Mac OS X Security

Rick Hill
UC Davis, Engineering ,Webmaster
Jackie Simmons
UC Davis, Engineering, Deans Office
Paul Waterstraat
UC Davis, Geology, Systems Manager

Mac OS X Security
Trust No One
Fox Mulder - The X Files

Computer security is the result of a

long unbroken chain of diligence.
Paul Waterstraat

Network Security
Server Security
Wired & Wireless Security
2

Enabling and Disabling Services

Internal Monitoring of Services

Sharing and Server Settings
netstat
host
lsof
External Monitoring of Services
nmap
3

Mac OS X client
Out of the box, Mac
OS X is pretty
secure.
If you check the
Sharing System
Preference youll
find things disabled
by default.

Mac OS X Server
Server Settings.app can show you the status of the
common services that Apple has supplied with Mac
OS X Server. Out of the box, if you dont enable
any services your machine is pretty secure.

Mac OS X
But how do I know there arent other ports or
daemons or service running that leave my machine
vulnerable to the network?
On the next few slides Ill describe a couple of tools
you can use on the machine itself and from an
external machine to determine which ports are
open and who is connecting to them.

It is most important to become familiar with what your server looks like under
normal conditions and load. Otherwise you wont be able to tell the normal
connections from the hacked connections.

/usr/sbin/netstat
Use the netstat command to list the active and
pending TCP/IP connections between your machine
and the network. This is a useful tool if you suspect
that someone is breaking into your computer or
using your computer to break into other
computers.
The commands output displays the host and port
number of each end of the connection, and the
connections current status.

The buzzword for this type of thing is Host Based Analysis.

netstat
Use the terminal command netstat to learn on
which ports your computer is listening for
connections.
epaul% /usr/sbin/netstat -a -f inet | grep LISTEN
Active Internet connections
Proto Recv-Q Send-Q Local Address
tcp4
tcp4

0
0

0
0

localhost.ipp
localhost.1033

Foreign Address

(state)

*.*

LISTEN
LISTEN

Text *.*

Two ports are open. The ipp port is the CUPS

printing software and port 1033 is netinfo. Both
client and server look like this with nothing enabled.

The localhost to the left of the port numbers in the Local Address column
means that the service will only allow connections from itself. e.g. localhost.ipp
will only allow connections from localhost.
To see this, open a web page to http://localhost:631 or http://127.0.0.1:631.
If there is a star to the left of the service port number, as in *.ipp, then it will
accept connections from anywhere.
As you make your server more server-like by turning on services, use netstat to
see what things look like with those services running.

Compare that with a Sun Workstation running Solaris 8

Sun Microsystems Inc.
SunOS 5.8
amber% netstat -a -f inet | grep LISTEN
TCP Local Address
Remote Address
Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ ------localhost.4999
*.*
0
0 24576
0 LISTEN
*.sunrpc
*.*
0
0 24576
0 LISTEN
*.ftp
*.*
0
0 24576
0 LISTEN
*.telnet
*.*
0
0 24576
0 LISTEN
*.shell
*.*
0
0 24576
0 LISTEN
*.login
*.*
0
0 24576
0 LISTEN
*.exec
*.*
0
0 24576
0 LISTEN
*.exec
*.*
0
0 24576
0 LISTEN
*.uucp
*.*
0
0 24576
0 LISTEN
*.finger
*.*
0
0 24576
0 LISTEN
*.time
*.*
0
0 24576
0 LISTEN
*.echo
*.*
0
0 24576
0 LISTEN
*.discard
*.*
0
0 24576
0 LISTEN
*.daytime
*.*
0
0 24576
0 LISTEN
*.chargen
*.*
0
0 24576
0 LISTEN
*.32771
*.*
0
0 24576
0 LISTEN
*.32772
*.*
0
0 24576
0 LISTEN
*.32773
*.*
0
0 24576
0 LISTEN
*.32774
*.*
0
0 24576
0 LISTEN
*.fs
*.*
0
0 24576
0 LISTEN
*.32775
*.*
0
0 24576
0 LISTEN
*.printer
*.*
0
0 24576
0 LISTEN
*.lockd
*.*
0
0 24576
0 LISTEN
*.dtspc
*.*
0
0 24576
0 LISTEN
*.8888
*.*
0
0 24576
0 LISTEN
*.32777
*.*
0
0 24576
0 LISTEN
*.32778
*.*
0
0 24576
0 LISTEN
*.32779
*.*
0
0 24576
0 LISTEN
*.27000
*.*
0
0 24576
0 LISTEN
*.33945
*.*
0
0 24576
0 LISTEN
*.898
*.*
0
0 24576
0 LISTEN
*.5987
*.*
0
0 24576
0 LISTEN
*.34209
*.*
0
0 24576
0 LISTEN
*.6000
*.*
0
0 24576
0 LISTEN

