Take picture of unauthorized user trying to access your Laptop

Did you ever tried to guess your friends password? Did you ever tried to login to your partners password protected computer? Sounds silly and childish but many are guilty of it. Most cases it’s no big deal but I am sure all of us would like to know who tried to guess our passwords and tried to login to our computers. Similarly, do you leave your laptop at work or with your friends? Do you trust your friends or partner or colleagues enough? Another silly questions. Let me get to the point … I actually came across this when I was trolling through my authentication logs. I had multiple authentication attempts to my Laptop and looking at the timestamp I knew that I wasn’t at home at that time. I was simply suspicious and decided to look around if there’s anyway I can find out who tried authenticating to my laptop. Of everything I found, I decided that I will try to capture a take picture of unauthorized user who was trying this.

I found this post in Ubuntu Forums (links below) and it uses PAM and will work for all failed login attempts. Using SSH, a virtual terminal or via the regular login screen, it doesn’t matter as everything is handled by PAM in the end.

Install ffmpeg/avconv

First of all we need to install ffmpeg/avconv.

apt-get install libav-tools

Shell script

Next we create a small script /usr/local/bin/authsnapper with the following contents:

#!/bin/bash

#    Simple script to take picture after entering wrong password in Linux
#    
#    Requirements:
#    Install ffmpeg or avconv
#    apt-get install libav-tools
#    (at your option) any later version.
# 
#    blackMORE Ops <www.blackmoreops.com> 

ts=`date +%s`
ffmpeg -f video4linux2 -s vga -i /dev/video0 -vframes 3 /tmp/vid-$ts.%01d.jpg
exit 0  
#important - has to exit with status 0

Depending on your Webcam (i.e. USB, built-in you might want to change the /dev/video0 with the actual video device of your webcam. This script is using /tmp folder as the image location, you can change that to anything to your liking. It also takes 3 pictures, you might want to change that if you like.

Now make this script executable

chmod +x /usr/local/bin/authsnapper

Take picture after entering wrong password in LinuxBefore we go and do the next step, test this script, simply paste /usr/local/bin/authsnapper in your terminal and it should take 3 pictures and save those in /tmp folder.

If this works, then you can go and configure PAM to call this on every failed attempt. You might want to be careful doing this. If you make a mistake, you wont be able to login to your laptop or workstation anymore (or not in the usual ways, you need to break in).

Open a terminal window with root access (sudo -s) and leave it open – just in case you screw up in the next steps.

Changing authentication in pam.d

Open /etc/pam.d/common-auth in your favorite editor,

gedit /etc/pam.d/common-auth.

Keep in mind for the following steps as the order of lines in this file matters. Find the following line:

auth    [success=1 default=ignore]      pam_unix.so nullok_secure

Change success=1 to success=2 to have it skip our script on success. This is an important step. After this change, it should look like this:

auth    [success=2 default=ignore]      pam_unix.so nullok_secure

Add the following line to call this script right after it:

auth    [default=ignore]                pam_exec.so seteuid /usr/local/bin/authsnapper

Save and close the file. No need to restart anything.

Testing

In a new terminal window, as regular user, try su -l testuser to log in as another user with username testuser. Deliberately enter the wrong password. Check if this result in a new picture. In you use Linux as root user as I do, you might want to create a new user for testing.

The same as above, but now enter the correct password. Check if you log in and it doesn’t result in a picture being taken. If the tests have succeeded you can log out from your Desktop environment. Try entering incorrect password and it should take 3 pictures.

Conclusion

I found this interesting and I guess it has its value to take picture of unauthorized user trying to access your Laptop… for example if you’re living in shared accommodation or dorm. But if you are good with programming and all, you might make it a full fledged software and publish in GIT. Just an idea but I think it’s a good one nevertheless.

Also, I am sure there’s better way of doing it, like instead of using /etc/pam.d/common-auth, you can try it in /etc/pam.d/sshd or /etc/pam.d/lightdm or a number of other ways. I will leave that testing to you. But in any of the cases you get locked out of your Linux, here’s how to break into Linux.

BTW, if anyone is wondering who tried to access my Laptop, yah nah .. not telling you. Thanks again and enjoy.

References:

  1. http://askubuntu.com/questions/253189/can-i-make-the-webcam-take-a-picture-when-an-incorrect-password-is-entered
  2. http://ubuntuforums.org/showthread.php?t=1509424&p=9827947#post9827947
  3. Understanding PAM
  4. PAM Man Pages

3 comments

  1. Joao Paulo Marcucci

    Very good! It is very useful =)

    But in Fedora I used /etc/pam.d/password-auth to get login fails in GDM

  2. Sir work but capture image enter correct password not incorrect password
    Sorry for my bad english

  3. How to edit the pam module “common-auth” in OpenSuse13.1 in order to work the script
    #
    auth required pam_env.so
    auth optional pam_gnome_keyring.so
    auth required pam_unix.so try_first_pass

    Thanks a lot for your attention and help

    Best regards

Leave a Reply

Your email address will not be published. Required fields are marked *