Tiny Deathstars of Foulness

OS X has a built-in web server called Apache. It’s been there for a long, long time. Once upon a time, you could enable web sharing using System Preferences. This is no longer a feature in the Sharing System Preference pane, but you can actually enable it quicker than you could before. To do so, we’ll use apachectl:

/usr/sbin/apachectl start

To then stop the web server:

/usr/sbin/apachectl stop

To see the apache status:

/usr/sbin/apachectl status


/usr/sbin/apachectl fullstatus

The default site is stored in /Library/WebServer/Documents. You can then edit this there, or replace the index.html.en file with a file/hierarchy that you wish to have.

Screen Shot 2015-12-08 at 10.12.25 AM


December 22nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , ,

The tools to automate OS X firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall. And you will still use socketfilterfw there for much of the heavy lifting. However, now there are much more helpful and functional options in socketfilterfw that will allow you to more easily script the firewall.

Some tricks I’ve picked up with the Mac Firewall/alf scripting:

  • Configure the firewall fully before turning it on (especially if you’re doing so through something like Casper, FileWave, Munki, or Absolute Manage where you might kick yourself out of your session otherwise).
  • Whatever you do, you can always reset things back to defaults by removing the file from /Library/Preferences replacing it with the default plist from /usr/libexec/ApplicationFirewall/
  • Configure global settings, then per-application settings, then enable the firewall. If a remote system, do ;wait; and then enable the first time to make sure everything works before enabling the firewall for good.
  • To debug, use the following command: “/usr/libexec/ApplicationFirewall/socketfilterfw -d”

In /usr/libexec/ApplicationFirewall is the Firewall command, the binary of the actual application layer firewall and socketfilterfw, which configures the firewall. To configure the firewall to block all incoming traffic:

/usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

To see if block all is enabled:

/usr/libexec/ApplicationFirewall/socketfilterfw --getblockall

The output would be as follows, if successful:

Firewall is set to block all non-essential incoming connections

A couple of global options that can be set. Stealth Mode:

/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

To check if stealth mode is enabled:

/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode

Firewall logging:

/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

You can also control the verbosity of logs, using throttled, brief or detail. For example, if you need to troubleshoot some issues, you might set the logging to detail using the following command:

/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt: detail

To start the firewall:

/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

While it would be nice to think that that was going to be everything for everyone, it just so happens that some environments actually need to allow traffic. Therefore, traffic can be allowed per signed binary. To allow signed applications:

/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on

To check if you allow signed apps:

/usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned

This will allow all TRUSTEDAPPS. The –listapps option shows the status of each filtered application:

/usr/libexec/ApplicationFirewall/socketfilterfw --listapps

To check if an app is blocked:

/usr/libexec/ApplicationFirewall/socketfilterfw –getappblocked /Applications/

This shows the number of exceptions, explicitly allowed apps and signed exceptions as well as process names and allowed app statuses. There is also a list of TRUSTEDAPPS, which will initially be populated by Apple tools with sharing capabilities (e.g. httpd & smbd). If you are enabling the firewall using a script, first sign your applications that need to allow sharing but are not in the TRUSTEDAPPS section by using the -s option along with the application binary (not the .app bundle):

/usr/libexec/ApplicationFirewall/socketfilterfw -s /Applications/

Once signed, verify the signature:

/usr/libexec/ApplicationFirewall/socketfilterfw -v /Applications/

Once signed, trust the application using the –add option:

/usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/

To see a list of trusted applications. You can do so by using the -l option as follows (the output is pretty ugly and needs to be parsed better):

/usr/libexec/ApplicationFirewall/socketfilterfw -l

If, in the course of your testing, you determine the firewall just isn’t for you, disable it:

/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

To sanity check whether it’s started:

/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

Or to manually stop it using launchctl (should start again with a reboot):

launchctl unload /System/Library/LaunchAgents/
launchctl unload /System/Library/LaunchDaemons/

If you disable the firewalll using launchctl, you may need to restart services for them to work again.

July 16th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , ,

Installing Active Directory services is arguably one of the first things done on many a Windows Server. And for well over a decade you could unbox, update, run dcpromo and be done with much of that. While the wizards are still there, in the case of Windows Server 2012, the process has changed ever-so-slightly. To install a domain controller in Windows Server 2012, start with Server Manager. This new tool is the place where you start many a process in a Windows Server now, and Active Directory is no different.

To get started, first open Server Manager.

Screen Shot 2013-08-08 at 3.54.57 PM

From Server Manager, click on the Manage menu and select Add Roles and Features. At the Before you begin screen in the Add Roles and Features Wizard, click on Next.

Screen Shot 2013-08-08 at 3.55.00 PM

At the Installation Type screen, choose Role-based or feature-based installation and click Next.

Screen Shot 2013-08-08 at 3.55.02 PM

At the Server Selection screen, choose the server you’d like to install the Active Directory role on and then click Next. If you only have one server then you should only have one listing here.

Screen Shot 2013-08-08 at 3.55.06 PM

There are a number of Roles a domain controller can have. For many environments, a simple Domain Services role will be sufficient, especially on the first 2012 server in the environment. To select this, at the Server Roles screen, choose Active Directory Domain Services and then click on Next.

