Mac OS X Security Tips
I believe no operating system is really more secure than the next, largely because people write software and sometimes people make mistakes. It is these mistakes (or bugs) that can lead to security vulnerabilities. What makes an operating system secure is the ability to easily configure it.
Mac OS X has one of the more secure default installations. However, as OS X gains popularity, attackers tend to take notice. We see more hacking tools, articles, and security incidents related to OS X as time goes on. Thankfully OS X's BSD-based subsystems make it very configurable, especially when it comes to security settings, which helps to set it apart from the rest. Below are some tips to get you started securing OS X.
Applying Software Updates
OS X comes with an automated software update feature. Just as in Windows, this should be configured to check for updates as often as possible and to install them automatically.
Automatically applying patches can be risky. Patches sometimes break things, so use caution when enabling this feature.
This can be done in System Preferences -> Software Update.
Make certain your settings match the ones displayed in Figure 1. This tells OS X to check for updates every day and to download them automatically when they are available. The software update tool can also be run from the command line. Open the Terminal and enter:
sudo /usr/sbin/softwareupdate -i -r 2>&1 >>
If your system is up to date you should see the following output in /Library/Logs/autosoftwareupdate.log:
Software Update Tool
Copyright 2002-2003 Apple Computer, Inc.
Your software is up to date.
The command line tool is useful for updating systems remotely over SSH.
User Accounts & Passwords
There are many ways to secure account settings, user login behaviour, and passwords in OS X. A good place to start is System Preferences -> Accounts.
If you click on Login Options you can change some of the default login settings. The setting next to Display Login Window as: lets you either list all valid users on the login screen or require a user to type a valid username. Choose Name and password so that your system does not list valid users on the login screen: a list of valid usernames is valuable information to give away, so require users to enter their username by hand.
Also on this screen you can disable automatic login and fast user switching. These are convenient features, but they do nothing to enforce security on your computer. Disable them by unchecking Automatically log in as: and Enable fast user switching.
You will also notice in Figure 2 that there are separate accounts for the system and for the user. It is important that you create an unprivileged user account and log in with it each time you use your OS X system. When you need to perform a task that requires administrative privileges, OS X will automatically prompt you for the administrator password. This is an excellent security feature that you should take advantage of (and one that is not as easy to implement on Windows systems). Note that Tiger automatically takes advantage of Keychain's password tool (which can help you create secure passwords).
Use good passwords on your system! A "good" password is at least 8 characters long, mixes upper and lower case, and includes a mixture of letters, numbers, and punctuation characters. For more information see the Brown University Computing Passwords Policy, Section 3, at www.brown.edu/cis/policy/password.html.
Configuring the Firewall
The firewall in OS X is based on the BSD firewall ipfw and is not enabled by default. One of the first things you should do when configuring your OS X system for the first time is go to System Preferences -> Sharing -> Firewall and click Start. This enables the firewall. When you enable services in the Services tab, the firewall automatically opens the ports that service needs to function.
The System Preferences pane does not give you access to many of the features available in ipfw. For example, the firewall that comes with Panther (10.3) does not block UDP by default (OS X 10.4 Tiger has an option for this). If you open a Terminal window on a 10.3 system and list the firewall rules manually, you can see the rules that are actually in effect:
$ sudo ipfw list
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any 22 in
12190 deny tcp from any to any
65535 allow ip from any to any
In the output above, the first column is a unique id number for each rule, followed by the action (allow/deny), the protocol (ip, tcp, udp, icmp), and the source and destination information. Rules are evaluated in order and the first match wins. If you look closely at rule 12190 you will notice it denies all TCP traffic not already allowed by the rules above it. The final rule, 65535, allows all other traffic. This means that any inbound UDP packet is permitted into the system.
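To make the first-match behaviour concrete, here is an added example of my own (not code from the article or from Apple) that parses the ipfw listing above and reports which rule decides a packet's fate. The packet description (protocol, addresses, destination port, direction, interface, established flag) and the sample addresses 192.168.23.14 and 192.168.23.50 are constructed for the example; the rules themselves are the ones from the listing.

```python
import ipaddress
import re
from fnmatch import fnmatch

# The Panther (10.3) ruleset exactly as printed by `ipfw list` in the article.
IPFW_LIST = """\
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any 22 in
12190 deny tcp from any to any
65535 allow ip from any to any
"""

# Covers the rule syntax that appears in the listing: an optional port after
# each address and trailing options (in/out, established, via <interface>).
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<proto>\w+)\s+"
    r"from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?\s+"
    r"to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?(?P<opts>.*)$"
)


def parse_rules(listing):
    """Turn `ipfw list` text into a list of rule dicts, in evaluation order."""
    rules = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed ipfw rule: " + line)
        opts = m.group("opts").split()
        rules.append({
            "num": int(m.group("num")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": m.group("src"),
            "sport": int(m.group("sport")) if m.group("sport") else None,
            "dst": m.group("dst"),
            "dport": int(m.group("dport")) if m.group("dport") else None,
            "direction": "in" if "in" in opts else "out" if "out" in opts else None,
            "established": "established" in opts,
            "via": opts[opts.index("via") + 1] if "via" in opts else None,
        })
    return rules


def packet(proto, dport, direction="in", src="192.168.23.14",
           dst="192.168.23.50", iface="en0", established=False):
    """A constructed packet description; the default addresses are made up."""
    return {"proto": proto, "dport": dport, "sport": None, "direction": direction,
            "src": src, "dst": dst, "iface": iface, "established": established}


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _rule_matches(rule, pkt):
    # "ip" matches every protocol; anything else must match exactly.
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_matches(rule["src"], pkt["src"]) and _addr_matches(rule["dst"], pkt["dst"])):
        return False
    if rule["sport"] is not None and rule["sport"] != pkt["sport"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["direction"] is not None and rule["direction"] != pkt["direction"]:
        return False
    if rule["established"] and not pkt["established"]:
        return False
    if rule["via"] is not None and not fnmatch(pkt["iface"], rule["via"]):
        return False
    return True


def verdict(rules, pkt):
    """ipfw is first-match: return (rule number, action) of the first rule that applies."""
    for rule in rules:
        if _rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    raise RuntimeError("no rule matched; a real ipfw table always ends with rule 65535")


RULES = parse_rules(IPFW_LIST)

if __name__ == "__main__":
    for label, pkt in [("inbound TCP to port 22", packet("tcp", 22)),
                       ("inbound TCP to port 80", packet("tcp", 80)),
                       ("inbound UDP to port 53", packet("udp", 53))]:
        print("%-24s -> rule %05d %s" % ((label,) + verdict(RULES, pkt)))
```

Running it shows inbound TCP to port 22 stopping at rule 02070 and inbound TCP to port 80 at the 12190 deny, while inbound UDP to port 53 falls all the way through to 65535 and is allowed, which is the Panther UDP gap described above.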
There are many other firewalling options that the preference pane does not expose, such as allowing or blocking other protocols like ICMP, specifying source IP addresses to allow or block, and applying different rules to different interfaces (such as AirPort). Those familiar with UNIX should be comfortable configuring ipfw from command line scripts (for more information, open Terminal and type "man ipfw"). You can also use "mfw" ( http://sial.org/howto/osx/firewall/ ) to manage multiple command line firewall rulesets.
Those who are not so familiar with UNIX may want to check out one of the following GUI tools, which give access to more firewall features. Note, however, that uninformed changes can do considerable damage to your firewall configuration.
Brickhouse ( http://personalpages.tds.net/~brian_hill/brickhouse.html ) – Provides access to many advanced features in an easy to use GUI. Works with 10.3 and 10.4. Shareware, $25.00 per computer.
Firewalk X ( http://www.pliris-soft.com/products/firewalkx/ ) – No, not the popular testing tool "Firewalk" that probes firewall rules, but "Firewalk X", another GUI for the OS X firewall. Includes such features as rule scheduling and per-application restrictions (like ZoneAlarm). Currently only supports 10.1.x-10.3.x. Shareware, $34.99 per computer.
SunShield ( http://www.sunprotectingfactory.com/sunShield/shield_news.html ) – A multi-language firewall GUI for OS X that features advanced logging and rule templates. Free, though donations are welcome via PayPal.
Remote Access with SSH
Like most UNIX-based systems, OS X comes with OpenSSH for remote command line access and file transfers. You should use it instead of FTP or Telnet, which send your usernames, passwords, and all data in cleartext over the network. SSH encrypts the session and has a better overall security model. However, the default SSH installation in OS X can be configured more securely. (For more information on OpenSSH, open the Terminal utility and type "man ssh" at the prompt, or see the SSH tutorial for OS X at http://itexpress.ucdavis.edu/help/tutorials/openssh.shtml.)
To do this, edit /etc/sshd_config and change the following values, described one by one below:
The Port option tells the SSH server which port to listen on. If you are truly paranoid you can change the port to something other than 22. If you do this, be certain to adjust the firewall and use the -p option of the SSH client to connect to the new port.
The Protocol line instructs sshd to accept only SSH protocol version 2 connections, as protocol version 1 had its share of problems and does not use as strong an encryption algorithm as version 2.
If you have a static IP address assigned to your OS X system, list the listen address explicitly. This stops sshd from listening on other interfaces, such as the AirPort adapter. By default, no log level is set in the configuration file. I use DEBUG level logging, which is verbose, but tells you who is accessing your system.
The next line disallows root logins.
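The article does not reproduce the sshd_config lines it describes, so here is an added example of my own (neither Apple's file nor the author's) that writes them out and audits a config file against them. The hardened fragment uses 192.0.2.10 as a placeholder for the static ListenAddress; the "stock" file, the user-facing finding text, and the compiled-in defaults it assumes (Protocol 2,1, PermitRootLogin yes, LogLevel INFO, the OpenSSH defaults of the 10.3/10.4 era) are constructed for the example.

```python
import re

# The five settings the article describes. The ListenAddress value is a
# placeholder: substitute the static IP of your own machine.
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
ListenAddress 192.0.2.10
LogLevel DEBUG
PermitRootLogin no
"""

# Constructed stand-in for an untouched file: every directive commented out,
# so sshd falls back to its compiled-in defaults.
STOCK_SSHD_CONFIG = """\
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#LogLevel INFO
#PermitRootLogin yes
"""

# Assumed compiled-in defaults for OpenSSH of the OS X 10.3/10.4 era.
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes", "loglevel": "INFO"}

# sshd_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
KEYVAL_RE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd honours the FIRST occurrence of a
    keyword, so later duplicates are ignored here as well."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = KEYVAL_RE.match(line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2))
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the file already has
    the settings the article recommends."""
    cfg = parse_sshd_config(text)
    findings = []
    protocols = cfg.get("protocol", DEFAULTS["protocol"]).replace(" ", "").split(",")
    if "1" in protocols:
        findings.append("Protocol: version 1 still accepted; set 'Protocol 2'")
    if cfg.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower() != "no":
        findings.append("PermitRootLogin: direct root logins allowed; set 'PermitRootLogin no'")
    if cfg.get("listenaddress", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("ListenAddress: sshd listens on every interface; bind it to the static IP")
    verbose_levels = ("VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3")
    if cfg.get("loglevel", DEFAULTS["loglevel"]).upper() not in verbose_levels:
        findings.append("LogLevel: left at INFO; the article uses DEBUG to record who connects")
    return findings


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_SSHD_CONFIG), ("stock", STOCK_SSHD_CONFIG)):
        print(name + ":", audit_sshd_config(text) or ["ok"])
```

Point the audit at the real file with `audit_sshd_config(open("/etc/sshd_config").read())` and restart sshd after making changes; the first-occurrence rule in the parser matters because a hardening line appended at the end of the file is silently ignored if the same keyword is set earlier.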
With these settings in place, an invalid login attempt on this system would look like this:
Aug 26 16:38:40 localhost sshd: Connection from 192.168.23.14 port 42768
Aug 26 16:38:42 localhost sshd: reverse mapping checking getaddrinfo for somehost.domain.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 26 16:38:43 localhost sshd: Failed password for root from 192.168.23.14 port 42768 ssh2
The SSH log records each connection attempt. The first entry tells us that 192.168.23.14 opened a connection to our host via SSH. By default sshd performs a reverse DNS lookup (IP -> hostname) for each connection and then checks that the resulting name resolves back to the same address; here the name somehost.domain.com did not, which sshd flags as a possible break-in attempt and which indicates that the connection could be malicious. The last line shows that the user tried, and failed, to log in as root.
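As an added example (not from the article), here is a small parser for sshd log lines in the format shown above that counts failed logins per source address and flags root attempts and failed reverse mappings. The first three log lines are the article's; the remaining lines, the user name paul, and the address 10.0.0.5 are constructed.

```python
import re
from collections import Counter

# First three lines are the article's; the rest are constructed for the example.
SAMPLE_LOG = """\
Aug 26 16:38:40 localhost sshd: Connection from 192.168.23.14 port 42768
Aug 26 16:38:42 localhost sshd: reverse mapping checking getaddrinfo for somehost.domain.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 26 16:38:43 localhost sshd: Failed password for root from 192.168.23.14 port 42768 ssh2
Aug 26 16:38:47 localhost sshd: Failed password for root from 192.168.23.14 port 42768 ssh2
Aug 26 16:38:51 localhost sshd: Failed password for invalid user admin from 192.168.23.14 port 42770 ssh2
Aug 26 16:40:02 localhost sshd: Accepted publickey for paul from 10.0.0.5 port 51002 ssh2
"""

# syslog prefix: timestamp, host, "sshd" with an optional [pid], then the message.
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd(?:\[\d+\])?: (.*)$")
PATTERNS = {
    "connect": re.compile(r"^Connection from (?P<ip>\S+) port (?P<port>\d+)"),
    "reverse_fail": re.compile(r"^reverse mapping checking getaddrinfo for (?P<host>\S+) failed"),
    "failed": re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
    "accepted": re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
}


def parse_sshd_log(text):
    """Return one event dict per recognised line; unrecognised lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, host, msg = m.groups()
        for kind, pat in PATTERNS.items():
            hit = pat.match(msg)
            if hit:
                ev = {"ts": ts, "host": host, "kind": kind}
                ev.update(hit.groupdict())
                events.append(ev)
                break
    return events


def summarize(events, fail_threshold=3):
    """Aggregate events into the numbers an admin would look at first."""
    failed_by_ip = Counter(e["ip"] for e in events if e["kind"] == "failed")
    return {
        "failed_by_ip": failed_by_ip,
        "root_attempts": sum(1 for e in events if e["kind"] == "failed" and e["user"] == "root"),
        "reverse_failures": sum(1 for e in events if e["kind"] == "reverse_fail"),
        "accepted": [(e["user"], e["ip"]) for e in events if e["kind"] == "accepted"],
        # source addresses that reached the failure threshold
        "alerts": sorted(ip for ip, n in failed_by_ip.items() if n >= fail_threshold),
    }


if __name__ == "__main__":
    rep = summarize(parse_sshd_log(SAMPLE_LOG))
    for ip, n in rep["failed_by_ip"].most_common():
        print("%s: %d failed logins" % (ip, n))
    print("root attempts:", rep["root_attempts"], "| reverse lookup failures:", rep["reverse_failures"])
    print("accepted:", rep["accepted"], "| alert on:", rep["alerts"])
```

Feed it the real log with `parse_sshd_log(open("/var/log/secure.log").read())` (or wherever your syslog configuration sends sshd messages); with PermitRootLogin set to no, every root attempt it counts is by definition somebody probing rather than a legitimate login.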
There are many tools and techniques available to help secure OS X. This article provides an introduction to just a few in order to get you started. See the next section for more OS X security resources.
Author: Paul Asadoorian, GCIA, GCIH
Date: September 14, 2005