Despite impressions to the contrary, Macintoshes running Mac OS X
are not magically protected from being broken into by intruders or
otherwise compromised through security vulnerabilities. As a stark
reminder, Karen Eft, the campus IT Policy Manager, wrote us today
that "unfortunately, the incidence of [Mac OS X security] problems
[on campus] has increased lately."
She cited a particular instance this week of a compromised
Macintosh that was running an unauthorized IRC server; SNS
hypothesized that the machine likely was broken into by someone
running a script that repeatedly submitted various, commonly-selected
usernames and passwords until it found the right combination to log
into an account with administrative privileges on that Macintosh via
Remote Login (SSH).
See below for some hints about how to protect your own Macintoshes
from this type of attack. Comments and further suggestions are
welcomed; please post them to the MAGNet and/or UCB Security lists.
Aron Roberts
Workstation Software Support Group
-- There are several ways to identify whether Remote Login is enabled. One of the simplest is to select "System Preferences..." from the Apple menu, and click the "Sharing" icon. (In newer versions of Mac OS X, you might then also need to click the "Services" tab in the Sharing preferences pane.) If there is a checkmark next to the "Remote Login" service, in the scrolling list of services in the Sharing preferences pane, your Macintosh is running that service, and thus is potentially vulnerable to being broken into by someone using a similar script, especially if one or more user accounts might have a relatively weak password. If Remote Login - essentially the ability to access a shell account on your Macintosh from another computer, in order to run commands on your Macintosh remotely - isn't necessary, or is only needed on rare occasions, the safest course is to simply turn that service off. You can do so by clicking the box next to "Remote Login" in the Sharing preferences, to remove the checkmark from that box. Note: you may first need to click the lock icon in the lower-left corner of the preferences window, and enter the name and password of an administrator's account, in order to make this change. If you do need to run the Remote Login service on one or more Macintoshes, however, then you'll also need to protect it from being attacked on every computer where it is running. As a starting point, make sure that every user's password on those Macintoshes meets the strength requirements of the campus Minimum Security Standards for Networked Devices: http://security.berkeley.edu:2002/MinStds/Passwords.html In addition, you should use one or more methods of supplemental protection for the Remote Login service. One simple way to help protect that service is to use Norton Personal Firewall (NPF), the campus's site-licensed personal firewall software for Mac OS X. This software is available on the Connecting@Berkeley 2005 CD <http://cab.berkeley.edu>, and also can be downloaded from the WSSG Software website <http://software.berkeley.edu>. If Norton Personal Firewall is installed on a Macintosh, you can open that application by double-clicking its (alias) icon, which is located in the main Applications folder ("/Applications"). In the main NPF window, make sure that there is a check in the box next to "Enable Norton Personal Firewall", and that the words "The firewall is enabled. This computer is protected." appear directly below. In the scrolling list below "Protect these Internet services:" at left, scroll down until you see "Secure remote login (ssh)". Then click on that name, to highlight it. To the right, you'll see the options for protecting that service. Click the "Incoming" tab. Below "Access settings for 'Secure remote login (ssh)'", make sure that the option chosen in the pop-up menu is either "Deny all" - for times when you wish to temporarily disable access to that service altogether - or "Allow these addresses". If you select the latter, you can enter the IP addresses of one or more trusted computers - that will be the only ones allowed to access the Remote Login service on that Macintosh - by clicking the "New" button. For other suggestions about how you can protect the Remote Login service, ranging from restricting logins based on username or IP address, to requiring public key-based authentication, please see: "Modify Remote Login server to block scripted attacks" http://www.macosxhints.com/article.php?story=2005021023215253 including the many comments which follow this article. One reasonably brief and high-level overview of many additional steps you can take to make Macintoshes running Mac OS X more secure is: Stephen de Vries "Securing Mac OS X" October 15, 2004 http://www.informit.com/articles/article.asp?p=343277&seqNum=4&rl=1 Note that the instructions in this article, in part, refer to Mac OS X's built-in firewall, ipfw, rather than to Norton Personal Firewall, but the concepts used in those sections can also be applied to configuring NPF. ------------------------------------------------------------------------ The following was automatically added to this message by the list server: For information about MAGNet, its meetings and events, and its mailing list, including information on subscribing and unsubscribing, see the MAGNet Web site at <http://magnet.berkeley.edu/>.Received on Tue Mar 15 12:36:54 2005
This archive was generated by hypermail 2.1.8 : Tue Mar 15 2005 - 12:36:54 PST