Newbie trying to secure his Box... tips?

[Haldane]

Me: UNIX bod.

Mac: Mac-mini
OSX version: 10.mumble (How do you tell from the command line?)
Ethernet Cable: Teh IntarWeb!1! (DHCP via cable box)
Wireless: Household Secure Network (WPA preshared key)

Purpose: It provides a house with internet access via a secured wireless LAN, while providing them with a mail server, firewall protection, a fileserver, a web cache, maybe a public website, and anything else I think of later. (Not bad for a small box by the telly!)

Difficulty: No GUI (I SSH to it from my Nokia 9300 phone)

Problem: I want to close all UDP/TCP ports listening on the Internet, while keeping them open on the wireless LAN.

No, ipfw is not the answer. I want to believe the apps aren't that badly programmed that they listen on all interfaces of a multi-IP firewall (precluding you ever from running different ones on different virtual interfaces!)

No, I'm not installing Linux. If OSX says it's a modern OS it should be able to prove it.

I have made significant progress, but I'm interested in how other people have done it, because *dear GOD* I must be doing something wrong for it to be this difficult!!

In particular: launchd. This appears to be missing an admin interface... or somebody needs to be shot.

PS: That 'Share My Wireless' GUI thing that should have made this *oh* so easy, turned out to be utterly, stunningly, useless. It was nicely connected to the house wireless LAN with WPA, and I click that magic button, and it promptly disconnects, and gives my neighbours open unfettered access to my internet.

That's not just unintuitive, it's downright hazardous!

 

[djdawson]

Actually, I believe ipfw *IS* the answer. You may be able to find options for some apps that allow you to bind their listening ports to individual IP addresses/interfaces, but that's not a universally supported option in my experience. This is exactly what ipfw was designed for, so it's probably the best solution. You might be able to approach what you want to do with "tcpd", but ipfw would be better. There was a shareware GUI ipfw front-end app called "Brickhouse" that people used to like, but it's now called "Flying Buttress" and may no longer be supported. Otherwise there are several ipfw tutorials online that would be worthwhile, some of which are specific to Mac OS X and include examples.

You can still use the old "cron" and "inetd" tools, as well as Apple's not quite as old "StartupItems" approach, but launchd is Apple's new way so it's probably better to use it, too. You can use the freeware utility "Lingon" to configure it, but if all you have is shell access a GUI app won't help much (you might want to look into VNC and see if that's useful to you). Launchd isn't as obtuse as it initially appears - read the man pages for it and the associated "launchd.plist" and "launchctl" pages. Apple also has a document in their Developer area that does a pretty good job of describing how to migrate to launchd from the more traditional *nix configs. Look in the area that describes how to migrate from UNIX to OS X.

HTH - Good luck!

 

[mischief]

Me: UNIX bod.

Mac: Mac-mini
OSX version: 10.mumble (How do you tell from the command line?)
Ethernet Cable: Teh IntarWeb!1! (DHCP via cable box)
Wireless: Household Secure Network (WPA preshared key)

Purpose: It provides a house with internet access via a secured wireless LAN, while providing them with a mail server, firewall protection, a fileserver, a web cache, maybe a public website, and anything else I think of later. (Not bad for a small box by the telly!)

Difficulty: No GUI (I SSH to it from my Nokia 9300 phone)

Problem: I want to close all UDP/TCP ports listening on the Internet, while keeping them open on the wireless LAN.

No, ipfw is not the answer. I want to believe the apps aren't that badly programmed that they listen on all interfaces of a multi-IP firewall (precluding you ever from running different ones on different virtual interfaces!)

No, I'm not installing Linux. If OSX says it's a modern OS it should be able to prove it.

I have made significant progress, but I'm interested in how other people have done it, because *dear GOD* I must be doing something wrong for it to be this difficult!!

In particular: launchd. This appears to be missing an admin interface... or somebody needs to be shot.

