Rick HillUC Davis, Engineering ,Webmaster

Jackie SimmonsUC Davis, Engineering, Deans’ Office

Paul WaterstraatUC Davis, Geology, Systems Manager

Mac OS X Security

1

• Network Security

• Server Security

• Wired & Wireless Security

Mac OS X Security“Trust No One”Fox Mulder - The X Files

“Computer security is the result of a long unbroken chain of diligence.”

Paul Waterstraat

2

• Internal Monitoring of Services

• Sharing and Server Settings

• netstat

• host

• lsof

• External Monitoring of Services

• nmap

Enabling and Disabling Services

3

Mac OS X client

Out of the box, Mac OS X is pretty secure.

If you check the Sharing System Preference you’ll find things disabled by default.

4

Mac OS X ServerServer Settings.app can show you the status of the common services that Apple has supplied with Mac OS X Server. Out of the box, if you don’t enable any services your machine is pretty secure.

5

Mac OS X

But how do I know there aren’t other ports or daemons or service running that leave my machine vulnerable to the network?

On the next few slides I’ll describe a couple of tools you can use on the machine itself and from an external machine to determine which ports are open and who is connecting to them.

It is most important to become familiar with what your server looks like under “normal” conditions and load. Otherwise you won’t be able to tell the normal connections from the hacked connections.

6

/usr/sbin/netstatUse the netstat command to list the active and pending TCP/IP connections between your machine and the network. This is a useful tool if you suspect that someone is breaking into your computer or using your computer to break into other computers.

The command’s output displays the host and port number of each end of the connection, and the connection’s current status.

The buzzword for this type of thing is “Host Based Analysis.”7

netstat

Text

Use the terminal command netstat to learn on which ports your computer is listening for connections.epaul% /usr/sbin/netstat -a -f inet | grep LISTEN

Active Internet connectionsProto Recv-Q Send-Q Local Address Foreign Address (state)

tcp4 0 0 localhost.ipp *.* LISTENtcp4 0 0 localhost.1033 *.* LISTEN

Two ports are open. The ipp port is the CUPS printing software and port 1033 is netinfo. Both client and server look like this with nothing enabled.

The localhost to the left of the port numbers in the Local Address column means that the service will only allow connections from itself. e.g. localhost.ipp will only allow connections from localhost.To see this, open a web page to http://localhost:631 or http://127.0.0.1:631. If there is a star to the left of the service port number, as in *.ipp, then it will accept connections from anywhere.As you make your server more server-like by turning on services, use netstat to see what things look like with those services running.

8

Compare that with a Sun Workstation running Solaris 8Sun Microsystems Inc. SunOS 5.8amber% netstat -a -f inet | grep LISTENTCP Local Address Remote Address Swind Send-Q Rwind Recv-Q State-------------------- -------------------- ----- ------ ----- ------ -------localhost.4999 *.* 0 0 24576 0 LISTEN *.sunrpc *.* 0 0 24576 0 LISTEN *.ftp *.* 0 0 24576 0 LISTEN *.telnet *.* 0 0 24576 0 LISTEN *.shell *.* 0 0 24576 0 LISTEN *.login *.* 0 0 24576 0 LISTEN *.exec *.* 0 0 24576 0 LISTEN *.exec *.* 0 0 24576 0 LISTEN *.uucp *.* 0 0 24576 0 LISTEN *.finger *.* 0 0 24576 0 LISTEN *.time *.* 0 0 24576 0 LISTEN *.echo *.* 0 0 24576 0 LISTEN *.discard *.* 0 0 24576 0 LISTEN *.daytime *.* 0 0 24576 0 LISTEN *.chargen *.* 0 0 24576 0 LISTEN *.32771 *.* 0 0 24576 0 LISTEN *.32772 *.* 0 0 24576 0 LISTEN *.32773 *.* 0 0 24576 0 LISTEN *.32774 *.* 0 0 24576 0 LISTEN *.fs *.* 0 0 24576 0 LISTEN *.32775 *.* 0 0 24576 0 LISTEN *.printer *.* 0 0 24576 0 LISTEN *.lockd *.* 0 0 24576 0 LISTEN *.dtspc *.* 0 0 24576 0 LISTEN *.8888 *.* 0 0 24576 0 LISTEN *.32777 *.* 0 0 24576 0 LISTEN *.32778 *.* 0 0 24576 0 LISTEN *.32779 *.* 0 0 24576 0 LISTEN *.27000 *.* 0 0 24576 0 LISTEN *.33945 *.* 0 0 24576 0 LISTEN *.898 *.* 0 0 24576 0 LISTEN *.5987 *.* 0 0 24576 0 LISTEN *.34209 *.* 0 0 24576 0 LISTEN *.6000 *.* 0 0 24576 0 LISTEN

