krypted.com

Tiny Deathstars of Foulness

OS X Server has long had a VPN service that can be run. The server is capable of running the two most commonly used VPN protocols: PPTP and L2TP. The L2TP protocol is always in use, but the server can run both concurrently. You should use L2TP when at all possible. Sure, “All the great themes have been used up and turned into theme parks.” But security is a theme that it never hurts to keep in the forefront of your mind. If you were thinking of exposing the other services in OS X Server to the Internet without having users connect to a VPN service then you should think again, because the VPN service is simple to setup and even simpler to manage. Setting Up The VPN Service In OS X Server To setup the VPN service, open the Server app and click on VPN in the Server app sidebar. The VPN Settings  screen has two options available in the “Configure VPN for” field, which has two options:
  • L2TP: Enables only the L2TP protocol
  • L2TP and PPTP: Enables both the L2TP protocol and the PPTP protocol
Screen Shot 2015-09-22 at 10.23.05 PM The VPN Host Name field is used by administrators leveraging profiles. The setting used becomes the address for the VPN service in the Everyone profile. L2TP requires a shared secret or an SSL certificate. In this example, we’ll configure a shared secret by providing a password in the Shared Secret field. Additionally, there are three fields, each with an Edit button that allows for configuration:
  • Client Addresses: The dynamic pool of addresses provided when clients connect to the VPNScreen Shot 2015-09-22 at 10.24.23 PM
  • DNS Settings: The name servers used once a VPN client has connected to the server. As well as the Search Domains configuration.Screen Shot 2015-09-22 at 10.25.11 PM
  • Routes: Select which interface (VPN or default interface of the client system) that a client connects to each IP address and subnet mask over. Screen Shot 2015-09-22 at 10.25.50 PM
  • Save Configuration Profile: Use this button to export configuration profiles to a file, which can then be distributed to client systems (OS X using the profiles command, iOS using Apple Configurator or both using Profile Manager).
Once configured, open incoming ports on the router/firewall. PPTP runs over port 1723. L2TP is a bit more complicated (with keys bigger than a baby’s arm), running over 1701, but also the IP-ESP protocol (IP Protocol 50). Both are configured automatically when using Apple AirPorts as gateway devices. Officially, the ports to forward are listed at http://support.apple.com/kb/TS1629. Using The Command Line I know, I’ve described ways to manage these services from the command line before. But, “tonight we have number twelve of one hundred things to do with your body when you’re all alone.” The serveradmin command can be used to manage the service as well as the Server app. The serveradmin command can start the service, using the default settings, with no further configuration being required: sudo serveradmin start vpn And to stop the service: sudo serveradmin stop vpn And to list the available options: sudo serveradmin settings vpn The output of which shows all of the VPN settings available via serveradmin (which is many more than what you see in the Server app: vpn:vpnHost = "elcapserver.krypted.lan"
vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains = _empty_array
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP"
vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE"
vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.210.240"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.210.254"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"
vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0
vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains = _empty_array
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.210.224"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.210.239"
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "yaright" To disable L2TP, set vpn:Servers:com.apple.ppp.l2tp:enabled to no: sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled = no To configure how long a client can be idle prior to being disconnected: sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 10 By default, each protocol has a maximum of 128 sessions, configureable using vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions: sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 200 To see the state of the service, the pid, the time the service was configured, the path to the log files, the number of clients and other information, use the fullstatus option: sudo serveradmin fullstatus vpn Which returns output similar to the following: vpn:servicePortsAreRestricted = "NO"
vpn:readWriteSettingsVersion = 1
vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128"
vpn:servers:com.apple.ppp.pptp:Type = "PPP"
vpn:servers:com.apple.ppp.pptp:SubType = "PPTP"
vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth"
vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.l2tp:Type = "PPP"
vpn:servers:com.apple.ppp.l2tp:enabled = yes
vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0
vpn:servers:com.apple.ppp.l2tp:SubType = "L2TP"
vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = "DSAuth"
vpn:servicePortsRestrictionInfo = _empty_array
vpn:health = _empty_dictionary
vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"
vpn:configured = yes
vpn:state = "STOPPED"
vpn:setStateVersion = 1 Security folk will be stoked to see that the shared secret is shown in the clear using: vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "a dirty thought in a nice clean mind" Configuring Users For VPN Access Each account that accesses the VPN server needs a valid account to do so. To configure existing users to use the service, click on Users in the Server app sidebar. Screen Shot 2015-09-22 at 10.28.10 PM At the list of users, click on a user and then click on the cog wheel icon, selecting Edit Access to Services. Screen Shot 2015-09-22 at 10.28.30 PM At the Service Access screen will be a list of services that could be hosted on the server; verify the checkbox for VPN is highlighted for the user. If not, click Manage Service Access, click Manage and then check the VPN box. Screen Shot 2015-09-22 at 10.29.07 PM Setting Up Client Computers As you can see, configuring the VPN service in OS X Server 5 (running on El Capitan and Yosemite) is a simple and straight-forward process – much easier than eating your cereal with a fork and doing your homework in the dark.. Configuring clients is as simple as importing the profile generated by the service. However, you can also configure clients manually. To do so in OS X, open the Network System Preference pane. From here, click on the plus sign (“+”) to add a new network service. Screen Shot 2015-09-22 at 10.30.27 PM At the prompt, select VPN in the Interface field and then either PPTP or L2TP over IPSec in the VPN Type. Then provide a name for the connection in the Service Name field and click on Create. Screen Shot 2015-09-22 at 10.31.01 PM At the list of network interfaces in the Network System Preference pane, provide the hostname or address of the server in the Server Address field and the username that will be connecting to the VPN service in the Account Name field. If using L2TP, click on Authentication Settings. Screen Shot 2015-09-22 at 10.31.35 PM At the prompt, provide the password entered into the Shared Secret field earlier in this article in the Machine Authentication Shared Secret field and the user’s password in the User Authentication Password field. When you’re done, click OK and then provided you’re outside the network and routeable to the server, click on Connect to test the connection. Conclusion Setting Up the VPN service in OS X Server 5 (for Yosemite or El Capitan) is as simple as clicking the ON button. But much more information about using a VPN can be required. The natd binary is still built into OS X at /usr/sbin/natd and can be managed in a number of ways. But it’s likely that the days of using an OS X Server as a gateway device are over, if they ever started. Sure “feeling screwed up at a screwed up time in a screwed up place does not necessarily make you screwed up” but using an OS X Server for NAT when it isn’t even supported any more probably does. So rather than try to use the server as both, use a 3rd party firewall like most everyone else and then use the server as a VPN appliance. Hopefully it can do much more than just that to help justify the cost. And if you’re using an Apple AirPort as a router (hopefully in a very small environment) then the whole process of setting this thing up should be super-simple.

