Archive for the ‘Guide’ Category

Securing OS X using ipfw

Thursday, April 22nd, 2010

Recently I began using strongvpn to allow connections to my computer from the outside via vpn.

On my Mac I have Screen Sharing, Apache2, and ssh running. Thinking about security: before I started using the VPN service my computer could only be seen by people on campus, but now my machine is open to the whole world on those ports.

I wanted to block Screen Sharing and Apache from outside connections but still allow myself to reach my Mac from campus. To do this I did some quick research on ipfw; below are the commands I used to block all connections except those from campus.

sudo ipfw -f flush

sudo ipfw add 02055 deny tcp from any to any 5900 in

sudo ipfw add 02054 allow tcp from 128.153.0.0/16 to any 5900 in

sudo ipfw add 02070 deny tcp from any to any 80 in

sudo ipfw add 02069 allow tcp from 128.153.0.0/16 to any 80 in

sudo ipfw list

Below is an explanation of the rules above. ipfw evaluates rules in ascending rule-number order and stops at the first match, which is why each allow rule (02054, 02069) carries a lower number than the deny rule for the same port (02055, 02070): the campus allow is consulted first, and everything else falls through to the deny. The order in which you type the commands does not matter, only the numbers do.

sudo ipfw -f flush // removes all current rules; -f skips the confirmation prompt

sudo ipfw add 02055 deny tcp from any to any 5900 in // blocks all incoming TCP connections to port 5900, which is what VNC (Screen Sharing) uses

sudo ipfw add 02054 allow tcp from 128.153.0.0/16 to any 5900 in // allows incoming connections to port 5900 from campus addresses only, and is checked before 02055

This makes it so only people with an IP address of 128.153.xxx.xxx can connect on port 5900. The /16 is the prefix length: the first 16 bits (128.153) are fixed and the remaining 16 vary, so the block covers 65,536 addresses. A /24 (128.153.0.0/24) would fix the first three octets and admit only 128.153.0.xxx; a /32 is a single address, 128.153.0.0 itself, and would lock everyone out. The two port-80 rules work the same way for Apache.

Next we need a script that loads these rules at boot, because ipfw keeps its rules only in memory and they are gone after a restart.

To do so we create a file called loadipfwrules.sh in /usr/local/bin and paste the rules from above into it, with two changes: the first line of the file must be #!/bin/sh, and the sudo prefixes come off, since the launch daemon below already runs the script as root. Next we set the correct ownership and permissions on the file (owned by root:wheel, executable), so run

sudo chmod 0755 /usr/local/bin/loadipfwrules.sh

Next we make the .plist file that tells launchd to call our script at startup. We make a file in /Library/LaunchDaemons under any name; in this example we call it ipfwrules.plist. It must be owned by root:wheel and not writable by group or others, or launchd will refuse to load it. The plist file should contain the following:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>ipfwloadrules</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/loadipfwrules.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>root</string>
<key>GroupName</key>
<string>wheel</string>
</dict>
</plist>
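As an added example that is not the post's own script, here is a complete loadipfwrules.sh built around the rules above. It assumes the 10.6-era /sbin/ipfw, the campus block 128.153.0.0/16 and the two ports from the post, and it adds two things the post leaves out: it generates each port's allow rule with a lower number than its deny rule, and it runs as a dry run unless given the argument apply, so a typo cannot wipe the firewall while you are testing. With that design the plist's ProgramArguments array needs a second element, <string>apply</string>, after the script path. The hosts_in_prefix helper is there only to make the /16, /24 and /32 sizes concrete.

```sh
#!/bin/sh
# loadipfwrules.sh -- added example, not the post's script.
# Assumptions: /sbin/ipfw as on OS X 10.6 (ipfw gave way to pf in 10.7 and
# was removed in 10.10), 128.153.0.0/16 as the campus block, launchd running
# this as root. Without the argument "apply" it only prints the rules, so
# the launch daemon's ProgramArguments must pass "apply" after the path.
set -u

IPFW="${IPFW:-/sbin/ipfw}"
CAMPUS="${CAMPUS:-128.153.0.0/16}"   # addresses allowed to reach the services
PORTS="${PORTS:-5900 80}"            # Screen Sharing (VNC) and Apache

# hosts_in_prefix LEN: number of addresses in a /LEN block. A /16 holds
# 65536 (128.153.x.x), a /24 holds 256 (128.153.0.x), a /32 is one address.
hosts_in_prefix() {
    bits=$((32 - $1)); n=1
    while [ "$bits" -gt 0 ]; do n=$((n * 2)); bits=$((bits - 1)); done
    echo "$n"
}

# gen_rules CIDR PORT...: print one ipfw rule body per line, numbered like
# the post's (02054/02055 for the first port, 02069/02070 for the next).
# ipfw checks rules in ascending number order and stops at the first match,
# so the allow for a port must carry a lower number than its deny.
gen_rules() {
    cidr=$1; shift
    n=2054
    for port in "$@"; do
        printf 'add %05d allow tcp from %s to any %s in\n' "$n" "$cidr" "$port"
        printf 'add %05d deny tcp from any to any %s in\n' "$((n + 1))" "$port"
        n=$((n + 15))
    done
}

# apply_rules: flush the table, load the generated rules, show the result.
apply_rules() {
    [ -x "$IPFW" ] || { echo "ipfw not found at $IPFW" >&2; return 1; }
    "$IPFW" -f flush
    gen_rules "$CAMPUS" $PORTS | while read -r rule; do
        # $rule is split into ipfw's arguments on purpose
        "$IPFW" -q $rule
    done
    "$IPFW" list
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules "$CAMPUS" $PORTS ;;   # dry run: print, change nothing
esac
```

Install it with sudo install -o root -g wheel -m 0755 loadipfwrules.sh /usr/local/bin/loadipfwrules.sh, make sure the plist is likewise root-owned and mode 644, and load it without rebooting with sudo launchctl load /Library/LaunchDaemons/ipfwrules.plist; sudo ipfw list should then show the four rules plus the built-in rule 65535 allow ip from any to any, which a flush never removes. Since ipfw was replaced by pf in OS X 10.7 and removed in 10.10, on anything newer the same policy belongs in /etc/pf.conf instead.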

Anonymous FTP in Snow Leopard

Monday, April 5th, 2010

A while back I needed to let a friend of mine transfer some large files across the network on campus, so I enabled FTP in OS X and set up the anonymous user account. I got the following from the Mac OS X Hints website:

To enable anonymous FTP in Snow Leopard, just execute the following commands in Terminal:

$ sudo dscl . -create /Users/ftp
$ sudo dscl . -create /Users/ftp NFSHomeDirectory /path/to/ftp/folder

Replace /path/to/ftp/folder with the path to the directory that the guest account will have access to. To disable anonymous access, use this command:

$ sudo dscl . -delete /Users/ftp

You may have to restart the FTP daemon by stopping File Sharing and starting it again in System Preferences. Although I didn’t test it in Leopard, I see no reason why it shouldn’t work there as well.
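As an added example (not from the post or from Mac OS X Hints), this wrapper puts a check in front of the dscl commands quoted above: the directory handed to the ftp user must be an absolute path to an existing directory that is not group- or world-writable, because anonymous users land in it and a writable one turns the machine into a public drop box for anyone on the network. The script name anonftp.sh and the enable/disable/apply arguments are my own; without apply it only prints the dscl commands, and it assumes a share path without spaces.

```sh
#!/bin/sh
# anonftp.sh -- added example, not from the post or from Mac OS X Hints.
# Usage (assumed): anonftp.sh enable /path/to/share [apply]
#                  anonftp.sh disable [apply]
# Without "apply" the dscl commands are printed, not run.
set -u

# ftp_root_ok DIR: 0 if DIR is an absolute path to an existing directory that
# is not group- or world-writable. Anonymous users get DIR as their home, so a
# writable DIR lets anyone on the network store files on this machine.
ftp_root_ok() {
    dir=$1
    case "$dir" in /*) ;; *) echo "not an absolute path: $dir" >&2; return 1 ;; esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    perms=$(ls -ld "$dir" | cut -c1-10)      # e.g. drwxr-xr-x
    case "$perms" in
        ?????w*|????????w*)                  # group write (pos 6) or other write (pos 9)
            echo "$dir is group/world writable ($perms)" >&2; return 1 ;;
    esac
    return 0
}

# anon_ftp_commands enable DIR | disable: print the dscl commands (to run as
# root) that the post uses, after validating DIR for "enable".
anon_ftp_commands() {
    case "$1" in
        enable)
            ftp_root_ok "$2" || return 1
            echo "dscl . -create /Users/ftp"
            echo "dscl . -create /Users/ftp NFSHomeDirectory $2"
            ;;
        disable)
            echo "dscl . -delete /Users/ftp"
            ;;
        *)  echo "usage: $0 enable DIR [apply] | disable [apply]" >&2; return 2 ;;
    esac
}

# Top level: print the commands, or run them through sudo when "apply" is the
# last argument. The path is assumed to contain no spaces.
if [ "${1:-}" = enable ] || [ "${1:-}" = disable ]; then
    if [ "${3:-${2:-}}" = apply ]; then
        anon_ftp_commands "$1" "${2:-}" | while read -r cmd; do sudo $cmd; done
    else
        anon_ftp_commands "$1" "${2:-}"
    fi
fi
```

After enabling, stop and start File Sharing as the quoted hint says so the FTP daemon picks up the new account; the disable path removes the record but leaves the directory and its contents alone.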

Setting up https in Ubuntu 9.10 running Apache 2

Friday, February 12th, 2010

I run an Apache webserver off my HP tablet when I'm not using it, and recently I've been wanting to sit down and learn about SSL and HTTPS and implement it. I did some googling on the topic and figured out how to set it up. I thought it might be helpful to compile all the information along with the original links so people don't have to bounce from website to website like I did.

Just for reference, I am using Ubuntu 9.10 with Apache 2.2.12, and I am running this from within my dorm room where only people on campus can see my server; this might not be a good idea if you are using this on a more public server.

- Getting Started / HTTPS Configuration -

The mod_ssl module adds an important feature to the Apache2 server – the ability to encrypt communications. So what we want to do is run the following command to enable SSL:

sudo a2enmod ssl

There is a default HTTPS configuration file in /etc/apache2/sites-available/default-ssl. In order for Apache to provide HTTPS, a certificate and key file are also needed; on Ubuntu the default-ssl site already points at the self-signed pair that the ssl-cert package generates, /etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key. That pair gives you encryption but not identity: browsers will warn about it, and anyone can produce such a certificate, so for a server reachable beyond campus replace it with a certificate issued for your hostname. To configure Apache to use the site we next run this command:

sudo a2ensite default-ssl

All that is left now is to restart Apache so the changes are applied. You can just type the following:

sudo service apache2 restart

or

sudo /etc/init.d/apache2 restart

[ Ubuntu's Documentation ]

- Force the browser from HTTP to HTTPS -

Next I wanted to make sure anyone who visited my server would be forced to use https. To do so I did the following, which might not be the best way but it was certainly the easiest way. For more information on why this isn’t the best way consult the links provided.

To enable .htaccess files in Apache, you need to edit /etc/apache2/sites-available/default and change the line AllowOverride None to AllowOverride All in the <Directory /var/www/> section shown below. Be aware of what that grants: with All, anyone who can write a file into /var/www (a vulnerable web application, for instance) can change Apache's behaviour for that directory. For a mod_rewrite rule the narrower AllowOverride FileInfo is enough, and the redirect does not need .htaccess at all if it is placed in the port-80 virtual host instead.


<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

Next just restart Apache with one of the commands as listed above.

[ Enable .htaccess Documentation ]

Finally I just added a .htaccess file to /var/www with the following (mod_rewrite is not enabled by default on Ubuntu, so run sudo a2enmod rewrite and restart Apache first, or the rules are silently ignored):

RewriteEngine On
# match any request that did not arrive over TLS, whatever port it came in on
RewriteCond %{HTTPS} off
# 301 rather than the default 302 so browsers remember the redirect
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
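As an added example covering both parts of this post, and not the author's configuration, the script below generates a self-signed certificate whose subjectAltName names the host (browsers check the SAN, not just the CN) and prints an Apache 2.2 pair of virtual hosts: one on port 80 whose only job is a permanent redirect to HTTPS, and one on port 443 that serves the site with the generated key pair and sends a Strict-Transport-Security header so returning browsers never try plain HTTP again. It assumes OpenSSL 1.1.1 or newer for -addext and that mod_ssl and mod_headers are enabled (sudo a2enmod ssl headers); the script name, hostname and paths are placeholders. Two caveats: the self-signed certificate still triggers a browser warning, and browsers only honour HSTS from a connection whose certificate validated, so the header is inert until a CA-issued certificate replaces the self-signed one.

```sh
#!/bin/sh
# https_site.sh -- added example, not the post's configuration.
# Assumptions: OpenSSL 1.1.1+ (for -addext), Apache 2.2 with mod_ssl and
# mod_headers enabled (sudo a2enmod ssl headers), and placeholder names for
# the host, the DocumentRoot and the certificate directory.
set -u

# gen_self_signed HOST OUTDIR: writes OUTDIR/HOST.key (mode 600, never
# world-readable even briefly) and OUTDIR/HOST.crt (mode 644), a one-year
# self-signed certificate whose subjectAltName names HOST.
gen_self_signed() {
    host=$1; out=$2
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$out/$host.key" -out "$out/$host.crt" 2>/dev/null ) \
    && chmod 644 "$out/$host.crt"
}

# cert_matches HOST CRT: 0 if CRT lists DNS:HOST in its subjectAltName,
# which is what a browser compares against the hostname in the URL.
cert_matches() {
    openssl x509 -noout -text -in "$2" 2>/dev/null | grep -qE "DNS:$1(,| |\$)"
}

# vhost_config HOST DOCROOT CRT KEY: print Apache 2.2 vhosts for :80 and :443.
vhost_config() {
    host=$1; docroot=$2; crt=$3; key=$4
    cat <<EOF
# Port 80 serves nothing: every request gets a permanent (301) redirect,
# path included, to the same URL over HTTPS.
<VirtualHost *:80>
    ServerName $host
    Redirect permanent / https://$host/
</VirtualHost>

<VirtualHost *:443>
    ServerName $host
    DocumentRoot $docroot
    SSLEngine on
    SSLCertificateFile $crt
    SSLCertificateKeyFile $key
    # HSTS: a browser that has seen this header over a validated HTTPS
    # connection will not try plain HTTP to this host for a year, closing
    # the window the redirect leaves open on the first request.
    Header always set Strict-Transport-Security "max-age=31536000"
    <Directory $docroot>
        Options FollowSymLinks
        # None: the redirect lives here in the vhost, so .htaccess is not
        # needed and a file written into DocumentRoot cannot change config.
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
EOF
}

# Usage (assumed names): https_site.sh www.example.com /var/www /etc/ssl/local
if [ $# -eq 3 ]; then
    gen_self_signed "$1" "$3" && vhost_config "$1" "$2" "$3/$1.crt" "$3/$1.key"
fi
```

Write the printed configuration to a file under /etc/apache2/sites-available/, enable it with a2ensite in place of default-ssl, disable the stock default site so nothing else answers on port 80, and restart Apache; with the redirect in the virtual host, AllowOverride can stay at None and the .htaccess approach is unnecessary.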