I count 34 ports listening for connections. And they can come from anywhere.9

netstat

epaul% /usr/sbin/netstat -a -f inet

Active Internet connectionsProto Recv-Q Send-Q Local Address Foreign Address (state)tcp4 0 0 ammonite.geology.49205 quartz.geology.u.ssh ESTABLISHEDtcp4 0 0 ammonite.geology.49203 192.35.210.223.http ESTABLISHEDtcp4 0 0 ammonite.geology.49202 a192-35-210-200..http ESTABLISHEDtcp4 0 0 ammonite.geology.49201 des067.ucdavis.e.http ESTABLISHEDtcp4 0 0 ammonite.geology.49200 des067.ucdavis.e.http ESTABLISHEDtcp4 0 0 ammonite.geology.49199 des067.ucdavis.e.http ESTABLISHEDtcp4 0 0 ammonite.geology.49198 des067.ucdavis.e.http ESTABLISHEDtcp4 0 0 localhost.1033 localhost.968 ESTABLISHEDtcp4 0 0 localhost.968 localhost.1033 ESTABLISHEDtcp4 0 0 localhost.ipp *.* LISTENtcp4 0 0 localhost.1033 *.* LISTEN

Now, I open a web page http://security.ucdavis.edu, and an ssh session with quartz.geology.ucdavis.edu. Use netstat to see what connections are now open.

I’ve opened up an ssh session to quartz.geology.ucdavis.edu and opened a web page to http://security.ucdavis.edu (des067.ucdavis.edu), which, in turn, has links to:http://wdcs.trendmicro.com/dcs.gif () and http://www.trendmicro.com/syndication/images/pb_trend_white.gifWKS tend to run on “privliged ports” < 1024 on which they listen for connections. Out going connections tend to be on high numbered ports > 1024Open the Activity window in Safari to see all the connections that it takes to build the web page.

10

netstat

Active Internet connectionsProto Recv-Q Send-Q Local Address Foreign Address (state)tcp4 0 0 ammonite.geology.49205 quartz.geology.u.ssh ESTABLISHED

Next are the connection that result from opening the web page at security.ucdavis.edu

tcp4 0 0 ammonite.geology.49203 192.35.210.223.http ESTABLISHEDtcp4 0 0 ammonite.geology.49202 a192-35-210-200..http ESTABLISHEDtcp4 0 0 ammonite.geology.49201 des067.ucdavis.e.http ESTABLISHEDtcp4 0 0 ammonite.geology.49200 des067.ucdavis.e.http ESTABLISHEDtcp4 0 0 ammonite.geology.49199 des067.ucdavis.e.http ESTABLISHEDtcp4 0 0 ammonite.geology.49198 des067.ucdavis.e.http ESTABLISHED

But where’s security.ucdavis.edu? The host command shows us that it’s an alias for des067.ucdavis.edu

epaul% /usr/bin/host security.ucdavis.edusecurity.ucdavis.edu is a nickname for des067.ucdavis.edudes067.ucdavis.edu has address 169.237.11.67

First, here’s the ssh connection to quartz:

Or, for the command line challenged, you can use the Network Utility’s Lookup function.

11

netstat

epaul% /usr/sbin/netstat -a -f inet -n

Active Internet connectionsProto Recv-Q Send-Q Local Address Foreign Address (state)tcp4 0 0 169.237.93.100.49205 169.237.93.2.22 ESTABLISHEDtcp4 0 0 169.237.93.100.49218 192.35.210.200.80 ESTABLISHEDtcp4 0 0 169.237.93.100.49216 192.35.210.223.80 ESTABLISHEDtcp4 0 0 169.237.93.100.49215 169.237.11.67.80 ESTABLISHEDtcp4 0 0 169.237.93.100.49214 169.237.11.67.80 ESTABLISHEDtcp4 0 0 169.237.93.100.49213 169.237.11.67.80 ESTABLISHEDtcp4 0 0 169.237.93.100.49212 169.237.11.67.80 ESTABLISHED

You may have noticed that netstat displays only 22 characters of host and port information.

tcp4 0 0 ammonite.geology.49203 192.35.210.223.http ESTABLISHEDtcp4 0 0 ammonite.geology.49202 a192-35-210-200..http ESTABLISHED

Use -n to show addresses as numbers.

