Mac OS X Security (Paul)

Mac OS X Security

Rick Hill UC Davis, Engineering ,Webmaster

Jackie Simmons UC Davis, Engineering, Deans’ Office

Paul Waterstraat UC Davis, Geology, Systems Manager

1 Mac OS X Security

“Trust No One” Fox Mulder - The X Files “Computer security is the result of a long unbroken chain of diligence.” Paul Waterstraat • Network Security • Server Security • Wired & Wireless Security

2 Enabling and Disabling Services • Internal Monitoring of Services • Sharing and Server Settings • netstat • host • lsof • External Monitoring of Services • nmap

3 Mac OS X client

Out of the box, Mac OS X is pretty secure.

If you check the Sharing System Preference you’ll find things disabled by default.

4 Mac OS X Server Server Settings.app can show you the status of the common services that Apple has supplied with Mac OS X Server. Out of the box, if you don’t enable any services your machine is pretty secure.

5 Mac OS X

But how do I know there aren’t other ports or daemons or service running that leave my machine vulnerable to the network?

On the next few slides I’ll describe a couple of tools you can use on the machine itself and from an external machine to determine which ports are open and who is connecting to them.

6

It is most important to become familiar with what your server looks like under “normal” conditions and load. Otherwise you won’t be able to tell the normal connections from the hacked connections. /usr/sbin/netstat Use the netstat command to list the active and pending TCP/IP connections between your machine and the network. This is a useful tool if you suspect that someone is breaking into your computer or using your computer to break into other computers.

The command’s output displays the host and port number of each end of the connection, and the connection’s current status.

7

The buzzword for this type of thing is “Host Based Analysis.” netstat Use the terminal command netstat to learn on which ports your computer is listening for connections.

epaul% /usr/sbin/netstat -a -f inet | grep LISTEN

Active Internet connections Proto Recv-Q Send-Q Local Address Foreign Address (state)

tcp4 0 0 localhost.ipp T e xt *.* LISTEN tcp4 0 0 localhost.1033 *.* LISTEN Two ports are open. The ipp port is the CUPS printing software and port 1033 is netinfo. Both client and server look like this with nothing enabled.

8

The localhost to the left of the port numbers in the Local Address column means that the service will only allow connections from itself. e.g. localhost.ipp will only allow connections from localhost.

To see this, open a web page to http://localhost:631 or http://127.0.0.1:631.

If there is a star to the left of the service port number, as in *.ipp, then it will accept connections from anywhere.

As you make your server more server-like by turning on services, use netstat to see what things look like with those services running. Compare that with a Sun Workstation running Solaris 8

Sun Microsystems Inc. SunOS 5.8 amber% netstat -a -f inet | grep LISTEN TCP Local Address Remote Address Swind Send-Q Rwind Recv-Q State ------localhost.4999 *.* 0 0 24576 0 LISTEN *.sunrpc *.* 0 0 24576 0 LISTEN *.ftp *.* 0 0 24576 0 LISTEN *.telnet *.* 0 0 24576 0 LISTEN *.shell *.* 0 0 24576 0 LISTEN *.login *.* 0 0 24576 0 LISTEN *.exec *.* 0 0 24576 0 LISTEN *.exec *.* 0 0 24576 0 LISTEN *.uucp *.* 0 0 24576 0 LISTEN *.finger *.* 0 0 24576 0 LISTEN *.time *.* 0 0 24576 0 LISTEN *.echo *.* 0 0 24576 0 LISTEN *.discard *.* 0 0 24576 0 LISTEN *.daytime *.* 0 0 24576 0 LISTEN *.chargen *.* 0 0 24576 0 LISTEN *.32771 *.* 0 0 24576 0 LISTEN *.32772 *.* 0 0 24576 0 LISTEN *.32773 *.* 0 0 24576 0 LISTEN *.32774 *.* 0 0 24576 0 LISTEN *.fs *.* 0 0 24576 0 LISTEN *.32775 *.* 0 0 24576 0 LISTEN *.printer *.* 0 0 24576 0 LISTEN *.lockd *.* 0 0 24576 0 LISTEN *.dtspc *.* 0 0 24576 0 LISTEN *.8888 *.* 0 0 24576 0 LISTEN *.32777 *.* 0 0 24576 0 LISTEN *.32778 *.* 0 0 24576 0 LISTEN *.32779 *.* 0 0 24576 0 LISTEN *.27000 *.* 0 0 24576 0 LISTEN *.33945 *.* 0 0 24576 0 LISTEN *.898 *.* 0 0 24576 0 LISTEN *.5987 *.* 0 0 24576 0 LISTEN *.34209 *.* 0 0 24576 0 LISTEN *.6000 *.* 0 0 24576 0 LISTEN 9

