krypted.com

Tiny Deathstars of Foulness

OS X Server 5 (El Capitan 10.11 or Yosemite 10.10) has an adaptive firewall built in: a firewall that controls incoming access based on clients attempting to abuse the server. The firewall automatically blocks incoming connections that it considers dangerous. For example, if a client attempts too many incorrect logins, a firewall rule blocks that client from communicating with the server for 15 minutes. If you’re troubleshooting and you accidentally trip one of these rules, it can be a bit frustrating. Which is why Apple gives us afctl, a tool that interacts with the adaptive firewall.

The most basic task you can do with the firewall is to disable all of the existing rules. To do so, simply run afctl (all afctl options require sudo) with the -d option:
/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -d
When run, the adaptive firewall’s rules are disabled. To re-enable them, use the -e option:
/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -e
Turning off the rules seems a bit much for most troubleshooting tasks. To remove a specific IP address that has been blacklisted, use the -r option followed by the IP address (rules are enforced by IP):
/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -r 192.168.210.88
To add an IP to the blacklist, use the -a option, also followed by the IP:
/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 192.168.210.88
To permanently add a machine to the whitelist, use -w with the IP:
/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 192.168.210.88
And to remove a machine from the whitelist, use -x.

To understand what is going on under the hood, consider this. The blacklisted computers are stored in plain text in /var/db/af/blacklist and the whitelisted computers are stored in the same path in a file called whitelist. The afctl binary itself is stored in /usr/libexec/afctl and the service is enabled by /System/Library/LaunchDaemons/com.apple.afctl.plist, meaning to stop the service outright, use launchctl:
launchctl unload /Applications/Server.app/Contents/ServerRoot/usr/libexec/com.apple.afctl.plist
The configuration file for afctl is at /etc/af.plist. Here you can change the path to the blacklist and whitelist files, change the interval with which it is run, etc.

Overall, the adaptive firewall is a nice little tool for Mac OS X Server security, but also something a number of open source tools can do as well. But for something built-in and easy, it’s worth using.

There’s a nice little command called hb_summary, located in /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS, that provides statistics for blocked hosts. To see statistics about how much the Adaptive Firewall is being used, just run the command with no options:
/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary
The output provides the following information (helpful if plugging this information into a tool like Splunk):
  • Date
  • Date statistics start
  • Number of hosts blocked
  • Addresses blocked
  • Number of times each address was blocked
  • Last time a host was blocked
  • Total number of times a block was issued
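As an added example (not code from the original post or from Apple), here is a small wrapper around the afctl whitelist/blacklist workflow described above. It validates the address before calling afctl and consults the plain-text list files first, so a typo or an address that is not actually blocked is reported rather than silently passed through. It assumes /var/db/af/blacklist and /var/db/af/whitelist hold one IPv4 address per line (the post only says they are plain text), and refusing to whitelist an address that is still blacklisted is this wrapper's own policy, not afctl's. The AFCTL, AF_BLACKLIST and AF_WHITELIST variables can be overridden for testing.

```shell
#!/bin/bash
# Added example, not code from the original post or from Apple: a wrapper
# around afctl -r / afctl -w that validates input and checks the list files.
# Assumptions: one IPv4 address per line in the list files (the post only says
# "plain text"); refusing to whitelist a still-blacklisted address is this
# wrapper's own policy. Paths can be overridden via the environment.

AFCTL=${AFCTL:-/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl}
AF_BLACKLIST=${AF_BLACKLIST:-/var/db/af/blacklist}
AF_WHITELIST=${AF_WHITELIST:-/var/db/af/whitelist}

# is_ipv4 ADDRESS: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    local ip octet
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots; the case above guarantees no empty octets remain.
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# in_list FILE ADDRESS: succeed if ADDRESS appears as a whole line in FILE.
in_list() {
    [ -r "$1" ] && grep -qxF -- "$2" "$1"
}

# af_unblock ADDRESS: remove ADDRESS from the blacklist (afctl -r), but only
# after confirming it is really there.
af_unblock() {
    is_ipv4 "$1" || { printf 'not an IPv4 address: %s\n' "$1" >&2; return 2; }
    in_list "$AF_BLACKLIST" "$1" || { printf '%s is not blacklisted\n' "$1" >&2; return 1; }
    "$AFCTL" -r "$1"
}

# af_whitelist ADDRESS: add ADDRESS permanently (afctl -w), skipping duplicates
# and refusing while the address is still on the blacklist.
af_whitelist() {
    is_ipv4 "$1" || { printf 'not an IPv4 address: %s\n' "$1" >&2; return 2; }
    if in_list "$AF_WHITELIST" "$1"; then
        printf '%s is already whitelisted\n' "$1" >&2
        return 0
    fi
    if in_list "$AF_BLACKLIST" "$1"; then
        printf '%s is currently blacklisted; run af_unblock first\n' "$1" >&2
        return 1
    fi
    "$AFCTL" -w "$1"
}
```

Source the file and call af_unblock or af_whitelist with the address (with sudo, as all afctl options require); the exit status distinguishes a bad address (2) from a no-op (1) so the wrapper is usable from a larger script.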

September 22nd, 2015

Posted In: Mac OS X Server


After writing up the presentation for MacSysAdmin in Sweden, I decided to go ahead and throw these into a quick cheat sheet for anyone who’d like to have them all in one place. Good luck out there, and stay salty.

Get an IP address for en0:
ipconfig getifaddr en0
Same thing, but setting and echoing a variable:
ip=$(ipconfig getifaddr en0); echo "$ip"
View the subnet mask of en0:
ipconfig getoption en0 subnet_mask
View the DNS server for en0:
ipconfig getoption en0 domain_name_server
Get information about how en0 got its DHCP lease (the packet the server returned):
ipconfig getpacket en0
View some network info:
ifconfig en0
Set en0 to have an IP address of 10.10.10.10 and a subnet mask of 255.255.255.0:
ifconfig en0 inet 10.10.10.10 netmask 255.255.255.0
Show a list of locations on the computer:
networksetup -listlocations
Obtain the active location the system is using:
networksetup -getcurrentlocation
Create a network location called Work and populate it with information from the active network connection:
networksetup -createlocation Work populate
Delete a network location called Work:
networksetup -deletelocation Work
Switch the active location to a location called Work:
networksetup -switchlocation Work
Switch the active location to a location called Work, but also show the GUID of that location so we can script with it later:
scselect Work
List all of the network services on the system:
networksetup -listallnetworkservices
Rename the network service called Ethernet to Wired:
networksetup -renamenetworkservice Ethernet Wired
Disable a network service (here, Wi-Fi):
networksetup -setnetworkserviceenabled Wi-Fi off
Change the order of your network services:
networksetup -ordernetworkservices "Wi-Fi" "USB Ethernet"
Set the service called Wi-Fi to use DHCP if it isn’t already:
networksetup -setdhcp Wi-Fi
Renew DHCP leases:
ipconfig set en1 BOOTP && ipconfig set en1 DHCP
ifconfig en1 down && ifconfig en1 up
Renew a DHCP lease in a script:
echo "add State:/Network/Interface/en0/RefreshConfiguration temporary" | sudo scutil
Configure a manual static IP address (address, subnet mask, router):
networksetup -setmanual Wi-Fi 10.0.0.2 255.255.255.0 10.0.0.1
Configure the DNS servers for a given network service:
networksetup -setdnsservers Wi-Fi 10.0.0.2 10.0.0.3
Obtain the DNS servers used on the Wi-Fi service:
networksetup -getdnsservers Wi-Fi
Stop the application layer firewall:
launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
Start the application layer firewall:
launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist
Allow an app to communicate outside the system through the application layer firewall:
socketfilterfw -t "/Applications/FileMaker Pro/FileMaker Pro.app/Contents/MacOS/FileMaker Pro"
See the routing table of a Mac:
netstat -nr
Add a route so that traffic for 10.0.0.0/32 goes via 10.0.9.2:
route -n add 10.0.0.0/32 10.0.9.2
Log Bonjour traffic at the packet level:
sudo killall -USR2 mDNSResponder
Stop Bonjour:
launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
Start Bonjour:
launchctl load -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
Put a delay (in seconds) between your pings:
ping -i 5 192.168.210.1
Ping the hostname 5 times and then stop the ping:
ping -c 5 google.com
Flood ping the host:
ping -f localhost
Set the packet size during your ping:
ping -s 100 google.com
Customize the source IP during your ping:
ping -S 10.10.10.11 google.com
View disk performance:
iostat -d disk0
Get information about the AirPort connection on your system:
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I
Scan the available wireless networks:
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s
Trace the path packets go through:
traceroute google.com
Trace the route without looking up names:
traceroute -n google.com
Trace a route in debug mode:
traceroute -d google.com
View information on all sockets:
netstat -at
View network information for IPv6:
netstat -lt
View per-protocol network statistics:
netstat -s
View the statistics for a specific network protocol:
netstat -p igmp
Show statistics for network interfaces:
netstat -i
View network information as it happens (requires ntop to be installed):
ntop
Scan port 80 of www.google.com:
/System/Library/CoreServices/Applications/Network\ Utility.app/Contents/Resources/stroke www.google.com 80 80
Port scan krypted.com stealthily:
nmap -sS -O krypted.com/24
Establish a network connection with www.apple.com:
nc -v www.apple.com 80
Establish a network connection with gateway.push.apple.com over port 2195:
/usr/bin/nc -v -w 15 gateway.push.apple.com 2195
Establish a network connection with feedback.push.apple.com only allowing IPv4:
/usr/bin/nc -v -4 feedback.push.apple.com 2196
Set up a network listener on port 2196 for testing:
/usr/bin/nc -l 2196
Capture some packets:
tcpdump -nS
Capture all the packets:
tcpdump -nnvvXS
Capture the packets for a given port (548 here):
tcpdump -nnvvXS port 548
Capture all the packets for a given port going to a given destination of 10.0.0.48:
tcpdump -nnvvXS port 548 and dst 10.0.0.48
Capture the packets as above but dump to a pcap file (options go before the filter expression):
tcpdump -nnvvXS -w /tmp/myfile.pcap port 548 and dst 10.0.0.48
Read tcpdump (pcap) files and try to make them human readable:
tcpdump -qns 0 -A -r /var/tmp/capture.pcap
What binaries have what ports open, and in what states are those ports:
lsof -n -i4TCP
Make an alias for looking at what has a listener open, called ports:
alias ports='lsof -n -i4TCP | grep LISTEN'
Report back the name of the system:
hostname
Flush the DNS cache:
dscacheutil -flushcache
Clear your ARP cache:
arp -ad
View how the Server app interprets your network settings:
serveradmin settings network
Whitelist the IP address 10.10.10.2:
/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 10.10.10.2

Finally, the script network_info.sh shows information about a Mac’s network configuration. Both active and inactive network interfaces are listed, in the order that they are used by the OS and with a lot of details (MAC address, interface name, router, subnet mask etc.).
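As an added example (not from the original post), the ports alias above can be turned into a check that flags listeners outside an allow-list, which is the question you actually want answered on a server. SAMPLE below is constructed lsof -n -i4TCP output (not a real capture; the DEVICE column is shortened) so the script runs without lsof; on a real host, feed it the live output instead.

```shell
#!/bin/bash
# Added example, not from the original post: audit listening TCP ports against
# an allow-list, using the same "lsof -n -i4TCP | grep LISTEN" idea as the
# "ports" alias. SAMPLE is constructed lsof output so this runs offline; on a
# real host use:  unexpected_listeners "$(lsof -n -i4TCP)" "22 80 443"

SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root    8u  IPv4 0x1a01      0t0  TCP *:22 (LISTEN)
httpd     412 root    4u  IPv4 0x1a02      0t0  TCP *:80 (LISTEN)
nc       9921 bob     3u  IPv4 0x1a03      0t0  TCP *:2196 (LISTEN)
Safari   2201 bob    12u  IPv4 0x1a04      0t0  TCP 10.0.0.5:52011->203.0.113.10:443 (ESTABLISHED)'

# listeners_from TEXT: print "command pid port" for each line in LISTEN state.
listeners_from() {
    printf '%s\n' "$1" | awk '$NF == "(LISTEN)" {
        n = split($(NF-1), parts, ":")   # NAME is host:port, e.g. *:22
        print $1, $2, parts[n]
    }'
}

# unexpected_listeners TEXT "PORT PORT ...": only the listeners whose port is
# not in the space-separated allow-list.
unexpected_listeners() {
    listeners_from "$1" | awk -v allowed=" $2 " 'index(allowed, " " $3 " ") == 0'
}
```

Run on a schedule and diffed against a known baseline, an empty result from unexpected_listeners is the expected state; any output names the process and PID to investigate.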

September 25th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure


In a couple of previous articles I looked at automating the Application Layer Firewall in OS X. These are pretty common articles that get back-linked to the site, so I decided to update them earlier, rather than later, in the Lion release. The tools to automate firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall. And you will still use socketfilterfw there for much of the heavy lifting. However, there are now much more helpful and functional options in socketfilterfw that will allow you to more easily script the firewall. Some tricks I’ve picked up with ALF scripting:
  • Configure the firewall fully before turning it on (especially if you’re doing so through something like Casper or Absolute Manage, where you might otherwise kick yourself out of your session).
  • Whatever you do, you can always reset things back to defaults by removing the com.apple.alf.plist file from /Library/Preferences and replacing it with /usr/libexec/ApplicationFirewall/com.apple.alf.plist.
  • Configure global settings, then per-application settings.
  • To debug: /usr/libexec/ApplicationFirewall/socketfilterfw -d
In /usr/libexec/ApplicationFirewall is the Firewall command, the binary of the actual application layer firewall, and socketfilterfw, which configures the firewall. To configure the firewall to block all incoming traffic:
/usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on
A couple of global options can be set. Stealth mode:
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Firewall logging:
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
To start the firewall:
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
While it would be nice to think that that was going to be everything for everyone, it just so happens that some environments actually need to allow traffic. Therefore, traffic can be allowed per signed binary. To allow signed applications:
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
This will allow all TRUSTEDAPPS. The --listapps option shows the status of each filtered application:
/usr/libexec/ApplicationFirewall/socketfilterfw --listapps
This shows the number of exceptions, explicitly allowed apps and signed exceptions, as well as process names and allowed-app statuses. There is also a list of TRUSTEDAPPS, which will initially be populated by Apple tools with sharing capabilities (e.g. httpd and smbd). If you are enabling the firewall using a script, first sign your applications that need to allow sharing but are not in the TRUSTEDAPPS section by using the -s option along with the application binary (not the .app bundle):
/usr/libexec/ApplicationFirewall/socketfilterfw -s /Applications/MyApp.app/Contents/MacOS/myapp
Once signed, verify the signature:
/usr/libexec/ApplicationFirewall/socketfilterfw -v /Applications/MyApp.app/Contents/MacOS/myapp
Once verified, trust the application using the --add option:
/usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/MyApp.app/Contents/MacOS/myapp
To see a list of trusted applications, use the -l option:
/usr/libexec/ApplicationFirewall/socketfilterfw -l
If, in the course of your testing, you determine the firewall just isn’t for you, disable it:
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
Or stop it manually using launchctl (it should start again with a reboot):
launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
If you disable the firewall using launchctl, you may need to restart services for them to work again.
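As an added example (not the post's own script, nor Apple's), here is the sequence above put into a function that follows the ordering the tricks list recommends: global options first, then per-application signing and trust, and --setglobalstate on only at the very end, so a remote management session pushing the configuration is not cut off halfway. It assumes socketfilterfw at the path the post names; the binaries you pass in are whatever you supply. ALF_DRY_RUN=1 prints the commands instead of running them, which is how it can be exercised on a machine without the firewall.

```shell
#!/bin/bash
# Added example, not code from the original post: apply ALF settings in the
# order the post recommends (global options, per-app trust, then enable).
# Assumptions: socketfilterfw lives where the post says; binaries passed in
# are the executables inside the .app bundle, as the post points out.
# ALF_DRY_RUN=1 prints each command instead of executing it.

SFW=${SFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}

# alf_run ARGS...: run socketfilterfw, or print the command in dry-run mode.
alf_run() {
    if [ "${ALF_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$SFW $*"
    else
        "$SFW" "$@"
    fi
}

# alf_configure [BINARY ...]: the full sequence, firewall enabled last.
alf_configure() {
    # 1. Global settings first.
    alf_run --setstealthmode on
    alf_run --setloggingmode on
    alf_run --setallowsigned on
    # 2. Per-application settings: sign, verify, then trust each binary.
    for bin in "$@"; do
        if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
            printf 'skipping %s: not an executable file\n' "$bin" >&2
            continue
        fi
        alf_run -s "$bin"
        # Do not trust a binary whose signature does not verify.
        alf_run -v "$bin" || { printf 'signature check failed for %s\n' "$bin" >&2; continue; }
        alf_run --add "$bin"
    done
    # 3. Only now turn the firewall on.
    alf_run --setglobalstate on
}

# alf_last_step [BINARY ...]: dry-run helper that returns the final command
# alf_configure would issue, useful for checking the ordering in a script.
alf_last_step() {
    ( ALF_DRY_RUN=1; alf_configure "$@" 2>/dev/null ) | tail -n 1
}
```

Run it with sudo as alf_configure /Applications/MyApp.app/Contents/MacOS/myapp; a binary that is not an executable file, or whose signature does not verify, is skipped with a message rather than added to the trusted list.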

July 20th, 2011

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


Note: I had previously written this article for Mac OS X 10.5 but have put in a few updates and so thought it might be time to repost it. Mac OS X 10.5 and Mac OS X 10.6 have a multitude of ways to keep data from coming or going from a system. The traditional way is to use ipfw, although this isn’t the default way in 10.5 and above. Instead, you are meant to use the Application Layer Firewall (we’ll call it ALF for short), which is what you configure from the Security System Preference pane. You can enable the firewall simply enough by using the defaults command to augment the /Library/Preferences/com.apple.alf.plist file, setting the globalstate key to an integer of 1:
defaults write /Library/Preferences/com.apple.alf globalstate -int 1
You can also configure the firewall from the command line. Stopping and starting ALF, whether the global state has been set to 0 or 1, is easy enough using launchd. To stop:
launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
To start:
launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist
These will start and stop the firewall daemon (aptly named firewall) located in the /usr/libexec/ApplicationFirewall directory. As you can imagine, the settings for ALF can be configured from the command line as well. The socketfilterfw command, in this same directory, is the command that actually allows you to manage ALF. ALF works not by the simple boolean means of allowing or not allowing access to a port, but instead by limiting access by specific applications, more along the lines of Mandatory Access Controls (although not yet using the MAC framework). When an application is allowed to open or accept a network socket, it’s known as a trusted application, and ALF keeps a list of all of the trusted applications. You can view trusted applications using socketfilterfw with the -l option, although the output can be difficult to read, so you can constrain it by grepping for TRUSTEDAPPS as follows:
./socketfilterfw -l | grep TRUSTEDAPPS
You can also use the command line to add a trusted application using the -t option followed by the path to the actual application binary to be trusted. For example, to add FileMaker to the list of trusted apps you use something similar to the following, pointing to the binary, not the app bundle:
./socketfilterfw -t "/Applications/FileMaker Pro 9/FileMaker Pro.app/Contents/MacOS/FileMaker Pro"
Note: You can also use the socketfilterfw command to sign applications, verify signatures and enable debugging, using the -s, -v and -d options respectively. Finally, there are a number of global preferences for the firewall that can be configured using the /usr/libexec/ApplicationFirewall/com.apple.alf.plist preferences file. You might be looking at the path to this file and thinking that it looks odd and it should really be in /Library/Preferences. And you might be right. But the com.apple.alf.plist file there appears to be a bit of silly misdirection. Changes there simply don’t seem to have the desired response. Therefore, stick with the one in the /usr/libexec/ApplicationFirewall directory. Some keys in this file that might be of interest include globalstate (0 disables the firewall, 1 configures it for specific services and 2 is for essential services, as in the GUI), stealthenabled and loggingenabled. All are integers and fairly self-explanatory compared with the GUI settings in the System Preferences pane.

February 11th, 2010

Posted In: Mac OS X, Mac Security, Mass Deployment


Mac OS X 10.5 and Mac OS X 10.6 have a multitude of ways to keep data from coming or going from a system. The traditional way is to use ipfw, although this isn’t the default way in 10.5 and above. Instead, you are meant to use the Application Layer Firewall (we’ll call it ALF for short), which is what you configure from the Security System Preference pane. You can enable the firewall simply enough by using the defaults command to augment the /Library/Preferences/com.apple.alf.plist file, setting the globalstate key to an integer of 1:
defaults write /Library/Preferences/com.apple.alf globalstate -int 1
You can also configure the firewall from the command line. Stopping and starting ALF, whether the global state has been set to 0 or 1, is easy enough using launchd. To stop:
launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
To start:
launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist
These will start and stop the firewall daemon (aptly named firewall) located in the /usr/libexec/ApplicationFirewall directory. As you can imagine, the settings for ALF can be configured from the command line as well. The socketfilterfw command, in this same directory, is the command that actually allows you to manage ALF. ALF works not by the simple boolean means of allowing or not allowing access to a port, but instead by limiting access by specific applications, more along the lines of Mandatory Access Controls (although not yet using the MAC framework). When an application is allowed to open or accept a network socket, it’s known as a trusted application, and ALF keeps a list of all of the trusted applications. You can view trusted applications using socketfilterfw with the -l option, although the output can be difficult to read, so you can constrain it by grepping for TRUSTEDAPPS as follows:
./socketfilterfw -l | grep TRUSTEDAPPS
You can also use the command line to add a trusted application using the -t option followed by the path to the actual application binary to be trusted. For example, to add FileMaker to the list of trusted apps you use something similar to the following, pointing to the binary, not the app bundle:
./socketfilterfw -t "/Applications/FileMaker Pro 9/FileMaker Pro.app/Contents/MacOS/FileMaker Pro"
Note: You can also use the socketfilterfw command to sign applications, verify signatures and enable debugging, using the -s, -v and -d options respectively. Finally, there are a number of global preferences for the firewall that can be configured using the /usr/libexec/ApplicationFirewall/com.apple.alf.plist preferences file. You might be looking at the path to this file and thinking that it looks odd and it should really be in /Library/Preferences. And you might be right. But the com.apple.alf.plist file there appears to be a bit of silly misdirection. Changes there simply don’t seem to have the desired response. Therefore, stick with the one in the /usr/libexec/ApplicationFirewall directory. Some keys in this file that might be of interest include globalstate (0 disables the firewall, 1 configures it for specific services and 2 is for essential services, as in the GUI), stealthenabled and loggingenabled. All are integers and fairly self-explanatory compared with the GUI settings in the System Preferences pane.

March 30th, 2009

Posted In: Mac OS X, Mac Security
