Professional Documents
Culture Documents
Mac OS X Security Tips
Mac OS X Security Tips
Rick Hill
UC Davis, Engineering ,Webmaster
Jackie Simmons
UC Davis, Engineering, Deans Office
Paul Waterstraat
UC Davis, Geology, Systems Manager
Mac OS X Security
Trust No One
Fox Mulder - The X Files
Network Security
Server Security
Wired & Wireless Security
2
Mac OS X client
Out of the box, Mac
OS X is pretty
secure.
If you check the
Sharing System
Preference youll
find things disabled
by default.
Mac OS X Server
Server Settings.app can show you the status of the
common services that Apple has supplied with Mac
OS X Server. Out of the box, if you dont enable
any services your machine is pretty secure.
Mac OS X
But how do I know there arent other ports or
daemons or service running that leave my machine
vulnerable to the network?
On the next few slides Ill describe a couple of tools
you can use on the machine itself and from an
external machine to determine which ports are
open and who is connecting to them.
It is most important to become familiar with what your server looks like under
normal conditions and load. Otherwise you wont be able to tell the normal
connections from the hacked connections.
/usr/sbin/netstat
Use the netstat command to list the active and
pending TCP/IP connections between your machine
and the network. This is a useful tool if you suspect
that someone is breaking into your computer or
using your computer to break into other
computers.
The commands output displays the host and port
number of each end of the connection, and the
connections current status.
netstat
Use the terminal command netstat to learn on
which ports your computer is listening for
connections.
epaul% /usr/sbin/netstat -a -f inet | grep LISTEN
Active Internet connections
Proto Recv-Q Send-Q Local Address
tcp4
tcp4
0
0
0
0
localhost.ipp
localhost.1033
Foreign Address
(state)
*.*
LISTEN
LISTEN
Text *.*
The localhost to the left of the port numbers in the Local Address column
means that the service will only allow connections from itself. e.g. localhost.ipp
will only allow connections from localhost.
To see this, open a web page to http://localhost:631 or http://127.0.0.1:631.
If there is a star to the left of the service port number, as in *.ipp, then it will
accept connections from anywhere.
As you make your server more server-like by turning on services, use netstat to
see what things look like with those services running.
I count 34 ports listening for connections. And they can come from anywhere.
netstat
Now, I open a web page http://security.ucdavis.edu,
and an ssh session with quartz.geology.ucdavis.edu.
Use netstat to see what connections are now open.
epaul% /usr/sbin/netstat -a -f inet
Active Internet connections
Proto Recv-Q Send-Q Local Address
tcp4
0
0 ammonite.geology.49205
tcp4
0
0 ammonite.geology.49203
tcp4
0
0 ammonite.geology.49202
tcp4
0
0 ammonite.geology.49201
tcp4
0
0 ammonite.geology.49200
tcp4
0
0 ammonite.geology.49199
tcp4
0
0 ammonite.geology.49198
tcp4
0
0 localhost.1033
tcp4
0
0 localhost.968
tcp4
0
0 localhost.ipp
tcp4
0
0 localhost.1033
Foreign Address
quartz.geology.u.ssh
192.35.210.223.http
a192-35-210-200..http
des067.ucdavis.e.http
des067.ucdavis.e.http
des067.ucdavis.e.http
des067.ucdavis.e.http
localhost.968
localhost.1033
*.*
*.*
(state)
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
LISTEN
LISTEN
10
netstat
First, heres the ssh connection to quartz:
Active Internet connections
Proto Recv-Q Send-Q Local Address
Foreign Address
tcp4
0
0 ammonite.geology.49205 quartz.geology.u.ssh
(state)
ESTABLISHED
0
0
0
0
0
0
0
0
0
0
0
0
ammonite.geology.49203
ammonite.geology.49202
ammonite.geology.49201
ammonite.geology.49200
ammonite.geology.49199
ammonite.geology.49198
192.35.210.223.http
a192-35-210-200..http
des067.ucdavis.e.http
des067.ucdavis.e.http
des067.ucdavis.e.http
des067.ucdavis.e.http
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
11
Or, for the command line challenged, you can use the Network Utilitys Lookup
function.
netstat
You may have noticed that netstat displays only 22
characters of host and port information.
tcp4
tcp4
0
0
0
0
ammonite.geology.49203 192.35.210.223.http
ammonite.geology.49202 a192-35-210-200..http
ESTABLISHED
ESTABLISHED
Foreign Address
169.237.93.2.22
192.35.210.200.80
192.35.210.223.80
169.237.11.67.80
169.237.11.67.80
169.237.11.67.80
169.237.11.67.80
(state)
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
The ssh port is now displayed as 22, and the http port as 80.
12
/etc/services
The file /etc/services is a comprehensive list of
well known network services and the ports on
which they run.
epaul% /bin/cat /etc/services
# Network services, Internet style
#
...
echo
7/tcp
echo
7/udp
discard
9/tcp
sink null
systat
11/tcp
users
#Active Users
chargen
19/tcp
ttytst source
#Character Generator
ftp-data
20/tcp
#File Transfer [Default Data]
ftp
21/tcp
#File Transfer [Control]
ssh
22/tcp
#Secure Shell Login
telnet
23/tcp
#
24/tcp
any private mail system
smtp
25/tcp
mail
#Simple Mail Transfer
...
wnn6_DS
26208/tcp
#Wnn6 (Dserver)
13
Note that it is presently the policy of IANA to assign a single well-known port
number for both TCP and UDP; hence, most entries here have two entries even
if the protocol doesn't support UDP operations.