PS: That 'Share My Wireless' GUI thing that should have made this *oh* so easy, turned out to be utterly, stunningly, useless. It was nicely connected to the house wireless LAN with WPA, and I click that magic button, and it promptly disconnects, and gives my neighbours open unfettered access to my internet.

That's not just unintuitive, it's downright hazardous!

Frankly, you're asking too much of your Mini.

I love my mini, but you're looking for OS X server. Trying to get the client version to do all of this for you will only frustrate you. Best ease-of-use would be had by combining OS X server (5 or 10 license) with a decent Linksys (Cisco) wireless router.

Set up the Mini to be DMZ'd and lock the router's ports down all you like. The Mini can do all the services you're wanting and more as soon as you install Server.

 

[0007776]

Frankly, you're asking too much of your Mini.

I love my mini, but you're looking for OS X server. Trying to get the client version to do all of this for you will only frustrate you. Best ease-of-use would be had by combining OS X server (5 or 10 license) with a decent Linksys (Cisco) wireless router.

Set up the Mini to be DMZ'd and lock the router's ports down all you like. The Mini can do all the services you're wanting and more as soon as you install Server.

If you have the Intel Mac-Mini then I think that you will have to wait for leopard to get the server version, since if you buy the retail version of Tiger it will only work with PPC macs.

 

[mischief]

If you have the Intel Mac-Mini then I think that you will have to wait for leopard to get the server version, since if you buy the retail version of Tiger it will only work with PPC macs.

Not so: http://www.allmacshop.co.uk/?page=proddetail&prod=29450

The 10.4.7 release is available in UB but will not install on PPC. It must be specifically requested at time of purchase however.

 

[Haldane]

Actually, I believe ipfw *IS* the answer. You may be able to find options for some apps that allow you to bind their listening ports to individual IP addresses/interfaces, but that's not a universally supported option in my experience.

Then they need to be fixed too. Seriously. It is a trivial feature for the programmer to implement and gains them instant securability and flexibility.
Maybe few people will use it, but if you need it, and it isn't there, your only choice is to do things like buying more servers or installing firewalls. All because the programmer didn't write a couple more lines of code.

This is exactly what ipfw was designed for, so it's probably the best solution. You might be able to approach what you want to do with "tcpd", but ipfw would be better.

ipfw can do it, yes (it can do damn near anything) and I'm currently using it to block several ports while I find the correct interface options in samba etc. But this is serious voodoo - are you *sure* you used the right incantations? Did you remember to block IPV6 as *well* as IPV4? Hmm? Whatabout packets that spoof their source IP's? And have you accidentally blocked outgoing TCP connections on that port for the people you're NATing for onto the internet?

Or, you could tell the application *not* to listen on the internet interface, and you won't have to worry about *any* of that.

There was a shareware GUI ipfw front-end app called "Brickhouse" that people used to like, but it's now called "Flying Buttress" and may no longer be supported. Otherwise there are several ipfw tutorials online that would be worthwhile, some of which are specific to Mac OS X and include examples.

Aye, tried that when I was trying to get NAT working. It didn't help as much as I thought, and got uninstalled.

You can still use the old "cron" and "inetd" tools, as well as Apple's not quite as old "StartupItems" approach, but launchd is Apple's new way so it's probably better to use it, too. You can use the freeware utility "Lingon" to configure it, but if all you have is shell access a GUI app won't help much (you might want to look into VNC and see if that's useful to you).

I've used VNC to it down ssh tunnels from my home box. It was painfully slow, and the GUI's are not designed to tell me what I want to know. It was much *much* faster and easier to use ssh.

Launchd isn't as obtuse as it initially appears - read the man pages for it and the associated "launchd.plist" and "launchctl" pages. Apple also has a document in their Developer area that does a pretty good job of describing how to migrate to launchd from the more traditional *nix configs. Look in the area that describes how to migrate from UNIX to OS X.

