
Mac OS X Security

Rick Hill
UC Davis, Engineering, Webmaster

Jackie Simmons
UC Davis, Engineering, Deans’ Office

Paul Waterstraat
UC Davis, Geology, Systems Manager

1
Mac OS X Security
“Trust No One”
Fox Mulder - The X Files
“Computer security is the result of a
long unbroken chain of diligence.”
Paul Waterstraat

• Network Security
• Server Security
• Wired & Wireless Security

2
Enabling and Disabling Services
• Internal Monitoring of Services
• Sharing and Server Settings
• netstat
• host
• lsof
• External Monitoring of Services
• nmap
3
Mac OS X client
Out of the box, Mac OS X is pretty secure.

If you check the Sharing System Preference you’ll find things disabled by default.

4
Mac OS X Server
Server Settings.app can show you the status of the
common services that Apple has supplied with Mac
OS X Server. Out of the box, if you don’t enable
any services your machine is pretty secure.

5
Mac OS X
But how do I know there aren’t other ports, daemons, or services running that
leave my machine vulnerable to the network?

On the next few slides I’ll describe a couple of tools you can use on the
machine itself and from an external machine to determine which ports are open
and who is connecting to them.

It is most important to become familiar with what your server looks like under
“normal” conditions and load. Otherwise you won’t be able to tell the normal
connections from the hacked connections.
/usr/sbin/netstat
Use the netstat command to list the active and pending TCP/IP connections
between your machine and the network. This is a useful tool if you suspect that
someone is breaking into your computer or using your computer to break into
other computers.

The command’s output displays the host and port number of each end of the
connection, and the connection’s current status.

The buzzword for this type of thing is “Host Based Analysis.”


netstat
Use the terminal command netstat to learn on which ports your computer is
listening for connections.

epaul% /usr/sbin/netstat -a -f inet | grep LISTEN
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 localhost.ipp *.* LISTEN
tcp4 0 0 localhost.1033 *.* LISTEN

Two ports are open. The ipp port is the CUPS printing software and port 1033 is
netinfo. Both client and server look like this with nothing enabled.

The localhost to the left of the port numbers in the Local Address column
means that the service will only allow connections from itself. e.g. localhost.ipp
will only allow connections from localhost.

To see this, open a web page to http://localhost:631 or http://127.0.0.1:631.

If there is a star to the left of the service port number, as in *.ipp, then it will
accept connections from anywhere.

As you make your server more server-like by turning on services, use netstat to
see what things look like with those services running.
Compare that with a Sun Workstation running Solaris 8
Sun Microsystems Inc. SunOS 5.8
amber% netstat -a -f inet | grep LISTEN
TCP Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -------
localhost.4999 *.* 0 0 24576 0 LISTEN
*.sunrpc *.* 0 0 24576 0 LISTEN
*.ftp *.* 0 0 24576 0 LISTEN
*.telnet *.* 0 0 24576 0 LISTEN
*.shell *.* 0 0 24576 0 LISTEN
*.login *.* 0 0 24576 0 LISTEN
*.exec *.* 0 0 24576 0 LISTEN
*.exec *.* 0 0 24576 0 LISTEN
*.uucp *.* 0 0 24576 0 LISTEN
*.finger *.* 0 0 24576 0 LISTEN
*.time *.* 0 0 24576 0 LISTEN
*.echo *.* 0 0 24576 0 LISTEN
*.discard *.* 0 0 24576 0 LISTEN
*.daytime *.* 0 0 24576 0 LISTEN
*.chargen *.* 0 0 24576 0 LISTEN
*.32771 *.* 0 0 24576 0 LISTEN
*.32772 *.* 0 0 24576 0 LISTEN
*.32773 *.* 0 0 24576 0 LISTEN
*.32774 *.* 0 0 24576 0 LISTEN
*.fs *.* 0 0 24576 0 LISTEN
*.32775 *.* 0 0 24576 0 LISTEN
*.printer *.* 0 0 24576 0 LISTEN
*.lockd *.* 0 0 24576 0 LISTEN
*.dtspc *.* 0 0 24576 0 LISTEN
*.8888 *.* 0 0 24576 0 LISTEN
*.32777 *.* 0 0 24576 0 LISTEN
*.32778 *.* 0 0 24576 0 LISTEN
*.32779 *.* 0 0 24576 0 LISTEN
*.27000 *.* 0 0 24576 0 LISTEN
*.33945 *.* 0 0 24576 0 LISTEN
*.898 *.* 0 0 24576 0 LISTEN
*.5987 *.* 0 0 24576 0 LISTEN
*.34209 *.* 0 0 24576 0 LISTEN
*.6000 *.* 0 0 24576 0 LISTEN
9

I count 34 ports listening for connections. And they can come from anywhere.
netstat
Now, I open a web page http://security.ucdavis.edu,
and an ssh session with quartz.geology.ucdavis.edu.
Use netstat to see what connections are now open.

epaul% /usr/sbin/netstat -a -f inet
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 ammonite.geology.49205 quartz.geology.u.ssh ESTABLISHED
tcp4 0 0 ammonite.geology.49203 192.35.210.223.http ESTABLISHED
tcp4 0 0 ammonite.geology.49202 a192-35-210-200..http ESTABLISHED
tcp4 0 0 ammonite.geology.49201 des067.ucdavis.e.http ESTABLISHED
tcp4 0 0 ammonite.geology.49200 des067.ucdavis.e.http ESTABLISHED
tcp4 0 0 ammonite.geology.49199 des067.ucdavis.e.http ESTABLISHED
tcp4 0 0 ammonite.geology.49198 des067.ucdavis.e.http ESTABLISHED
tcp4 0 0 localhost.1033 localhost.968 ESTABLISHED
tcp4 0 0 localhost.968 localhost.1033 ESTABLISHED
tcp4 0 0 localhost.ipp *.* LISTEN
tcp4 0 0 localhost.1033 *.* LISTEN

10
I’ve opened up an ssh session to quartz.geology.ucdavis.edu and opened a web
page to http://security.ucdavis.edu (des067.ucdavis.edu), which, in turn, has
links to http://wdcs.trendmicro.com/dcs.gif and
http://www.trendmicro.com/syndication/images/pb_trend_white.gif

WKS (well-known services) tend to run on “privileged ports” < 1024, on which
they listen for connections.

Outgoing connections tend to use high-numbered ports > 1024.

Open the Activity window in Safari to see all the connections that it takes to
build the web page.
netstat
First, here’s the ssh connection to quartz:
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 ammonite.geology.49205 quartz.geology.u.ssh ESTABLISHED

Next are the connections that result from opening the web page at
security.ucdavis.edu
tcp4 0 0 ammonite.geology.49203 192.35.210.223.http ESTABLISHED
tcp4 0 0 ammonite.geology.49202 a192-35-210-200..http ESTABLISHED
tcp4 0 0 ammonite.geology.49201 des067.ucdavis.e.http ESTABLISHED
tcp4 0 0 ammonite.geology.49200 des067.ucdavis.e.http ESTABLISHED
tcp4 0 0 ammonite.geology.49199 des067.ucdavis.e.http ESTABLISHED
tcp4 0 0 ammonite.geology.49198 des067.ucdavis.e.http ESTABLISHED

But where’s security.ucdavis.edu? The host command shows us that it’s an alias
for des067.ucdavis.edu
epaul% /usr/bin/host security.ucdavis.edu
security.ucdavis.edu is a nickname for des067.ucdavis.edu
des067.ucdavis.edu has address 169.237.11.67

11

Or, for the command line challenged, you can use the Network Utility’s Lookup
function.
netstat
You may have noticed that netstat displays only 22
characters of host and port information.
tcp4 0 0 ammonite.geology.49203 192.35.210.223.http ESTABLISHED
tcp4 0 0 ammonite.geology.49202 a192-35-210-200..http ESTABLISHED

Use -n to show addresses as numbers.

epaul% /usr/sbin/netstat -a -f inet -n
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 169.237.93.100.49205 169.237.93.2.22 ESTABLISHED
tcp4 0 0 169.237.93.100.49218 192.35.210.200.80 ESTABLISHED
tcp4 0 0 169.237.93.100.49216 192.35.210.223.80 ESTABLISHED
tcp4 0 0 169.237.93.100.49215 169.237.11.67.80 ESTABLISHED
tcp4 0 0 169.237.93.100.49214 169.237.11.67.80 ESTABLISHED
tcp4 0 0 169.237.93.100.49213 169.237.11.67.80 ESTABLISHED
tcp4 0 0 169.237.93.100.49212 169.237.11.67.80 ESTABLISHED

Use the host command to look up names.

epaul% /usr/bin/host 192.35.210.200
200.210.35.192.IN-ADDR.ARPA domain name pointer
a192-35-210-200.deploy.akamaitechnologies.com
12

The ssh port is now displayed as 22, and the http port as 80.
/etc/services
The file /etc/services is a comprehensive list of well known network services
and the ports on which they run.

epaul% /bin/cat /etc/services
# Network services, Internet style
#
...
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
systat 11/tcp users #Active Users
chargen 19/tcp ttytst source #Character Generator
ftp-data 20/tcp #File Transfer [Default Data]
ftp 21/tcp #File Transfer [Control]
ssh 22/tcp #Secure Shell Login
telnet 23/tcp
# 24/tcp any private mail system
smtp 25/tcp mail #Simple Mail Transfer
...
wnn6_DS 26208/tcp #Wnn6 (Dserver)

13

Note that it is presently the policy of IANA to assign a single well-known port
number for both TCP and UDP; hence, most entries here have two entries even
if the protocol doesn't support UDP operations.

Updated from RFC 1700, “Assigned Numbers” (October 1994). All ports are
included.
Here’s another netstat display
epaul% /usr/sbin/netstat -f inet -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 theoffice.geolog.ssh terpsichore.geol.49152 ESTABLISHED
tcp4 0 0 theoffice.geolog.49174 palladium.geolog.49770 ESTABLISHED
tcp4 0 0 theoffice.geolog.49174 onyx.geology.ucd.49162 ESTABLISHED
tcp4 0 0 theoffice.geolog.49174 dunite.geology.u.49228 ESTABLISHED
tcp4 0 0 theoffice.geolog.49174 amazonite.geolog.49158 ESTABLISHED
tcp4 0 0 theoffice.geolog.afpov amazonite.geolog.49153 ESTABLISHED
tcp4 0 0 theoffice.geolog.49174 neuromancer.geol.49156 ESTABLISHED
tcp4 0 0 theoffice.geolog.afpov smilodon.geology.49154 ESTABLISHED

We see an ssh connection and AppleShareIP (afpovertcp) connections, but what’s
running on port 49174? A grep for 49174 in /etc/services finds nothing.
epaul% /usr/bin/grep ssh /etc/services
ssh 22/tcp #Secure Shell Login
ssh 22/udp #Secure Shell Login

epaul% /usr/bin/grep 49174 /etc/services

epaul%

14
/usr/sbin/lsof
Some of the ports on which the computer is
listening have no corresponding entries in /etc/
services and so are listed only by number. But we
can use lsof, list open files, to show what process is
listening on port 49174.
epaul% /usr/bin/sudo /usr/sbin/lsof -i:49174
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mmserver 536 root 7u inet 0x03d64a6c 0t0 TCP *:49174 (LISTEN)
mmserver 536 root 12u inet 0x03d6175c 0t0 TCP theoffice.geology.ucdavis.edu:49174->chalcedony.geology.ucdavis.edu:49441 (ESTABLISHED)
mmserver 536 root 13u inet 0x03d0e1dc 0t0 TCP theoffice.geology.ucdavis.edu:49174->neuromancer.geology.ucdavis.edu:49156 (ESTABLISHED)

We see that mmserver, the MeetingMaker Server, is running on port 49174.
15
Add entries to /etc/services
You can add your own entries for services you use to the
/etc/services file. Such as…
automount 1023/udp #Automounter
itunes 3689/tcp #iTunes
ichat 5298/tcp #iChatAgent
mmserver 49174/tcp #Meeting Maker server

Then netstat will display the service name instead of the port number. Also use
service names with lsof.
epaul% /usr/sbin/netstat -a -f inet
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 33304 neuromancer.geol.itune ammonite.geology.49163 ESTABLISHED
tcp4 0 0 neuromancer.geol.itune ammonite.geology.49157 ESTABLISHED
...
epaul% sudo /usr/sbin/lsof -i:itunes
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
iTunes 421 epaul 14u inet 0x02779f4c 0t0 TCP *:itunes (LISTEN)
iTunes 421 epaul 17u inet 0x03089cbc 0t0 TCP
neuromancer.geology.ucdavis.edu:itunes->
ammonite.geology.ucdavis.edu:49171 (ESTABLISHED)
iTunes 421 epaul 18u inet 0x0277acbc 0t0 TCP
neuromancer.geology.ucdavis.edu:itunes->
ammonite.geology.ucdavis.edu:49157 (ESTABLISHED)

16
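The netstat slides above make two points by hand: a listener bound to localhost is reachable only from the machine itself while *.port accepts connections from anywhere, and a port that /etc/services cannot name shows up as a bare number and needs lsof to identify. Here is an added Python example, not from the slides, that applies both rules to BSD-style netstat -a -f inet output; the netstat lines and the /etc/services excerpt are constructed, and the mmserver entry stands in for a local addition like the one on the previous slide.

```python
# Constructed sample in the format the slides show: host and port joined by a
# dot, long names truncated, and a port with no /etc/services entry left numeric.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  theoffice.geolog.ssh   terpsichore.geol.49152 ESTABLISHED
tcp4       0      0  theoffice.geolog.49174 palladium.geolog.49770 ESTABLISHED
tcp4       0      0  *.49174                *.*                    LISTEN
tcp4       0      0  *.afpovertcp           *.*                    LISTEN
tcp4       0      0  *.ssh                  *.*                    LISTEN
tcp4       0      0  localhost.ipp          *.*                    LISTEN
tcp4       0      0  localhost.1033         *.*                    LISTEN
"""

# Constructed /etc/services excerpt; the mmserver line stands for a local
# addition like the one on the "Add entries to /etc/services" slide.
SERVICES_SAMPLE = """\
# Network services, Internet style
ssh         22/tcp     #Secure Shell Login
ssh         22/udp     #Secure Shell Login
afpovertcp  548/tcp    #AFP over TCP
ipp         631/tcp    #IPP (Internet Printing Protocol)
mmserver    49174/tcp  #Meeting Maker server
"""


def parse_services(text):
    """Return {(port, proto): name} from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comment, tokenize
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(int(port), proto)] = fields[0]
    return table


def split_endpoint(endpoint):
    """'localhost.ipp' -> ('localhost', 'ipp'); '*.*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(".")  # the port never contains a dot
    return host, port


def classify_listeners(netstat_text, services_text):
    """Return {port: (exposure, name)} for every LISTEN line.

    exposure is 'any' for a wildcard bind (*.port) and 'local' for a loopback
    bind; name is None when the port is numeric and absent from the services
    table, which is the case to follow up with `sudo lsof -i:<port>`.
    """
    services = parse_services(services_text)
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue  # headers, ESTABLISHED sockets and UDP lines
        proto = "tcp" if fields[0].startswith("tcp") else "udp"
        host, port = split_endpoint(fields[3])
        exposure = "any" if host == "*" else "local"
        name = services.get((int(port), proto)) if port.isdigit() else port
        listeners[port] = (exposure, name)
    return listeners
```

Run it against a saved netstat capture and the machine's own /etc/services; every entry that comes back as ('any', None) is a listener exposed to the network that nothing on the system can name.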
nmap
Use nmap from an external host (e.g. your desktop)
to scan your servers for open ports.
epaul% /sw/bin/nmap -sT amber.geology.ucdavis.edu
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on amber.geology.ucdavis.edu (169.237.93.62):
(The 1572 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
21/tcp open ftp
23/tcp open telnet
37/tcp open time
79/tcp open finger
111/tcp open sunrpc
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
32771/tcp open sometimes-rpc5
...
32779/tcp open sometimes-rpc21
Remote operating system guess: Solaris 8 early access beta through actual release
Uptime 15.757 days (since Tue May 20 15:35:09 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 54 seconds


17

Standard disclaimer: nmap has been known to crash systems that it is probing,
to crash routers and switches on the network, and to take down printers with
wimpy IP stacks.

Let your network operations center know that you will be conducting scans.

Also check your local network policy for the conditions under which scanning is
permitted.
Not to Sound Paranoid, But...
How do you know that your copies of netstat, lsof,
top, Process Viewer, and other apps have not been
hacked so that they hide the ports and processes
that the hacker is using?
Programs like Tripwire can be installed to note
changes in your system files/applications and notify
you of any changes.
http://sourceforge.net/projects/tripwire
Brian Hill has written CheckMate that implements a
tripwire-like algorithm for Mac OS X.
http://personalpages.tds.net/~brian_hill
18
CheckMate
CheckMate installs as a System Preference

19
CheckMate
Export a copy of your files and checksums and put this
somewhere other than the computer you've scanned.

20
CheckMate
You can do manual scans as well as automated ones.

21
Eavesdropping and Snooping
No matter how tightly secured your computer
configuration may be, once your information begins
traveling over the network it’s vulnerable to
eavesdropping. A bad guy doesn’t need to attack
your computer directly to gain access to your
sensitive information. No talent, programming, or
networking experience is required to eavesdrop on
a network. The software works like this:
1. You connect to the network
2. You start it.
3. You tell it to record passwords or packets.
4. You take your recorded passwords and go.
22
Shared, Switched, or Wireless
All Networks Are Vulnerable!
Session hijacking was previously very difficult.
Ettercap can be used to implement a man-in-the-
middle attack without its user having any knowledge
of networking or spoofing. Ettercap can sniff packets
between any two hosts on a switched LAN. It can
log passwords for TELNET, FTP, POP, SMB, SSH1,
HTTP, X11, IMAP4, SNMP, IRC, SOCKS5, ICQ…
Beginning with Mac OS X Server 10.2, AppleShare
connections can be automatically tunneled via ssh,
providing full, end-to-end, encryption of the traffic.
23

Ettercap is so scary because of its ability to easily do ARP cache poisoning.

Typically a machine sends out an ARP request asking for the address of another
machine, and it receives a reply. In ARP poisoning the replies are sent without a
request being made. The sniffer basically tells the rest of the network that IT IS
every machine on the network, and subsequently receives traffic for those
machines.

On the other hand, ettercap also has an ARP poisoning detector. So you can use
this to detect the bad guys.
Enabling SSH connections on server

24

SSH connections to the AppleShare server are not very well documented.

Page 239 of MacOSXServer_AdminGuide_121902.pdf says:

6 Select “Enable Secure Connections” if you want to allow clients to connect
using secure AFP (uses SSH).
Connecting to the
File Server

25

On each client...

Click Options… and enable Secure Connections

Default Connection

26

Note that the top of the box lets you know that AppleShare will be making this
connection using the “Two-Way Encrypted Password” method.
Disable Clear Text Password (unless you need it to connect to legacy
AppleShare servers.)
Enable “Allow Secure Connections using SSH”

To ensure every AFS connection attempt makes use of SSH, you’ll need to
modify a general preference file. Edit each user’s ~/Library/Preferences/
.GlobalPreferences.plist file and locate the key. This key has a dictionary
object with various attributes related to AFS. In this dictionary, locate the key:
afp_cleartext_allow and make the value false.
<key>afp_cleartext_allow</key> <false/>
Preferred Connection

27

Next, locate the key afp_ssh_force and make it true:

<key>afp_ssh_force</key> <true/>

How do you tell if the connection that gets established is really secure and
encrypted?

These two changes prevent authentication credentials from being sent in
clear text, and ensure that all successful AFS connections are tunneled over
ssh. With each connection attempt, ssh is launched with options to forward some
arbitrary local port to the AFS port (548) on the remote server. If the remote
server doesn’t have SSH enabled, or the host verification fails, the AFS
connection attempt will also fail. [Mac OS X Security; Potter, Norvell, and
Wotring; New Riders Publishing, 2003]
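The two plist keys above are easy to mis-set by hand across many user accounts, so here is an added Python example, not from the slides or the book quoted above, that audits and rewrites them with the standard plistlib module. The slides do not name the dictionary inside .GlobalPreferences.plist that holds the AFP keys, so the constructed sample uses a placeholder key for that container; the code locates the dictionary by the afp_* keys themselves rather than by the container's name.

```python
import plistlib

# Constructed stand-in for ~/Library/Preferences/.GlobalPreferences.plist.
# PLACEHOLDER_AFP_DICT is not a real key: the page does not name the dictionary
# that holds the AFP settings, so only the two afp_* keys below are authentic.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AppleLocale</key>
    <string>en_US</string>
    <key>PLACEHOLDER_AFP_DICT</key>
    <dict>
        <key>afp_cleartext_allow</key>
        <true/>
        <key>afp_ssh_force</key>
        <false/>
    </dict>
</dict>
</plist>
"""

# Values the slides prescribe: no clear-text passwords, always tunnel over SSH.
REQUIRED = {"afp_cleartext_allow": False, "afp_ssh_force": True}


def find_afp_dicts(node, path=()):
    """Yield (path, dict) for every dictionary in the plist holding an afp_* key."""
    if isinstance(node, dict):
        if any(key.startswith("afp_") for key in node):
            yield path, node
        for key, value in node.items():
            yield from find_afp_dicts(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_afp_dicts(value, path + (index,))


def audit_afp_prefs(plist_bytes):
    """Return [(path, key, current, required)] for each setting that is not secure."""
    findings = []
    for path, settings in find_afp_dicts(plistlib.loads(plist_bytes)):
        for key, required in REQUIRED.items():
            current = settings.get(key)      # a missing key is reported too
            if current != required:
                findings.append(("/".join(map(str, path)), key, current, required))
    return findings


def harden_afp_prefs(plist_bytes):
    """Return new plist bytes with both keys forced to the required values."""
    root = plistlib.loads(plist_bytes)
    for _, settings in find_afp_dicts(root):
        settings.update(REQUIRED)
    return plistlib.dumps(root)
```

Against a real file, read the bytes from each user's ~/Library/Preferences/.GlobalPreferences.plist, run audit_afp_prefs to report, and write the result of harden_afp_prefs back only after keeping a copy of the original.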
Secure AFP Connection
If you succeed in making a secure connection you
should briefly see the following dialog box after you
click OK and before you are presented with the list
of mountable volumes on the remote AFP server.

netstat will show an ssh connection to the server instead of an afpovertcp
connection.
[ammonite:~] testing% netstat -a -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
...
tcp4 0 0 ammonite.geology.49462 theoffice.geolog.ssh ESTABLISHED
...
28

If you have set the afp_ssh_force key to true and you attempt to connect to a
server that does not support ssh and secure AFP connections, you will get a
“Login Failed” box, “Unknown user, incorrect password, or log on is disabled.
Please retype the username and password or contact the server’s administrator.
OK.” No mention of being unable to make a secure connection. Click OK, but then
you can’t cancel the Authentication Status box. You can kill it with a
command-dot, though.

Sweet! not!
For client-to-client connections
you can create your own SSH
tunnels manually.
Assuming the remote AFP server is running SSH and
you have a username and password for the server,
you can tunnel AppleShare traffic from port 548 on
the server to port 10548 on your local machine
using ssh.

epaul% ssh <username@afp-server> -L 10548:127.0.0.1:548

29

This creates an SSH tunnel from port 10548 on the localhost (127.0.0.1) to the
AFP port (548) on the remote afp-server host.
Encrypted AppleShare
Then use the Connect to Server… in the Finder to
securely access your files and information using
afp://127.0.0.1:10548

30

Now “Connect to Server” to port 10548 on the localhost (afp://127.0.0.1:10548)

So this does a file server connection to port 10548 on the local machine which,
in turn, is tunneled through SSH to the remote afp-server and forwarded to the
AFP port (548).

Click connect and see the login box from the remote afp-server.
Use Vapor to Create Tunnels
Vapor can be used to create tunnels for a variety of
protocols without using the command line.
http://www.afp548.com/Software/Vapor

31

Same idea, different services.

VaporSec from the same outfit can be used to construct IPsec tunnels.

It’s a bit more complicated than I’m indicating here. But it’s all documented on
the site.
Resources
Mac OS X Maximum Security
John Ray & William C. Ray
Sams, 1st Edition, 2003

Practical Unix & Internet Security
Simon Garfinkel, Gene Spafford & Alan Schwartz
O’Reilly, 3rd Edition, 2003

“DD’s Ultimate Guide to Mac OS X Security”
http://homepage.mac.com/macbuddy/SecurityGuide.html

32

See also:

“Building Internet Firewalls”; Elizabeth D. Zwicky, Simon Cooper, & D. Brent


Chapman; O’Reilly, 2nd Edition, 2000.

“Mac OS X Security”; Bruce Potter, Preston Norvell, Brian Wotring; New Riders
Publications, 1st Edition, 2003.
Contact Information

Rick Hill
[email protected]

Jackie Simmons
[email protected]

Paul Waterstraat
[email protected]
computing.geology.ucdavis.edu/security/macosx

33
