Harry_The_Bustard

Hack Track


I've set up a small network of two G4 Mac minis running 10.4.11 behind a prior-generation AirPort Extreme Base Station - one of which is wired into the LAN port and the other reached via 802.11g. Both are running Vine Server 3.0 to allow remote access and I've set up port forwarding for ports 5900 and 5901 - one per Mac - i.e. to allow VNC. Now, although I've got strong passwords in place on each, I've implemented Remote Login (SSH) to improve connection security - that, of course, requiring port 22 to be forwarded. Everything is fine (save for a known relevant bug in Vine Server) but, given that a friend of mine says opening up port 22 is asking for trouble, I'd like to know more. (He says he did it and, according to a log somewhere, there were numerous connection attempts from wherever in the world.) I know this is a big subject and goes beyond just port 22, so pointers to resources on the Internet are all that I'm looking for.


Well yes, opening any port to the internet poses a risk, but if you want to connect to your computer remotely you have no choice. You could change the ports from their defaults, but there's not really much point.

 

And of course you can always invest in a tin foil hat...


I guessed so but meant to ask... where (in my configuration at least) can I see a log of attempted connections. Not that I'll lay awake at night after reading them. I'm just curious.


Open system prefs -> Security -> Firewall -> Advanced

 

Check enable logging if it's not already, then come back and choose Open Log when you've had logging enabled for a bit. You will need to be an admin user to view the firewall log.

that, of course, requiring port 22 to be forwarded. Everything is fine (save for a known relevant bug in Vine Server) but given that a friend of mine says opening up port 22 is asking for trouble I'd like to know more.

A few weeks ago, before a trip, I opened port 22 on my router to forward to my primary Mac so I could access it if needed. Later that day I noticed an absurd amount of network traffic (I run Menu Meters to display network load). I poked around and ended up finding in /var/log/secure.log that someone (an IP in China, likely just a proxy waystation) was trying a brute-force password attack on port 22 - trying to guess passwords for "root" (which on my Mac is not enabled), "admin" and "mysql". Whoever it was, their program had been banging away at ssh for almost 5 hours, really filling up the log file, too.

 

(By the way, in the event of a successful penetration, the first thing any competent hacker does is clear the log.)

 

I was impressed that a previously closed port had been located and attacked in less than half a day after I opened the port. (My router's normally in stealth.) I decided to change my port forwarding on the router to use a different external port for ssh. No sense making it easy for them to find the system, no matter how strong the passwords.

 

It used to be that most port-hunting was for 80 (webserver default) or Windows file sharing or instant messaging. Apparently 22 has become a more popular target these days.

 

By the way, when you get your port forwarding set up, http://canyouseeme.org/ is a nice site for checking that your intended port really is accepting connections from outside your LAN.

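The post above describes spotting a password-guessing run in /var/log/secure.log by eye. As an added example (not code from the thread or from Vine Server), here is a small shell script that does the same triage over sshd log lines: it counts "Failed password" entries per source address and lists which usernames a given source tried. The log lines are constructed in the syslog format OpenSSH's sshd writes and are not real data from anyone's machine; the addresses are documentation ranges and the hostname "mini" is a placeholder.

```shell
#!/bin/sh
# Added example: summarise sshd password guessing from a secure.log-style file.
# SAMPLE_LOG is constructed for illustration in sshd's syslog format; it is not
# a real log excerpt. Addresses are from the documentation ranges.

SAMPLE_LOG='Mar  6 08:52:15 mini sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 40312 ssh2
Mar  6 08:52:17 mini sshd[414]: Failed password for invalid user mysql from 203.0.113.7 port 40318 ssh2
Mar  6 08:52:19 mini sshd[416]: Failed password for root from 203.0.113.7 port 40321 ssh2
Mar  6 08:52:21 mini sshd[418]: Failed password for invalid user test from 203.0.113.7 port 40325 ssh2
Mar  6 08:53:02 mini sshd[420]: Failed password for harry from 198.51.100.23 port 51001 ssh2
Mar  6 08:53:09 mini sshd[422]: Accepted password for harry from 198.51.100.23 port 51001 ssh2
Mar  6 09:10:44 mini sshd[430]: Failed password for invalid user admin from 192.0.2.200 port 33010 ssh2'

# Read sshd log lines on stdin and print "count ip" for every source address
# with at least $1 failed password attempts (default 3), highest count first.
# A single typo from a legitimate user stays below the threshold; a scanner
# walking a username list does not.
brute_force_sources() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The source address is the field after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# Read sshd log lines on stdin and print, space separated and de-duplicated,
# the usernames that source address $1 failed to log in as.
guessed_users() {
    ip="$1"
    awk -v ip="$ip" '
        /sshd\[[0-9]+\]: Failed password for/ && $0 ~ ("from " ip " port") {
            for (i = 1; i <= NF; i++) if ($i == "for") {
                # "for root from" names the user directly;
                # "for invalid user admin from" names it two fields later.
                u = $(i+1); if (u == "invalid") u = $(i+3); print u
            }
        }
    ' | sort -u | tr '\n' ' ' | sed 's/ *$//'
}
```

On the constructed sample, `printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 3` prints `4 203.0.113.7`, and `guessed_users 203.0.113.7` on the same input prints `admin mysql root test`. Against a real Tiger machine the log is root-readable, so run it as `sudo cat /var/log/secure.log | brute_force_sources 3`; the "Accepted password" line is deliberately ignored by the pattern, so a successful login after a string of failures from the same address still shows up in the count and is worth a second look.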

Thanks for the log pointer, the tale of an attack and the advice on a port tester. I left port 22 open for about a week and nothing dubious appeared in the ipfw.log - the port certainly being open from the outside, as I tested it via a (non-SSH-secured) connection to a Mac mini - though my friend's experience and the above contributor's suggest I should have. I'll check it again when I've worked out how to create an SSH tunnel - something this thread looks like it will help with - the friend of mine who experienced the problem (a Geek's Geek) coming over tonight to see what we can do. (I'm sure I could work it out but two heads are better than one and, besides, he's coming to see my media centre setup - especially the decidedly lush Remote Buddy.) Then again I may wait for Vine Server 3.1 to be released, as the current release, 3.0, has a bug in it which means it drops the SSH requirement when it is restarted and I don't want to rely on the 3.1 beta. According to an in-house forum contributor it was due out "very shortly" (see this if you're interested) but, with that having been said nearly four months ago, one does question their project resourcing.


It looks like we had success with the creation of an SSH tunnel for VNC purposes last night. However, as I need to get my notes together and read up on the matter I'll have to report back later - hopefully over the weekend.


A bit later than planned but here we go...

 

Allow remote access to the Mac which you wish to, er, access remotely - including creating a pathway to the Mac via Port Forwarding if need be - and make sure you know the IP address of the WAN side of the modem. (See this for details of that - albeit when I used an AirPort Express rather than an AirPort Extreme Base Station as now.)

 

Log into the Mac which you wish to use to access the remote one - as an administrator - and launch Terminal.

 

Enter...

 

sudo ssh -L1000:localhost:{vnc.port} {user}@{address}

 

...where...

 

{vnc.port} is the VNC port which you've got open on the remote Mac - e.g. 5900

{user} is a user on the remote Mac

{address} is the IP address of the WAN side of the modem where the remote Mac is

 

At this point enter your (administrator) password on the local Mac - so allowing the secure connection via "privileged" ports - the result of which will be this...

 

The authenticity of host '{address} ({address})' can't be established.

RSA key fingerprint is {fingerprint}.

Are you sure you want to continue connecting (yes/no)?

 

...where {fingerprint} is a long series of hex characters delimited by colons.

 

This gives you the opportunity to check whether the computer to which you have connected is the one you intended to - something which can only be verified on the remote Mac via a local secure connection - guidance on which can be found here.

 

If you are certain it's the right computer then answer "yes" - at which point the message...

 

"Warning: Permanently added '{address}' (RSA) to the list of known hosts."

 

...will be given.

 

Note that once you've been through these hoops the above two things won't happen - i.e. you'll enter the password and you'll jump to this point - so long as, that is, you use the same local Mac and nothing goes pear-shaped.

 

You will then be prompted for the password of the user on the remote Mac - i.e. {user} in the first command. Enter that correctly and you will see something like this...

 

Last login: Fri Mar 6 08:52:15 2009

Welcome to Darwin!

My-Distant-Mac:~ mydistantuser$

 

...so meaning you are connected.

 

You can issue as many Terminal commands as you can shake a USB stick at here but that's not what we're after - rather we simply want to connect via VNC using this secure connection - a simple task given that we've specified that the connection is made to VNC port 5900. So, using Chicken Of The VNC as an example client enter "localhost:1000" into the "Host" field and the VNC password (which you really should have assigned) on the remote Mac in the "Password" field and you're away.

 

I must admit to struggling with some of the concepts - not least how the passwords are not sent in the clear - but I'm assured (by my mate and his brother who dug out most of the answers) that this is the way to do it - Mr Punch too. (I'll read up on it soon.) Of course there may be easier ways - e.g. Vine Viewer from TestPlant (formerly Redstone Software) at a small price - something I'll get once they've moved on to version 3.1 of Vine Server given that 3.0 has bugs in it relating to SSH.

 

Of course "Back To My Mac" does all this - so long as you have Leopard and a .Mac/MobileMe account - but for those who don't this is perhaps the best free option. Well, so long as you have a static IP address on the WAN side of your modem or a means of determining the IP address via the likes of DynDNS as covered in the linked thread.

 

Finally, if you want to know a bit more about security (not least SSH) there are several threads on this forum - e.g. here - another (external) resource being here.

Edited by Harry_The_Bustard

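The walkthrough above builds the tunnel by hand with sudo and local port 1000. As an added example (my own code, not the poster's and not part of Vine Server), the script below wraps the same `ssh -L` forward in a function that prints the command to run, refuses a local port below 1024 so the tunnel never needs root, binds the local end to 127.0.0.1 explicitly, adds `-N` so ssh carries only the forward and opens no remote shell, and pairs it with a check that the local end is listening before the VNC client is pointed at it. The user name, address and ports in the usage are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: build and check an SSH tunnel for VNC.
# All hosts, users and ports are placeholders chosen for illustration.

# Print the ssh command that forwards local port $1 on loopback to port $2
# on the remote Mac, logging in as $3 at $4.
# Returns 1 without printing anything if $1 is not a port at or above 1024:
# binding a lower port needs root, and the tunnel has no reason to run as root.
tunnel_cmd() {
    local_port="$1"; vnc_port="$2"; user="$3"; host="$4"
    case "$local_port" in
        ''|*[!0-9]*) echo "local port must be numeric" >&2; return 1 ;;
    esac
    if [ "$local_port" -lt 1024 ] || [ "$local_port" -gt 65535 ]; then
        echo "local port $local_port must be 1024..65535 so sudo is not needed" >&2
        return 1
    fi
    # -N         : no remote shell, only the port forward.
    # 127.0.0.1  : bind the local end to loopback so other machines on the
    #              local LAN cannot ride the tunnel (ssh's default, stated
    #              explicitly so the intent is visible in the command).
    # "localhost": on the remote side the connection is delivered to the
    #              remote Mac's own VNC listener, never onto its LAN.
    # Host-key verification is unchanged: the first connection shows the
    # fingerprint prompt described in the thread, and a later changed key makes
    # ssh refuse the forward rather than silently tunnel through an impostor.
    echo "ssh -N -L 127.0.0.1:${local_port}:localhost:${vnc_port} ${user}@${host}"
}

# Return 0 once something is listening on local port $1, 1 otherwise.
# nc (netcat) ships with Mac OS X; -z connects and disconnects without sending data.
tunnel_ready() {
    nc -z 127.0.0.1 "$1" >/dev/null 2>&1
}

# Usage (run by hand, not executed here):
#   tunnel_cmd 5901 5900 mydistantuser 198.51.100.10
#   -> ssh -N -L 127.0.0.1:5901:localhost:5900 mydistantuser@198.51.100.10
# Run the printed command in one Terminal window, then in another:
#   until tunnel_ready 5901; do sleep 1; done
# and point the VNC client at localhost:5901. The VNC password then travels
# only over loopback on each end and through the encrypted ssh session between.
```

Because the local end is on loopback, the VNC client's "localhost:5901" is the only address that reaches the remote Mac's port 5900, which is exactly why the VNC port itself no longer needs to be forwarded on the router once the tunnel works: only 22 (or whatever external port is mapped to it) has to be reachable from outside.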
