From: James Taylor on 21 Jan 2010 08:05

Richard Tobin wrote:
> James Taylor wrote:
>
>>> I don't follow this. Are you suggesting that some malware
>>> already on your machine would run netcat?
>
>> Yes.
>
> Of course, you're already in trouble at this point.

Oh sure, but typically the initial infection vector is a small thing whose first job is to download the full malware. If you can detect and prevent that malware drop taking place then you're much better off.

> Why can netcat do things that the malware itself can't? Are you
> suggesting that netcat would be an application trusted by the
> firewall?

Apparently, Apple have pre-signed many of the standard OS components to allow them access through the firewall without needing explicit rules in the firewall or asking for user permission. Their logic seems to be that only newly dropped malware can do evil and only by accessing the net directly. It didn't occur to them that programs can call other programs to do evil. They should have put explicit allow rules in so users can see what is allowed by default and remove those rules to stop it.

>> It could for instance connect back to the hacker and present him
>> with a remote shell, send personal data, passwords, ssh keys,
>> captured keystrokes, and all the other standard mischief.
>
> You're talking about outgoing connections here. Does the application
> firewall concern itself with them at all?

It certainly should, but maybe they deliberately left that for LittleSnitch so as not to put a third-party product out of business. I haven't tested that because I have LittleSnitch anyway.

> I would have thought it was too tedious to control outgoing
> connections by application (rather than port).

No, that's the whole point of an "application" firewall as opposed to a network level firewall.

--
James Taylor
From: Warren Oates on 21 Jan 2010 08:32

In article <7rqjb7Ff6fU1(a)mid.individual.net>,
James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

> I've been tinkering with this on and off for months. I'm getting
> desperate now. I'm on the point of wiping VMware and even OS X off my
> brand new MacBook Pro and installing Linux with KVM just so I can get a
> properly secured VM hosting environment for my work.

That's a good use of an expensive MBP. Why did you buy a Mac in the first place - there's lots of ways to run Linux cheaper.

--
Very old woody beets will never cook tender.
-- Fannie Farmer
From: David Sankey on 21 Jan 2010 08:32

In article <0cjgl5p24mgmlq0qe9ptbm3c3k23higltg(a)4ax.com>,
Jaimie Vandenbergh <jaimie(a)sometimes.sessile.org> wrote:

> On Thu, 21 Jan 2010 12:24:47 +0000, David Sankey
> <David.Sankey(a)stfc.ac.uk> wrote:
>
> >My previous post suggested ways of configuring the firewall to do what
> >you want. But turning off the unwanted daemons is also no bad thing.
> >
> >The NSA hardening guide describes what you need to do:
> ><http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf>
>
> There's a lot of good stuff over there. Browsing from
> http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
> is interesting.
>
> No mentions of Flash that I can find!

In addition to the two guides listed there, there is also the Corsaire one
<http://research.corsaire.com/whitepapers/080818-securing-mac-os-x-leopard.pdf>
but this isn't totally up to date (in particular the description of StartUpItems...)

Kind regards,
Dave
From: James Taylor on 21 Jan 2010 08:32

David Sankey wrote:
> James Taylor wrote:
>
>> But it's an application firewall isn't it? So it should allow me to
>> specify which processes are allowed incoming and outgoing network
>> access.
>
> I've dipped into this thread from time to time and am slightly confused.
>
> From the Leopard security guide I see that Apple claim that the
> following system services that are still allowed to receive incoming
> connections:
>
> configd: Implements DHCP and other network configuration services.
> mDNSResponder: Implements Bonjour.
> racoon: Implements Internet Key Exchange (IKE).

There are others too, which they don't mention.

> Indeed if I look in /Library/Preferences/com.apple.alf.plist

Oh you wonderful man! Thank you, thank you! I'm looking at it now. Perhaps a severe culling of this file is all I need.

> I see /usr/sbin/configd, /usr/sbin/mDNSResponder and /usr/sbin/racoon
> listed as the only exceptions.

I see quite a few other things too. There are seven explicitauths including full languages that would provide quite a lot of power for an exploit to use for downloading code, connecting a reverse shell, or further scanning of the network all without any user warnings. There's also a section called signexceptions with a lot of entries. I have to assume they've been signed in such a way that malware couldn't just modify or replace them. However, this begs the question of whether the non-signed "explicitauths" above can be modified or replaced by malware thus making a mockery of the firewall entirely.

> Your complaint certainly has included mDNSResponder, I don't recall if
> you also wanted to block configd and racoon at the hypervisor level.

Yes I do. They're not needed. The hypervisor doesn't need any presence on the network. I only wish it to make the physical (layer 0) connection via ethernet or wi-fi and leave the rest to VMware's guests.

> Either delete these exceptions from
> /Library/Preferences/com.apple.alf.plist

Great idea. Will do.

> or, for Bonjour, configure ipfw to block udp 5353 in and out and enable
> it as per prescription in the security guide (but this of course is
> blocking them for your VMs as well).

No, that's not what I want. I may actually be actively probing for or passively listening for MDNS in one of the guests.

> I'd play with the first suggestion first.
>
> I note en passant that /usr/bin/nc is in the explicitauths...

Indeed. I'm off to get something to eat, then there's going to be some savage butchery to this file when I get back. Thank you so much.

--
James Taylor
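[Added example, not part of any post in this thread.] A sketch of reviewing and trimming the firewall's pre-authorised program lists discussed above, working on a copy of the plist rather than the live file. The section names `exceptions` and `explicitauths` come from the thread; the per-entry key names (`path`, `id`), the watchlist and the sample data are assumptions made for illustration.

```python
import plistlib
import re

# Hypothetical watchlist (an assumption of this example): program names that can
# open sockets or fetch code for another process, e.g. nc and script interpreters.
WATCHLIST = {"nc", "python", "perl", "ruby", "php", "ksh"}
SECTIONS = ("exceptions", "explicitauths")

def entry_name(entry):
    """Identify one entry; the 'path' and 'id' key names are assumed."""
    if isinstance(entry, dict):
        return str(entry.get("path") or entry.get("id") or "")
    return str(entry)

def is_watched(name):
    """True if any path or bundle-id component (version digits stripped) is watchlisted."""
    parts = re.split(r"[/.]", name.lower())
    return any(p.rstrip("0123456789") in WATCHLIST for p in parts)

def audit(plist_bytes):
    """Map each section to [(entry, needs_review)] for every pre-authorised program."""
    data = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    return {s: [(entry_name(e), is_watched(entry_name(e))) for e in data.get(s, [])]
            for s in SECTIONS}

def cull(plist_bytes, remove):
    """Return new plist bytes with the named entries dropped; the input is untouched."""
    data = plistlib.loads(plist_bytes)
    for s in SECTIONS:
        if s in data:
            data[s] = [e for e in data[s] if entry_name(e) not in remove]
    return plistlib.dumps(data)

# Constructed sample, not a copy of a real com.apple.alf.plist.
SAMPLE = plistlib.dumps({
    "exceptions": [{"path": p} for p in
                   ("/usr/sbin/configd", "/usr/sbin/mDNSResponder", "/usr/sbin/racoon")],
    "explicitauths": [{"id": "/usr/bin/nc"}, {"id": "com.example.python"}],
})

if __name__ == "__main__":
    trimmed = cull(SAMPLE, {"/usr/bin/nc", "/usr/sbin/racoon"})
    for label, blob in (("before", SAMPLE), ("after", trimmed)):
        for section, rows in audit(blob).items():
            for name, flagged in rows:
                print(f"{label:6} {section:13} {'REVIEW' if flagged else 'ok':6} {name}")
```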
From: James Taylor on 21 Jan 2010 08:34

David Sankey wrote:
> The NSA hardening guide describes what you need to do:
> <http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf>

Oooh, nice find. I'll take a look. Thanks

Hmmm, mind you, I hesitate to download and view a carefully crafted PDF file from the likes of the NSA!!!

--
James Taylor