Screen Shot 2013-08-08 at 3.55.14 PM

A sanity check will run to verify all the required Features and other Roles are installed. If not, you’ll be presented with a list of items that will be installed in support of the Role being deployed. Click Add Features for most environments, unless you have the tools to manage the Role installed elsewhere.

Screen Shot 2013-08-08 at 3.55.17 PM

Back at the Server Roles screen, click Next, unless you’d like to install other Roles as well.

Screen Shot 2013-08-08 at 3.55.21 PM

At the Features screen, click Next, unless you’d like to install other features as well.

Screen Shot 2013-08-08 at 3.55.32 PM

At the AD DS screen, click Next.

Screen Shot 2013-08-08 at 3.55.57 PM

At the Confirmation screen, click Install. You can also tell the server to restart automatically here, so do that as well.

Screen Shot 2013-08-08 at 3.56.02 PM

Once the installation is complete, you’ll see a yellow icon indicating that something needs to happen with the server. The menu that appears contains a link to promote the server to a domain controller. Click the link to bring up the Deployment Configuration wizard.

Screen Shot 2013-08-08 at 4.30.05 PM

At the Deployment Configuration screen of the wizard you can choose whether to add the domain controller to an existing domain or create a new forest. In this case, we’ll select the “Add a new forest” option. When highlighted, you will be able to provide a name for the domain. here we use Once the name is provided, click Next.

Screen Shot 2013-08-08 at 4.30.42 PM

At the Domain Controller Options screen, choose whether the server will be an AD Integrated DNS Server, a Global Catalog server, possibly a Read only domain controller and provide a Directory Services Restore Mode (DSRM) password used to restore the environment in case it fails. Also, choose the functional level of both the domain and forest. Because this is a new environment with no 2003 to 2008 servers we will leave the levels set to Windows Server 2012. Click Next when you’re satisfied with your entries.

Screen Shot 2013-08-08 at 4.33.14 PM

If you decided to enable DNS, you will have the option to also install DNS delegation which you should do if possible, in most environments. Click Next.

Screen Shot 2013-08-08 at 4.33.48 PM

At the Additional Options screen, provide a NetBIOS name. This is usually a 8 character or less rendition of the same domain name, often used in legacy tools or prepended to usernames and passwords when namespace collisions occur with account names. When you’ve provided the name, click Next.

Screen Shot 2013-08-08 at 4.34.09 PM

At the Paths screen, indicate where you want the directories that contain the Active Directory files stored. Most environments can leave these to the default settings and click Next.

Screen Shot 2013-08-08 at 4.34.26 PM

At the Review Options screen, click Next provided that all of the options match the information you provided/desire.

Screen Shot 2013-08-08 at 4.34.29 PM

At the Installation screen, click Install and watch the Progress (takes a minute or three usually to complete).

Screen Shot 2013-08-08 at 4.42.53 PM

Once completed, open the Tools menu in Server Manager to see the tools formerly available in the Administrative Tools section of the Start menu, including Active Directory Domains and Trusts, Active Directory Power Shell, Active Directory Sites and Services and Active Directory Users and Computers, which mostly look like they’ve looked for a long time (but with a pretty blue frame around the screen).

Screen Shot 2013-08-09 at 9.14.19 AM

Additionally, there’s an Active Directory Administrative Center, which provides quick and easy access to a number of features from other tools and allows you to change domain controllers, raise the domain/forest functional levels (useful when upgrading from previous incantations of Active Directory), etc.

Screen Shot 2013-08-10 at 3.31.59 PM

August 12th, 2013

Posted In: Active Directory, Windows Server

Tags: , , , , , ,

iChat Server was sooooo easy to configure. iChat Server is now Messages Server. Both use the open source jabber project as their back-end code base. Lucky us, all Apple did in the latest iteration is change the name of the service in the Server app, leaving the command line effectively untouched. The paths to things serverish have changed. The jabberd binary is now at /Applications/ and the autobuddy binary is at /Applications/ Given the importance of having multiple binaries that do the same thing, another jabberd binary is also stored at /Applications/ Note that the man page says it’s in /etc. But I digress.

Setting up the Messages service is simple. Open the Server app and click on Messages in the Server app sidebar.

“I brought you some supper but if you’d prefer a lecture, I’ve a few very catchy ones prepped…sin and hellfire… one has man page lepers.”

Once open, click on the checkbox for “Enable server-to-server federation” if you have multiple iChat, er, I mean, Messages servers and then click on the checkbox for “Archive all chat messages” if you’d like transcripts of all Messages sessions that route through the server to be saved on the server. You should use an SSL certificate with the Messages service. If enabling federation so you can have multiple Messages servers, you have to. Before enabling the service, click on the name of the server in the sidebar of Server app and then click on the Settings tab. From here, click on Edit for the SSL Certificate (which should be plural btw) entry to bring up a screen to select SSL Certificates.

“Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious.”

