For this how-to, you need;

- an Apple Airport wireless base station.

- Airport Utility

- OS X 10.4 or higher (yes, Leopard is fine)

- your Mac’s installation discs if you don’t have the Developer tools installed yet.

Ready? Let’s go!

Step One: First of all, authenticate with your wireless network and open your Airport Utility. You should see something like this;

Note the name of the base station here; we will need it later. As you can see in the source list on the left, mine’s “Prokyon”. Click “Manual Setup”, and once the settings have been loaded, select “Advanced” from the toolbar.

This is the selection of tabs you will find under “Advanced”. The first tab, “Logging & SNMP”, is the tab we need. Check ‘allow SNMP’ (it doesn’t have to be over WAN, as this will allow you to monitor statistics over the internet, exposing a possible security hole). That’s it for Airport Utility for now. Save the settings and quit the utility.

Step Two: Now we’re going to set up MRTG. You can get an easy-to-use binary from here; follow the basic instructions, namely;

Open a terminal,

cd (directory containing )mrtg-2.9.4-mosx.tgz

su

enter your root password

tar xzf mrtg-2.9.4-mosx.tgz

cd mrtg-2.9.4-mosx

./install.sh

exit

If all goes well, you now have ‘mrtg’ installed. Test it by typing ‘mr’ at the command line followed by pressing the ‘tab’ key. It should, given you don’t have other utilities installed beginning with ‘mr’, autocomplete to ‘mrtg’.

Step Three: Now, before we start setting up MRTG to use the SNMP services of your router, let’s test if it actually works. Open a terminal, and enter;

snmpwalk -v 2c -c public -M /usr/share/snmp/mibs:$HOME/share/mibs -m+AIRPORT-BASESTATION-3-MIB (Base station name).local 1.3.6.1.4.1.63.501

All on one line. In this case, replace ‘-c public’ with either the community string you set in the Airport Utility (’-c thestringyouentered’) - if you left this blank in the Airport Utility, it either defaults to ‘public’ or your base station password. Try both; it will either time out or spit out a huge amount of information. Also replace ‘Base station name’ with your base station name, as I told you to note in the first step. Mine would be ‘Prokyon.local’. Done filling the blanks? Press enter, and let it roll.

If it times out, check if SNMP is enabled or restart your Airport (also remember to check if the community string you set with the -c flag is either ‘public’ or your password). If it gives an error about missing something, download the Airport MIB from Apple and copy it to “/usr/share/snmp/mibs” (you can ‘Go to folder’ with CMD+Shift+G in Finder to reach this directory), then try again.

You should get a whole lot of output in your terminal. Working? Great, let’s go to the next step.

Step Four: Along with MRTG, we installed a utility called ‘cfgmaker’, that will generate MRTG configuration files for us. In the terminal, we will have to generate such a configuration. Don’t sweat, it’s very painless.

cfgmaker public@192.168.2.5 > ~/mrtg.cfg

Ensure that ‘public’ is your community string. As described in the last step, this is most likely either your base station password (-not- the network password) or just ‘public’. 192.168.2.5 is my router’s IP address in this case; you should check what yours is, either by doing a ‘port scan’ with the Network Utility on your Mac, or by checking with your network preferences in System Preferences. It’s possibly also listed in the trusty Airport Utility. Fill in your IP address (ensure the community string and the IP address are separated by just a ‘@’) and let it do its job. The file ‘mrtg.cfg’ has been generated in your home directory.

Step Five: Now we can let MRTG do it’s first run. For sharing on the local network, I placed my MRTG web-pages and graphs in “~/Sites/MRTG/” - note that ‘~’ stands for /Users/myname/ here - as it is also very convenient. If you want to go on the safe side and do the same thing, make the directory in advance; MRTG -will not- do this for you.

Edit the newly generated mrtg.cfg with an editor like TextMate or nano (in the terminal). For the least hassle, I will describe using nano in your terminal to add the final changes to let MRTG know where to put its files.

nano ~/mrtg.cfg

Is what you need to type into your terminal. You’ll see something a bit like this;

Move your cursor to the line “# FOR UNIX” and delete the single leading hash mark (#) in the line beneath it. Enter the path of where you want to store the files here, as you can see, I chose /Users/superuser/Sites/mrtg/, as my account’s short name is ’superuser’. To save the changes, press CTRL+X, and “Y”.

Step Six: Now we will run the MRTG application. Since on Leopard, MRTG complained that I used a Unicode environment, I set the shell’s environment variable ‘LANG’ to ‘C’ before using it. The whole command to run MRTG then looks like this;

env LANG=C mrtg ~/mrtg.cfg

This is provided you followed my instructions and your .cfg file is located in ~/ (your user directory). If all goes well, MRTG should just do its thing and return your control over the prompt after a second or a few. If it outputs errors, check the steps to see if you didn’t do something a bit different. You can now check your directory (~/Sites/mrtg/ for me) to see your first graphs.