I count 34 ports listening for connections. And they can come from anywhere. netstat Now, I open a web page http://security.ucdavis.edu, and an ssh session with quartz.geology.ucdavis.edu. Use netstat to see what connections are now open.

epaul% /usr/sbin/netstat -a -f inet

Active Internet connections Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp4 0 0 ammonite.geology.49205 quartz.geology.u.ssh ESTABLISHED tcp4 0 0 ammonite.geology.49203 192.35.210.223.http ESTABLISHED tcp4 0 0 ammonite.geology.49202 a192-35-210-200..http ESTABLISHED tcp4 0 0 ammonite.geology.49201 des067.ucdavis.e.http ESTABLISHED tcp4 0 0 ammonite.geology.49200 des067.ucdavis.e.http ESTABLISHED tcp4 0 0 ammonite.geology.49199 des067.ucdavis.e.http ESTABLISHED tcp4 0 0 ammonite.geology.49198 des067.ucdavis.e.http ESTABLISHED tcp4 0 0 localhost.1033 localhost.968 ESTABLISHED tcp4 0 0 localhost.968 localhost.1033 ESTABLISHED tcp4 0 0 localhost.ipp *.* LISTEN tcp4 0 0 localhost.1033 *.* LISTEN

10 I’ve opened up an ssh session to quartz.geology.ucdavis.edu and opened a web page to http://security.ucdavis.edu (des067.ucdavis.edu), which, in turn, has links to: http://wdcs.trendmicro.com/dcs.gif () and http://www.trendmicro.com/ syndication/images/pb_trend_white.gif

WKS tend to run on “privliged ports” < 1024 on which they listen for connections.

Out going connections tend to be on high numbered ports > 1024

Open the Activity window in Safari to see all the connections that it takes to build the web page. netstat First, here’s the ssh connection to quartz:

Active Internet connections Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp4 0 0 ammonite.geology.49205 quartz.geology.u.ssh ESTABLISHED Next are the connection that result from opening the web page at security.ucdavis.edu

tcp4 0 0 ammonite.geology.49203 192.35.210.223.http ESTABLISHED tcp4 0 0 ammonite.geology.49202 a192-35-210-200..http ESTABLISHED tcp4 0 0 ammonite.geology.49201 des067.ucdavis.e.http ESTABLISHED tcp4 0 0 ammonite.geology.49200 des067.ucdavis.e.http ESTABLISHED tcp4 0 0 ammonite.geology.49199 des067.ucdavis.e.http ESTABLISHED tcp4 0 0 ammonite.geology.49198 des067.ucdavis.e.http ESTABLISHED

But where’s security.ucdavis.edu? The host command shows us that it’s an alias for des067.ucdavis.edu

epaul% /usr/bin/host security.ucdavis.edu security.ucdavis.edu is a nickname for des067.ucdavis.edu des067.ucdavis.edu has address 169.237.11.67 11

Or, for the command line challenged, you can use the Network Utility’s Lookup function. netstat You may have noticed that netstat displays only 22 characters of host and port information.

tcp4 0 0 ammonite.geology.49203 192.35.210.223.http ESTABLISHED tcp4 0 0 ammonite.geology.49202 a192-35-210-200..http ESTABLISHED Use -n to show addresses as numbers. epaul% /usr/sbin/netstat -a -f inet -n

