krypted.com

Tiny Deathstars of Foulness

macOS Server 5.4 running on High Sierra (macOS 10.13) has an adaptive firewall built in, or a firewall that controls incoming access based on clients attempting to abuse the server. The firewall automatically blocks incoming connections that it considers to be dangerous. For example, if a client attempts too many incorrect logins then a firewall rule restricts that user from attempting to communicate with the server for 15 minutes. If you’re troubleshooting and you accidentally tripped up one of these rules then it can be a bit frustrating. Which is why Apple gives us afctl, a tool that interacts with the adaptive firewall.

To enable the adaptive firewall, use the -f option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f

Alternatively, use the -X option to disable the Adaptive Firewall:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -X

Once run, you’ll receive an error similar to the following:

Sep  8 14:16:18  afctl[16987] <Notice>: Unloading the launchd job

Sep  8 14:16:18  afctl[16987] <Notice>: Setting the start behavior to disabled

Sep  8 14:16:18  afctl[16987] <Notice>: Clearing out the blacklist

No ALTQ support in kernel

ALTQ related functions disabled

1/1 addresses deleted.

Once started, the most basic task you can do with the firewall is to disable all of the existing rules. To do so, simply run afctl (all afctl options require sudo) with a -d option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -d


You’ll receive no response on successful runs. When run, the adaptive firewall’s rules are disabled. To re-enable them, use the -e option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -e

Turning off the rules seems a bit much for most troubleshooting tasks. To remove a specific IP address that has been blacklisted, use the -r option followed by the IP address (rules are enforced by IP):

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -r 192.168.210.88

To add an IP to the blacklist, use the -a option, also followed by the IP:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 192.168.210.88

Once run, you’ll get a message as follows:

No ALTQ support in kernel

ALTQ related functions disabled

1/1 addresses added.

To permanently add a machine to the whitelist, use -w with the IP:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 192.168.210.88

And to remove a machine, use -x. To understand what is going on under the hood, consider this. The blacklisted computers are stored in plain text in /var/db/af/blacklist and the whitelisted computers are stored in the same path in a file called whitelist. The afctl binary itself is stored in /usr/libexec/afctl and can also be enabled with the /System/LIbrary/LaunchDaemons/com.apple.afctl.plist, meaning to force-stop the service outright, use launchctl:

launchctl unload /Applications/Server.app/Contents/ServerRoot/usr/libexec/com.apple.afctl.plist

The configuration file for afctl is at /etc/af.plist. Here you can change the path to the blacklist and whitelist files, change the interval with which it is run, etc. Overall, the adaptive firewall is a nice little tool for macOS Server security, but also something a number of open source tools can do as well. But for something built-in and easy, worth using. There’s a nice little command called hb_summary located in /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS that provides statistics for blocked hosts. To see statistics about how much the Adaptive Firewall is being used, just run the command with no options:

/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary

The output provides the following information (helpful if plugging this information into a tool like Splunk):
  • Date
  • Date statistics start
  • Number of hosts blocked
  • Addresses blocked
  • Number of times each address was blocked
  • Last time a host was blocked
  • Total number of times a block was issued
Finally, there are scripts located in /Applications/Server.app/Contents/ServerRoot/usr/libexec that can be used to manage the firewall as well. These include ServerFirewallPromotion.sh (a simple bash script) and ServerFirewallServiceCleanser, a compiled binary.

September 26th, 2017

Posted In: Mac OS X Server, Mac Security

Tags: , , , , , , ,

OS X Server 5 (El Capitan 10.11 or Yosemite 10.10) has an adaptive firewall built in, or a firewall that controls incoming access based on clients attempting to abuse the server. The firewall automatically blocks incoming connections that it considers to be dangerous. For example, if a client attempts too many incorrect logins then a firewall rule restricts that user from attempting to communicate with the server for 15 minutes. If you’re troubleshooting and you accidentally tripped up one of these rules then it can be a bit frustrating. Which is why Apple gives us afctl, a tool that interacts with the adaptive firewall. The most basic task you can do with the firewall is to disable all of the existing rules. To do so, simply run afctl (all afctl options require sudo) with a -d option: /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -d When run, the adaptive firewall’s rules are disabled. To re-enable them, use the -e option: /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -e Turning off the rules seems a bit much for most troubleshooting tasks. To remove a specific IP address that has been blacklisted, use the -r option followed by the IP address (rules are enforced by IP): /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -r 192.168.210.88 To add an IP to the blacklist, use the -a option, also followed by the IP: /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 192.168.210.88 To permanently add a machine to the whitelist, use -w with the IP: /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 192.168.210.88 And to remove a machine, use -x. To understand what is going on under the hood, consider this. The blacklisted computers are stored in plain text in /var/db/af/blacklist and the whitelisted computers are stored in the same path in a file called whitelist. The afctl binary itself is stored in /usr/libexec/afctl and the service is enabled by /System/LIbrary/LaunchDaemons/com.apple.afctl.plist, meaning to stop the service outright, use launchctl: launchctl unload /Applications/Server.app/Contents/ServerRoot/usr/libexec/com.apple.afctl.plist The configuration file for afctl is at /etc/af.plist. Here you can change the path to the blacklist and whitelist files, change the interval with which it is run, etc. Overall, the adaptive firewall is a nice little tool for Mac OS X Server security, but also something a number of open source tools can do as well. But for something built-in and easy, worth using. There’s a nice little command called hb_summary located in /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS that provides statistics for blocked hosts. To see statistics about how much the Adaptive Firewall is being used, just run the command with no options: /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary The output provides the following information (helpful if plugging this information into a tool like Splunk):
  • Date
  • Date statistics start
  • Number of hosts blocked
  • Addresses blocked
  • Number of times each address was blocked
  • Last time a host was blocked
  • Total number of times a block was issued