I count 34 ports listening for connections. And they can come from anywhere.

netstat
Now, I open a web page http://security.ucdavis.edu,
and an ssh session with quartz.geology.ucdavis.edu.
Use netstat to see what connections are now open.
epaul% /usr/sbin/netstat -a -f inet
Active Internet connections
Proto Recv-Q Send-Q Local Address
tcp4
0
0 ammonite.geology.49205
tcp4
0
0 ammonite.geology.49203
tcp4
0
0 ammonite.geology.49202
tcp4
0
0 ammonite.geology.49201
tcp4
0
0 ammonite.geology.49200
tcp4
0
0 ammonite.geology.49199
tcp4
0
0 ammonite.geology.49198
tcp4
0
0 localhost.1033
tcp4
0
0 localhost.968
tcp4
0
0 localhost.ipp
tcp4
0
0 localhost.1033

Foreign Address
quartz.geology.u.ssh
192.35.210.223.http
a192-35-210-200..http
des067.ucdavis.e.http
des067.ucdavis.e.http
des067.ucdavis.e.http
des067.ucdavis.e.http
localhost.968
localhost.1033
*.*
*.*

(state)
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
LISTEN
LISTEN

10

Ive opened up an ssh session to quartz.geology.ucdavis.edu and opened a web

page to http://security.ucdavis.edu (des067.ucdavis.edu), which, in turn, has
links to:
http://wdcs.trendmicro.com/dcs.gif () and http://www.trendmicro.com/
syndication/images/pb_trend_white.gif
WKS tend to run on privliged ports < 1024 on which they listen for
connections.
Out going connections tend to be on high numbered ports > 1024
Open the Activity window in Safari to see all the connections that it takes to
build the web page.

netstat
First, heres the ssh connection to quartz:
Active Internet connections
Proto Recv-Q Send-Q Local Address
Foreign Address
tcp4
0
0 ammonite.geology.49205 quartz.geology.u.ssh

(state)
ESTABLISHED

Next are the connection that result from opening

the web page at security.ucdavis.edu
tcp4
tcp4
tcp4
tcp4
tcp4
tcp4

0
0
0
0
0
0

0
0
0
0
0
0

ammonite.geology.49203
ammonite.geology.49202
ammonite.geology.49201
ammonite.geology.49200
ammonite.geology.49199
ammonite.geology.49198

192.35.210.223.http
a192-35-210-200..http
des067.ucdavis.e.http
des067.ucdavis.e.http
des067.ucdavis.e.http
des067.ucdavis.e.http

ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED

But wheres security.ucdavis.edu? The host command

shows us that its an alias for des067.ucdavis.edu
epaul% /usr/bin/host security.ucdavis.edu
security.ucdavis.edu is a nickname for des067.ucdavis.edu
des067.ucdavis.edu has address 169.237.11.67

11

Or, for the command line challenged, you can use the Network Utilitys Lookup
function.

netstat
You may have noticed that netstat displays only 22
characters of host and port information.
tcp4
tcp4

0
0

0
0

ammonite.geology.49203 192.35.210.223.http
ammonite.geology.49202 a192-35-210-200..http

ESTABLISHED
ESTABLISHED

Use -n to show addresses as numbers.

epaul% /usr/sbin/netstat -a -f inet -n
Active Internet connections
Proto Recv-Q Send-Q Local Address
tcp4
0
0 169.237.93.100.49205
tcp4
0
0 169.237.93.100.49218
tcp4
0
0 169.237.93.100.49216
tcp4
0
0 169.237.93.100.49215
tcp4
0
0 169.237.93.100.49214
tcp4
0
0 169.237.93.100.49213
tcp4
0
0 169.237.93.100.49212

Foreign Address
169.237.93.2.22
192.35.210.200.80
192.35.210.223.80
169.237.11.67.80
169.237.11.67.80
169.237.11.67.80
169.237.11.67.80

(state)
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED

Use the host command to look up names.

epaul% /usr/bin/host 192.35.210.200
200.210.35.192.IN-ADDR.ARPA domain name pointer
a192-35-210-200.deploy.akamaitechnologies.com

The ssh port is now displayed as 22, and the http port as 80.