Use the host command to look up names.epaul% /usr/bin/host 192.35.210.200200.210.35.192.IN-ADDR.ARPA domain name pointer

a192-35-210-200.deploy.akamaitechnologies.com

The ssh port is now displayed as 22, and the http port as 80.12

/etc/services

epaul% /bin/cat /etc/services

# Network services, Internet style#...echo 7/tcpecho 7/udpdiscard 9/tcp sink nullsystat 11/tcp users #Active Userschargen 19/tcp ttytst source #Character Generatorftp-data 20/tcp #File Transfer [Default Data]ftp 21/tcp #File Transfer [Control]ssh 22/tcp #Secure Shell Logintelnet 23/tcp# 24/tcp any private mail systemsmtp 25/tcp mail #Simple Mail Transfer...wnn6_DS 26208/tcp #Wnn6 (Dserver)

The file /etc/services is a comprehensive list of well known network services and the ports on which they run.

Note that it is presently the policy of IANA to assign a single well-known port number for both TCP and UDP; hence, most entries here have two entries even if the protocol doesn't support UDP operations.Updated from RFC 1700, “Assigned Numbers” (October 1994). All ports are included.

13

Here’s another netstat displayepaul% /usr/sbin/netstat -f inet -aActive Internet connections (including servers)Proto Recv-Q Send-Q Local Address Foreign Address (state)tcp4 0 0 theoffice.geolog.ssh terpsichore.geol.49152 ESTABLISHEDtcp4 0 0 theoffice.geolog.49174 palladium.geolog.49770 ESTABLISHEDtcp4 0 0 theoffice.geolog.49174 onyx.geology.ucd.49162 ESTABLISHEDtcp4 0 0 theoffice.geolog.49174 dunite.geology.u.49228 ESTABLISHEDtcp4 0 0 theoffice.geolog.49174 amazonite.geolog.49158 ESTABLISHEDtcp4 0 0 theoffice.geolog.afpov amazonite.geolog.49153 ESTABLISHEDtcp4 0 0 theoffice.geolog.49174 neuromancer.geol.49156 ESTABLISHEDtcp4 0 0 theoffice.geolog.afpov smilodon.geology.49154 ESTABLISHED

We see an ssh connection and AppleShareIP (afpovertcp) connections, but what’s running on port 49174? A grep for 49174 in /etc/services finds nothing.

epaul% /usr/bin/grep ssh /etc/servicesssh 22/tcp #Secure Shell Loginssh 22/udp #Secure Shell Login

epaul% /usr/bin/grep 49174 /etc/services

epaul%

14

/usr/sbin/lsofSome of the ports on which the computer is listening have no corresponding entries in /etc/services and so are listed only by number. But we can use lsof, list open files, to show what process is listening on port 49174.epaul% /usr/bin/sudo /usr/sbin/lsof -i:49174

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEmmserver 536 root 7u inet 0x03d64a6c 0t0 TCP *:49174 (LISTEN)mmserver 536 root 12u inet 0x03d6175c 0t0 TCP theoffice.geology.ucdavis.edu:49174->chalcedony.geology.ucdavis.edu:49441 (ESTABLISHED)mmserver 536 root 13u inet 0x03d0e1dc 0t0 TCP theoffice.geology.ucdavis.edu:49174->neuromancer.geology.ucdavis.edu:49156 (ESTABLISHED)

We see that mmserver, the MeetingMaker Server, is running on port 49174.

