Wednesday, April 6, 2011

Port 88 open on Mac OS X - KDC monitoring daemon

If you enable either File Sharing (AFP or SMB), Mac OS X 10.5.6 will have not only the AFP or SMB ports, but also port TCP/88 open. The daemon on this port is kdcmond(8), which is described as “KDC monitoring daemon – Open Directory Single Sign On”. Most people who are not connected to a Mac OS X Server-based network probably don't need this service.

If you would like to disable this daemon, you need to change the launchd(8) configuration, which is accomplished by this one-liner:

Disable:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.kdcmond.plist
Enable:
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.kdcmond.plist
Note that the -w flag records the change in the plist file itself, so a future Apple update that replaces the file may undo it.

Tuesday, April 5, 2011

Mac OS X VPN and L2TP for Android / iPhone and iPad devices (or other L2TP clients)

From: http://blog.theilluminatedengineer.com/?p=136
--- Ugh. The link to the original is good, I'll use it as long as it's there, but I put this here to keep it just in case the other guy's site goes down. Good article, props to the author... I got mine working.

Step 1: An Introduction

There are lots and lots of different types of VPN setup and I honestly don’t understand how most of them work. I do know that we will be using the L2TP protocol.

The phone will need three things to connect to the VPN server on the Mac: a user name, a password and a shared secret. The user name and password correspond to an account on the local computer. The shared secret is a code known only to the server and client and is used to secure the connection.

We're going to do a lot of tasks on the command line as the root user, so start up the OSX Terminal and enter the command:

$ sudo -s

and give it your password when it asks.

Step 2: Store a secret key in the OSX Key Chain

The shared key will be stored in the OSX Key Chain; this puts it somewhere secure rather than in plain text where it can be seen by anyone with access to the box.

Ideally the shared key should be complex and hard to guess. Personally I use a 64 character random hexadecimal key from https://www.grc.com/passwords.htm but you may want to use something a little less awkward to type in.

To store this run the command:
$ sudo security add-generic-password -a com.apple.ppp.l2tp \
-s com.apple.net.racoon -T /usr/sbin/racoon -p "shared key" \
/Library/Keychains/System.keychain
Replace “shared key” with whatever shared key you picked above.

The VPN server has two parts. The actual server is called vpnd, but there is a second task called racoon. Racoon is, I believe, responsible for setting up the initial connection and handling the security. The “-T” option in the above command gives racoon permission to access the keychain and read the value.

Step 3: Configure the VPND service

VPND takes its configuration from a standard plist configuration file. Start up vi (or the editor of your choice) and edit the file:

/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
The file content should be:

{
    ActiveServers = ("com.apple.ppp.l2tp");
    Servers = {
        "com.apple.ppp.l2tp" = {
            Addresses = ("XXX.XXX.XXX.XXX");
            DNS = {OfferedSearchDomains = (); OfferedServerAddresses = (); };
            IPv4 = {
                ConfigMethod = Manual;
                DestAddressRanges = ("YYY.YYY.YYY.YYY", "ZZZ.ZZZ.ZZZ.ZZZ");
                OfferedRouteAddresses = ();
                OfferedRouteMasks = ();
                OfferedRouteTypes = ();
            };
            Interface = {SubType = L2TP; Type = PPP; };
            L2TP = {
                IPSecSharedSecret = "com.apple.ppp.l2tp";
                IPSecSharedSecretEncryption = Keychain;
                Transport = IPSec;
            };
            PPP = {
                AuthenticatorPlugins = (DSAuth);
                AuthenticatorProtocol = (MSCHAP2);
                IPCPCompressionVJ = 0;
                LCPEchoEnabled = 1;
                LCPEchoFailure = 5;
                LCPEchoInterval = 60;
                VerboseLogging = 1;
                DSACLEnabled = 1;
                Logfile = "/var/log/ppp/vpnd.log";
            };
            Server = {
                Logfile = "/var/log/ppp/vpnd.log";
                MaximumSessions = 128;
                VerboseLogging = 1;
            };
        };
    };
}
There are three values above that you need to set for your own network:

Set the value marked XXX.XXX.XXX.XXX to the IP address of the server. If you have more than one network interface, set it to the one you want the server to listen on (e.g. 192.168.2.10).
The values YYY.YYY.YYY.YYY and ZZZ.ZZZ.ZZZ.ZZZ indicate the range of IP addresses the VPN server should assign to clients when they connect. Make sure this range isn't in use by any other computers or DHCP servers and that it's big enough for the number of clients you want to connect (e.g. 192.168.2.100 and 192.168.2.120).
It's important the file has the correct permissions:

chown root:admin \
/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
chmod u+w,a+r,a-x \
/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
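As an added check (not part of the original article), the script below validates the two address values you set above against their neighbours on the LAN. The DHCP pool and the /24 subnet mask are constructed assumptions; the pool and MaximumSessions come from the plist above, and the output shows that with this pool the pool size, not MaximumSessions, is the real cap on concurrent clients.

```python
import ipaddress

# Constructed example values (not from the original article): the server
# listens on 192.168.2.10 and the client pool is the article's 192.168.2.100-120;
# the DHCP range and the /24 subnet mask are assumptions for the check.
SERVER_ADDRESS = "192.168.2.10"
CLIENT_POOL = ("192.168.2.100", "192.168.2.120")  # DestAddressRanges
DHCP_POOL = ("192.168.2.50", "192.168.2.99")      # assumed router DHCP pool
LAN = "192.168.2.0/24"                             # assumed subnet
MAXIMUM_SESSIONS = 128                             # Server.MaximumSessions

def address_range(first, last):
    """Set of addresses from first to last inclusive (a DestAddressRanges pair)."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError("range end %s precedes start %s" % (last, first))
    return {ipaddress.ip_address(n) for n in range(int(a), int(b) + 1)}

def check_client_pool(server, pool, dhcp, lan, max_sessions):
    """Return a list of problems with the client pool; empty means it looks sane."""
    problems = []
    network = ipaddress.ip_network(lan)
    server_ip = ipaddress.ip_address(server)
    clients = address_range(*pool)
    leased = address_range(*dhcp)
    if server_ip in clients:
        problems.append("pool contains the server's own address %s" % server)
    outside = sorted(str(ip) for ip in clients if ip not in network)
    if outside:
        problems.append("pool addresses outside %s: %s" % (lan, ", ".join(outside)))
    overlap = sorted(str(ip) for ip in clients & leased)
    if overlap:
        problems.append("pool overlaps the DHCP range at %s" % ", ".join(overlap))
    if len(clients) < max_sessions:
        problems.append("pool has %d addresses but MaximumSessions is %d; "
                        "the pool size is the real limit" % (len(clients), max_sessions))
    return problems

def effective_session_cap(pool, max_sessions):
    """vpnd needs one pool address per session, so the smaller figure wins."""
    return min(len(address_range(*pool)), max_sessions)

if __name__ == "__main__":
    for problem in check_client_pool(SERVER_ADDRESS, CLIENT_POOL, DHCP_POOL, LAN, MAXIMUM_SESSIONS):
        print("WARNING:", problem)
    print("effective concurrent clients:", effective_session_cap(CLIENT_POOL, MAXIMUM_SESSIONS))
```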
Step 4: Set up launchd to start the vpnd service at startup

We need to make sure the vpnd server starts up each time we restart the computer, doing it manually would get boring quickly.

Starting boot tasks is handled on OSX by the launchd service. Create a new plist file using vi (or your editor of choice) at:

/System/Library/LaunchDaemons/com.apple.ppp.l2tp.plist
Put in the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.ppp.l2tp</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/vpnd</string>
        <string>-x</string>
        <string>-i</string>
        <string>com.apple.ppp.l2tp</string>
    </array>
    <key>OnDemand</key>
    <!-- the boolean was lost when the page was copied; false matches the intent of starting vpnd at boot -->
    <false/>
</dict>
</plist>

It's important the file has the correct permissions (launchd daemons must be owned by root and group wheel; the original command passed only "wheel", which chown rejects as a user name):

chown root:wheel /System/Library/LaunchDaemons/com.apple.ppp.l2tp.plist
chmod u+w,a+r,a-x /System/Library/LaunchDaemons/com.apple.ppp.l2tp.plist
There are two ways to get this file read in and the server started. You can reboot your computer or you can issue the following command:

launchctl load /System/Library/LaunchDaemons/com.apple.ppp.l2tp.plist
You should now have a running vpnd fully configured and ready to connect to. We can check this by examining the log files:

tail -f /var/log/ppp/vpnd.log
This file should contain lines of the form:

2010-05-26 01:38:10 BST Listening for connections...
If it doesn't, you're going to need to start doing some debugging. Check the contents of /var/log/ppp/vpnd.log or /var/log/system.log for useful messages. The comments on the Mac OSX Hints page have a lot of useful information on things that could go wrong.

Step 5: Configure the Firewall

Make sure that your firewall / router is configured to forward UDP on ports 500, 1701 and 4500 to the server box.

There are so many different routers out there that you’ll need to go read the manual or search online for how to setup your specific brand.

Step 6: Configure the iPhone

If everything above went well you should now have a fully running and secured VPN server that can be accessed from any place on the internet.

To set your iPhone up to use the server go through the following steps:

Open the Settings app
Select “General” > “Network” > “VPN”
Add a new VPN configuration
Set the VPN type to L2TP
Configure the following settings:
Description: Anything you want
Server: The IP Address of your server (This is the public address given to you by your internet provider. Depending on your provider this address may change frequently. I recommend setting up a dns alias account with http://www.dyndns.com/ to make this step easier and more robust)
Account: The user name of an account on the server (this can be the one you normally log in as)
RSA SecurID: Off
Password: The password for the account you set above
Secret: The shared secret you picked above (enjoy typing in the 64 character hex key if you used it. It’s worth it!)
Send All Traffic: Yes
Turn the VPN connection on via the switch at the top of the “General” > “Network” > “VPN” page. A switch also appears near the top of the launch screen of the settings application
Once you're connected you should see a blue “VPN” icon in the bar at the top of the iPhone screen
Some of these settings could use going over in more detail. The VPN connection uses two levels of protection. The first is a user name and password that can be used to log on to the server machine; you can use your normal user account or create a new one with fewer permissions. The second is the shared key, which wraps up the entire communication. The longer and more complex your shared key is, the harder it will be to break.

The “Send All Traffic” option tells the iPhone to send all traffic over the VPN connection, not just traffic directed at the VPN server. You want this on, as it protects all of your traffic to any site by encrypting it and sending it to your VPN server before it then makes it out on to the internet. This makes it almost impossible for someone to monitor what you're doing when you're on a public Wi-Fi or using 3G. It also has the effect of making your public IP address appear to be that of your home internet connection; in theory this lets you use UK-restricted web sites when you're out of the country (iPlayer etc.), but it may not work if the site uses more than just IP to determine where you are.

If you have any problems check the /var/log/ppp/vpnd.log or /var/log/system.log files for useful messages. The comments on the Mac OSX Hints page have a lot of useful information on things that could go wrong (keep an eye out for the dreaded MD5CHAP error that seemed to plague people on older versions of OSX, though I didn’t see it on 10.6).

Hopefully that’s you now up and running.

Thursday, March 3, 2011

grep, od, and dos2unix - Need to fix some crappy files that won't grep?

Recently I had to write a program to extract about 2500 passwords from a Novell eDirectory. That was all well and good, until I sent said output file to a user who mangled the format on a Windows machine. The user opened it in Excel or Notepad (or something...who knows...) and then worked with it, and sent it back to me to pull the users they'd left in the file out of the Novell eDirectory.

Well, that file wasn't in a format grep liked. How long did it take me to figure that out...quite a while, because there's nothing that looks different about the file to the naked eye (or naked editor).

After googling and feeling very greptarded, I came upon the solution. I identified that the file I previously had and the file I received back had different octal values (man od) - I then used dos2unix to reconvert the file to a format grep would work with... grep really didn't like grepping on the improperly formatted file. Very strange... Simple magic... it worked, and the day was saved.
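An added Python illustration (not the original post's code) of what od revealed and why grep misbehaved: the constructed DOS_FILE differs from UNIX_FILE only by a carriage return before each newline, and a whole-line match like grep -x treats that invisible 0x0d as part of the line, so the pattern never matches until the file is converted back.

```python
import re

# Constructed sample: the same two-line export, once as written on the UNIX
# box (LF endings) and once after a round trip through a Windows editor
# (CRLF endings). The bytes are identical apart from the 0x0d before each 0x0a.
UNIX_FILE = b"jsmith:s3cret\nadoe:hunter2\n"
DOS_FILE = b"jsmith:s3cret\r\nadoe:hunter2\r\n"

def od_style(data):
    """Render bytes the way `od -c` does: printable chars as-is, \\r and \\n spelled out."""
    escapes = {0x0A: "\\n", 0x0D: "\\r", 0x09: "\\t"}
    return " ".join(escapes.get(b, chr(b) if 32 <= b < 127 else "%03o" % b) for b in data)

def line_ending_report(data):
    """Count CRLF, bare LF and bare CR terminators, the quick audit od lets you do by eye."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf,
            "lf": data.count(b"\n") - crlf,
            "cr": data.count(b"\r") - crlf}

def dos2unix(data):
    """The conversion dos2unix performs: every CRLF becomes a bare LF."""
    return data.replace(b"\r\n", b"\n")

def grep_x(pattern, data):
    """Emulate `grep -x`: whole-line match, so a trailing \\r makes the line not match."""
    return [line for line in data.decode("latin-1").split("\n")
            if re.fullmatch(pattern, line)]

if __name__ == "__main__":
    print(od_style(DOS_FILE))
    print(line_ending_report(DOS_FILE))
    print(grep_x("adoe:hunter2", DOS_FILE))            # [] : the \r defeats the match
    print(grep_x("adoe:hunter2", dos2unix(DOS_FILE)))  # ['adoe:hunter2']
```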

Aside from that, Novell, Netware, and eDirectory are crap. Unfortunately the place I work is still utilizing several servers that run it. Everything else is switched to Microsoft Windows and Active Directory (and my division which runs UNIX (HP-UX and RHEL))