Home network security risk?

[Asharad]

Hello everyone. I am looking for some security advice for my home network. Today I discovered a strange computer had been discovered by Windows 7. I wasn't able to connect to it, nor could I resolve it's IP address. The only evidence of the connection was the name "Joshua-PC" was discovered by Windows 7. "Joshua-PC" is not a member of my LAN.

Here is what I discovered trying to track this down. My son admins a linux server on a RaspberryPI microPC. This box has Hamachi installed, and resides on a Hamachi VPN. He had allowed remote SSH access by members of his Hamachi VPN. One of his buddies on Hamachi owns a PC named "Joshua-PC", and had at some point connected to RaspberryPI via SSL. His computer appears to be the mystery computer discovered by my PC. However, my PC does not have Hamachi installed!

When we shutdown the RasberryPI machine, I could no longer discover "Joshua-PC". With RaspberryPI running, and Joshua-PC logged in by Hamachi/SSH, his machine becomes visible again. I spent some time on Skype with Joshua, and he claims that my machine is not discoverable to him. He can only see machines that are Hamachi VPN members.

I have asked my son to uninstall Hamachi from the RaspberryPI machine, and to disallow SSH outside our LAN. I have two questions:

1. How is it possible that a remote PC connected via VPN/SSH to RaspberryPI can become discoverable by non-VPN machines on the same LAN?
2. Is there anything else I should do?

I will provide a network diagram, in case it helps anyone. Hamachi is installed on 5 machines:
- MBP-MOBILE (Ubuntu)
- MBP-PC (Win7)
- JCP-MOBILE (Ubuntu)
- JCP-PC (Win7)
- RaspberryPI (Linux 3.6.11+ armv61)
My machine, which doesn't have Hamachi is MWP-PC (Win7). It is the machine that discovered "Joshua-PC". "Joshua-PC" is a VPN member, and is not on our LAN.

 

[bloodypulp]

Once Joshua-PC connects to VPN, he becomes part of your network. You need to setup access lists between your LAN pool and the VPN pool

 

[Asharad]

Once Joshua-PC connects to VPN, he becomes part of your network. You need to setup access lists between your LAN pool and the VPN pool

Thanks. I'm not sure I understand what needs to be done, but I can google it. The reason I'm confused is how can he access the rest of our LAN from one VPN connection? I thought VPN was private from whatever physical LAN it travels.

 

[Electrofreak]

Thanks. I'm not sure I understand what needs to be done, but I can google it. The reason I'm confused is how can he access the rest of our LAN from one VPN connection? I thought VPN was private from whatever physical LAN it travels.

Well that's really the point of a VPN; to allow a device to access your LAN via a WAN link.

Your son is probably doing it so he can do some sort of gaming that typically requires the other player to have a PC present on the LAN.

Unfortunately this works almost too well and does make the device a member of your LAN. If you don't know "Joshua" personally and you are the "admin" of your LAN, you are completely warranted in having your son discontinue the Hamachi connection.

I actually have a Hamachi connection I haven't used in years. I just fired it up, and to my surprise, my brother's PC was connected. So I did whatever any good brother would do and hit my little bro with Nmap, a port scanner and vulnerability tester.

Starting Nmap 6.25 ( http://nmap.org ) at 2013-03-30 20:22 Eastern Daylight Time
NSE: Loaded 106 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 20:22
Scanning X.X.X.X [1 port]
Completed ARP Ping Scan at 20:22, 0.82s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:22
Completed Parallel DNS resolution of 1 host. at 20:22, 0.07s elapsed
Initiating SYN Stealth Scan at 20:22
Scanning X.X.X.X [1000 ports]
Discovered open port 139/tcp
Discovered open port 135/tcp
Discovered open port 445/tcp
Discovered open port 2869/tcp
Discovered open port 49155/tcp
Completed SYN Stealth Scan at 20:22, 5.04s elapsed (1000 total ports)
Initiating UDP Scan at 20:22
Scanning X.X.X.X [1000 ports]
Discovered open port 137/udp on X.X.X.X
Completed UDP Scan at 20:22, 4.24s elapsed (1000 total ports)

I ran a service scan as well but it had problems completing, so I cancelled it. Hopefully this was due to some blocking on Hamachi's side, but I wouldn't bet on it.

 

[Asharad]

Thanks. I guess still have a lot to learn about networking. My son thinks I'm over-reacting, but I did get him to uninstall Hamachi.

 

[Jesse B]

I actually have a Hamachi connection I haven't used in years. I just fired it up, and to my surprise, my brother's PC was connected. So I did whatever any good brother would do and hit my little bro with Nmap, a port scanner and vulnerability tester.

*snip*

Such a good brother Also, are those NetBIOS ports I see!?

 

[Electrofreak]

Thanks. I guess still have a lot to learn about networking. My son thinks I'm over-reacting, but I did get him to uninstall Hamachi.

Tell your son to hop on here, we'll straighten him out!

Again though, from what I could see, Hamachi (or maybe just Windows Firewall) did block most ports. However, I'm not a hacker and I did cancel the penetration test so I didn't see what could have been exploited via the VPN tunnel.

I told my brother I'd tested him. He actually works with me at the same ISP so he can appreciate the fact. I sent him the Nmap results and with almost no hesitation he shut down Hamachi; it's set to connect on startup and he hadn't thought to disable it.

I have really no idea how the Hamachi topology works, but it looks like the PCs actually connect back to a Hamachi DMVPN with LogMeIn IP addresses. It's very possible that LogMeIn has all the traffic pass through a firewall so it could be it's a lot more secure than it would be if the connection was established directly between peers. In which case, who knows, there may be nothing to worry about. That said, if Hamachi blocked everything, then the service would be relatively useless; the whole point is to allow communication between 2 devices that might not be able to otherwise.

Such a good brother Also, are those NetBIOS ports I see!?

Yep! I'm going to guess that's how it handles assigning hostnames to IPs connected to the DMVPN, assuming my guess is correct.