On 1/18/07 10:34 AM, "Dave Schroeder" <das (at) doit.wisc (dot) edu [email concealed]> wrote:

>> One problem with modifying the firewall rules, such as they are, is
>> that
>> programmatic changes will prevent further rules modifications from
>> the GUI.
>> This situation has existed on Mac OS X for years, up to at least
>> Tiger. What
>> about using adding/removing/managing tcpwrappers dynamically for
>> sshd with
>> xinetd, instead of changing the ipfw2 rules? That, at least,
>> wouldn't have
>> an unfortunate side effect on the firewall GUI.
>
> Actually, what I think this means is that *Apple* should be
> proactively providing functionality like this that reflects system
> administration best practices as part of OS X itself, so that you
> don't need to break the GUI.
>
>> Also, from my reading on configuring SSH, it seems like the
>> following are
>> also useful changes, some of which address the "timeout" earlier in
>> the
>> thread (and are options described in the man page). I've picked
>> these up
>> from various sites over time, and half the battle is just knowing
>> what the
>> options are named and how they might help.
>>
>> * Disable Protocol 1
>> * Consider, of course, disabling PasswordAuthentication
>> * Set LoginGraceTime
>> * Explicitly disable PermitRootLogin
>> * Explicitly disable PermitEmptyPasswords
>> * Set MaxStartups
>> * Liberal use of (Allow|Deny)(Users|Groups), particularly in a
>> Directory
>> Services environment
>
> Again, I think a lot of these things should be default configurations
> for ssh on Mac OS X/Mac OS X Server.
>
>> These are not going to prevent attacks but my reading is that
>> careful setup
>> can at least slow them down and perhaps mitigate some problems
>> associated
>> with them.
>
> These won't "prevent" the attacks themselves, but even some simple
> changes to the ssh config will stop many brute force ssh password-
> guessing attacks in their tracks.

I've submitted feature/enhancement requests with Apple on almost all of your
comments, Dave. I completely agree that the default SSH config should be
hardened, that the firewall GUI and programmatic changes should work
together, and so on. The more people submit these kinds of requests, the
more weight the requests have ... so I'd urge anyone else who cares to
submit them as well.

As much as some may not think that Apple is responsive (which I choose not
to debate, whether I agree with it or not), my feeling is that if the vendor
provides a feedback channel and I want something changed, it's my
responsibility to give the vendor that feedback. If the vendor/developer
doesn't make those changes (or make them as quickly as I'd like), at least
I've done my part. I can continue to exert whatever pressure is available to
me, perhaps gently. I also realize, having worked with several vendors
successfully this way, that there are multiple priorities as well as
development/testing cycles involved, so I try to have some patience. :)

--
Jeremy

[ reply ]