  
    avahi-autoipd       0        0   12/31/69 18:00:00 -0600  
    usbmux          0        0   12/31/69 18:00:00 -0600  
    rtkit           0        0   12/31/69 18:00:00 -0600  
    dnsmasq         0        0   12/31/69 18:00:00 -0600  
    cups-pk-helper       0        0   12/31/69 18:00:00 -0600  
    speech-dispatcher       0        0   12/31/69 18:00:00 -0600  
    avahi           0        0   12/31/69 18:00:00 -0600  
    kernoops        0        0   12/31/69 18:00:00 -0600  
    saned           0        0   12/31/69 18:00:00 -0600  
    nm-openvpn       0        0   12/31/69 18:00:00 -0600  
    hplip           0        0   12/31/69 18:00:00 -0600  
    whoopsie        0        0   12/31/69 18:00:00 -0600  
    colord          0        0   12/31/69 18:00:00 -0600  
    geoclue         0        0   12/31/69 18:00:00 -0600  
    pulse           0        0   12/31/69 18:00:00 -0600  
    gnome-initial-setup       0        0   12/31/69 18:00:00 -0600  
    gdm             0        0   12/31/69 18:00:00 -0600  
    s               0        0   12/31/69 18:00:00 -0600  
    systemd-coredump       0        0   12/31/69 18:00:00 -0600  
    clamav          0        0   12/31/69 18:00:00 -0600
    This is what I get running faillog -u (username)

    Code:
    Login       Failures Maximum Latest                   On
    
    Jeff               0        0   12/31/69 18:00:00 -0600
    Last edited by hairyjew117; April 18th, 2021 at 08:58 AM.

  7. #17
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by CharlesA View Post
    Agreed on the encryption bit. It's a layer of extra security, but it does have it's down sides as well.

    If you are in this sort of situation, enabling two-factor authentication can help immensely, but it won't stop everything if someone has physical access to your phone or email.
    Actually, using LUKS with 2FA **does** stop access to the computer data, unless the LUKS encryption is unlocked when the attacker arrives. Since whole disk encryption unlocks before booting/login, the protection is simple to understand.

    If the computer is useful, powered on, and you can type anything except a challenge, then it is NOT protected.

    But if the computer is either powered off or sitting at the LUKS 2FA challenge prompts, then it is protected and I doubt **any** nation actor could directly gain access without both beating the person who knows the correct response to the challenge AND having the 2FA device available. Also, I boot from a flash drive that is kept with me when traveling. I don't boot from the on-board storage ... look up "evil maid attack" for more information.

    I couldn't break into any of my LUKS encrypted systems without the correct 2FA device, regardless of what I might know. And someone with the 2FA device probably wouldn't know the correct challenge to enter to unlock the storage.

    Basically, whole disk encryption, as performed by Ubuntu, is only good when the computer is powered off. That applies to all encrypted systems that I know. The storage must be locked to be useful for securing data.

  8. #18
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    faillog output above doesn't show any attempts that failed.

  9. #19
    Join Date
    Apr 2021
    Beans
    6

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by TheFu View Post
    faillog output above doesn't show any attempts that failed.
    Is it supposed to log them? I have entered my password incorrectly many times and it should show it but it doesn't.

  10. #20
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by hairyjew117 View Post
    Is it supposed to log them? I have entered my password incorrectly many times and it should show it but it doesn't.
    I'd have to read the manpage for that command to know.
    Code:
    NAME
           faillog - display faillog records or set login failure limits
    
    SYNOPSIS
           faillog [options]
    
    DESCRIPTION
           faillog displays the contents of the failure log database (/var/log/faillog). It can also
           set the failure counters and limits. When faillog is run without arguments, it only displays
           the faillog records of the users who had a login failure.
    ...
    Looks like it would see only failures related to login on a tty/ptty, not ssh or a screen saver.
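    The manpage excerpt explains the OP's empty faillog: it is a separate database that only tty logins update. The sudo and lock-screen failures the OP tested still get recorded, just elsewhere, because pam_unix reports them through syslog into /var/log/auth.log, which is the file the thread title is about. The script below is an added example and not any poster's code; it counts those failures from auth.log in the default rsyslog line format. The log lines embedded in it are constructed samples (the hostname "laptop", user "jeff" and the 198.51.100.7 address are made up), not real log data.

```python
"""Count authentication failures that never reach faillog: sudo, the GNOME
lock screen (gdm-password) and sshd all log through pam_unix/syslog into
/var/log/auth.log.  Added example for this thread; the sample lines below
are constructed in the usual rsyslog format and are not real log data."""
import re
import sys
from collections import Counter

# pam_unix failures from sudo, gdm-password, login and sshd share this shape.
# The optional "]" after the service name covers the "gdm-password]:" quirk
# that Ubuntu's auth.log shows; "\buser=" skips the earlier "ruser=" field.
PAM_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ (?P<service>[\w.-]+)(?:\[\d+\])?\]?: "
    r"pam_unix\((?P<module>[\w-]+):auth\): authentication failure;.*?\buser=(?P<user>\S*)"
)
# sshd additionally writes its own summary line with the remote address.
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)

# Constructed sample: one sudo failure, one lock-screen failure, two sshd
# failures from the same remote host, plus two unrelated lines that must be ignored.
SAMPLE_AUTH_LOG = """\
Apr 14 18:54:11 laptop sudo: pam_unix(sudo:auth): authentication failure; logname=jeff uid=1000 euid=0 tty=/dev/pts/0 ruser=jeff rhost=  user=jeff
Apr 14 18:54:15 laptop sudo:     jeff : TTY=pts/0 ; PWD=/home/jeff ; USER=root ; COMMAND=/usr/bin/last
Apr 14 19:02:30 laptop gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=jeff
Apr 14 19:02:31 laptop gdm-password]: gkr-pam: unlocked login keyring
Apr 15 03:17:02 laptop sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Apr 15 03:17:04 laptop sshd[2231]: Failed password for root from 198.51.100.7 port 51234 ssh2
Apr 15 03:17:09 laptop sshd[2235]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
"""


def parse_failures(text):
    """Return two Counters: PAM failures keyed by (service, user), and sshd
    'Failed password' lines keyed by remote host.  One sshd attempt can
    produce both kinds of line, so the two counters are kept separate."""
    by_service, by_host = Counter(), Counter()
    for line in text.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            by_service[(m["module"], m["user"])] += 1
            continue
        m = SSHD_FAIL.search(line)
        if m:
            by_host[m["host"]] += 1
    return by_service, by_host


if __name__ == "__main__":
    # Pass /var/log/auth.log (readable as root or via the adm group) for real data.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    by_service, by_host = parse_failures(text)
    for (service, user), n in sorted(by_service.items()):
        print(f"{n:4d} failure(s) via {service} for user {user!r}")
    for host, n in by_host.most_common():
        print(f"{n:4d} sshd password failure(s) from {host}")
```

    On a machine like the OP's, a sudo or lock-screen password typed wrong on purpose should appear as a pam_unix line in auth.log within a second; if the test produces nothing there either while syslog is otherwise writing normally, that is a stronger sign something is wrong than an empty faillog, which is the expected state on a desktop.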