12

/etc/services
The file /etc/services is a comprehensive list of
well known network services and the ports on
which they run.
epaul% /bin/cat /etc/services
# Network services, Internet style
#
...
echo
7/tcp
echo
7/udp
discard
9/tcp
sink null
systat
11/tcp
users
#Active Users
chargen
19/tcp
ttytst source
#Character Generator
ftp-data
20/tcp
#File Transfer [Default Data]
ftp
21/tcp
#File Transfer [Control]
ssh
22/tcp
#Secure Shell Login
telnet
23/tcp
#
24/tcp
any private mail system
smtp
25/tcp
mail
#Simple Mail Transfer
...
wnn6_DS
26208/tcp
#Wnn6 (Dserver)

13

Note that it is presently the policy of IANA to assign a single well-known port
number for both TCP and UDP; hence, most entries here have two entries even
if the protocol doesn't support UDP operations.
Updated from RFC 1700, Assigned Numbers (October 1994). All ports are
included.

Heres another netstat display

epaul% /usr/sbin/netstat -f inet -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address
Foreign Address
tcp4
0
0 theoffice.geolog.ssh
terpsichore.geol.49152
tcp4
0
0 theoffice.geolog.49174 palladium.geolog.49770
tcp4
0
0 theoffice.geolog.49174 onyx.geology.ucd.49162
tcp4
0
0 theoffice.geolog.49174 dunite.geology.u.49228
tcp4
0
0 theoffice.geolog.49174 amazonite.geolog.49158
tcp4
0
0 theoffice.geolog.afpov amazonite.geolog.49153
tcp4
0
0 theoffice.geolog.49174 neuromancer.geol.49156
tcp4
0
0 theoffice.geolog.afpov smilodon.geology.49154

(state)
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED

We see an ssh connection and AppleShareIP (afpovertcp)

connections, but whats running on port 49174? A grep for
49174 in /etc/services finds nothing.
epaul% /usr/bin/grep ssh /etc/services
ssh
22/tcp
#Secure Shell Login
ssh
22/udp
#Secure Shell Login
epaul% /usr/bin/grep 49174 /etc/services
epaul%

14

/usr/sbin/lsof
Some of the ports on which the computer is
listening have no corresponding entries in /etc/
services and so are listed only by number. But we
can use lsof, list open files, to show what process is
listening on port 49174.
epaul% /usr/bin/sudo /usr/sbin/lsof -i:49174
COMMAND PID USER
FD
TYPE
DEVICE SIZE/OFF NODE NAME
mmserver 536 root
7u inet 0x03d64a6c
0t0 TCP *:49174 (LISTEN)
mmserver 536 root
12u inet 0x03d6175c
0t0 TCP
theoffice.geology.ucdavis.edu:49174->chalcedony.geology.ucdavis.edu:49441
(ESTABLISHED)
mmserver 536 root
13u inet 0x03d0e1dc
0t0 TCP
theoffice.geology.ucdavis.edu:49174->neuromancer.geology.ucdavis.edu:49156
(ESTABLISHED)

We see that mmserver, the MeetingMaker Server, is

running on port 49174.

15

Add entries to /etc/services

You can add your own entries for services you use to the
/etc/services file. Such as
automount
itunes
ichat
mmserver

