bill's blog


When booting a UNIX-like OS it is sometimes necessary to see the messages that are printed to the screen as the operating system loads. Sometimes you may just want to make sure that a service is starting up correctly, but it really comes in handy when troubleshooting a startup issue.

Apple has conveniently hidden these startup messages! But you can see them on screen by holding down the Command and “v” keys (Command-V) immediately after powering on your Mac.

So what if you always want to see these messages every time you boot your Mac?

To always boot OSX in verbose mode you’ll need to fire up a terminal session and issue the following command:

sudo nvram boot-args="-v"

If after a period of time you grow tired of seeing these messages scroll across your screen, you can disable verbose booting by issuing the following command:

sudo nvram boot-args=

Sure I have a bunch of apps that will do this… but every once in a while I need to get down and dirty. So here’s a quick way of doing a ping sweep from a command prompt.

$ for i in {1..254}; do ping -c 1 -W 1 192.168.1.$i | grep 'from'; done

Setting up a VPN (Virtual Private Network) does not have to be difficult. In fact, using Apple’s OSX, it can be downright easy. VPNs should never be taken lightly, though: a VPN is the door to your protected network, and if it is not set up correctly it could leave you and your network assets at risk. There are two main types of VPN that one can implement on OSX Server, PPTP and L2TP. There are pluses and minuses to each, and what you are looking to support will determine which implementation you use. It’s interesting to note that neither of the two VPN protocols mentioned provides encryption. They are considered tunneling protocols and thus need to rely on other methods to provide the encryption.

PPTP – is the older of the two most popular tunneling protocols. It relies on either MSCHAP-v2 or EAP-TLS for authentication. Additionally, Apple has built in support for both Kerberos authentication and RADIUS. PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt the data that passes through the tunnel. Originally MPPE was only offered with support for a 40-bit key. It was later expanded to a 128-bit key!

L2TP – is the newcomer, its latest version (RFC 3931) having been published in 2005. L2TPv3 makes use of IPsec for securing the connection. This is performed through the use of pre-shared secrets, symmetric keys or digital certificates. As with any secure connection, the hardest part of maintaining the SA (security association) is managing the keys used. However, once the first connection is made and security confirmed, the passing of pre-shared secrets, keys or digital certificates becomes trivial.

NOTE: PPTP and L2TP are not the only players in the VPN game. There are two other methods as well, PPP over SSL and PPP over SSH.

Configuring your server

Open Server Admin and select the host you wish to administer. Select VPN and click save.

Figure 1. Services Activation Pane

Turn down the triangle to reveal the VPN configuration pane.

Configuring L2TP Settings

It is at this point that you decide which tunneling protocol you’re going to support. Setting up the server is pretty simple. Select the check box to enable L2TP. You need to allocate an IP range (remember, this is still a point-to-point connection). Under PPP Authentication, select whether you want to use the built-in Directory Service plug-ins for user ID and password lookups (you can also choose between MS-CHAPv2 or Kerberos) or point the VPN service at a RADIUS server for authentication lookups. Lastly, you need to specify whether you want to use a pre-shared secret or a digital certificate for IPSec authentication.

Figure 2. L2TP Configuration Pane

Configuring PPTP Settings

If you need to support older VPN clients, PPTP may be a better choice for you. Many experts still contend that PPTP is vulnerable to compromise, but as with anything else, strong passwords make for strong security. Depending on the clients you need to support you may need to allow 40-bit encryption keys. This should be avoided if at all possible, as 40-bit keys are easily cracked.

Figure 3. PPTP Configuration Pane

Configuring Client Information Settings

Lastly, you need to “tell” your clients about the network they have just connected to. This could also be done on the client side, and may be desirable in some situations. In a lot of ways this is very similar to setting up a DHCP server.

NOTE: If you are running DHCP on the same subnet, make sure that the allocated IP address ranges do not conflict!

Figure 4. Client Information Settings

NOTE: If no information is added to Network Routing Definitions all traffic is routed through the VPN connection. This may not always be desirable. If bandwidth is a concern, define a network that is private and force all non-private traffic over the client’s Internet connection.

Ports on your Firewall

One thing you must make sure to do before your VPN will work is to open the required ports on your firewall. Both protocols make use of different ports, and it can be confusing which ports are actually needed, not just on the host (if you’re running IPFW on the host) but on the network perimeter. So what ports are used?

Port   Protocol   Use
500    UDP        ISAKMP/IKE
1701   UDP        L2TP
1723   TCP        PPTP
4500   UDP        IKE NAT Traversal *

* NOTE: Port 4500 is also used for Back to My Mac (MobileMe, Mac OS X 10.5 or later)

In Mac OSX Server 10.3 the VPN service uses the following:

1. PPTP uses the IP-GRE protocol (IP protocol 47).
2. L2TP/IPsec uses the IP-ESP protocol (IP protocol 50, ESP).
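As an added example (not from the original post or from Apple’s documentation), here is a small sh function that turns the port table above into ipfw rules for the host firewall. The point it makes is the one in the list just above: the GRE and ESP traffic has no port, so a port-only rule set silently breaks the tunnel. It assumes ipfw resolves the protocol names gre and esp through /etc/protocols.

```shell
#!/bin/sh
# Added example (not from the original post): turn the VPN port table into
# ipfw rules for the host firewall. The two rules without a port are the ones
# people forget: PPTP's GRE tunnel (IP protocol 47) and L2TP/IPsec's ESP
# (IP protocol 50) are not TCP or UDP, so no "dst-port" rule can admit them.
# Assumes ipfw resolves the protocol names gre and esp via /etc/protocols.
# Usage: vpn_ipfw_rules l2tp|pptp|both [first_rule_number]

vpn_ipfw_rules() {
    mode=${1:-both}
    n=${2:-1000}

    case "$mode" in
        l2tp|pptp|both) ;;
        *) echo "usage: vpn_ipfw_rules l2tp|pptp|both [first_rule_number]" >&2; return 1 ;;
    esac

    case "$mode" in
        l2tp|both)
            # IKE/ISAKMP negotiation, IKE NAT traversal, then the L2TP control channel
            echo "add $n allow udp from any to me dst-port 500";  n=$((n + 10))
            echo "add $n allow udp from any to me dst-port 4500"; n=$((n + 10))
            echo "add $n allow udp from any to me dst-port 1701"; n=$((n + 10))
            # the tunnelled traffic itself arrives as ESP, which has no port
            echo "add $n allow esp from any to me";               n=$((n + 10))
            ;;
    esac

    case "$mode" in
        pptp|both)
            # PPTP control channel; keep-state lets the reply packets back out
            echo "add $n allow tcp from any to me dst-port 1723 setup keep-state"; n=$((n + 10))
            # the PPP session rides inside GRE, again with no port to match on
            echo "add $n allow gre from any to me";                                n=$((n + 10))
            ;;
    esac
}

# Stand-alone run: print the rule set for a server offering both protocols.
# Review it, then load it with: vpn_ipfw_rules both > vpn.rules && sudo ipfw -q vpn.rules
vpn_ipfw_rules both
```

Rule numbers start at 1000 by default so the set lands after any rules you already have; pass a different start number as the second argument.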

Resources:
http://manuals.info.apple.com/en_US/Network_Services_Admin_v10.5.pdf
http://support.apple.com/kb/TS1629

So last night I was trying to stand up a new replica against my OpenDirectory master, but it kept erroring out with a 1077 error. It was complaining about my credentials being incorrect. At first I thought I must have fat-fingered it… but after entering the password one character at a time it still didn’t take. Looking through the slapconfig.log file (located in Library/Logs), I got the following error:


2009-02-09 22:08:02 +0800 - slapconfig -setmacosxodpolicy
2009-02-09 22:08:02 +0800 - slapconfig -createreplica
2009-02-09 22:08:02 +0800 - command: ssh root@192.168.171.10 /usr/sbin/slapconfig -checkmaster diradmin 0 4 4
2009-02-09 22:08:13 +0800 - ssh command failed with status 77
2009-02-09 22:08:13 +0800 - Error: Incorrect username or password. You must enter a directory domain administrator username and password.
(error = 77)

Everything was correct. I could ssh into the server using the root account. I could modify the directory (add/delete/modify accounts) using the diradmin account. But I still couldn’t bind the server. It turns out there is a bug that doesn’t allow you to bind the replica if the diradmin password contains anything but alphanumerics. Change the password to something simple and the replica binds without issue. So much for strong passwords!

Apple has had ipfw (ipfirewall) since version 1.2 of OSX. ipfw is the Mac OS X built-in kernel-level IP firewall. Unfortunately, it was tucked away in directories that Apple tried to keep hidden from its users. Originally, Apple felt it would be able to shield end users from the ugliness of the UNIX command line. Apple’s claim to fame has always been its GUI (the Finder), which by the way has yet to be open-sourced. Editing the appropriate files with a text editor was not something Mac users were very comfortable doing. Early adopters of OSX had to either delve into the UNIX underpinnings or do without. This caused many users not to make use of ipfw. Fortunately, a graphical user interface was finally added in version 10.2. Unfortunately, the interface was not very robust.

One nice feature included in Leopard’s (OSX 10.5) firewall is the addition of an Adaptive Firewall. This gives you the ability to set up firewall rules based on an application rather than a particular port. What this really means for an administrator is that you no longer have to hunt down which ports to open for, say, iChat. In the past you had to know that UDP ports 5060, 5190, 5297, 5298, 5678 and 16384 through 16403 had to be open to allow full functionality; miss one of them and you may spend a day trying to figure out why the video chat doesn’t work. Now all you have to do is specify that you want to allow iChat and the firewall knows which ports to open for you. Apple has a great Knowledge Base article on which ports to open if you’re using a hardware firewall. The article can be found at http://support.apple.com/kb/HT1507. Configuring the firewall has been moved to the Security Preference Pane. Please note: in versions of OSX prior to 10.5 it was found in the Sharing Preference Pane.

Figure 1

The image in figure 1 shows the Application Firewall configuration sheet. It is a bit cryptic and needs some explaining. “Allow all incoming connections” is the same thing as having the firewall turned off. The “Allow only essential services” setting turns the firewall on but limits the open ports to a certain few system services, one example being zero-conf. This setting will block file sharing and remote access even though they are turned on! In an article published for Macworld online, Rich Mogull explains,

“You should use this option only if you really want to block everything. I use this option when I’m on potentially hostile networks, such as those in hotels or public hotspots, and don’t want to bother with manually turning off all my shared services.” (Mogull, 2008)

The last option is “Set Access for Specific Services And Applications”. This gives you access to OSX’s Application Firewall. The basic configuration here is to select an application and then determine whether you want to allow or block the network traffic going to it. The Application Firewall then determines which ports to open (see figure 2). This provides for broad strokes rather than precise cuts. This is good for the casual user but not if you want or need finer control. If that is the case, you’ll need to configure ipfw using a third-party application (discussed later in this section).

Figure 2

There are two more features that should be turned on. They can be found by selecting the “Advanced…” button (see figure 2).

Figure 3

The sheet that is presented when you select the “Advanced…” button allows you to enable logging and stealth mode (figure 3). Logging should be selected. As you start to secure your machine, you will come across situations where your firewall isn’t performing the way it should, and the log is a really great place to start looking for problems with your rule base. The log details which rule was triggered, where the rule was triggered from, and which service was being accessed. Additionally, after your firewall is properly configured it is essential to monitor this log. It will tell you where your machine is being attacked or probed and from where. Once you have this information you can tighten up the firewall rules even further by enabling rules that block the attacker’s IP address or IP range.
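As an added example, not from the original article: a short sh/awk script that does the log review just described. It summarises the Deny entries in the application firewall log by source address and, for any source over a threshold, prints ipfw deny rules ready for review. The log line layout and the sample lines are constructed to resemble Leopard’s /var/log/appfirewall.log and are assumptions, not copied from a real system.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises "Deny" entries in the
# application firewall log by source address and turns the noisiest sources
# into ipfw deny rules for review. The line layout below is assumed from
# Mac OS X 10.5's appfirewall.log and the sample lines are constructed.

SAMPLE_LOG='Feb  3 10:15:02 mission-control Firewall[58]: Deny sshd connecting from 10.0.1.7:56325 uid = 0 proto=6
Feb  3 10:15:03 mission-control Firewall[58]: Deny sshd connecting from 10.0.1.7:56326 uid = 0 proto=6
Feb  3 10:15:09 mission-control Firewall[58]: Allow Skype connecting from 10.0.1.20:4100 uid = 501 proto=17
Feb  3 10:15:11 mission-control Firewall[58]: Deny sshd connecting from 10.0.1.7:56327 uid = 0 proto=6
Feb  3 10:16:40 mission-control Firewall[58]: Deny AFP connecting from 10.0.1.9:49876 uid = 0 proto=6'

# deny_summary: stdin = log lines; stdout = "<count> <source-ip> <services>",
# most-denied source first. Allow lines are ignored.
deny_summary() {
    awk '
        / Deny .* from / {
            # the field after "Deny" names the service; the one after "from" is ip:port
            for (i = 1; i <= NF; i++) {
                if ($i == "Deny") svc = $(i + 1)
                if ($i == "from") { split($(i + 1), a, ":"); ip = a[1] }
            }
            count[ip]++
            # keep a comma-separated list of distinct services per source
            if (index("," seen[ip], "," svc ",") == 0) seen[ip] = seen[ip] svc ","
        }
        END {
            for (ip in count)
                print count[ip], ip, substr(seen[ip], 1, length(seen[ip]) - 1)
        }
    ' | sort -k1,1nr -k2,2
}

# deny_rules THRESHOLD [FIRST_RULE]: stdin = log lines; one ipfw deny rule per
# source denied at least THRESHOLD times. Print and review before loading.
deny_rules() {
    thresh=$1
    n=${2:-900}
    deny_summary | while read -r count ip svc; do
        if [ "$count" -ge "$thresh" ]; then
            echo "add $n deny ip from $ip to me"
            n=$((n + 1))
        fi
    done
}

# Stand-alone run over the constructed sample; on a live system use
#   deny_summary < /var/log/appfirewall.log
printf '%s\n' "$SAMPLE_LOG" | deny_summary
printf '%s\n' "$SAMPLE_LOG" | deny_rules 3
```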

Stealth mode should be enabled! But what is stealth mode? IP-based data communications can be broken down into three main areas:

1. TCP (Transmission Control Protocol) is a connection-based IP protocol.
2. UDP (User Datagram Protocol) is a connectionless protocol.
3. ICMP (Internet Control Message Protocol) carries control and error messages.

Stealth mode deals specifically with one and three. They are both connection based, and because of this the IP stack creates what is called a handshake between the two hosts that are trying to communicate. This handshake can be used by an attacker to probe a target machine to see which services are being run. Once this is done the attacker can then start executing attacks against services with known vulnerabilities. Stealth mode drops the connection so that it appears to the attacker that your machine isn’t even there. The attacker sees nothing and hopefully will move on to easier prey.

One interesting thing to note with regard to OSX 10.5’s implementation of its Application Firewall is that it creates digital signatures of the applications allowed using “Set Access for Specific Services and Applications”. This can present a significant problem with applications that write data back into the .app folder. One application that comes to mind is Skype.

As mentioned before, the Application Firewall is great for the average user, but what if you want more control? Over the years, many software developers have tried to reinvent the wheel and distribute their own firewalls. These applications for the most part made setting up a firewall much more Mac-like, but at the cost of network performance. These third-party firewalls sat on top of the networking stack rather than tying directly into ipfw. Other software developers concentrated on developing a better interface over the top of ipfw. Mac OSX’s firewall is built in as part of the core UNIX system software, so it’s a secure and efficient firewall implementation that, when enabled, won’t negatively affect network performance (White, 2008). One such third-party front-end application is WaterRoof, written by Hany El Imam. WaterRoof lets you add and remove rules with a simple interface. You can also set some network options, and you can back up the configuration and install a startup script. You can see logs and create simple or graphic statistics (El Imam, 2007).

Another nice feature of ipfw is that it can be used both to limit the network traffic trying to get to a host and to limit what types of traffic the host can send. In corporate environments, more often than not, usage of the Internet is dictated by policies. Some of these policies may, and often do, restrict FTP from a user’s desktop out onto the Internet. Trying to configure this with OSX’s built-in graphical tools can be a bit restrictive: you can block an application, but not necessarily the ports that the application uses to communicate with other servers. Understanding that this is a fine line, this is where third-party applications come into play. WaterRoof makes that very simple. It has a built-in wizard that guides you through the process.

Figure 4

In figure 4, rule 1000 reads: deny ip from me to any dst-port 21,20. Translated into English, the rule is: deny my machine (me) from making a connection on ports 21 and 20 (the ports used by FTP) to anyone else (any dst). So let’s test this. In the Terminal output below is a telnet session to an FTP server located at IP address 192.168.25.75. Normally one should see this:

mission-control:~ billheese$ telnet 192.168.25.75 21
Trying 192.168.25.75...
Connected to 192.168.25.75.
Escape character is '^]'.
220- -----------------------------------------------------------------
220- Conair's Creative FTP Server - Unauthorized Access is Prohibited!
220- The local time is Thu Jul 10 16:00:11 2008.
220- You are connected from 192.168.25.215.
220- -----------------------------------------------------------------
220- ftpcreative.st.conair.com FTP server (Version: Mac OS X Server 10.3.9 003 - +GSSAPI) ready.

But when the rule is activated you see this:

mission-control:~ billheese$ telnet 192.168.25.75 21
Trying 192.168.25.75...
telnet: connect to address 192.168.25.75: Permission denied
telnet: Unable to connect to remote host

Side Note: This administrator didn’t do such a good job at securing this host. The last line of the FTP banner clearly states which operating system the server is running and which options were compiled into the version of the FTP software the system is running. It is this information that an attacker can use to target a particular exploit against this host.

One last thing of extreme importance when configuring your firewall… Think twice before committing any change to a firewall on a remote host! If the configuration is not done properly you could lock yourself out, with the only way back in being the console.

Resources:

El Imam, H., (2007), WaterRoof IPFW firewall frontend, Retrieved on Feb 2, 2009 from http://www.hanynet.com/waterroof/index.html

Mogull, R., (2008, Mar 20), How to configure Leopard’s firewall, Retrieved on Feb 3, 2009 from http://www.macworld.com/article/132558/2008/03/connect2504.html?t=234

White, K.M., (2008), Apple Training Series: Mac OS X Support Essentials (2nd Edition), Berkeley, CA: Peach Pit Press

The SED utility works by sequentially reading a file, line by line, into memory. It then performs all actions specified for the line and places the line back in memory to dump to the terminal with the requested changes made (Dulaney, 2003). SED is about pattern matching. So let’s say I want to find all the possible addresses that are hitting my web server. As an OSX system administrator, I’m very often asked to change the file names for a directory full of files. A perfect example of this is that Apple’s Finder (GUI) often hides the dot-three extension of a file. Some text editors don’t always write out file names to disk correctly, and after spending a day writing config files, people end up with a configuration directory filled with files that end in .txt.

bheese$ ls ~/my_app/config
mysql.conf.txt    php.ini.txt   webserver.conf.txt

The application will fail to launch because it is not expecting the .txt extension after the file name. One way to correct this is to use sed within the csh. So:

dhcp102:config bheese$ csh
[dhcp102:~/my_app/config] bheese% ls
mysql.conf.txt php.ini.txt webserver.conf.txt
[dhcp102:~/my_app/config] bheese% foreach filename (*.txt)
foreach? mv $filename `echo $filename | sed 's/\.txt$//'`
foreach? end
[dhcp102:~/my_app/config] bheese% ls
mysql.conf php.ini webserver.conf

As you can see, I’ve removed the .txt file extension from all files in the directory. Yes, this could be done through the Finder one file at a time, but the point here is using the power of UNIX to do this for all files at one time.

AWK is a programming-language tool used to manipulate text. The utility scans each line of a file, looking for patterns that match those given on the command line. If a match is found, it takes the next programming step (Dulaney, 2004). Let’s say that I export all the names in my Entourage address book to a flat file.

CT 06810 Heese  William  40   Paul Street         Danbury
CA 95014 Jobs   Steve    1    Infinite Loop       Cupertino
DC 20500 Bush   George   1600 Pennsylvania Avenue Washington

Now let’s say that I wanted to create some mailing labels. I could just copy and paste, I suppose, but I could also run the file through awk and have it print out the way the Post Office expects addresses to be. I could issue the following command.

awk '{print $4,$3 ; print $5,$6,$7 ; print $8", "$1"\t"$2"\n"}' export > label.txt

The nice thing about this is:
1. I formatted the output of one application to be used within another application.
2. I can reuse this script time and time again whenever I need to create mailing labels from contacts in my Entourage address book.

You will notice that nowhere is actual data used. It all relies on variables that I assigned and manipulated. Sure, you could do either of these two examples a bunch of different ways, but as an admin you need to use what works for you. The point is it doesn’t matter how you go about editing the files. It’s about NOT having to touch each file separately.
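As an added example (not from the original post), the same .txt clean-up written as a plain sh function with the safeguards the quick csh loop lacks: the sed pattern is anchored so only a trailing .txt is removed (a name like mytxtfile.conf is left alone), names with spaces survive, and an existing target is never overwritten. The scratch directory and file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: strip a trailing ".txt" from every
# file in a directory, safely. The sed pattern is anchored, so "notes.txt.bak"
# and "mytxtfile.conf" are untouched; names with spaces work; an existing
# target is reported and skipped instead of being overwritten by mv.
# Usage: strip_txt_ext DIR [-n]   (-n only prints the planned renames)
# Prints the number of files renamed (or that would be renamed) on the last line.

strip_txt_ext() {
    dir=$1
    dry=${2:-}
    renamed=0
    for path in "$dir"/*.txt; do
        [ -e "$path" ] || continue              # no *.txt present: the glob stayed literal
        target=$(printf '%s' "$path" | sed 's/\.txt$//')
        if [ -e "$target" ]; then
            echo "skip: $target already exists" >&2
            continue
        fi
        if [ "$dry" = "-n" ]; then
            echo "would rename: $path -> $target"
        else
            mv -- "$path" "$target"
        fi
        renamed=$((renamed + 1))
    done
    echo "$renamed"
}

# Stand-alone demo on a constructed scratch directory
demo() {
    d=$(mktemp -d)
    for f in mysql.conf.txt php.ini.txt webserver.conf.txt "my app.txt" mytxtfile.conf notes.txt.bak; do
        : > "$d/$f"
    done
    : > "$d/php.ini"                             # already exists: php.ini.txt must be skipped
    strip_txt_ext "$d" -n
    strip_txt_ext "$d"
    ls "$d"
    rm -rf "$d"
}
demo
```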

Resources:

Dulaney, E., (2004, January 16), AWK: The Linux Administrators’ Wisdom Kit, Retrieved on February 15, 2008 from http://www.oracle.com/technology/pub/articles/dulaney_awk.html

Dulaney, E., (2003, December 19), Using the sed Editor, Retrieved on February 15, 2008 from http://www.oracle.com/technology/pub/articles/dulaney_sed.html