Active Internet connections Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp4 0 0 169.237.93.100.49205 169.237.93.2.22 ESTABLISHED tcp4 0 0 169.237.93.100.49218 192.35.210.200.80 ESTABLISHED tcp4 0 0 169.237.93.100.49216 192.35.210.223.80 ESTABLISHED tcp4 0 0 169.237.93.100.49215 169.237.11.67.80 ESTABLISHED tcp4 0 0 169.237.93.100.49214 169.237.11.67.80 ESTABLISHED tcp4 0 0 169.237.93.100.49213 169.237.11.67.80 ESTABLISHED tcp4 0 0 169.237.93.100.49212 169.237.11.67.80 ESTABLISHED Use the host command to look up names.

epaul% /usr/bin/host 192.35.210.200 200.210.35.192.IN-ADDR.ARPA domain name pointer a192-35-210-200.deploy.akamaitechnologies.com 12

The ssh port is now displayed as 22, and the http port as 80. /etc/services The file /etc/services is a comprehensive list of well known network services and the ports on which they run.

epaul% /bin/cat /etc/services

# Network services, Internet style # ... echo 7/tcp echo 7/udp discard 9/tcp sink null systat 11/tcp users #Active Users chargen 19/tcp ttytst source #Character Generator ftp-data 20/tcp #File Transfer [Default Data] ftp 21/tcp #File Transfer [Control] ssh 22/tcp #Secure Shell Login telnet 23/tcp # 24/tcp any private mail system smtp 25/tcp mail #Simple Mail Transfer ... wnn6_DS 26208/tcp #Wnn6 (Dserver) 13

Note that it is presently the policy of IANA to assign a single well-known port number for both TCP and UDP; hence, most entries here have two entries even if the protocol doesn't support UDP operations.

Updated from RFC 1700, “Assigned Numbers” (October 1994). All ports are included. Here’s another netstat display

epaul% /usr/sbin/netstat -f inet -a Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp4 0 0 theoffice.geolog.ssh terpsichore.geol.49152 ESTABLISHED tcp4 0 0 theoffice.geolog.49174 palladium.geolog.49770 ESTABLISHED tcp4 0 0 theoffice.geolog.49174 onyx.geology.ucd.49162 ESTABLISHED tcp4 0 0 theoffice.geolog.49174 dunite.geology.u.49228 ESTABLISHED tcp4 0 0 theoffice.geolog.49174 amazonite.geolog.49158 ESTABLISHED tcp4 0 0 theoffice.geolog.afpov amazonite.geolog.49153 ESTABLISHED tcp4 0 0 theoffice.geolog.49174 neuromancer.geol.49156 ESTABLISHED tcp4 0 0 theoffice.geolog.afpov smilodon.geology.49154 ESTABLISHED

We see an ssh connection and AppleShareIP (afpovertcp) connections, but what’s running on port 49174? A grep for 49174 in /etc/services finds nothing.

epaul% /usr/bin/grep ssh /etc/services ssh 22/tcp #Secure Shell Login ssh 22/udp #Secure Shell Login

epaul% /usr/bin/grep 49174 /etc/services

epaul% 14 /usr/sbin/lsof Some of the ports on which the computer is listening have no corresponding entries in /etc/ services and so are listed only by number. But we can use lsof, list open files, to show what process is listening on port 49174.

epaul% /usr/bin/sudo /usr/sbin/lsof -i:49174

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME mmserver 536 root 7u inet 0x03d64a6c 0t0 TCP *:49174 (LISTEN) mmserver 536 root 12u inet 0x03d6175c 0t0 TCP theoffice.geology.ucdavis.edu:49174->chalcedony.geology.ucdavis.edu:49441 (ESTABLISHED) mmserver 536 root 13u inet 0x03d0e1dc 0t0 TCP theoffice.geology.ucdavis.edu:49174->neuromancer.geology.ucdavis.edu:49156 (ESTABLISHED) We see that mmserver, the MeetingMaker Server, is running on port 49174. 15 Add entries to /etc/services You can add your own entries for services you use to the /etc/services file. Such as… automount 1023/udp #Automounter itunes 3689/tcp #iTunes ichat 5298/tcp #iChatAgent mmserver 49174/tcp #Meeting Maker server Then netstat will display the service name instead of the port number. Also use service names with lsof. epaul% /usr/sbin/netstat -a -f inet Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp4 0 33304 neuromancer.geol.itune ammonite.geology.49163 ESTABLISHED tcp4 0 0 neuromancer.geol.itune ammonite.geology.49157 ESTABLISHED ... epaul% sudo /usr/sbin/lsof -i:itunes COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME iTunes 421 epaul 14u inet 0x02779f4c 0t0 TCP *:itunes (LISTEN) iTunes 421 epaul 17u inet 0x03089cbc 0t0 TCP neuromancer.geology.ucdavis.edu:itunes-> ammonite.geology.ucdavis.edu:49171 (ESTABLISHED) iTunes 421 epaul 18u inet 0x0277acbc 0t0 TCP neuromancer.geology.ucdavis.edu:itunes-> ammonite.geology.ucdavis.edu:49157 (ESTABLISHED) 16 nmap Use nmap from an external host (e.g. your desktop) to scan your servers for open ports.

