Security Basics mailing list archives
Re: Mac OS X Server Security Questions
From: David Haines <david () coresolutiongroup com>
Date: Sat, 16 Apr 2005 19:57:23 -0400
Sorry for your difficulties, but you really started out with a "bash-Apple" thread, that was mostly a vent and gave no real details of any sort whatsoever. That is what formed the basis of my original reply.

For starters, go to System Preferences/Sharing to shut off ssh. I'd recommend that, as it is enabled by default on OS X server. It's a known, current issue that many are hacking ssh via dictionary-type attacks. Mind you, now with your dedicated Firewall in place, it's a moot point unless you're forwarding traffic for port 22.
If you must use ssh, edit the /etc/sshd_config file, and find the line:

    #Protocol 1,2

and change it to:

    Protocol 2

then find:

    #PermitRootLogin yes

and change it to:

    PermitRootLogin no

change:

    #PermitEmptyPasswords no

to

    PermitEmptyPasswords no

(ie: uncomment that line)

Once you've set up ssh keys (see below), go back and change:

    #PasswordAuthentication yes

to:

    PasswordAuthentication no

You may just want to disable ssh login entirely (System Preferences, Sharing, uncheck "remote login") but it has its uses.

After any of the changes above, toggle off/on "remote login" in the sys-pref panel, or use:

    sudo kill -KILL $(ps | grep 'sshd' | awk '{print $1}')

You can also edit /etc/xinetd.d/ssh to:

    only_from = 10.0.0.0

and can also add:

    no_access = 61.0.0.0/8

or whatever the ip-range of your hacker was.

Then set up an ssh dsa-key, read the article here:
http://www.macdevcenter.com/pub/a/mac/2004/07/13/inside_ssh_pt2.html?page=2

You might want to start here, and read through the author's series on SSH for OS X:
http://www.macdevcenter.com/pub/a/mac/2004/07/09/inside_ssh_pt1.html

For the firewall in OS X server, the initial setup is very basic, and you'll want to get into the "Advanced" settings. However, as you've noted, I'd have gone with a dedicated appliance vs the software firewall as well, as you quickly did.

Are you using the server in "standalone" mode or running it as an Open Directory Master? What services are running on the machine, apart from (I'd presume) AFP?

Don't use the System Preferences / Sharing for filesharing, that's equivalent to using the standard user-level Control Panels on a Windows server to "configure" services (as in, not). You're side-stepping the whole Server layer when doing this.

PS: please don't call it X-server, that implies a linux or unix X-windows "server".

On Apr 9, 2005, at 7:01 PM, Brad Berson wrote:
Great stuff, Javier, thank you. More info to read!!!

I probably need to watch my wording more carefully here. First the workstation vs server thing, now the "hardware vs software firewall" thing. You're absolutely correct, it's all software; the idea behind my remark was simply that a firewall on the host is not going to be as robust. Sadly we know that bloody well everything has vulnerabilities. No question a dual border DMZ is a great idea, though probably overkill for some.

Sorry about the apparent bashing but I'm really frustrated with vendors this week, and the last thing I needed to hear is that I can't be helped because something's not supported.

-Brad
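
An added example, not part of the original message: a small Python check that reads an sshd_config and reports which of the four settings recommended in the post above are not actually in effect. The function names and the sample config are constructed for illustration; the check relies on sshd using the first value it finds for a keyword and treating a commented-out line as unset (so the built-in default applies).

```python
import re
import sys

# The four settings recommended in the post (sshd keywords are case-insensitive).
RECOMMENDED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "passwordauthentication": "no",
}

# Constructed sample: root login still commented out, and a later
# "PasswordAuthentication no" that is shadowed by an earlier "yes".
SAMPLE = """\
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
PasswordAuthentication no
"""

def effective_settings(text):
    """Map keyword -> value for active global lines; the first occurrence wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented out means not set here
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break                         # conditional blocks are not global settings
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return seen

def audit(text):
    """Return (keyword, found, wanted) for every recommendation not in effect."""
    active = effective_settings(text)
    return [(key, active.get(key), wanted)
            for key, wanted in RECOMMENDED.items()
            if active.get(key) != wanted]

if __name__ == "__main__":
    # Pass a path such as /etc/sshd_config; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, found, wanted in audit(text):
        print(f"{key}: found {found or 'unset (default applies)'}, want {wanted}")
```

A found value of None means the directive is commented out or absent, which is the state the post's "uncomment that line" step is meant to fix.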