September 23rd, 2015

Posted In: Mac OS X Server, Mac Security

Tags: , , , , , , , , , , ,

The mkdir command is used to create directories. Sometimes, in testing, you need to have a lot of directories. So, you can use the following command to create 10,000 5 digit directories, named 00001 to 10000: mkdir $(printf '%05d\n' {1..10000})

July 13th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Ubuntu, Unix

Tags: , , , ,

I was recently building some preflight scripts and was looking to record some information about a machine live, before proceeding with a script. I found the cheapest way to determine information about architectures and chipsets when scripting preflight scripts for OS X to be the arch and machine commands respectively. For example, to verify the architecture is i386, use the arch command with no options: /usr/bin/arch Which simply outputs “i386”: i386 To check the machine type, simply use the machine command: /usr/bin/machine Which outputs as follows: x86_64h

December 14th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure

Tags: , , , , , , ,

QuickLook scans file contents before you open those files. Usually this just lets you view a file quickly. But you can also use this same technology from the command line to bring about a change to the Finder without actually opening a file. To access QuickLook from the command line, use qlmanage. qlmanage -p ~/Desktop/MyTowel42.pdf While open, click the space bar to go back to your Terminal session. The most notable use case here is that when you use qlmanage you don’t run the risk of changing the date/time stamp of the files.

