Community


All times are UTC - 5 hours




Post new topic Reply to topic  [ 3 posts ] 
Author Message
 Post subject: Clients can still login after account is disabled/deleted!
PostPosted: Mon Oct 12, 2015 12:58 pm 
Offline

Joined: Sun Aug 23, 2015 10:39 am
Posts: 7
Hello,
I have NeoRouter Free server installed on Debian Wheezy 7.9, server version is 2.3.1.4360. I also have client running NeoRouter Free client v.2.3.1.4360 on another Debian machine (also Wheezy 7.9). I use Windows utility "NeoRouter Configuration Explorer" to manage users.
THE PROBLEM: I have created user "john", password "john123". I have run "nrclientcmd -d SERVER:PORT -u john -p john123" and successfully connected into my NeoRouter VPN. Now, using NeoRouter Configuration Explorer", I have disabled user "john". My Linux client is still connected. OK. Let's restart nrservice.sh on client... Restarted. We are connected to the VPN in again - despite user "john" is now disabled! OK, let's delete user "john". Deleted. Restarted nrservice.sh on client machine. We are connected to the VPN again! How come? I don't understand, really. With what credentials has the client logged in? The username "john" is already deleted! OK, let's restart server. Let's restart client. Nothing. My client is still able to log in into VPN.
Just FYI, I do not use GUI nor on server, neither on client machines, probably it is nto important, but anyway.
Let's do some testing. When I run "nrclientcmd -d SERVER:PORT -u john -p john123" after I disable/delete user "john", I am unable to login. That's OK. But if I run command "service nrservice.sh restart" then I become connected to VPN again! I ask the same question again - with what credentials has the client logged in? I run "ifconfig" - and nrtap interface is here, I see my VPN 10.0.0.X IP, I can ping other machines connected to the VPN and everything is working. I am connected. And I really should NOT be.
One more detail - my Linux client is actually a VMWare Workstation virtual machine which runs on a Windows computer, which is itself connected to the NeoRouter VPN. I don't know whether it makes any difference.
The only way I can prevent client connecting to VPN is to delete computer from the list of computers in NeoRouter Configuration Explorer. This way (after disabling/deleting user account) it can't connect to VPN anymore. But as soon as it gets connected at least once (and gets VPN IP) I can do whatever I want (disable or delete user account), NeoRouter service will ALWAYS connect machine to the VPN. I am sorry, but this is just ridiculous and I can't believe that it works this way.
Interesting, it does not happens with Windows clients, which use NeoRouter Network Explorer. On Windows, I am unable to login into VPN when I disable or delete user. So Windows clients work correctly.

I really don't understand what's going on here. Please tell me that it is not some giant security hole I have just discovered. Developers, please respond.


Top
 Profile  
 
 Post subject: Re: Clients can still login after account is disabled/deleted!
PostPosted: Tue Oct 13, 2015 3:21 pm 
Offline

Joined: Tue Feb 10, 2009 4:11 am
Posts: 96
Here's my understandings:
1. a client has HardwareID and HardwareID2 (in Client.xml);
2. server keeps a list of known clients with their HardwareID/HardwareID2, along with their computer names (in NeoRouter_0_0_1.db);
3. server does not need client to log in with username/password, as long as a client's HardwareID/HardwareID2 is in the known client list, neorouter connection will be established.

Your username/password is only for running nrclientcmd or NeoRouter Network Explorer so you can check computer's names, online status, etc., the neorouter connection has been established long before you run nrclientcmd.

Of course, before your computer successfully establishes a connection for the very first time, the server does not have client's HardwareID/HardwareID2 yet, so for just once you do need to use a pair of username/password to log in so the client can send its HardwareID/HardwareID2 to the server. The server does not remember which user/password you used to login (either admin or normal user, the connection is the same), neither does it need client to login after it's in the known client list.

After you disabled user 'john', on a known client you can still use enabled user 'jane' to run nrclientcmd.


Top
 Profile  
 
 Post subject: Re: Clients can still login after account is disabled/deleted!
PostPosted: Tue Oct 13, 2015 5:13 pm 
Offline

Joined: Sun Aug 23, 2015 10:39 am
Posts: 7
Yes, it seems that you are correct with server checking hardware ID of the computer, and not login/password themselves. This is probably the only possible explanation.
However, at least in my understanding, this leads to some security risks. I would even say to huge ones.
Basically, it means that I (as server administrator) am unable to control the ability of the clients to connect into my VPN. As soon as the client manages to connect for the first time, he will be always be able to connect, no matter what (well, at least, until hardware ID of his computer changes).
In this case I don't understand what's the point of the whole user account system (particularly, the option to enable/disable user access).
What concerns security risks I mentioned, here is my personal situation. I use NeoRouter to administer computers of my family relatives. Inside VPN, all clients have the privilege to access several services (shared family photos, videos, FTP server, database server, family website etc.). Now imagine one of the computers in my network gets infected with malware, or gets stolen. In my understanding, I would immediately disable corresponding user account to prevent accessing the VPN network. However, with NeoRouter, I am out of luck. Even if the attacker (human or malware) can't log in into NeoRouter Network Explorer (after I disable/delete corresponding user), he can still connect to all network services available inside the VPN (shared files, FTP server, etc.). Of course, one could say that I should protect access to above mentioned shared files, FTP server etc. with additional authentication - and, obviously, these services are protected. But what about, for example, our family website (which is not exposed to Internet and is available ONLY inside VPN)? The attacker could happily access it and I can't do anything about it. Also, attacker could execute various attacks (brute-force, DDOS, etc.) and again - I can't do anything about it. I mean, I can play with some firewall rules and disable access for compromised computer manually, but this is just a kludge and it is not how things are supposed to work.
Or imagine the situation when I want to allow my friend to temporary access my VPN. After he connects once, I can't control him anymore, he always be able to login, even if I disable or delete his account.
This very fact, that I, as administrator of the VPN server, am UNABLE to control who connects into my VPN, makes me quite desperate. I would expect different behaviour - if I disable John's account, John is not able to login into VPN anymore. This is how all network systems normally work. And even if NeoRouter's developers have chosen to use such a strange authentication policy (using hardware ID for known computers), they should provide some possibility to remove a computer from a list of known clients on the server. Unfortunately, it does not seem to be possible (or at least I don't know how to do that without editing NeoRouter_0_0_1.db file directly - which I see as a very dirty solution).
What can I say... As someone who takes security concerns very seriously, I would immediately want to switch to a different product. If there was one. Unfortunately, I am not aware of any other product that can provide all the features that NeoRouter provides (Linux/Windows clients and full mesh VPN being the most important of them).

P.S. Still waiting for developers to comment.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 14 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron