This is a simple hack for when you're AFK. Gives you pictures of who's trying to login into your PC.
Essentially you receive a telegram message for each failed login to your system. This works with any type of login, even SSH. And you also get a picture of the intruder (taken with the webcam).
how it works
Thanks to PAM's modularity, it's easy to integrate your own script. This script will acquire a picture from the webcam and send a message using telegram alongside the picture previously taken.
The script is made in python and thanks to some imported libraries is indeed very simple.
If you have a webcam LED, it will blink for a fraction of a second, it's very unlikely that the intruder will notice it.
As I mentioned, we need some python libraries, most of which are included in default python install. With one exception:
pip install telepot
We also need two external binaries and most likely they're already installed in your system:
apt install coreutils ffmpeg
As usual, this was easy.
At the moment, this is the only "dirty" part of the whole thing: I still have to check if there's a better way to do the pam integration. For now, this "just works".
Edit /etc/pam.d/common-auth, search for the line containing this text:
auth requisite pam_deny.so
and edit the line above, by changing "success=1" to "success=2"; then insert this new line (also before the "pam_deny" line):
auth [default=ignore] pam_exec.so seteuid /usr/local/bin/badlogin.py
We assume that our script will be placed in /usr/local/bin/badlogin.py. No need to reload any service or restart the computer.
For your reference, the resulting file should look something like this (comments stripped out):
auth [success=2 default=ignore] pam_unix.so nullok_secure auth [default=ignore] pam_exec.so seteuid /usr/local/bin/badlogin.py auth requisite pam_deny.so auth required pam_permit.so auth optional pam_ecryptfs.so unwrap auth optional pam_cap.so
the script itself
Let's put this in /usr/local/bin/badlogin.py:
#!/usr/bin/python import telepot import subprocess import os bottoken = 'XXXXXXXXXXXXXXX' chat = 1111111111 temp = subprocess.check_output(["mktemp", "tmp.XXX.jpg"]).rstrip() subprocess.call(["ffmpeg","-f", "video4linux2", "-s", "vga", "-i", "/dev/video0", "-vframes", "1", "-y", temp]) # initialize telegram bot connection bot = telepot.Bot(bottoken); bot.sendMessage(chat, 'Failed login!!!') bot.sendPhoto(chat, open(temp, 'rb')) os.remove(temp)
Don't forget to
chmod 755 /usr/local/bin/badlogin.py.
Two things are missing now: the bot token and the chat id. More on this later. Let's take a look at the code itself:
- First of all, we import some libraries, then we add the two aforementioned variables
- Then we call the "mktemp" binary, which is creating a temporary file (ending in .jpg, this is important)
- After that, we call another external binary: ffmpeg. This is responsible of taking the snapshot and saving it to our temporary file (rewriting it)
- Then comes the telegram stuff: bot initialization, send a text message and our picture
- Temporary file cleanup
telegram bot setup
Start Telegram on your PC or phone and open a chat with @botfather:
He'll ask for a name. Name it whatever you want (but it must end in 'bot')
Botfather will now give you the bot's token. Place this in the script, in place of 'XXXXXXXXXXXXXXX'.
Enable the privacy for this bot, just to be sure.
Obtaining the chat id is a bit tricky: the bot has to be running and answering to chats for that. So I wrote a small script:
#!/usr/bin/python import time import telepot bottoken = 'XXXXXXXXXXXXXXX' def handle(msg): content_type, chat_type, chat_id = telepot.glance(msg) print (chat_id) bot = telepot.Bot(bottoken); bot.message_loop(handle) # Keep the program running. CTRL+C to stop while 1: time.sleep(10)
Just put the token at the right place, then start the script: the bot will start to listen, you can then send him a message (with your telegram client) like this:
and it'll print to console the chat id. Once you have that, type CTRL+C to stop the program and throw it away. Put the chat id at the correct place in the final script and you're done.
- better pam integration (we don't like to mess with system pam configuration, it's better to add our own in a separate file)
- telegram bot setup
- check if webcam is available before taking the shot
- display snapshot
- configuration file
- .deb package
- get rid of mktemp in favor of python internals
- get rid of ffmpeg in favor of python's ffmpeg bindings