November 10th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , ,

You can export profiles from Apple Configurator or Profile Manager (or some of the 3rd party MDM tools). You can then install profiles by just opening them and installing. Once profiles are installed on a Mac, mdmclient, a binary located in /usr/libexec will process changes such as wiping a system that has been FileVaulted (note you need to FileVault if you want to wipe an OS X Lion client computer). /System/Library/LaunchDaemons and /System/Library/LaunchAgents has a mdmclient daemon and agent respectively that start it up automatically. To script profile deployment, administrators can add and remove configuration profiles using the new /usr/bin/profiles command. To see all profiles, aggregated, use the profiles command with just the -P option: /usr/bin/profiles -P As with managed preferences (and piggy backing on managed preferences for that matter), configuration profiles can be assigned to users or computers. To see just user profiles, use the -L option: /usr/bin/profiles -L You can remove all profiles using -D: /usr/bin/profiles -D The -I option installs profiles and the -R removes profiles. Use -p to indicate the profile is from a server or -F to indicate it’s source is a file. To remove a profile: /usr/bin/profiles -R -F /tmp/HawkeyesTrickshot.mobileconfig To remove one from a server: /usr/bin/profiles -R -p com.WestCoastAvengers.HawkeyesTrickshot The following installs HawkeyesTrickshot.mobileconfig from /tmp: /usr/bin/profiles -I -F /tmp/HawkeyesTrickshot.mobileconfig If created in Profile Manager: /usr/bin/profiles -I -p com.WestCoastAvengers.HawkeyesTrickshot There is a nifty new feature in the profiles command in Yosemite where you can configure profiles to install at the next boot, rather than immediately. Use the -s to define a startup profile and take note that if it fails, the profile will attempt to install at each subsequent reboot until installed. To use the command, simply add a -s then the -F for the profile and the -f to automatically confirm, as follows (and I like to throw in a -v usually for good measure): profiles -s -F /Profiles/SuperAwesome.mobileconfig -f -v And that’s it. Nice and easy and you now have profiles that only activate when a computer is started up. As of OS X Yosemite, the dscl command has extensions for dealing with profiles as well. These include the available MCX Profile Extensions: -profileimport -profiledelete -profilelist [optArgs]
-profileexport -profilehelp To list all profiles from an Open Directory object, use 
-profilelist. To run, follow the dscl command with -u to specify a user, -P to specify the password for the user, then the IP address of the OD server (or name of the AD object), then the profilelist verb, then the relative path. Assuming a username of diradmin for the directory, a password of moonknight and then cedge user: dscl -u diradmin -P moonknight 192.168.210.201 profilelist /LDAPv3/127.0.0.1/Users/cedge To delete that information for the given user, swap the profilelist extension with profiledelete: dscl -u diradmin -P apple 192.168.210.201 profilelist /LDAPv3/127.0.0.1/Users/cedge If you would rather export all information to a directory called ProfileExports on the root of the drive: dscl -u diradmin -P moonknight 192.168.210.201 profileexport . all -o /ProfileExports Note: Provisioning profiles can also be managed, frequently using the lower-case variant of installation and removal (e.g. -i to install, -r to remove, -c to list and -d to delete all provisioning profiles). Provisioning profiles can also come with a -u option to show the uuid. Finally, the -V option verifies a provisioning profile. In Yosemite we have a few new options, such as -H which shows whether a profile was installed, -z to define a removal password and -o to output a file path for removal information. Also, in Yosemite it seems as though if a configuration profile was pushed to you from MDM, you can’t remove it (fyi, I love having the word fail as a standalone in verbose output):
bash-3.2# profiles -P _computerlevel[1] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A _computerlevel[2] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003 _computerlevel[3] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397 charlesedge[4] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328 charlesedge[5] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6 _computerlevel[6] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783 _computerlevel[7] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1 _computerlevel[8] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0 There are 8 configuration profiles installed bash-3.2# profiles -r 772BED54-5EDF-4987-94B9-654456CF0B9A bash-3.2# profiles -P _computerlevel[1] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1 _computerlevel[2] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783 _computerlevel[3] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0 _computerlevel[4] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003 _computerlevel[5] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A _computerlevel[6] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397 charlesedge[7] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6 charlesedge[8] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328 There are 8 configuration profiles installed bash-3.2# profiles -rv 772BED54-5EDF-4987-94B9-654456CF0B9A profiles: verbose mode ON profiles: returned error: -204 fail