This is my MRTG output directory, and as you can see, it generated files with (your router IP address).html as a name, with a number appended to indicate the interface. Several interfaces exist on the Airport Extreme; the most interesting ones are the WAN and ATH0 interfaces, respectively your internet connection port and the wireless interface. The graphs for these, provided you run MRTG periodically, show the data throughput graphed over time. Now, since it is a bit tiresome to run MRTG all day in your terminal, we need something to do that -for- us.

Step Seven: Fortunately, there’s an excellent tool for adding such a ‘daemon’ function to our system. Running Leopard, mind that there is an extra step here, which I will let Tiger users do as well for certainty. Download ‘Lingon’, Peter Borg’s excellent GUI for launchd, OS X’s initialisation system and more. Once the download has completed, run it, and open a terminal.

In the terminal, we’re going to make a shell script with the single line of instructions that loads up MRTG. Let’s use nano for convenience again, so enter;
nano mrtg.sh
and enter the command you used to run MRTG ( env LANG=C mrtg ~/mrtg.cfg in my case), but add the complete paths this time. My command would look like this;

env LANG=C /opt/local/bin/mrtg Users/superuser/mrtg.cfg

Exit and save again with Ctrl + X. Remember to make sure the paths are accurate and the command works (test run it in your terminal to see if you get any errors). Place the shell-script somewhere out of your user directory, like /Users/Shared/, and switch to Lingon.

In Lingon, press ‘New’ and make an appropriate choice; you can use these settings as an example;

At the bottom, you can see I let it run every three minutes. You can make it run as often as you want. Save settings, and depending on your choice of Agent, reboot or log out to make the changes happen.

Congratulations! If all went well, you should have an auto-updating set of graphs now. You can choose to do two things now; check these graphs occasionally, or present them on your desktop using GeekTool like I did. Geektool’s website is down right now, so download it from last post and install it to your System Preferences by double-clicking the preference pane in the disk image.

Last Step: Once it’s installed, System Preferences opens and shows you the preference pane. Make sure you have just System Preferences shown so you can see your entire desktop (most importantly, the top left). Add an item to the left list; and set something like this;

The blue rectangle is the active overlay that will contain the image you choose. You can set a refresh interval (I use 10 seconds because it’s the default), resize the image, and place it wherever you like. Although GeekTool is old (well, it hasn’t seen a lot of updates), it’s well coded in that it won’t vanish when you use Exposé or even Spaces.

My result can be seen here; if there’s demand for it, I will upload the PSD of my little ‘comm station’ overlay so you can use it with whatever wallpaper you desire. Perhaps I will write a second part with how to put this into a widget form, and tracking the amount of users on your wireless network and graphing other miscellaneous statistics. Enjoyed this how-to? Comments / blog reactions / email is welcome!

digg it!

It’s been a ‘diggy’ day yesterday; There was a considerable amount of traffic.

Wow, what a friendly inauguration of my blog! As you can see, I’ve transferred a neat 6 gig in one day. I was silently hoping for this, because the follow-up required at least some people of who I could verify that they had read it. First off, more pretty figures and graphs.

Mac User total: 10122
Mac Users that have been on the page for more than 5 minutes: 5238 (51,75%)

Now, what am I getting at with all these stats? Well, raw access logs, like any webserver generates, contain information that the readers’ browsers sent to me. I am not into the whole American-ISP thing (I’m Dutch, myself), but it seemed to me a big share of the readers was American, and a whoppping 0,8% used Tor, which means 81 people (I think that is a lot, actually). Anyway, it wasn’t all that important, since last time I checked, portscanning was legal. What, Sebastiaan, you scanned these people? Yep. Let me first say a few words about this.

When I want to determine if people, say, followed my leads, and put their firewall on, put on UDP filtering, or even deleted the two rules that allowed in UDP traffic from the two magical ports; CUPS and Bonjour. Unfortunately, UDP is a very difficult protocol to do portscanning with, as it’s workings differ very much from TCP - a connection-based protocol. I need to use packets that ’speak the language’ of the protocol I am trying to find. I know my target services, namely NTP (Network Time), CUPS (Printing Daemon), and Bonjour. So, it would be difficult to enumerate what hosts have enabled their firewall (there isn’t really a way to tell what is dropping the packet, or I’d have to do a traceroute with every scan, which is possible, but a bit unwieldy). It is, however, easy to enumerate people who have not enabled UDP scanning, or have specifically removed the rules that allow UDP traffic into these ports (recieving an ICMP packet with port unreachable or administratively prohibited assumed in this test, by me, that it was blocked at the source). Thus, I can test the amount of people who have taken the advice and don’t need Bonjour and CUPS.