15

epaul% /usr/sbin/netstat -a -f inetProto Recv-Q Send-Q Local Address Foreign Address (state)tcp4 0 33304 neuromancer.geol.itune ammonite.geology.49163 ESTABLISHEDtcp4 0 0 neuromancer.geol.itune ammonite.geology.49157 ESTABLISHED...epaul% sudo /usr/sbin/lsof -i:itunesCOMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEiTunes 421 epaul 14u inet 0x02779f4c 0t0 TCP *:itunes (LISTEN)iTunes 421 epaul 17u inet 0x03089cbc 0t0 TCP neuromancer.geology.ucdavis.edu:itunes-> ammonite.geology.ucdavis.edu:49171 (ESTABLISHED)iTunes 421 epaul 18u inet 0x0277acbc 0t0 TCP neuromancer.geology.ucdavis.edu:itunes-> ammonite.geology.ucdavis.edu:49157 (ESTABLISHED)

Add entries to /etc/servicesYou can add your own entries for services you use to the /etc/services file. Such as…automount 1023/udp #Automounteritunes 3689/tcp #iTunesichat 5298/tcp #iChatAgentmmserver 49174/tcp #Meeting Maker server

Then netstat will display the service name instead of the port number. Also use service names with lsof.

16

Use nmap from an external host (e.g. your desktop) to scan your servers for open ports.

nmap

epaul% /sw/bin/nmap -sT amber.geology.ucdavis.eduStarting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on amber.geology.ucdavis.edu (169.237.93.62):(The 1572 ports scanned but not shown below are in state: closed)Port State Service7/tcp open echo 9/tcp open discard 13/tcp open daytime 19/tcp open chargen 21/tcp open ftp 23/tcp open telnet 37/tcp open time 79/tcp open finger 111/tcp open sunrpc 512/tcp open exec 513/tcp open login 514/tcp open shell 515/tcp open printer 32771/tcp open sometimes-rpc5 ... 32779/tcp open sometimes-rpc21 Remote operating system guess: Solaris 8 early access beta through actual releaseUptime 15.757 days (since Tue May 20 15:35:09 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 54 seconds

Standard disclaimer: nmap has been known to crash systems that it is probing, to crash routers and switches on the network, and to take down printers with wimpy IP stacks.Let your network operations center know that you will be conducting scans.Also check with your local network policy about what conditions scanning is permitted.

17

Not to Sound Paranoid, But...How do you know that your copies of netstat, lsof, top, Process Viewer, and other apps have not been hacked so that they hide the ports and processes that the hacker is using?

Programs like Tripwire can be installed to note changes in your system files/applications and notify you of any changes.

http://sourceforge.net/projects/tripwire

Brian Hill has written CheckMate that implements a tripwire-like algorithm for Mac OS X.

http://personalpages.tds.net/~brian_hill

18

CheckMate installs as a System Preference

CheckMate

19

Export a copy of your files and checksums and put this somewhere other than the computer you've scanned.

CheckMate

20

You can do manual scans as well as automated ones.

CheckMate

21

Eavesdropping and Snooping

No matter how tightly secured you computer configuration may be, once your information begins traveling over the network it’s vulnerable to eavesdropping. A bad guy doesn’t need to attack your computer directly to gain access to your sensitive information. No talent, programming, or networking experience is required to eavesdrop on a network. The software works like this:

1. You connect to the network2. You start it.3. You tell it to record passwords or packets.4. You take your recorded passwords and go.

22

Shared, Switched, or WirelessAll Networks Are Vulnerable!

Beginning with Mac OS X Server 10.2, AppleShare connections can be automatically tunneled via ssh, providing full, end-to-end, encryption of the traffic.

Session hijacking was previously very difficult. Ettercap can be used to implement a man-in-the-middle attack without its user having any knowledge of networking or spoofing. Ettercap can sniff packets between any two hosts on a switched LAN. It can log passwords for TELNET, FTP, POP, SMB, SSH1, HTTP, X11, IMAP4, SNMP, IRC, SOCKS5, ICQ…

Ettercap is so scary because of its ability to easily do ARP cache poisoning. Typically machines send out an ARP request asking for the address of another machine, and it receives a reply. In APR poisoning the replies are sent without a request being made. The sniffer basically tells the rest of the network that IT IS every machine on the network, and subsequently receives traffic for those machines.On the other hand, ettercap also has an ARP poisoning detector. So you can use this to detect the bad guys.

23

Enabling SSH connections on server

SSH connections to the AppleShare server are not very well documents.Page 239 of MacOSXServer_AdminGuide_121902.pdf says:6 Select “Enable Secure Connections” if you want to allow client to connect using secure AFP (uses SSH).