October 17th, 2014

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , ,

After writing up the presentation for MacSysAdmin in Sweden, I decided to go ahead and throw these into a quick cheat sheet for anyone who’d like to have them all in one place. Good luck out there, and stay salty. Get an ip address for en0: ipconfig getifaddr en0 Same thing, but setting and echoing a variable: ip=`ipconfig getifaddr en0` ; echo $ip View the subnet mask of en0: ipconfig getoption en0 subnet_mask View the dns server for en0: ipconfig getoption en0 domain_name_server Get information about how en0 got its dhcp on: ipconfig getpacket en1 View some network info: ifconfig en0 Set en0 to have an ip address of 10.10.10.10 and a subnet mask of 255.255.255.0: ifconfig en0 inet 10.10.10.10 netmask 255.255.255.0 Show a list of locations on the computer: networksetup -listlocations Obtain the active location the system is using: networksetup -getcurrentlocation Create a network location called Work and populate it with information from the active network connection: networksetup -createlocation Work populate Delete a network location called Work: networksetup -deletelocation Work Switch the active location to a location called Work: networksetup -switchlocation Work Switch the active location to a location called Work, but also show the GUID of that location so we can make scripties with it laters: scselect Work List all of the network interfaces on the system: networksetup -listallnetworkservices Rename the network service called Ethernet to the word Wired: networksetup -renamenetworkservice Ethernet Wired Disable a network interface: networksetup -setnetworkserviceenabled off Change the order of your network services: networksetup -ordernetworkservices “Wi-Fi” “USB Ethernet” Set the interface called Wi-Fi to obtain it if it isn’t already networksetup -setdhcp Wi-Fi Renew dhcp leases: ipconfig set en1 BOOTP && ipconfig set en1 DHCP ifconfig en1 down && ifconfig en1 up Renew a dhcp lease in a script: echo "add State:/Network/Interface/en0/RefreshConfiguration temporary" | sudo scutil Configure a manual static ip address: networksetup -setmanual Wi-Fi 10.0.0.2 255.255.255.0 10.0.0.1 Configure the dns servers for a given network interface: networksetup -setdnsservers Wi-Fi 10.0.0.2 10.0.0.3 Obtain the dns servers used on the Wi-Fi interface: networksetup -getdnsservers Wi-Fi Stop the application layer firewall: launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist Start the application layer firewall: launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist Allow an app to communicate outside the system through the application layer firewall: socketfilterfw -t
“/Applications/FileMaker Pro/FileMaker Pro.app/Contents/MacOS/FileMaker Pro” See the routing table of a Mac: netstat -nr Add a route so that traffic for 10.0.0.0/32 communicates over the 10.0.9.2 network interface: route -n add 10.0.0.0/32 10.0.9.2 Log bonjour traffic at the packet level: sudo killall -USR2 mDNSResponder Stop Bonjour: launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
 Start Bojour: launchctl load -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist Put a delay in your pings: ping -i 5 192.168.210.1 Ping the hostname 5 times and then stop the ping: ping -c 5 google.com Flood ping the host: ping -f localhost Set the packet size during your ping: ping -s 100 google.com Customize the source IP during your ping: ping -S 10.10.10.11 google.com View disk performance: iostat -d disk0 Get information about the airport connection on your system: /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I Scan the available Wireless networks: /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s Trace the path packets go through: traceroute google.com Trace the routes without looking up names: traceroute -n google.com Trace a route in debug mode: traceroute -d google.com View information on all sockets: netstat -at View network information for ipv6: netstat -lt View per protocol network statistics: netstat -s View the statistics for a specific network protocol: netstat -p igmp Show statistics for network interfaces: netstat -i View network information as it happens (requires ntop to be installed): ntop Scan port 80 of www.google.com /System/Library/CoreServices/Applications/Network\ Utility.app/Contents/Resources/stroke www.google.com 80 80 Port scan krypted.com stealthily: nmap -sS -O krypted.com/24 Establish a network connection with www.apple.com: nc -v www.apple.com 80 Establish a network connection with gateway.push.apple.com over port 2195 /usr/bin/nc -v -w 15 gateway.push.apple.com 2195 Establish a network connection with feedback.push.apple.com only allowing ipv4 /usr/bin/nc -v -4 feedback.push.apple.com 2196 Setup a network listener on port 2196 for testing: /usr/bin/nc -l 2196 Capture some packets: tcpdump -nS Capture all the packets: tcpdump -nnvvXS Capture the packets for a given port: tcpdump -nnvvXs 548 Capture all the packets for a given port going to a given destination of 10.0.0.48: tcpdump -nnvvXs 548 dst 10.0.0.48 Capture the packets as above but dump to a pcap file: tcpdump -nnvvXs 548 dst 10.0.0.48 -w /tmp/myfile.pcap Read tcpdump (cap) files and try to make them human readable: tcpdump -qns 0 -A -r /var/tmp/capture.pcap What binaries have what ports and in what states are those ports: lsof -n -i4TCP Make an alias for looking at what has a listener open, called ports: alias ports='lsof -n -i4TCP | grep LISTEN' Report back the name of the system: hostname Flush the dns cache: dscacheutil -flushcache Clear your arp cache: arp -ad View how the Server app interprets your network settings: serveradmin settings network Whitelist the ip address 10.10.10.2: /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 10.10.10.2 Finally, the script network_info.sh shows information about a Macs network configuration. Both active and inactive network interfaces are listed, in the order that they are used by the OS and with a lot of details (MAC-address, interface name, router, subnet mask etc.).