I read a fair amount, but then I needed to ask launchd some questions about what it was doing, and it was unable to tell me.
i.e.
Q: You are listening on port 445. Why?
A: Dunno - grep all my startup files, everywhere, and then read each one individually and parse it in your head.
Q: Okay, what files have you loaded?
A: Dunno - I've got these 'key' value things, but they don't correspond to any filenames, you have to do more grepping. I also can't say if what's in those files is what I actually loaded either. Nor can I tell you if I'm *actually* running those things I loaded.

Have I missed something here? This appears to be the lynchpin of the entire system, and it's 'write-only'.

 

[Haldane]

Frankly, you're asking too much of your Mini.

I love my mini, but you're looking for OS X server. Trying to get the client version to do all of this for you will only frustrate you. Best ease-of-use would be had by combining OS X server (5 or 10 license) with a decent Linksys (Cisco) wireless router.

Set up the Mini to be DMZ'd and lock the router's ports down all you like. The Mini can do all the services you're wanting and more as soon as you install Server.

It wasn't till I started finding out that all the googled up help pages referred to commands I didn't have, that I eventually discovered that OSX 'Server' existed. I was a tad miffed...
I can't in all seriousness spend $$$$ on something that just removes obstacles to using that which I already possess.

This little box has the blood of Unix in its veins. It can do anything it desires if it truly believes in itself. I have achieved everything I have set out to do, but I am not happy with what I had to do to get there. I was hoping I'd missed something.
I am now worried I haven't.

The only thing I have left to do is hook all my services into launchd so they restart on a power failure. This would be a handful of lines in any other Unix.
It's a bleedin nightmare in launchd!
(is that deliberate?)

 

[NaMo4184]

what ever you do don't instal norton antivirus. That's the best advice i can give.

 

[jeremy.king]

Don't most geek's networks just put a firewall device in front of their "server(s)," why not do the same? I don't see the point of running your mini as a file and web server,proxy AND a firewall at the same time. Having another device means you won't need to pluck with ipfw and it will most likely have a nice user friendly gui, not to mention reduce the load on your poor mini.

 

[displaced]

Many, many years ago when I first moved from Debian to OS X, I too was rather at sea when it came to things like this.

ipfw is certainly the solution. However, manually configuring the firewall rules whilst fun for the inner geek, isn't necessary.

When my old iMac G3 (the bubble-shaped one) was acting in a similar role to your Mini, I used an application called BrickHouse which is a powerful front-end to ipfw's abilities.

I'm a little out-of-the-loop regarding that app at the moment. I long since switched to a hardware firewall running in front of my servers. However, a quick Google reveals that BrickHouse has been renamed to Flying Buttress and its homepage is here.

Regarding per-app interface binding: certainly, it's something which should be implemented by the application. Almost every networking daemon I can think of does indeed allow this to be specified in their config files. The two big ones I always limit to internal interfaces are the Windows Sharing (smb) daemons -- smbd and nmbd. Check out man smbd.conf for information.

Also, on the subject of launchd - yeah, I find it a little yucky at times. It's very sophisticated, but it's a little obtuse. Check out Lingon which is a handy GUI that'll let you get an overview of launchd's configuration.

Finally, there's nothing I can think of that OS X Client is missing compared to Server. Sever has many very nice GUI apps to make administration and setup a breeze. However, everything I've wanted to do has been do-able with Client. Many individuals have put together GUI tools to assist people wanting to do advanced things with OS X Client. With some careful reading and visits to sites like macosxhints.com virtually anything's possible. For instance, last night I configured my OS X Client to run as a vpn server, using the very same vpnd daemon that OS X Server runs.

Sometimes I prefer taking the 'dirty' route of configuring network services right down on the bare config files. It's a great way to learn exactly what the service you're trying to use does 'over the wire'. I went as far as to get a UNIX shell account on a remote system from which I could run intrusion tests against my setup.

[edit]

Hmm. Just realised your position regarding SSH-only access (from a phone, no less!).