1023/udp
3689/tcp
5298/tcp
49174/tcp

#Automounter
#iTunes
#iChatAgent
#Meeting Maker server

Then netstat will display the service name instead of

the port number. Also use service names with lsof.
epaul% /usr/sbin/netstat -a -f inet
Proto Recv-Q Send-Q Local Address
Foreign Address
tcp4
0 33304 neuromancer.geol.itune ammonite.geology.49163
tcp4
0
0 neuromancer.geol.itune ammonite.geology.49157
...
epaul% sudo /usr/sbin/lsof -i:itunes
COMMAND PID
USER
FD
TYPE
DEVICE SIZE/OFF NODE NAME
iTunes 421 epaul
14u inet 0x02779f4c
0t0 TCP *:itunes
iTunes 421 epaul
17u inet 0x03089cbc
0t0 TCP
neuromancer.geology.ucdavis.edu:itunes->
ammonite.geology.ucdavis.edu:49171 (ESTABLISHED)
iTunes 421 epaul
18u inet 0x0277acbc
0t0 TCP
neuromancer.geology.ucdavis.edu:itunes->
ammonite.geology.ucdavis.edu:49157 (ESTABLISHED)

(state)
ESTABLISHED
ESTABLISHED

(LISTEN)

16

nmap
Use nmap from an external host (e.g. your desktop)
to scan your servers for open ports.
epaul% /sw/bin/nmap -sT amber.geology.ucdavis.edu
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on amber.geology.ucdavis.edu (169.237.93.62):
(The 1572 ports scanned but not shown below are in state: closed)
Port
State
Service
7/tcp
open
echo
9/tcp
open
discard
13/tcp
open
daytime
19/tcp
open
chargen
21/tcp
open
ftp
23/tcp
open
telnet
37/tcp
open
time
79/tcp
open
finger
111/tcp
open
sunrpc
512/tcp
open
exec
513/tcp
open
login
514/tcp
open
shell
515/tcp
open
printer
32771/tcp open
sometimes-rpc5
...
32779/tcp open
sometimes-rpc21
Remote operating system guess: Solaris 8 early access beta through actual release
Uptime 15.757 days (since Tue May 20 15:35:09 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 54 seconds

17

Standard disclaimer: nmap has been known to crash systems that it is probing,
to crash routers and switches on the network, and to take down printers with
wimpy IP stacks.
Let your network operations center know that you will be conducting scans.
Also check with your local network policy about what conditions scanning is
permitted.

Not to Sound Paranoid, But...

How do you know that your copies of netstat, lsof,
top, Process Viewer, and other apps have not been
hacked so that they hide the ports and processes
that the hacker is using?
Programs like Tripwire can be installed to note
changes in your system files/applications and notify
you of any changes.
http://sourceforge.net/projects/tripwire
Brian Hill has written CheckMate that implements a
tripwire-like algorithm for Mac OS X.
http://personalpages.tds.net/~brian_hill
18

CheckMate
CheckMate installs as a System Preference

19

CheckMate
Export a copy of your files and checksums and put this
somewhere other than the computer you've scanned.

20

CheckMate
You can do manual scans as well as automated ones.

21

Eavesdropping and Snooping

No matter how tightly secured you computer
configuration may be, once your information begins
traveling over the network its vulnerable to
eavesdropping. A bad guy doesnt need to attack
your computer directly to gain access to your
sensitive information. No talent, programming, or
networking experience is required to eavesdrop on
a network. The software works like this:
1. You connect to the network
2. You start it.
3. You tell it to record passwords or packets.
4. You take your recorded passwords and go.
22

Shared, Switched, or Wireless

All Networks Are Vulnerable!
Session hijacking was previously very difficult.
Ettercap can be used to implement a man-in-themiddle attack without its user having any knowledge
of networking or spoofing. Ettercap can sniff packets
between any two hosts on a switched LAN. It can
log passwords for TELNET, FTP, POP, SMB, SSH1,
HTTP, X11, IMAP4, SNMP, IRC, SOCKS5, ICQ
Beginning with Mac OS X Server 10.2, AppleShare
connections can be automatically tunneled via ssh,
providing full, end-to-end, encryption of the traffic.
23

Ettercap is so scary because of its ability to easily do ARP cache poisoning.

Typically machines send out an ARP request asking for the address of another
machine, and it receives a reply. In APR poisoning the replies are sent without a
request being made. The sniffer basically tells the rest of the network that IT IS
every machine on the network, and subsequently receives traffic for those
machines.
On the other hand, ettercap also has an ARP poisoning detector. So you can use
this to detect the bad guys.

Enabling SSH connections on server

24

SSH connections to the AppleShare server are not very well documents.
Page 239 of MacOSXServer_AdminGuide_121902.pdf says:
6 Select Enable Secure Connections if you want to allow client to connect
using secure AFP (uses SSH).