For this particular purpose of mass-scanning (don’t do this at home), I used a tailored and proven tool, scanrand. It’s a port scanner by Dan Kaminsky and it’s blazing fast. It uses SYN packets, like Nmap can deal out with the -sS option, and these TCP semi-connections go mostly unnoticed, especially by the OS X built-in firewall. Scanrand actually is able to output results in SQL, which is very handy, as you can just query your results. Hey, I can do that with my access logs too. I haven’t feeded the SQL data into scanrand, but did manage to distill a list of the Mac users that have been reading for more than 5 minutes, with the IP addresses. After making sure it’s bandwidth was limited, I set it free.
The results? People use firewalls! Most connections fail by virtue of the host in question being behind NAT (which means a router with a LAN behind it). However, a significant number still allows me to verify. Oohh, output.

That’s scanrand having fun, to see if people are online or not. Results; out of the 5238 users, a few hours later, 59,55% (3119) is online. After a cursory analysis of the scans’ packet dump, I can determine by MAC address what computer is a Mac without a router before it, or a router of some sorts. Time to go on to the second phase, detecting services. For this, I use unicornscan, the former udpscan, which has very nice UDP scanning, and database support. unicornscan -B631 (or 5353 for Bonjour) -r200 -mU $target:631 (or 5353) -E >> ~/scanresults.tmp does the job here, with a basic script that greps ps and does a count of the amount of unicornscan processes. -r defines rate, as unicornscan is blazing, and must be limited, -mU is UDP scanning, and -E shows unreachable ports as well. I cap at about ten concurrent scans. The address goes into $target, naturally. It’s great, because this stuff simply doesn’t show a line of output, it just runs, and after a few hours, I got my results. Results.

Now for the numbers;

Eligible Readers: 3119
Readers with NAT: 2304
Readers without NAT: 815
Readers with open ports: 479
Readers with closed ports: 336
Readers already offline or Blocked: 6

What is there to say, apart from the not so shocking statistic that very few people switch off their router or Mac, is that a very cool 41.23% has followed my advice thoroughly and deleted those rules. Way to go, baby (provided these UDP scans are in any way accurate)! I am glad there are a lot of people who found this how-to useful and checked over their OS X.

digg this!

This is a folow-up on my earlier how-to “A more secure OS X before Leopard“. I have split this article from the results of the scan following the last article. I recommend following the first how-to before this one, if you haven’t read it, and see what potentially insecure defaults you can change without interfering with your daily activities. Some things touched there that I will not discuss here are;

- Filevault
- Turning on your Firewall
- Bluetooth
- Making a new, unprivileged user

Further securing OS X is something for the truly paranoid, although some of the tips in here are handy for people who do feel like a checklist of things they could do to secure their Mac further. I am one of those very paranoid people, and I like to be in control of what happens on my computer. There are, once again, basic, intermediate, and advanced tips and little tricks in here, this time clearly divided in difficulty.

- Disable your Microphone input and / or iSight if you aren’t using them This hint, from the NSA Hardening guide, is a very good way to protect against any way for an intruder to physically eavesdrop on you, and any Quicktime component can access your iSight. There might be vulnerabilities looming on the horizon. The most desirable first is the iSight, as it has a real privacy concern if it were to be compromised. It’s as simple as a copy and paste into your Terminal. It won’t be painful, just open it for now.

/usr/bin/sudo /bin/chmod a-rwx /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer

I will be explaining why I use full paths to commands later on. This simple line will make sure no user level process can access the module that interacts with the iSight. To restore;

/usr/bin/sudo /bin/chmod a+r /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer
(I had this all mixed up. Thanks Greg)

Many thanks to techslaves. To disable your Microphone as well, you can set it’s input volume to zero in the Sound preference pane, under the “Input” tab.

- Enable Secure Keyboard Entry in the Terminal It’s that simple. It’s in the “File” menu in the menu bar.

- Disable IPv6 if you aren’t using it. Why? Potential vector for attack. To fix this, go to the Network configuration pane. Select the connection you want to use for internet access, and click here;

And now make sure it is set as below;

- Disable automatic Movie playback. What if there were to be an iSight vulnerability by delivery in a Quicktime file? We wouldn’t want it to just play without us asking. Go to the Quicktime preference pane, browser tab;

- Set your software updater to check more frequently. Of course, we like to be ready for fixes. This goes without any picture, because this is too trivial. Just go to the preference pane of Software Update.