Editing the config files on a per-daemon process is the only way to go in this case. You may either edit the ipfw rules manually, or leave the firewall disabled and edit each daemon's config separately (e.g. postfix - mail, squid - webcache, apache - http), using each daemon's man page to discover the 'bind', 'interface' or 'listen' parameter.

This is exactly the way I'd do this on a Linux system without a GUI. Sure, there are some ncurses-based terminal utils on many linux distros that provide daemon configuration, but again, I'd much rather see my settings right there in the .conf file. Personally, I'd both firewall as appropriate as well as binding daemons to the correct interface -- two layers of protection are better than one

launchd's more of a pain from the terminal. launchctl is about as nice an interface as you're going to get at present (unless there's other tools out there). I'm very used to messing with xinetd, and perhaps it's my familiarity with xinetd that's hampering my ability to grasp launchd. From the man pages and apple docs, launchd looks very good, but I find the configuration a bit ass-backwards in places However, xinetd's still available on OS X - I just checked my (relatively) untampered 10.4.8 installation on my MacBook Pro, and xinetd's running. So, if you're setting up your own services and are more comfortable with xinetd, use it! Plus, any of the multitude of linux xinetd configuration and management scripts will work with the OS X incarnation of xinetd.

You'd do well to install webmin on your mini, too

As for the performance hit on the mini -- really not a problem. My internet connection's 10Mbit and the old G3 iMac routed traffic via NAT at full speed with barely any load. It served dynamic (PHP) apache sites, kept a local mail spool and also a local caching dns server without breaking a sweat.

 

[displaced]

Quick additional comment (posted separately, since my last reply was a rambling shambles!)

Thinking about it, webmin is perfect for your use.

Out of the box, it can configure many of the daemons provided with OS X. Additionally, it will also configure any additional things you install (squid, etc.)

Plus, you can set up great custom commands, accessible via the web pages. For example, my 'media centre(ish)' Mac Mini is running webmin. I've created a custom Webmin command to burn disk images on the mini. I insert a blank disk, visit Webmin, select the image file via webmin's file browser, and off it goes! There's several pared-down themes for the Webmin interface that should work great with your Nokia. Plus, with a little creativity, you can create a stripped-down Webmin screen providing access to only the important features you want. Like most Unix systems, there's a fair bit of voodoo to get things perfect, but the power and stability is worth it!

 

[Haldane]

Coo - thankee - that's very useful info

I'll see if I can use webmin via w3m against localhost over ssh

 

[displaced]

Coo - thankee - that's very useful info

I'll see if I can use webmin via w3m against localhost over ssh

Glad to help!

Just a point -- you don't necessarily have to go in via ssh to use webmin securely. Webmin ships with a http server (miniserve.pl) which supports https. You can configure miniserve to bind only to the internal interface (check out miniserve.conf), then browse the served web pages from your phone's web browser.

By the way, that comment in your first post regarding the behaviour of the internet connection sharing is not something I've ever seen. With the Mac connected to my cable modem via ethernet, the option correctly shared (using natd) the cable connection across my WPA-protected wireless network exactly as expected. Something's not quite right with your setup if it's messing up your security.

For intrusion testing, I use a shell account from www.silenceisdefeat.org. The account includes a fully up-to-date nmap utility which you can run against your external IP address to test for open ports and machine visibility.

 

[djdawson]

I think you'll still need ipfw

In your original post you mentioned providing firewall services. I don't see any way to do that without using ipfw, unless you're not going to allow hosts behind the Mac to access the Internet at all.

 

[erikv]

For instance, last night I configured my OS X Client to run as a vpn server, using the very same vpnd daemon that OS X Server runs.

Can you share the details of how you accomplished this? I'm currently having a problem with Confirm Authentication dialog box that pops up every time I want to connect to my vpn server machine. Clicking "Allow Once" works, "Always Allow" does not. Once the vpn connection is closed, subsequent connection attempts cause that dialog box to come up again.

I posted my question on the thread at MacOSXHints, but haven't gotten a response from anyone yet.

Thanks in advance!