At the SSL Certificates screen (here it’s plural!), select the certificate the Messages service should use from the available list supplied beside that entry and click on the OK button. If you need to setup federation, click back on the Messages service in the sidebar of Server app and then click on the Edit button. Then, click on the checkbox for Require server-to-server federation (making sure each server has the other’s SSL certificate installed) and then choose whether to allow any server to federate with yours or to restrict which servers are allowed. I have always restricted unless I was specifically setting up a server I wanted to be public (like public as in everyone in the world can federate to it, including the gorram reavers that want to wear your skin).

“And I think calling him that is an insult to the psychotic lowlife community.”

To restrict the service, then provide a list of each server address capable of communicating with your server. Once all the servers are entered, click the OK button.

Obviously, if you only have one server, you can skip that. Once the settings are as you wish them to be, click on the ON/OFF switch to light up the service. To see the status of the service, once started, use the fullstatus option with serveradmin followed by the jabber indicator:

sudo serveradmin fullstatus jabber

The output includes whether the service is running, the location of jabber log files, the name of the server as well as the time the service was started, as can be seen here:

jabber:state = "RUNNING"
jabber:roomsState = "RUNNING"
jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
jabber:logPaths:MUC_STD_LOG = "/var/log/system.log"
jabber:logPaths:JABBER_LOG = "/var/log/system.log"
jabber:proxyState = "RUNNING"
jabber:currentConnections = "32"
jabber:currentConnectionsPort1 = "32"
jabber:currentConnectionsPort2 = "0"
jabber:pluginVersion = "10.8.177"
jabber:servicePortsAreRestricted = "NO"
jabber:servicePortsRestrictionInfo = _empty_array
jabber:hostsCommaDelimitedString = ""
jabber:hosts:_array_index:0 = ""
jabber:setStateVersion = 1
jabber:startedTime = "2012-08-02 02:53:26 +0000"
jabber:readWriteSettingsVersion = 1

There are also a few settings not available in the Server app. One of these that can be important is the port used to communicate between the Messages client and the Messages service on the server. For example, to customize this to 8080, use serveradmin followed by settings and then jabber:jabberdClientPortSSL = 8080, as follows:

sudo serveradmin settings jabber:jabberdClientPortSSL = 8080

To change the location of the saved Messages transcripts (here, we’ll set it to /Volumes/Pegasus/Book:

sudo serveradmin settings jabber:savedChatsLocation = "/Volumes/Pegasus/Book"

To see a full listing of the options, just run settings with the jabber service:

sudo serveradmin settings jabber

The output lists each setting configurable

jabber:s2sRestrictDomains = no
jabber:authLevel = "STANDARD"
jabber:savedChatsLocation = "/Library/Server/Messages/Data/message_archives"
jabber:sslKeyFile = ""
jabber:enableXMPP = yes
jabber:initialized = yes
jabber:jabberdClientPortSSL = 5223
jabber:sslCAFile = ""
jabber:requireSecureS2S = no
jabber:savedChatsArchiveInterval = 7
jabber:hostsCommaDelimitedString = ""
jabber:jabberdDatabasePath = "/Library/Server/Messages/Data/sqlite/jabberd2.db"
jabber:jabberdS2SPort = 5269
jabber:hosts:_array_index:0 = ""
jabber:jabberdClientPortTLS = 5222
jabber:enableSavedChats = no

To stop the service:

sudo serveradmin stop jabber

And to start it back up:

sudo serveradmin start jabber

It’s also worth noting something that’s completely missing in this whole thing: Apple Push Notifications… Why is that important? Well, you use the Messages application to communicate not only with Mac OS X and other jabber clients, but you can also use Messages to send text messages. Given that there’s nothing in the server that has anything to do with texts, push or anything of the sort, it’s worth noting that these messages don’t route through the server and therefore still require an iCloud account. Not a huge deal, but worth mentioning that Messages server doesn’t have the same updates built into the Messages app. Because messages don’t traverse the server, there’s no transcripts.

“This is what I do, darlin’. This is what I do.”

August 2nd, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , , , , , ,

The Dock is, by default, anchored to the middle of the screen. However, in some environments you may want to have it skewed to one side of the screen. In order to do this Apple provides the ability to use pinning. Pinning will pin the dock to the start, end or middle; by default it’s pinned to the middle. If you pin the dock to the start and it’s either on the right or left side of the screen then it will appear to be skewed towards the top. If you pin it to the start and it’s on the bottom then it will skew to the left of the screen. In order to pin the dock to the start you can use the following command:

defaults write pinning -string start

Once you’ve changed the pinning position you will not immediately see a change. First you need to kill the Dock. You can do this by rebooting or simply using the killall command using Dock as a pattern:

killall Dock

If you pin the dock to the end and it’s either on the right or left side of the screen then it will appear to be skewed towards the bottom of the screen. If you pin it to the end and it’s on the bottom then it will skew to the right of the screen. In order to pin the dock to the end you will use the following command:

defaults write pinning -string end

To go back to the default settings, just pin the dock to the middle:

defaults write pinning -string middle

November 5th, 2009

Posted In: Mac OS X, Mass Deployment

Tags: , , , , ,