September 25th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure

Tags: , , , , , , , , , , , , , , ,

Stroke got moved, so dug this up and am reprinting with the latest and greatest location.

Network Utility has a port scanner – it’s built in and really easy to use. Sure, stroke isn’t nmap, but it’s not trying to be… Since Network Utility is distributed with every copy of Mac OS X it stands to reason that every copy of Mac OS X has the ability to scan a port without using a GUI tool.  Enter one of the best named tools in Mac OS X, stroke.  Stroke is the command line back-end to the Port Scan tab of Network Utility.  To use stroke, you will need to cd into the Network Utility application bundle and then cd into Contents and then Resources.

Once you are at “/System/Library/CoreServices/Applications/Network Utility.app/Contents/Resources”, you will need to provide stroke with an IP address (or name), followed by the first port to scan and then the last (or the same number twice if your range is only one IP address.  For example, if you want to port scan port 80 on your own system you could use the following:

./stroke 127.0.0.1 80 80

But you shouldn’t just stroke yourself (sorry, couldn’t help it).  You should also stroke others (Clarence Carter be damned!).  So if you want to port scan www.google.com for port 80 the following would achieve such a lofty goal:

./stroke www.google.com 80 80

Because the name www.google.com has to resolve, you’re actually able to check whether a DNS error occurs and whether you can communicate over port 80 to the host in one command.  If you want to make a copy of stroke into a directory and then add it to your environment variable’s PATH you can then use it without needing to change your working directory.