epaul% /sw/bin/nmap -sT amber.geology.ucdavis.edu Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on amber.geology.ucdavis.edu (169.237.93.62): (The 1572 ports scanned but not shown below are in state: closed) Port State Service 7/tcp open echo 9/tcp open discard 13/tcp open daytime 19/tcp open chargen 21/tcp open ftp 23/tcp open telnet 37/tcp open time 79/tcp open finger 111/tcp open sunrpc 512/tcp open exec 513/tcp open login 514/tcp open shell 515/tcp open printer 32771/tcp open sometimes-rpc5 ... 32779/tcp open sometimes-rpc21 Remote operating system guess: Solaris 8 early access beta through actual release Uptime 15.757 days (since Tue May 20 15:35:09 2003) Nmap run completed -- 1 IP address (1 host up) scanned in 54 seconds 17

Standard disclaimer: nmap has been known to crash systems that it is probing, to crash routers and switches on the network, and to take down printers with wimpy IP stacks.

Let your network operations center know that you will be conducting scans.

Also check with your local network policy about what conditions scanning is permitted. Not to Sound Paranoid, But... How do you know that your copies of netstat, lsof, top, Process Viewer, and other apps have not been hacked so that they hide the ports and processes that the hacker is using? Programs like Tripwire can be installed to note changes in your system files/applications and notify you of any changes. http://sourceforge.net/projects/tripwire Brian Hill has written CheckMate that implements a tripwire-like algorithm for Mac OS X. http://personalpages.tds.net/~brian_hill 18 CheckMate

CheckMate installs as a System Preference

19 CheckMate Export a copy of your files and checksums and put this somewhere other than the computer you've scanned.

20 CheckMate

You can do manual scans as well as automated ones.

21 Eavesdropping and Snooping

No matter how tightly secured you computer configuration may be, once your information begins traveling over the network it’s vulnerable to eavesdropping. A bad guy doesn’t need to attack your computer directly to gain access to your sensitive information. No talent, programming, or networking experience is required to eavesdrop on a network. The software works like this: 1. You connect to the network 2. You start it. 3. You tell it to record passwords or packets. 4. You take your recorded passwords and go. 22 Shared, Switched, or Wireless All Networks Are Vulnerable! Session hijacking was previously very difficult. Ettercap can be used to implement a man-in-the- middle attack without its user having any knowledge of networking or spoofing. Ettercap can sniff packets between any two hosts on a switched LAN. It can log passwords for TELNET, FTP, POP, SMB, SSH1, HTTP, X11, IMAP4, SNMP, IRC, SOCKS5, ICQ… Beginning with Mac OS X Server 10.2, AppleShare connections can be automatically tunneled via ssh, providing full, end-to-end, encryption of the traffic. 23

Ettercap is so scary because of its ability to easily do ARP cache poisoning. Typically machines send out an ARP request asking for the address of another machine, and it receives a reply. In APR poisoning the replies are sent without a request being made. The sniffer basically tells the rest of the network that IT IS every machine on the network, and subsequently receives traffic for those machines.

On the other hand, ettercap also has an ARP poisoning detector. So you can use this to detect the bad guys. Enabling SSH connections on server

24

SSH connections to the AppleShare server are not very well documents.