Connecting to the
File Server

25

On each client...
Click Options and enable Secure Connections

Default Connection

26

Note that top of the box lets you know that AppleShare will be making this
connection using the Two-Way Encrypted Password method.
Disable Clear Text Password (unless you need it to connect to legacy
AppleShare servers.)
Enable Allow Secure Connections using SSH
To ensure every AFS connection attempt makes use of SSH, youll need to
modify a general preference file. Edit each users ~/Library/Preferences/
.GlobalPreferences.plist file and locate the key. This key has a dictionary
object with various attributes related to AFS. In this dictionary, locate the key:
afp_cleartext_allow and make the value false.
<key>afp_cleartext_allow</key> <false/>

Preferred Connection

27

Next, locate the key afp_ssh_force and make it true:

<key>afp_ssh_force</key> <true/>
How do you tell if the connection that gets established is really secure and
encrypted?
These two changes prevent authentication credentials from being sent in the
clear text, and that all successful AFS connections are tunneled over ssh. With
each conection attempt, ssh is launched with options to forward some arbitrary
local port to the AFS port (548) on the remote server. If the remote server
dowsnt have SSH enabled, or the host verification fails, the AFS connection
attempt will also fail. [Mac OS X Security; Potter, Norvell, and Wotring; New
Riders Publishing, 2003]

Secure AFP Connection

If you succeed in making a secure connection you
should briefly see the following dialog box after you
click OK and before you are presented with the list
of mountable volumes on the remote AFP server.

netstat will show an ssh connection to the server

instead of an afpoverip connection.
[ammonite:~] testing% netstat -a -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address
Foreign Address
...
tcp4
0
0 ammonite.geology.49462 theoffice.geolog.ssh
...

(state)
ESTABLISHED

28

If you have set the afp_ssh_force key to true and you attempt to connect to a
server that does not support ssh and secure AFP connections. you will get a
Login Failed box, Unknown user, incorrect password, or log on is disabled.
Please retype the username and password or contact the servers administrator.
OK. No mention of unable to make secure connection. Click OK, but then you
cant cancel the Authentication Status box. You can kill it with a command-dot,
though.
Sweet! not!

For client-to-client connections

you can create your own SSH
tunnels manually.
Assuming the remote AFP server is running SSH and
you have a username and password for the server,
you can tunnel AppleShare traffic from port 548 on
the server to port 10548 on your local machine
using ssh.
epaul% ssh <username@afp-server> -L 10548:127.0.0.1:548

29

This creates an SSH tunnel from port 10548 on the localhost (127.0.0.1) to the
AFP port (548) on the remote afp-server host.

Encrypted AppleShare
Then use the Connect to Server in the Finder to
securely access your files and information using
afp://127.0.0.1:10548

30

Now Connect to Server to port 10548 on the localhost

(afp://127.0.0.1:10548)
So this does a file server connection to port 10548 on the local machine which,
in turn, is tunneled through SSH to the remote afp-server and forwarded to the
AFP port (548).
Click connect and see the login box from the remote afp-server.

Use Vapor to Create Tunnels

Vapor can be used to create tunnels for a variety of
protocols without using the command line.
http://www.afp548.com/Software/Vapor

31

Same idea, different services.

VaporSec from the same outfit can be used to construct IPsec tunnels.
Its a bit more complicated than Im indicating here. But its all documented on
the site.

Resources
Mac OS X Maximum Security
John Ray & William C. Ray
Sams, 1st Edition, 2003

Practical Unix & Internet Security

Simon Garfinkel, Gene Spafford & Alan Schwartz
OReilly, 3rd Edition, 2003

DDs Ultimate Guide to Mac OS X Security

http://homepage.mac.com/macbuddy/SecurityGuide.html

32

See also:
Building Internet Firewalls; Elizabeth D. Zwicky, Simon Cooper, & D. Brent
Chapman; OReilly, 2nd Edition, 2000.
Mac OS X Security; Bruce Potter, Preston Norvell, Brian Wotring; New Riders
Publications, 1st Edition, 2003.

Contact Information
Rick Hill
rrhill@ucdavis.edu
Jackie Simmons
jdsimmons@ucdavis.edu
Paul Waterstraat
waterstraat@geology.ucdavis.edu
computing.geology.ucdavis.edu/security/macosx

33