September 8th, 2014

Posted In: Mac OS X, Mac Security, Network Infrastructure

Tags: , , , ,

(Guest post by Allister Banks) Working with modern tools in the ‘auto'(dmg/pkg) suite, it sure reinforces the old chestnut, ‘it’s turtles XML all the way down.’ The thing that struck me when first diving into using autopkg was that different product recipes could potentially have a good amount of similarities when they share common processors. One example is drag-drop apps that can be discovered with an ‘appcast’ URL, which, in my recollection, became common as the Sparkle framework gained popularity. This commonality is exactly the type of thing sysadmins like myself seek to automate, so I built a few helper scripts to 1. discover what apps have appcast URLs, 2. generate the base download recipe, and further, the 3. pkg-building recipe that can use the download recipe as a ‘parent’, and the 4. munki or JSS recipes which can nest the pkg recipe in it. Recursivity is the new black. screnshotsOfCode Please do take a look if you feel you’ve got apps that folks haven’t built recipes for yet, and laugh at/use/fork my code as you see fit!

April 3rd, 2014

Posted In: Uncategorized

Tags: , , , , , ,

On a Mac, I frequently use the tail command to view files as they’re being written to or in use. You can use the Get-EventLog cmdlet to view logs. The Get-EventLog cmdlet has two options I’ll point out in this article. The first is -list and -newest. The first is used to view a list of event logs, along with retention cycles for logs, log sizes, etc. Get-EventLog -list You can then take any of the log types and view information about them. To see System information: Get-EventLog System There will be too much information in many of these cases, so use the -newest option to see just the latest: Get-EventLog system -newest 5 The list will have an Index number and an EventID. The EventID can then be used to research information about each error code. For example, at http://eventid.net.

February 8th, 2014

Posted In: Microsoft Exchange Server, Windows Server, Windows XP

Tags: , , , , , , , , , , ,

Spotlight is really a simple tool. Spotlight consists of mds, a command that is the metadata server, mdworker, the pawn that mds sends to scan objects and index them and then the three command lines of mdutil (manage the indexes), mdls (list metadata of an object) and mdfind, which as the name implies, finds things. All of this is used to keep a database called .store.db nested under .Spotlight-V100 at the root of each volume that’s been indexed. Screen Shot 2013-11-14 at 9.39.09 PM To reindex Spotlight from the command line, we’ll use mdutil. From a command prompt, enter the following to index your boot volume. sudo mdutil -E / Or an external drive named krypted: sudo mdutil -E /Volumes/krypted When indexing, you will see the mds and mdworker processes running. If the process does not seem to be completing timely, you can use lsof to see where it is in the process. If the indexing errors then try and manually reindex based on the file that you see from where it crapped out: mdimport /Volumes/krypted/designingwomencollection/episode0101.mov Or to mdimport the directory that might be problematic: mdimport /Volumes/krypted/designingwomencollection Finally, the attributes that are tracked by Spotlight are many. The metadata attributes themselves are typically in xattr. For example, Command Line Finder Tags (http://krypted.com/mac-os-x/command-line-finder-tags/).  To see the raw metadata for a file, use xattr: xattr -l /Volumes/krypted/designingwomencollection/episodelist.pdf The output of which would include the following: com.apple.FinderInfo: 00000000  00 00 00 00 00 00 00 00 00 1C 00 00 00 00 00 00  |................| 00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................| 00000020 com.apple.metadata:_kMDItemUserTags: 00000000  62 70 6C 69 73 74 30 30 A1 01 55 52 65 64 0A 36  |bplist00..URed.6| 00000010  08 0A 00 00 00 00 00 00 01 01 00 00 00 00 00 00  |................| 00000020  00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................| 00000030  00 10                                            |..| 00000032 com.apple.quarantine: 0041;520d0314;Safari; The more metadata (QuickTime and some other apps can put a lot of metadata in files btw) the more you’d see. You can assign metadata manually or even exclude directories from indexing if you see the system is stuck on indexing a given directory.

November 15th, 2013

Posted In: Mac OS X, Mac Security, Mass Deployment

Tags: , , , , , , ,

« Previous PageNext Page »