Page 239 of MacOSXServer_AdminGuide_121902.pdf says:

6 Select “Enable Secure Connections” if you want to allow client to connect using secure AFP (uses SSH). Connecting to the File Server

25

On each client...

Click Options… and enable Secure Connections Default Connection

26

Note that top of the box lets you know that AppleShare will be making this connection using the “Two-Way Encrypted Password” method. Disable Clear Text Password (unless you need it to connect to legacy AppleShare servers.) Enable “Allow Secure Connections using SSH”

To ensure every AFS connection attempt makes use of SSH, you’ll need to modify a general preference file. Edit each user’s ~/Library/Preferences/ .GlobalPreferences.plist file and locate the key. This key has a dictionary object with various attributes related to AFS. In this dictionary, locate the key: afp_cleartext_allow and make the value false. afp_cleartext_allow Preferred Connection

27

Next, locate the key afp_ssh_force and make it true: afp_ssh_force

How do you tell if the connection that gets established is really secure and encrypted?

These two changes prevent authentication credentials from being sent in the clear text, and that all successful AFS connections are tunneled over ssh. With each conection attempt, ssh is launched with options to forward some arbitrary local port to the AFS port (548) on the remote server. If the remote server dowsn’t have SSH enabled, or the host verification fails, the AFS connection attempt will also fail. [Mac OS X Security; Potter, Norvell, and Wotring; New Riders Publishing, 2003] Secure AFP Connection If you succeed in making a secure connection you should briefly see the following dialog box after you click OK and before you are presented with the list of mountable volumes on the remote AFP server.

netstat will show an ssh connection to the server instead of an afpoverip connection.

[ammonite:~] testing% netstat -a -f inet Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) ... tcp4 0 0 ammonite.geology.49462 theoffice.geolog.ssh ESTABLISHED ... 28

If you have set the afp_ssh_force key to true and you attempt to connect to a server that does not support ssh and secure AFP connections. you will get a “Login Failed” box, “Unknown user, incorrect password, or log on is disabled. Please retype the username and password or contact the server’s administrator. OK.” No mention of unable to make secure connection. Click OK, but then you can’t cancel the Authentication Status box. You can kill it with a command-dot, though.

Sweet! not! For client-to-client connections you can create your own SSH tunnels manually.

Assuming the remote AFP server is running SSH and you have a username and password for the server, you can tunnel AppleShare traffic from port 548 on the server to port 10548 on your local machine using ssh.

epaul% ssh -L 10548:127.0.0.1:548

29

This creates an SSH tunnel from port 10548 on the localhost (127.0.0.1) to the AFP port (548) on the remote afp-server host. Encrypted AppleShare Then use the Connect to Server… in the Finder to securely access your files and information using afp://127.0.0.1:10548

30

Now “Connect to Server” to port 10548 on the localhost (afp://127.0.0.1:10548)

So this does a file server connection to port 10548 on the local machine which, in turn, is tunneled through SSH to the remote afp-server and forwarded to the AFP port (548).

Click connect and see the login box from the remote afp-server. Use Vapor to Create Tunnels

Vapor can be used to create tunnels for a variety of protocols without using the command line. http://www.afp548.com/Software/Vapor

31

Same idea, different services.

VaporSec from the same outfit can be used to construct IPsec tunnels.

It’s a bit more complicated than I’m indicating here. But it’s all documented on the site. Resources Mac OS X Maximum Security

John Ray & William C. Ray Sams, 1st Edition, 2003

Practical Unix & Internet Security Simon Garfinkel, Gene Spafford & Alan Schwartz O’Reilly, 3rd Edition, 2003

“DD’s Ultimate Guide to Mac OS X Security” http://homepage.mac.com/macbuddy/SecurityGuide.html

32

See also:

“Building Internet Firewalls”; Elizabeth D. Zwicky, Simon Cooper, & D. Brent Chapman; O’Reilly, 2nd Edition, 2000.

“Mac OS X Security”; Bruce Potter, Preston Norvell, Brian Wotring; New Riders Publications, 1st Edition, 2003. Contact Information

Rick Hill [email protected]

Jackie Simmons [email protected]

Paul Waterstraat [email protected] computing.geology.ucdavis.edu/security/macosx

33