Apple and 4K monitors…

Apple 4k monitor…

For some time I had wished for a 4K monitor, and Samsung had released one…

The problem is that I cannot use the 4K monitor and the Thunderbolt monitor at the same time on the Thunderbolt ports; both are disabled each time I try to connect them…

Only the HDMI port remains; it works fine if I connect the Thunderbolt monitor to one of the Thunderbolt ports and the 4K monitor to the HDMI port.

Cons of this configuration:

The 4K monitor only works at 30Hz instead of 60Hz, and that sucks.

The image is not that good and makes my eyes hurt.

If I connect the 4K monitor to the Thunderbolt port it works fine at 60Hz.

Why do site developers insist on forcing on us the language of the country we are in?!

Lately I have noticed that sites have started to ignore the setting in our browsers that tells them which language we prefer.

They have started to enforce the language associated with the IP address and its country…

In a modern society with so many people travelling, it does not seem logical to be constantly forced to change things in order to read the information, or to force people to use languages that are not their native ones.

I have started to stop reading some of them and replacing them with others that do not do that automatic change.

Here is an example:

(check the selected language in the bottom right; regardless of this, I have also configured English in my browser… )

Google forcing German

MAC OS X file system Introduction

Knowing the hierarchical organisation of the file system of a given operating system is very important for everyone who works in security.

This is the normal structure of the Apple file system.
For this we assume that the system has a user named User1.

Hidden folders will be coloured in green.

Normal viewable folders will be coloured in Purple.

/ – the root path of the file system.
/Applications – This directory is where you install apps intended for use by all users of a computer.
/Network – This directory contains the list of computers in the local area network.
/System – This directory contains the system resources required by OS X to run.
/Users – This directory contains one or more user home directories.
/Users/User1/Applications – Contains user-specific apps.
/Users/User1/Desktop – Contains the items on the user’s desktop.
/Users/User1/Documents – Contains user documents and files.
/Users/User1/Downloads – Contains files downloaded from the Internet.
/Users/User1/Library – Contains user-specific app files (hidden in OS X v10.7 and later).
/Users/User1/Movies – Contains the user’s video files.
/Users/User1/Music – Contains the user’s music files.
/Users/User1/Pictures – Contains the user’s photos.
/Users/User1/Public – Contains content the user wants to share.
/Users/User1/Sites – Contains web pages used by the user’s personal site.

/bin – Contains essential command-line binaries. Typically, you execute these binaries from command-line scripts.
/dev – Contains essential device files, such as mount points for attached hardware.
/etc – Contains host-specific configuration files.
/sbin – Contains essential system binaries.
/tmp – Contains temporary files created by apps and the system.
/usr – Contains non-essential command-line binaries, libraries, header files, and other data.
/var – Contains log files and other files whose content is variable. (Log files are typically viewed using the Console app.)

/Volumes – the mount point of all drives connected to the system.

/Private – destination of some symbolic links.

/Net – shortcut access to network drives.

/Home

/Cores – directory for core dumps.

/Trashes – everything that we have put in the trash.

/Spotlight – information related to Spotlight.

/Developer – path to old Xcode information.

There are two primary techniques for identifying the type of content in a file:

  • Uniform Type Identifiers (UTIs) – a string that uniquely identifies a class of entities considered to have a “type.” UTIs provide consistent identifiers for data that all apps and services can recognise and rely upon.
    • public.text – A public type that identifies text data.
    • public.jpeg – A public type that identifies JPEG image data.
    • com.apple.bundle – An Apple type that identifies a bundle directory.
    • com.apple.application-bundle – An Apple type that identifies a bundled app.
  • Filename extensions – A filename extension is a string of characters appended to the end of a file name and separated from the main filename with a period.

Kabel Deutschland and DynDNS… :( first piece…

Well, my DynDNS has stopped working on Kabel Deutschland…

I am a bit pissed…

It appears that they have changed from IPv4 to IPv6, and somewhere in their network there is a conversion back to IPv4… 🙁 which I think is killing my DynDNS functionality…

I am trying to see how I can bypass this issue…

Talking with them is hard (almost impossible; I depend on the good will of the support team to speak English…) because I do not speak German… 🙁 so I guess I will need to find out how I can reconfigure my devices… 🙂

Most of the pages that talk about similar issues are in German as well, so they are not much help to me…

First let us find out a bit more about the device… (Enumeration)

I asked for the cheapest one… I got a cable modem of a brand unknown to me: CBN, model number CH6640E.
After some searching I found the following manual for the device…
http://www.ktech.no/CG6640E_User_Guide_English.pdf

German version…
https://www.kabeldeutschland.de/psources/media/Handbuch_compal_cbn_ch6640e.pdf

There are some differences between the manuals… But even this German version has more menus than my device…

More info about the device…

Vendor CBN Inc.
Model CH6640E
Hardware Version 1.0
Firmware Version CH6640-3.5.11.7-NOSH
Boot Version PSPU-Boot(BBU) 1.0.12.19m1-CBN03

Interesting reading; it seems that the device can have Wi-Fi but somehow it is not functional, either because it is not there or because someone disabled it in the firmware… (well, I did not ask for the Wi-Fi version, to make it cheaper…) I will check this later.

In one of the documents I read that there are 2 special users configured on the device… 🙂

1 – admin, with default password admin, for user access to the gateway pages…
2 – root, with default password compalbn, for access to the Operator mode… I guess this is the equivalent of a privileged user… 🙂

Of course Kabel Deutschland has changed the password or disabled this functionality… 😛

The menu schema according to the manuals is not the same either…

It seems that I have some missing menus.

Sadly, one of the things that is missing is the logs web page…

I will have to find out if I can get access to that info in another way. 🙁

In the manual it seems that some firmware versions have a web page where we can set up the DynDNS configuration…
I wonder whether they disabled it on purpose or whether it is my device that does not support these extra configs… 🙁

Let's try to see which firmware has that option and which firmware versions are available… 🙂

Manufacturer…

http://www.icbn.com.tw
That conveniently has its page under construction… 🙁 as of 04-01-2015…

These are the listening ports from inside…

PORT SCAN

PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
53/tcp open domain dnsmasq 2.46
80/tcp open tcpwrapped
554/tcp open tcpwrapped
5000/tcp open sip (SIP end point; Status: 501 Not Implemented)
7070/tcp open tcpwrapped

For now this is all…

MAC OS X 10.9 Hardening

How to harden your MAC OS X

This is a guide to help all administrators who want a well-hardened MAC OS X operating system.
This is a reference; your needs might be different, but this can be considered a baseline for starting the hardening.
The version for this document is OS X 10.9.
I will try to do another for the latest version, OS X 10.10, with the differences.

I will use terminal commands to make it easier for administrators to build custom scripts and deploy them in an automated way.

1 – Updates

List available software for updates

softwareupdate -l

If there is no software that needs to be updated the result will be “No new software available”.

Install all Available software

sudo softwareupdate -i packagename

Enable Auto Update

Verify the status:

defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled

Make sure the result is: 1

Configure auto update:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1

Update applications

Verify the status:

defaults read /Library/Preferences/com.apple.storeagent AutoUpdate

Verify the value returned is: 1

Configure App auto update:

sudo defaults write /Library/Preferences/com.apple.storeagent AutoUpdate -int 1

Enable system and security update

Verify the status:

defaults read /Library/Preferences/com.apple.SoftwareUpdate | egrep '(ConfigDataInstall|CriticalUpdateInstall)'

Verify the values returned: ConfigDataInstall = 1; CriticalUpdateInstall = 1;

Configure Security Auto Updates

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -int 1 && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -int 1

Configuring System Preferences

Disable Bluetooth

Verify the status:

defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState

Verify return value: 0

If the value is 1, Bluetooth is enabled.
Check whether there are paired devices:

system_profiler SPBluetoothDataType | grep Connectable

Verify return value: Connectable:Yes

Disable Bluetooth if no device is connected:

sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
sudo killall -HUP blued

Disable Bluetooth Discoverable mode

Verify the status:

/usr/sbin/system_profiler SPBluetoothDataType | grep -i discoverable

Verify returned value is: Off

Disable discoverable bluetooth

# Run as: script.sh <username>; defaults to the current user if no argument is given.
user="${1:-$USER}"
uuid=$(/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57)
/usr/bin/defaults write "/Users/$user/Library/Preferences/ByHost/com.apple.Bluetooth.$uuid" DiscoverableState -bool no
/usr/sbin/chown "$user" "/Users/$user/Library/Preferences/ByHost/com.apple.Bluetooth.$uuid.plist"

Show the bluetooth status in the menu bar

Verify the status:

defaults read com.apple.systemuiserver menuExtras | grep Bluetooth.menu

Verify the returned value is: /System/Library/CoreServices/Menu Extras/Bluetooth.menu

show status in the status menu bar:

defaults write com.apple.systemuiserver menuExtras -array-add "/System/Library/CoreServices/Menu Extras/Bluetooth.menu"

Automatic set Date and time

Verify the status:

sudo systemsetup -getusingnetworktime

Verify the output is: Network Time: 0

Configure auto update Date and Time:

sudo systemsetup -setusingnetworktime on

(To change the time server itself, use systemsetup -setnetworktimeserver <server>.)

Activate Screen Saver

Verify the device status:

UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep "IOPlatformUUID" | sed -e 's/^.* "\(.*\)"$/\1/')
for i in $(find /Users -maxdepth 1 -type d); do
    PREF="$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID"
    if [ -e "$PREF.plist" ]; then
        echo -n "Checking User: '$i': "
        defaults read "$PREF.plist" idleTime 2>&1
    fi
done

Verify the output is the wanted value, e.g. less than 1200 (seconds) for less than 20 minutes.

Verify user configured status:

defaults -currentHost read com.apple.screensaver idleTime

Verify the output is the wanted value, e.g. less than 1200 (seconds) for less than 20 minutes.

Configure Screen Saver after 10 minutes:

defaults -currentHost write com.apple.screensaver idleTime -int 600

Secure Screen Saver Corners

Verify the status:

defaults read ~/Library/Preferences/com.apple.dock | grep -i corner

Verify that no corner key has the value 6 for any user.

This is the script to disable hot corners. I was not able to find a script that disables only the hot corner that specifically disables the screen saver; I will try to do one later.
This was taken from GitHub.

Source: GitHub gist /klynch/827581

-- By Richard Kulesus, 2009.  Released without license!
-- Use this for whatever!
-- I seriously despise code authors who copyright tiny bits of obvious code
-- like it's some great treasure.  This is small and simple, and if it saves
-- the next guy some time and trouble coding applescript I'll feel good!
--
-- Quickly change all the hot-corners to do what you want.
-- Particularly useful for presentations and full-screen games.
-- Customize the activity of each hot-corner with "all windows/application windows/dashboard/disable screen saver/none/show desktop/show spaces/sleep display/start screen saver"
-- The MODIFIERS are the keys which can be used to supplement hot-corner activation.
-- Here I've set them all to {}, which is none.  Options are "command/control/none/option/shift"
-- Dashboard in a fullscreen application.
--
-- Version 1.0
--  - Initial release
--
tell application "System Events"
	activate
	if UI elements enabled then
		tell expose preferences
			set properties of the top left screen corner to {activity:none, modifiers:{}}
			set properties of the top right screen corner to {activity:none, modifiers:{}}
			set properties of the bottom left screen corner to {activity:none, modifiers:{}}
			set properties of the bottom right screen corner to {activity:none, modifiers:{}}
		end tell
	else
		tell application "System Preferences"
			activate
			set current pane to pane "com.apple.preference.universalaccess"
			display dialog "UI element scripting is not enabled. Check \"Enable access for assistive devices\""
		end tell
	end if
end tell

tell application "System Preferences" to quit

Confirm that sleep is configured with a value larger than the screen saver timeout

Verify status:

pmset -g | grep displaysleep

Configure sleep

sudo pmset -c displaysleep 0

If the display sleeps before the screen saver is active the computer may be unlocked and available for an unauthorized user.

Set a Screen Corner to start the screen saver

Verify status:

defaults read ~/Library/Preferences/com.apple.dock | grep -i corner

At least one of the corners should have the value 5 for each user.
If not, enable a screen corner for the screen saver.

An adaptation of the script to enable hot corners that I found on GitHub.
This example is for the top left corner.
I did not test this script…

Source: GitHub gist /klynch/827581

-- By Richard Kulesus, 2009.  Released without license!
-- Use this for whatever!
-- I seriously despise code authors who copyright tiny bits of obvious code
-- like it's some great treasure.  This is small and simple, and if it saves
-- the next guy some time and trouble coding applescript I'll feel good!
--
-- Quickly change all the hot-corners to do what you want.
-- Particularly useful for presentations and full-screen games.
-- Customize the activity of each hot-corner with "all windows/application windows/dashboard/disable screen saver/none/show desktop/show spaces/sleep display/start screen saver"
-- The MODIFIERS are the keys which can be used to supplement hot-corner activation.
-- Here I've set them all to {}, which is none.  Options are "command/control/none/option/shift"
-- Dashboard in a fullscreen application.
--
-- Version 1.0
--  - Initial release
--

tell application "System Events"
	activate
	if UI elements enabled then
		tell expose preferences
			-- the activity is an enumeration; its name is written in lower case
			set properties of the top left screen corner to {activity:start screen saver, modifiers:{}}
		end tell
	else
		tell application "System Preferences"
			activate
			set current pane to pane "com.apple.preference.universalaccess"
			display dialog "UI element scripting is not enabled. Check \"Enable access for assistive devices\""
		end tell
	end if
end tell
tell application "System Preferences" to quit

Another option could be the following:

defaults write com.apple.dock wvous-tl-corner -string "Start Screen Saver"

Disable Remote Apple Events

Verify status:

sudo systemsetup -getremoteappleevents

Verify output is: Remote Apple Events: Off

Disable:

sudo systemsetup -setremoteappleevents off

Disable Internet Sharing

Verify:

sudo defaults read /Library/Preferences/SystemConfiguration/com.apple.nat | grep -i Enabled

No output should be found.

Disable:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.InternetSharing.plist

Disable Screen Sharing

Verify:

sudo launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist

Verify the value returned is: nothing found to load

Disable:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

Disable Printer Sharing

Verify:

system_profiler SPPrintersDataType

The output should show “Shared: No” for all printers. If no printers are present, the above command will yield “Status: The printers list is empty.”

Disable:

/usr/sbin/lpadmin -p printer -u allow:[your_username]

Disable Remote Login

Verify:

sudo systemsetup -getremotelogin

Disable:

sudo systemsetup -setremotelogin off

Disable DVD or CD Sharing

Verify:

sudo launchctl list | egrep ODSAgent

Disable:

defaults write com.apple.NetworkBrowser EnableODiskBrowsing -bool false
defaults write com.apple.NetworkBrowser ODSSupported -bool false

Disable File Sharing

Verify:

sudo launchctl list | egrep '(ftp|nmbd|smbd|AppleFileServer)'

Disable:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist
sudo launchctl unload -w /System/Library/LaunchDaemons/ftp.plist
sudo defaults delete /Library/Preferences/SystemConfiguration/com.apple.smb.server EnabledServices
sudo launchctl unload -w /System/Library/LaunchDaemons/nmbd.plist
sudo launchctl unload -w /System/Library/LaunchDaemons/smbd.plist

Disable Remote Management

Verify:

ps -ef | egrep ARDAgent

Ensure /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent is not present in the output.

Disable:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop

Disable Wake for network Access

Verify:

pmset -g | grep womp

Disable:

sudo pmset -a womp 0

Disable Sleeping When connected to power

Verify:

pmset -g | grep sleep

Output should be 0

Disable:

sudo pmset -c sleep 0

Enable File Vault

Verify:

diskutil cs list | grep -i encryption

Output should be: Encryption Status: Unlocked and Encryption Type: AES-XTS

Configuration:

sudo fdesetup enable -user USERNAME -outputplist > ~/recoverykey.plist

Enable Gatekeeper

Verify:

sudo spctl --status

Configuring:

sudo spctl --master-enable

Enable Firewall

Verify:

defaults read /Library/Preferences/com.apple.alf globalstate

Output value should be: 1 or 2

Configuration:

sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1

Use value 1 for specific services, 2 for essential services only.

Enable Secure Keyboard Entry

Verify:

defaults read -app Terminal SecureKeyboardEntry

Output should be: 1

Configuration:

defaults write -app Terminal SecureKeyboardEntry true

Disable Core Dumps

Verify:

launchctl limit core

Disable:

launchctl limit core 0

Configure Secure Empty Trash

Verify:

defaults read ~/Library/Preferences/com.apple.finder EmptyTrashSecurely

Configure:

defaults write ~/Library/Preferences/com.apple.finder EmptyTrashSecurely true

Configuring Logging

Retain System Log for 90 days

Verify:

grep -i ttl /etc/asl.conf

Verify that the ttl for system.log is greater than 90 days

Configuration:

sudo vim /etc/asl.conf

Set the system.log rule to:

> system.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90

Retain appfirewall.log for 90 or more days

Verification:

grep -i ttl /etc/asl.conf

Verify that the ttl for appfirewall.log is greater than 90 days

Configuration:

sudo vim /etc/asl.conf

Set the appfirewall.log rule to:

> appfirewall.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90

Retain auth.log for 90 or more days

Verification:

grep -i ttl /etc/asl/com.apple.authd

Configuration:

sudo vim /etc/asl/com.apple.authd

Set the rule to:

* file /var/log/authd.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90

Enable Security Auditing

Verification:

sudo launchctl list | grep -i auditd

Configuration:

sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist

Configure Security Auditing Flags

Verification:

sudo egrep "^flags:" /etc/security/audit_control

Ensure at least the following flags are present:

  1. lo – audit successful/failed login/logout events
  2. ad – audit successful/failed administrative events
  3. fd – audit successful/failed file deletion events
  4. fm – audit successful/failed file attribute modification events
  5. -all – audit all failed events across all audit classes

Configuration:

  1. Open a terminal session and edit the /etc/security/audit_control file
  2. Find the line beginning with “flags”
  3. Add the following flags: lo, ad, fd, fm, -all.
  4. Save the file.

Retain Install Log for a defined number of days (xxx)

Verification:

grep -i ttl /etc/asl/com.apple.install

Configuration

sudo vim /etc/asl/com.apple.install

Set the rule to:

* file /var/log/install.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=xxx
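An added example, not part of the original guide: a POSIX shell script that checks the asl retention (ttl=) rules and the audit_control flags from the logging items above by parsing the files themselves, so it can be run against copies of /etc/asl.conf, /etc/asl/* and /etc/security/audit_control collected from many Macs rather than only on the local machine. The sample files it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original guide): check the log-retention and
# audit-flag settings from this section by parsing the configuration files.
# The sample files written below are constructed for the demo.

# check_ttl FILE LOGNAME MINDAYS
# Finds the rule that writes LOGNAME and checks that its ttl= is at least MINDAYS.
check_ttl() {
    file="$1"; log="$2"; min="$3"
    line=$(grep -v '^#' "$file" | grep -w "$log" | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL $log: no rule found in $file"; return 1
    fi
    ttl=$(printf '%s\n' "$line" | sed -n 's/.*ttl=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$ttl" ]; then
        # No ttl= at all means asl's default retention applies, not 90 days.
        echo "FAIL $log: rule has no ttl= setting"; return 1
    fi
    if [ "$ttl" -ge "$min" ]; then
        echo "PASS $log: ttl=$ttl"; return 0
    fi
    echo "FAIL $log: ttl=$ttl is below $min"; return 1
}

# check_audit_flags FILE FLAG...
# Reads the "flags:" line of audit_control and checks that every FLAG is listed.
# Flags are compared whole, so "-all" is only satisfied by "-all", not by "all".
check_audit_flags() {
    file="$1"; shift
    flags=$(sed -n 's/^flags:[[:space:]]*//p' "$file" | head -n 1)
    missing=""
    for want in "$@"; do
        found=0
        for have in $(printf '%s' "$flags" | tr ',' ' '); do
            [ "$have" = "$want" ] && found=1
        done
        [ "$found" -eq 1 ] || missing="$missing $want"
    done
    if [ -z "$missing" ]; then
        echo "PASS audit flags: $flags"; return 0
    fi
    echo "FAIL audit flags missing:$missing (have: $flags)"; return 1
}

# Constructed sample files: system.log and authd.log are compliant,
# appfirewall.log keeps only 7 days, and audit_control lacks fd and -all.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/asl.conf" <<'EOF'
# constructed asl.conf excerpt
> system.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90
> appfirewall.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=7
EOF
cat > "$SAMPLE_DIR/com.apple.authd" <<'EOF'
* file /var/log/authd.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90
EOF
cat > "$SAMPLE_DIR/audit_control" <<'EOF'
dir:/var/audit
flags:lo,ad,fm
minfree:5
EOF

# audit_samples runs every check and returns the number of failed checks.
audit_samples() {
    fails=0
    check_ttl "$SAMPLE_DIR/asl.conf" system.log 90 || fails=$((fails + 1))
    check_ttl "$SAMPLE_DIR/asl.conf" appfirewall.log 90 || fails=$((fails + 1))
    check_ttl "$SAMPLE_DIR/com.apple.authd" authd.log 90 || fails=$((fails + 1))
    check_audit_flags "$SAMPLE_DIR/audit_control" lo ad fd fm -all || fails=$((fails + 1))
    return $fails
}

audit_samples || echo "$? check(s) failed"
```

On a real machine, point check_ttl at /etc/asl.conf or /etc/asl/com.apple.authd and check_audit_flags at /etc/security/audit_control instead of the sample directory.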

Network Configurations

Disable Bonjour advertising service

Verification:

defaults read /Library/Preferences/com.apple.alf globalstate

Disable:

sudo nano "/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist"

Add the string -NoMulticastAdvertisements to the ProgramArguments array:

<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/mDNSResponder</string>
    <string>-launchd</string>
    <string>-NoMulticastAdvertisements</string>
</array>

Show Wi-Fi status in the menu bar

Verify:

defaults read com.apple.systemuiserver menuExtras | grep AirPort.menu

Output should be: /System/Library/CoreServices/Menu Extras/AirPort.menu

File System permissions and access controls

Secure Home Folders

Verification:

ls -l /Users/

Output is: drwx------ and drwx--x--x

Configuration

sudo chmod -R og-rwx /Users/

Or

sudo chmod -R og-rw /Users/

Repair Permissions Regularly

Verification

cat /var/log/system.log* | grep RepairPermissions

Configuration:

diskutil repairPermissions /

Check Applications for proper Permissions

Verification:

sudo find /Applications -iname "*\.app" -type d -perm -2 -ls

Output should be: drwxr-xr-x

Configuration:

sudo chmod -R o-w /Applications/Bad\ Permissions.app/

Check System order for world writable files

Verification:

sudo find /System -type d -perm -2 -ls

Configuration:

sudo chmod -R o-w /Bad/Directory

Check Library folder for world writable files

Verification:

sudo find /Library -type d -perm -2 -ls

Configuration:

sudo chmod -R o-w /Bad/Directory

Reduce Sudo Time out Period

Verification:

sudo grep timestamp /etc/sudoers

Output should be: Defaults timestamp_timeout=0

Configuration:

sudo visudo

Add this line in the Defaults specification section:
Defaults timestamp_timeout=0

Automatically lock the login key chain after 15 minutes of inactivity and when sleeping

Verification:

security show-keychain-info

Configuration:

  1. Open Utilities
  2. Select Keychain Access
  3. Select a keychain
  4. Select Edit
  5. Select Change Settings for keychain
  6. Authenticate, if requested.
  7. Select Lock when sleeping setting
Change the Lock after # minutes of inactivity setting for the Login Keychain to 15 minutes or based on the access frequency of the security credentials included in the keychain for other keychains.

Do not enable the “root” account

Verification:

dscl . -read /Users/root AuthenticationAuthority

Output value should be: No such key: AuthenticationAuthority

Configuration:

  1. Open System Preferences,
  2. Users & Groups.
  3. Click the lock icon to unlock it.
  4. In the Network Account Server section,
  5. click Join or Edit.
  6. Click Open Directory Utility.
  7. Click the lock icon to unlock it.
  8. Select the Edit menu
  9. Disable Root User.

Disable automatic login

Verification:

defaults read /Library/Preferences/com.apple.loginwindow | grep autoLoginUser

Configuration:

sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser

Require a password to wake the computer from sleep or screen saver

Verification:

defaults read com.apple.screensaver askForPassword

Configuration:

defaults write com.apple.screensaver askForPassword -int 1

Require an administrator password to get access to system-wide preferences

Verification:

  1. In System Preferences: Security,
  2. General tab
  3. under Advanced,
  4. verify “Require an administrator password to get access to system-wide preferences” is checked.

Configuration:

  1. In System Preferences:
  2. Security,
  3. General tab under Advanced,
  4. check “Require an administrator password to access system-wide preferences”

Disable ability to log in to another user’s active and locked session

Verification:

grep -i "group=admin,wheel fail_safe" /etc/pam.d/screensaver

Remediation:

sudo vi /etc/pam.d/screensaver

  1. Locate the line: account required pam_group.so no_warn group=admin,wheel fail_safe
  2. Remove “admin,”
  3. Save

Complex passwords must contain an Alphabetic Character

Verification:

pwpolicy -getglobalpolicy | tr " " "\n" | grep requiresAlpha

Configuration:

sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"

Complex passwords must contain a Numeric Character

Verification:

pwpolicy -getglobalpolicy | tr " " "\n" | grep requiresNumeric

Configuration:

sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"

Complex passwords must contain a Symbolic Character

Verification:

pwpolicy -getglobalpolicy | tr " " "\n" | grep requiresSymbol

Configuration:

sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"

Set a minimum password length

Verification:

pwpolicy -getglobalpolicy | tr " " "\n" | grep minChars

Configuration:

sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"

Configure account lockout threshold

Verification:

pwpolicy -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttempts

Configuration:

sudo pwpolicy -setglobalpolicy "maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1"
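As an added example (not the author's code), the following POSIX shell functions check a global password policy against the five requirements the password items above configure, parsing the "key=value key=value …" text that pwpolicy -getglobalpolicy prints. The HARDENED_POLICY and LAX_POLICY strings are constructed samples; on a Mac you would pass "$(pwpolicy -getglobalpolicy)" instead.

```shell
#!/bin/sh
# Added example (not part of the original guide): check a pwpolicy global
# policy against the minimums set in this section (lockout after at most 5
# failed attempts, minChars >= 15, numeric/alpha/symbol flags on).
# The two policy strings below are constructed samples.

# policy_value POLICY KEY: prints KEY's value, or nothing if KEY is absent.
policy_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_pwpolicy POLICY: prints one PASS/FAIL line per requirement and
# returns the number of failed requirements (0 means fully compliant).
check_pwpolicy() {
    policy="$1"; fails=0
    for req in maxFailedLoginAttempts:5 minChars:15 \
               requiresNumeric:1 requiresAlpha:1 requiresSymbol:1; do
        key=${req%%:*}; want=${req#*:}
        val=$(policy_value "$policy" "$key")
        case $val in
            ''|*[!0-9]*)
                # Absent or non-numeric: the default applies, which is "off".
                echo "FAIL $key: not set"; fails=$((fails + 1)); continue ;;
        esac
        if [ "$key" = maxFailedLoginAttempts ]; then
            # 0 means "never lock out"; anything above 5 is looser than required.
            if [ "$val" -ge 1 ] && [ "$val" -le "$want" ]; then
                echo "PASS $key=$val"
            else
                echo "FAIL $key=$val (want 1..$want)"; fails=$((fails + 1))
            fi
        elif [ "$val" -ge "$want" ]; then
            echo "PASS $key=$val"
        else
            echo "FAIL $key=$val (want >= $want)"; fails=$((fails + 1))
        fi
    done
    return $fails
}

# Constructed samples: the policy this guide sets, and a lax one with
# lockout disabled (0), no minimum length and every complexity flag off.
HARDENED_POLICY='maxFailedLoginAttempts=5 minChars=15 requiresNumeric=1 requiresAlpha=1 requiresSymbol=1'
LAX_POLICY='usingHistory=0 canModifyPasswordforSelf=1 maxFailedLoginAttempts=0 minChars=0 requiresNumeric=0 requiresAlpha=0 requiresSymbol=0'

echo "hardened:"; check_pwpolicy "$HARDENED_POLICY" || echo "  $? requirement(s) failed"
echo "lax:";      check_pwpolicy "$LAX_POLICY" || echo "  $? requirement(s) failed"
```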

Create an access warning for the login window

Verification:

defaults read /Library/Preferences/com.apple.loginwindow.plist LoginwindowText

Configuration:

Add text with elevated privileges:

sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "your text here"

Remove Text with elevated privileges

sudo defaults delete /Library/Preferences/com.apple.loginwindow LoginwindowText

Do not enter a password-related hint

Verification:

  1. Open System Preferences
  2. Select Users & Groups
  3. Highlight the user
  4. Select Change Password
  5. Verify that no text is entered in the Password hint box

Configuration:

  1. Open System Preferences
  2. Select Users & Groups
  3. Highlight the user
  4. Select Change Password
  5. Verify that no text is entered in the Password hint box

Secure individual keychain items

Verification:

  1. Open Utilities
  2. Select Keychain Access
  3. Double-click keychain
  4. Select Access Control
  5. Verify if the box next to “Ask for Keychain Password” is checked

Configuration:

  1. Open Utilities
  2. Select Keychain Access
  3. Double-click keychain
  4. Select Access Control
  5. Check box next to “Ask for Keychain Password”

Create specialized keychains for different purposes

Verification:

  1. Open Utilities
  2. Select Keychain Access
  3. Verify there are multiple keychains listed under Keychains on the upper left-hand
    side of the window

Configuration:

  1. Open Utilities
  2. Select Keychain Access
  3. Select File
  4. Select New Keychain
  5. Input name of new keychain next to Save As
  6. Select Create
  7. Drag and drop desired keychain items into new keychain from login keychain

Display login window as name and password

Verification:

defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME

Configuration:

sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes

Disable “Show password hints”

Verification:

defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint

Configuration:

sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0

Disable guest account login

Verification:

sudo defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled

Output should be: 0

Configuration:

sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO

Disable “Allow guests to connect to shared folders”

Verification:

defaults read /Library/Preferences/com.apple.AppleFileServer | grep -i guest

Output should be: guestAccess = 0;

for SMB sharing:

defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server | grep -i guest

Output should be: AllowGuestAccess = 0;

Configuration:

AFP configuration:

sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no

SMB Configuration:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no

Turn on filename extensions

Verification

defaults read NSGlobalDomain AppleShowAllExtensions

Configuration

  1. Select Finder
  2. Select Preferences
  3. Check Show all filename extensions

Disable the automatic run of safe files in Safari

Verification:

defaults read com.apple.Safari AutoOpenSafeDownloads

Output should be: 0

Configuration:

defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no

Code name "Poodle" vulnerability

This vulnerability might be another one that causes some changes on the internet.
It seems that it uses the fallback to SSL 3.0 to create a man-in-the-middle opportunity to disclose information.

This is an interesting paper about it.
The solution at the moment is to disable SSL 3.0; this might create problems for legacy users or users with older browsers, because they might not be able to access the site.
It might have a positive side: forcing everybody to use safer protocols 🙂 and recent clients.

More information here:
https://www.openssl.org/~bodo/ssl-poodle.pdf

How to check if you are secure using nmap
nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.hjfr-info.com

How to check if you are secure using openssl
openssl s_client -connect www.hjfr-info.com:443

Sandworm…

It seems that a new vulnerability on SSL is being used in spy games against the West. 🙂

This information was disclosed at http://www.isightpartners.com/2014/10/cve-2014-4114/

From what is being said on the internet, as soon as Microsoft releases the patch, more information about it will be made available.

The vulnerability code:
CVE-2014-4114

Configure a default gateway in a CISCO router (gateway of last resort)

Default routes are used to direct packets addressed to networks not explicitly listed in the routing table.

There are 3 ways to configure this:

  1. ip default-gateway
  2. ip default-network
  3. ip route 0.0.0.0 0.0.0.0

Let's start with the first.

1 – The ip default-gateway command differs from the other two commands. It should only be used when ip routing is not enabled on the Cisco router.

For instance, if the router is a host in the IP world, you can use this command to define a default gateway for it. You might also use this command when your low-end Cisco router is in boot mode in order to upload a Cisco IOS Software image to the router.

In boot mode, the router does not have ip routing enabled.

2 – You can use ip default-network when ip routing is active on the Cisco router. When you configure ip default-network, the router considers routes to that network for installation as the gateway of last resort.

HJFR_Router#configure terminal
HJFR_Router(config)#ip route 170.70.24.0 255.255.255.0 131.108.99.2
HJFR_Router(config)#ip default-network 170.70.0.0
HJFR_Router(config)#^Z

HJFR_Router#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 170.70.24.0 to network 170.70.0.0

 *   170.70.0.0/16 is variably subnetted, 2 subnets, 2 masks
S*      170.70.0.0/16 [1/0] via 170.70.24.0
S       170.70.24.0/24 [1/0] via 131.108.99.2
     161.44.0.0/24 is subnetted, 1 subnets
C       161.44.192.0 is directly connected, Ethernet0
     131.108.0.0/24 is subnetted, 1 subnets
C       131.108.99.0 is directly connected, Serial0
S*   198.10.1.0/24 [1/0] via 161.44.192.2

3 – Creating a static route to network 0.0.0.0 0.0.0.0 is another way to set the gateway of last resort on a router. As with the ip default-network command, using the static route to 0.0.0.0 is not dependent on any routing protocols. However, ip routing has to be enabled on the router.

Note: IGRP does not understand a route to 0.0.0.0. Therefore, it cannot propagate default routes created using the ip route 0.0.0.0 0.0.0.0 command. Use the ip default-network command to have IGRP propagate a default route.

EIGRP propagates a route to network 0.0.0.0, but the static route has to be redistributed into the routing protocol.

In earlier versions of RIP, the default route created using the ip route 0.0.0.0 0.0.0.0 was automatically advertised by RIP routers. In Cisco IOS Software Release 12.0T and later, RIP does not advertise the default route if the route is not learned via RIP. It might be necessary to redistribute the route into RIP.

OSPF and IS-IS do not propagate the default route created by the command ip route 0.0.0.0 0.0.0.0. Additionally, this default route cannot be redistributed into OSPF or IS-IS using the redistribute command.

Use the default-information originate command to generate a default route into an IS-IS or OSPF routing domain.

HJFR_Router#configure terminal
HJFR_Router(config)#ip route 0.0.0.0 0.0.0.0 170.170.3.4
HJFR_Router(config)#^Z
HJFR_Router#

HJFR_Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 170.170.3.4 to network 0.0.0.0

     170.170.0.0/24 is subnetted, 2 subnets
C       170.170.2.0 is directly connected, Serial0
C       170.170.3.0 is directly connected, Ethernet0
S*   0.0.0.0/0 [1/0] via 170.170.3.4
HJFR_Router#
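To make the opening rule concrete (a default route only catches packets whose destination is not explicitly listed), here is an added Python example, my own code rather than anything from the Cisco documentation, that performs a longest-prefix lookup over routing tables constructed from the two show ip route outputs above. With method 3 the default is itself a /0 prefix and wins only when nothing longer matches; with method 2 there is no /0 entry, so the fallback to the gateway of last resort is modelled as a separate argument. The destination 203.0.113.5 is a documentation address chosen to match nothing.

```python
"""Longest-prefix lookup with a gateway of last resort (added illustration)."""
import ipaddress

# Method 2 (ip default-network): no 0.0.0.0/0 entry. Constructed from the first
# "show ip route" output above; the gateway of last resort there is 170.70.24.0.
TABLE_DEFAULT_NETWORK = [
    ("170.70.0.0/16", "170.70.24.0"),
    ("170.70.24.0/24", "131.108.99.2"),
    ("161.44.192.0/24", "directly connected, Ethernet0"),
    ("131.108.99.0/24", "directly connected, Serial0"),
    ("198.10.1.0/24", "161.44.192.2"),
]
GATEWAY_DEFAULT_NETWORK = "170.70.24.0"

# Method 3 (ip route 0.0.0.0 0.0.0.0): the default is itself a /0 prefix.
# Constructed from the second "show ip route" output above.
TABLE_STATIC_DEFAULT = [
    ("170.170.2.0/24", "directly connected, Serial0"),
    ("170.170.3.0/24", "directly connected, Ethernet0"),
    ("0.0.0.0/0", "170.170.3.4"),
]


def lookup(table, destination, gateway_of_last_resort=None):
    """Return (matched_prefix, next_hop) for destination.

    The longest matching prefix wins. A /0 entry covers every address, so it is
    chosen only when nothing more specific matches. If no prefix in the table
    covers the destination, fall back to the gateway of last resort when one
    is configured, otherwise the packet is dropped.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is not None:
        return (str(best[0]), best[1])
    if gateway_of_last_resort is not None:
        return ("gateway of last resort", gateway_of_last_resort)
    return (None, "dropped")


if __name__ == "__main__":
    for dst in ("170.170.2.9", "203.0.113.5"):
        print("static default :", dst, "->", lookup(TABLE_STATIC_DEFAULT, dst))
    for dst in ("170.70.24.9", "170.70.5.1", "203.0.113.5"):
        print("default-network:", dst, "->",
              lookup(TABLE_DEFAULT_NETWORK, dst, GATEWAY_DEFAULT_NETWORK))
```

Note that in the default-network table a packet to 170.70.24.9 takes the /24 via 131.108.99.2 rather than the /16 candidate default, which is exactly the longest-prefix behaviour that makes a gateway of last resort safe to add: it never overrides a more specific route.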

Table to help with subnetting

This table is meant to make manual subnet calculation easier and faster. It gives us the number of bits necessary, or the number of hosts, depending on what we need.

Number of necessary bits for H   8    7    6    5    4    3    2    1    0
Number of Hosts                  256  128  64   32   16   8    4    2    NA
Number of necessary bits for N   0    1    2    3    4    5    6    7    8
Value of "Subnet Mask"           0    128  192  224  240  248  252  254  255
Number of Valid Networks         1    2    4    8    16   32   64   128  N/A

The Number of Hosts row is the total number of host addresses, valid and invalid.

e.g.:

We want to know the subnet mask for a subnet that must hold 10 machines.
To meet that aim our network administrator gives us the network 192.168.1.0 to subnet.

The classical way is:

To host 10 machines we use the formula 2^n - 2 >= 10, where n is the number of host bits we will need (the 2 subtracted are the network and broadcast addresses, which cannot be assigned to hosts).

n = 4

2^4 - 2 = 14

So to meet the goal our binary octet should look like this:

NNNNHHHH

4 Bits for Networking (N) and 4 bits for Hosts (H).

Our network would have a subnet mask whose last octet is: 2^7 + 2^6 + 2^5 + 2^4 = 128 + 64 + 32 + 16 = 240

Numbers translated:

2^7 is the value of the first N from left to right.
2^6 is the value of the second N from left to right.
2^5 is the value of the third N from left to right.
2^4 is the value of the fourth N from left to right.

Now let's see how the table can make this faster:

First, we need 10 hosts, so we look in the Number of Hosts row for the value closest to 10 but bigger.

That is 16. We could equally find the same column by looking up 4 in the Number of necessary bits for H row.

Then we just go down that column and read the values: "Subnet Mask" 240 and number of networks 16.


Our network would then be 192.168.1.0 with the mask 255.255.255.240: network address 192.168.1.0, first valid IP address 192.168.1.1, last valid IP address 192.168.1.14 and broadcast address 192.168.1.15.
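The same calculation in code, as an added example of my own (not part of the original post): plan_subnet() takes any base network and host count, finds the number of host bits with the 2^n - 2 rule above, and returns the mask, the number of subnets that carving produces, and the address layout of the first subnet. table_row() regenerates one column of the table for any number of host bits in an octet, which is the general rule the table tabulates. The function names are mine.

```python
"""Subnet planning the way the table above is used (added example)."""
import ipaddress


def host_bits_for(hosts_needed: int) -> int:
    """Smallest n such that 2**n - 2 >= hosts_needed.
    The -2 reserves the network and broadcast addresses."""
    if hosts_needed < 1:
        raise ValueError("need at least one host")
    n = 2
    while (2 ** n) - 2 < hosts_needed:
        n += 1
    return n


def table_row(host_bits: int) -> dict:
    """One column of the table for a single octet with host_bits host bits."""
    if not 0 <= host_bits <= 8:
        raise ValueError("an octet has 0..8 bits")
    network_bits = 8 - host_bits
    return {
        "host_bits": host_bits,
        "hosts": 2 ** host_bits,                  # total, valid and invalid
        "network_bits": network_bits,
        "mask_octet": (0xFF << host_bits) & 0xFF,  # leading network bits set to 1
        "subnets": 2 ** network_bits,
    }


def plan_subnet(base: str, hosts_needed: int) -> dict:
    """Carve `base` into subnets big enough for hosts_needed machines and
    describe the first one (network, first/last host, broadcast)."""
    net = ipaddress.ip_network(base, strict=True)
    n = host_bits_for(hosts_needed)
    new_prefix = net.max_prefixlen - n
    if new_prefix < net.prefixlen:
        raise ValueError(f"{base} cannot hold {hosts_needed} hosts per subnet")
    subnets = list(net.subnets(new_prefix=new_prefix))
    first = subnets[0]
    hosts = list(first.hosts())
    return {
        "host_bits": n,
        "usable_hosts": 2 ** n - 2,
        "mask": str(first.netmask),
        "prefix": new_prefix,
        "subnet_count": len(subnets),
        "network": str(first.network_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(first.broadcast_address),
    }


if __name__ == "__main__":
    # The worked example from the text: 10 hosts out of 192.168.1.0/24.
    for key, value in plan_subnet("192.168.1.0/24", 10).items():
        print(f"{key:13} {value}")
    print("table column for 4 host bits:", table_row(4))
```

For the page's example it reports 4 host bits, mask 255.255.255.240, 16 subnets and the .0/.1/.14/.15 layout given above; the same function works for larger requests such as 500 hosts out of 10.0.0.0/16, where the mask crosses into the third octet.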

Hope this helps everybody in their daily work.