24

Connecting to the File Server

On each client...Click Options… and enable Secure Connections

25

Default Connection

Note that top of the box lets you know that AppleShare will be making this connection using the “Two-Way Encrypted Password” method. Disable Clear Text Password (unless you need it to connect to legacy AppleShare servers.)Enable “Allow Secure Connections using SSH”To ensure every AFS connection attempt makes use of SSH, you’ll need to modify a general preference file. Edit each user’s ~/Library/Preferences/.GlobalPreferences.plist file and locate the key. This key has a dictionary object with various attributes related to AFS. In this dictionary, locate the key: afp_cleartext_allow and make the value false.<key>afp_cleartext_allow</key> <false/>

26

Preferred Connection

Next, locate the key afp_ssh_force and make it true:<key>afp_ssh_force</key> <true/>

How do you tell if the connection that gets established is really secure and encrypted? These two changes prevent authentication credentials from being sent in the clear text, and that all successful AFS connections are tunneled over ssh. With each conection attempt, ssh is launched with options to forward some arbitrary local port to the AFS port (548) on the remote server. If the remote server dowsn’t have SSH enabled, or the host verification fails, the AFS connection attempt will also fail. [Mac OS X Security; Potter, Norvell, and Wotring; New Riders Publishing, 2003]

27

Secure AFP ConnectionIf you succeed in making a secure connection you should briefly see the following dialog box after you click OK and before you are presented with the list of mountable volumes on the remote AFP server.

[ammonite:~] testing% netstat -a -f inetActive Internet connections (including servers)Proto Recv-Q Send-Q Local Address Foreign Address (state)...tcp4 0 0 ammonite.geology.49462 theoffice.geolog.ssh ESTABLISHED...

netstat will show an ssh connection to the server instead of an afpoverip connection.

If you have set the afp_ssh_force key to true and you attempt to connect to a server that does not support ssh and secure AFP connections. you will get a “Login Failed” box, “Unknown user, incorrect password, or log on is disabled. Please retype the username and password or contact the server’s administrator. OK.” No mention of unable to make secure connection. Click OK, but then you can’t cancel the Authentication Status box. You can kill it with a command-dot, though.Sweet! not!

28

Assuming the remote AFP server is running SSH and you have a username and password for the server, you can tunnel AppleShare traffic from port 548 on the server to port 10548 on your local machine using ssh.

For client-to-client connections you can create your own SSH tunnels manually.

epaul% ssh <username@afp-server> -L 10548:127.0.0.1:548

This creates an SSH tunnel from port 10548 on the localhost (127.0.0.1) to the AFP port (548) on the remote afp-server host.

29

Encrypted AppleShareThen use the Connect to Server… in the Finder to securely access your files and information using afp://127.0.0.1:10548

Now “Connect to Server” to port 10548 on the localhost (afp://127.0.0.1:10548) So this does a file server connection to port 10548 on the local machine which, in turn, is tunneled through SSH to the remote afp-server and forwarded to the AFP port (548).Click connect and see the login box from the remote afp-server.

30

Vapor can be used to create tunnels for a variety of protocols without using the command line.

http://www.afp548.com/Software/Vapor

Use Vapor to Create Tunnels

Same idea, different services.VaporSec from the same outfit can be used to construct IPsec tunnels.It’s a bit more complicated than I’m indicating here. But it’s all documented on the site.

31

ResourcesMac OS X Maximum Security

John Ray & William C. RaySams, 1st Edition, 2003

Practical Unix & Internet SecuritySimon Garfinkel, Gene Spafford & Alan SchwartzO’Reilly, 3rd Edition, 2003

“DD’s Ultimate Guide to Mac OS X Security”http://homepage.mac.com/macbuddy/SecurityGuide.html

See also: “Building Internet Firewalls”; Elizabeth D. Zwicky, Simon Cooper, & D. Brent Chapman; O’Reilly, 2nd Edition, 2000.“Mac OS X Security”; Bruce Potter, Preston Norvell, Brian Wotring; New Riders Publications, 1st Edition, 2003.

32

Contact Information

Rick Hillrrhill@ucdavis.edu

Jackie Simmonsjdsimmons@ucdavis.edu

Paul Waterstraatwaterstraat@geology.ucdavis.educomputing.geology.ucdavis.edu/security/macosx

33