- Ensure that access for assistive devices is disabled. In the preference pane for Universal Access. You can also make your cursor insanely big here, which is nice.

- Use a firewall accessory application like Glowworm FW Lite, or Little Snitch . Speaks for itself. Lets you decide if you want applications to connect to something.

- Set an Open Firmware Password. OF Passwords can be subverted in some ways (the password is nulled when RAM configuration is changed), but it is a hindrance. This works differently for PowerPC Macs and Intel Macs, because the latter use EFI and the other Open Firmware. For PowerPC, use the tool in Utilities to change your password. You can also boot with Command-Option-O-F pressed, to enter the OF prompt. From there, enter your newly set password, and type;
setenv security-mode full

To set full security mode, the most secure mode.
For Intel Macs. Apple has not yet provided security extensions to the EFI. You can use the Open Firmware Password Utility to set an EFI password, but that’s about it. Perhaps in the future, we will see rEFIt become TPM-aware (see advanced section).

- Use a more reliable DNS service. It may even speed up your internet. OpenDNS is dubbed by some to be more reliable and secure than an arbitrary DNS server of your ISP. No real argument against that. To set OpenDNS’s DNS servers as yours, go to the Network preference pane, and select the interface you use for internet access.

Simply set this field, present under the TCP/IP tab in your interface of choice, to these addresses, or go to OpenDNS yourself to verify (hey, I could offer you IP’s of MY DNS server, so don’t thread lightly).

- Set a login-window warning banner. (Courtesy of the Corsaire Report) Simply type;
/usr/bin/sudo /usr/bin/open /Library/Preferences/com.apple.loginwindow.plist
in the terminal. This opens the preference file of your loginwindow application.

Make sure where the suggestion for the password is, like my bogus text here, completely empty. Mine says “Grensschutzgruppe en Bas Haring”. Password hints may be a risk to the security of your system. Now, back on topic. Simply click the New Sibling button, and add the sibling LoginwindowText. Add some intimidating text, like;
This is a private computer system and is for authorised use only.
Any or all use of this system and all files on this system may be intercepted and monitored.
Unauthorised or improper use of this system may result in disciplinary and/or legal action. By
continuing to use this system you indicate your awareness of and consent to these terms and conditions
of use.

- Lock your keychain. By default, the keychain that stores your passwords, is always unlocked. No one can read your passwords, but programs are able to access your passwords, if they created the password. Use the Keychain Access application to set another password than your login password for the keychain. It will then prompt you for your keychain password every time an item is needed, and it will be open for a configurable period, which defaults to 5 minutes.

- Use Encrypted Disk Images. To secure file, or nest encrypted files even deeper in filevault, you can use the Disk Utility to create secure disk images.

- Set a more critical umask. (command courtesy of Corsaire write-up) The default umask allows all users to read each other’s new files. This command disables this;
/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/.GlobalPreferences NSUmask 23

- Enable Process Auditing. (command courtesy of Corsaire write-up) This will log commands executed by all users. One line;
/usr/bin/sudo /bin/mkdir /var/account && /usr/bin/sudo /usr/bin/touch /var/account/acct && /usr/bin/sudo /usr/sbin/accton /var/account/acct
It will now run from startup.

- Force SSH to use SSH2. You can edit the ssh configuration like this;
/usr/bin/sudo /usr/bin/nano /etc/sshd_config
Now replace the line that reads “#Protocol 2, 1″ with “Protocol 2″. Lose the comment mark, otherwise it won’t work.

- Use full paths to command names. This security measure, coined mostly by Rixstep (the author of the brilliant ACP), ensures Bash or defaults path poisoning is no longer an attack avenue. Although the bash developers didn’t consider it to be a real issue, Rixstep’s CLIX (an essential accessory to any power user, and it is free) has path resolving and builtin measures against path poisoning.

- Keep an eye on startup scripts in launchd. Lingon can be used to monitor what starts up automatically. It’s an excellent GUI utility.

- Keep an eye on running services. I use the simple iServeBox for this. A simple GUI to enable or disable services, handy if you know what you are doing.

- Compile and run Bastille-OSX on a regular basis.Bastille for OS X is a hardening assessment tool. It goes recommended for anyone that knows what he or she is doing. Perl-Tk on OS X might be a useful resource in this effort.
- Compile and implement SEDarwin. PPC-only for now, SEDarwin is an adaptation of the open Darwin kernel at the heart of OS X to support the Mandatory Access Control framework. It is, of course, based off SELinux.
- Use the Trusted Platform Module in your Mac. This is, only if it has one. The first generation of Macbook Pro’s have a TPM, for example. Do an ioreg;

/usr/sbin/ioreg | /usr/bin/grep -i tpm

The output should look like this, and not any differently;

| +-o TPM