Re: Mac OS X Server Security Questions

[David Haines <david () coresolutiongroup com>]

Sorry for your difficulties, but you really started out with a
"bash-Apple" thread, that was mostly a vent and gave no real details of
any sort whatsoever. That is what formed the basis of my original
reply.

For starters, go to System Prefernces/Sharing to shut off ssh.
I'd recommend that, as it is enabled by default on OS X server.

It's a known, current issue that many are hacking ssh via
dictionary-type attacks.

Mind you, now with your dedicated Firewall in place, it's a moot point 
unless you're forwarding traffic for port 22

If you must use ssh, edit the /etc/sshd_config file, and find the line:
#Protocol 1,2
and change it to:
Protocol 2

then find:
#PermitRootLogin yes
and change it to:
PermitRootLogin no

change:

#PermitEmptyPasswords no
to
PermitEmptyPasswords no    (ie: uncomment that line)

Once you've setup ssh keys, (see below), go back and change:
#PasswordAuthenticatioin yes
to:
PasswordAuthentication no

You may just want to disable ssh login entirely (System Preferences,
Sharing, uncheck "remote login")
but it has its uses.

After any of the changes above, toggle off/on "remote login" in the
sys-pref panel, or use:

sudo kill -KILL $(ps | grep 'sshd' | awk '{print $1}')

You can also edit /etc/xinetd.d/ssh
to:
only_from       = 10.0.0.0

and can also add:
no_access       = 61.0.0.0/8

or whatever the ip-range of your hacker was

Then setup an ssh dsa-key, read the article here
http://www.macdevcenter.com/pub/a/mac/2004/07/13/inside_ssh_pt2.html?
page=2

you might want to start here, and read through the author's series on
SSH for OS X:
http://www.macdevcenter.com/pub/a/mac/2004/07/09/inside_ssh_pt1.html

For the firewall in OS X server, the initial setup is very basic, and
you'll want to get into the "Advanced" settings.
However, as you've noted, I'd have gone with a dedicated appliance vs
the software firewall as well, as you quickly did.

Are you using the server in "standalone" mode or running it as an Open
Directory Master ?
What services are running on the machine, apart from (I'd presume) AFP ?

Don't use the System Preferences / Sharing for filesharing, that's
equivalent to using the standard user-level Control Panels on a Windows
server to "configure" services (as in, not). You're side-stepping the
whole Server layer when doing this.


PS: please don't call it X-server, that implies a linux or unix
X-windows "server".

On Apr 9, 2005, at 7:01 PM, Brad Berson wrote:

> Great stuff, Javier, thank you.  More info to read!!!
>
> I probably need to watch my wording more carefully here.  First the
> workstation vs server thing, now the "hardware vs software firewall"
> thing.  You're absolutely correct, it's all software; the idea behind
> my
> remark was simply that a firewall on the host is not going to be as
> robust.  Sadly we know that bloody well everything has vulnerabilities.
>
> No question a dual border DMZ is a great idea, though probably overkill
> for some.
>
> Sorry about the apparent bashing but I'm really frustrated with vendors
> this week, and the last thing I needed to hear is that I can't be
> helped
> because something's not supported.
>
>
> -Brad
> -----