September 22nd, 2015

Posted In: Mac OS X Server

Tags: , , , , , , ,

I wrote up afctl (the command line tool to manage the OS X Server Adaptive Firewall) awhile back here http://krypted.com/mac-security/a-little-more-about-afctl-in-os-x-server. One thing I didn’t touch on is statistics. There’s a nice little command called hb_summary located in /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS that provides statistics for blocked hosts. To see statistics about how much the Adaptive Firewall is being used, just run the command with no options: /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary The output provides the following information (helpful if plugging this information into a tool like Splunk):
  • Date
  • Date statistics start
  • Number of hosts blocked
  • Addresses blocked
  • Number of times each address was blocked
  • Last time a host was blocked
  • Total number of times a block was issued

October 5th, 2013

Posted In: Mac OS X Server, Mac Security

Tags: , , , , , ,

Awhile back I wrote an article on managing the Adaptive Firewall built into Mountain Lion Server at http://krypted.com/mac-os-x-server/managing-lion-servers-adaptive-firewall-from-the-command-line. It’s worth mentioning that when you use this command you’re basically editing some text files. These include the blacklist, blockedHosts and whitelist folders at possibly the shortest folder at this depth in the file system that I’ve ever had the good luck to need to use /var/db/af (okay, okay, I’m sure we’ve all made /a/b/c and that’s shorter, but this is pretty close). You should use afctl to add and remove machines from these lists. The -w option in afctl used to add a host to a whitelist will cause the host to appear in the /var/db/af/whitelist file. The -a option used to blacklist a host will add it to the /var/db/af/blacklist file. Hosts that are flagged are dropped into /var/db/af/blockedHosts and when you remove those hosts with the -r option they are removed from that file. I think that pretty much beats that poor afctl horse to death. Simple is good sometimes!

June 4th, 2013

Posted In: Kerio, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure

Tags: , , ,

Previously, I had done an article on using the adaptive firewall in Mac OS x Server. But I hadn’t looked at controlling it from the command line yet. In Lion Server, the firewall automatically blocks incoming connections that it considers to be dangerous. For example, if a client attempts too many incorrect logins then a firewall rule restricts that user from attempting to communicate with the server for 15 minutes. If you’re troubleshooting and you accidentally tripped up one of these rules then it can be a bit frustrating. Which is why Apple gives us afctl, a tool that interacts with the adaptive firewall. The most basic task you can do with the firewall is to disable all of the existing rules. To do so, simply run afctl (all afctl options require sudo) with a -d option: afctl -d When run, the adaptive firewall’s rules are disabled. To re-enable them, use the -e option: afctl -e Turning off the rules seems a bit much for most troubleshooting tasks. To remove a specific IP address that has been blacklisted, use the -r option followed by the IP address (rules are enforced by IP): afctl -r 192.168.210.88 To add an IP to the blacklist, use the -a option, also followed by the IP: afctl -a 192.168.210.88 To permanently add a machine to the whitelist, use -w with the IP: afctl -w 192.168.210.88 And to remove a machine from the whittles, use -x. To understand what is going on under the hood, consider this. The blacklisted computers are stored in plain text in /var/db/af/blacklist and the whitelisted computers are stored in the same path in a file called whitelist. The afctl binary itself is stored in /usr/libexec/afctl and the service is enabled by /System/LIbrary/LaunchDaemons/com.apple.afctl.plist, meaning to stop the service outright, use launchctl: launchctl unload com.apple.afctl.plist Finally, the configuration file for afctl is at /etc/af.plist. Here you can change the path to the blacklist and whitelist files, change the interval with which it is run, etc. Overall, the adaptive firewall is a nice little tool for Mac OS X Server security, but also something a number of open source tools can do as well. But for something built-in and easy, worth using.

November 9th, 2011

Posted In: Mac OS X Server, Mac Security

Tags: , , , , , , , ,