Updated from RFC 1700, Assigned Numbers (October 1994). All ports are
included.
(state)
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
14
/usr/sbin/lsof
Some of the ports on which the computer is
listening have no corresponding entries in /etc/
services and so are listed only by number. But we
can use lsof, list open files, to show what process is
listening on port 49174.
epaul% /usr/bin/sudo /usr/sbin/lsof -i:49174
COMMAND PID USER
FD
TYPE
DEVICE SIZE/OFF NODE NAME
mmserver 536 root
7u inet 0x03d64a6c
0t0 TCP *:49174 (LISTEN)
mmserver 536 root
12u inet 0x03d6175c
0t0 TCP
theoffice.geology.ucdavis.edu:49174->chalcedony.geology.ucdavis.edu:49441
(ESTABLISHED)
mmserver 536 root
13u inet 0x03d0e1dc
0t0 TCP
theoffice.geology.ucdavis.edu:49174->neuromancer.geology.ucdavis.edu:49156
(ESTABLISHED)
15
1023/udp
3689/tcp
5298/tcp
49174/tcp
#Automounter
#iTunes
#iChatAgent
#Meeting Maker server
(state)
ESTABLISHED
ESTABLISHED
(LISTEN)
16
nmap
Use nmap from an external host (e.g. your desktop)
to scan your servers for open ports.
epaul% /sw/bin/nmap -sT amber.geology.ucdavis.edu
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on amber.geology.ucdavis.edu (169.237.93.62):
(The 1572 ports scanned but not shown below are in state: closed)
Port
State
Service
7/tcp
open
echo
9/tcp
open
discard
13/tcp
open
daytime
19/tcp
open
chargen
21/tcp
open
ftp
23/tcp
open
telnet
37/tcp
open
time
79/tcp
open
finger
111/tcp
open
sunrpc
512/tcp
open
exec
513/tcp
open
login
514/tcp
open
shell
515/tcp
open
printer
32771/tcp open
sometimes-rpc5
...
32779/tcp open
sometimes-rpc21
Remote operating system guess: Solaris 8 early access beta through actual release
Uptime 15.757 days (since Tue May 20 15:35:09 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 54 seconds
17
Standard disclaimer: nmap has been known to crash systems that it is probing,
to crash routers and switches on the network, and to take down printers with
wimpy IP stacks.
Let your network operations center know that you will be conducting scans.
Also check with your local network policy about what conditions scanning is
permitted.
CheckMate
CheckMate installs as a System Preference
19
CheckMate
Export a copy of your files and checksums and put this
somewhere other than the computer you've scanned.
20
CheckMate
You can do manual scans as well as automated ones.
21
24
SSH connections to the AppleShare server are not very well documents.
Page 239 of MacOSXServer_AdminGuide_121902.pdf says:
6 Select Enable Secure Connections if you want to allow client to connect
using secure AFP (uses SSH).
Connecting to the
File Server
25
On each client...
Click Options and enable Secure Connections
Default Connection
26
Note that top of the box lets you know that AppleShare will be making this
connection using the Two-Way Encrypted Password method.
Disable Clear Text Password (unless you need it to connect to legacy
AppleShare servers.)
Enable Allow Secure Connections using SSH
To ensure every AFS connection attempt makes use of SSH, youll need to
modify a general preference file. Edit each users ~/Library/Preferences/
.GlobalPreferences.plist file and locate the key. This key has a dictionary
object with various attributes related to AFS. In this dictionary, locate the key:
afp_cleartext_allow and make the value false.
<key>afp_cleartext_allow</key> <false/>
Preferred Connection
27
(state)
ESTABLISHED
28
If you have set the afp_ssh_force key to true and you attempt to connect to a
server that does not support ssh and secure AFP connections. you will get a
Login Failed box, Unknown user, incorrect password, or log on is disabled.
Please retype the username and password or contact the servers administrator.
OK. No mention of unable to make secure connection. Click OK, but then you
cant cancel the Authentication Status box. You can kill it with a command-dot,
though.
Sweet! not!
29
This creates an SSH tunnel from port 10548 on the localhost (127.0.0.1) to the
AFP port (548) on the remote afp-server host.
Encrypted AppleShare
Then use the Connect to Server in the Finder to
securely access your files and information using
afp://127.0.0.1:10548
30
31
Resources
Mac OS X Maximum Security
John Ray & William C. Ray
Sams, 1st Edition, 2003
32
See also:
Building Internet Firewalls; Elizabeth D. Zwicky, Simon Cooper, & D. Brent
Chapman; OReilly, 2nd Edition, 2000.
Mac OS X Security; Bruce Potter, Preston Norvell, Brian Wotring; New Riders
Publications, 1st Edition, 2003.
Contact Information
Rick Hill
rrhill@ucdavis.edu
Jackie Simmons
jdsimmons@ucdavis.edu
Paul Waterstraat
waterstraat@geology.ucdavis.edu
computing.geology.ucdavis.edu/security/macosx
33