A strange thing happened this morning. I was looking at a video on YouTube, (Hebrew Hammer trailer!), when Little Snitch alerted me to an incoming connection on port 88, trying to connect to krb5kdc. I did a whois on the IP address, and it indicated that it originated with a Chinese ISP. So, being the paranoid sort, I went back to Little Snitch and hit "Deny Forever." Instantly, the translucent curtain dropped, my computer was frozen, and I was advised in four languages to do a hard reboot. This is the first time my five-year-old computer ever froze or crashed.
So, once I repaired the HD and got back up, I took a look at the logs:
11/28/13 11:49:55 AM  Firewall  Allow krb5kdc connecting from 220.127.116.11:63793 to port 88 proto=6
There's nothing in any of the Little Snitch logs near this timestamp, and nothing at all in its spindump log. If Little Snitch caused the crash, shouldn't there be something there? Also, the krb5kdc log is completely empty.
Perhaps I don't know where to look, but I can't figure out what caused the crash/freeze. I know krb5kdc has to do with Kerberos authentication, but don't really understand how it's used, or why. How was the connection allowed, when I tried to deny it? Shouldn't the system's firewall automatically deny incoming connections, unless specifically authorized? Why would someone be trying to connect to my IP on port 88? There are a couple of known exploits involving port 88, but I have no idea how that stuff works. I guess the thing I ultimately want to know is, should I be paranoid and suspicious about all this? If so, what steps should I take?
connected via VPN (iPredator)
not sure what other info would be helpful, but happy to supply it on request
You're on the Internet. Your system will get probed. Frequently. If you're going to stay connected to the 'net, there's comparatively little you can do but keep your software current, and ignore it.
Apple usually only provides fixes for the current and previous version, and security fixes for some older releases. I wouldn't expect to see much other than critical security updates for 10.6, and it wouldn't surprise me to see those end.
Details on the firewall implementation configuration vary by OS X version; 10.6 Snow Leopard Firewall, 10.9 Mavericks Firewall. 10.9 also uses pfctl, ipfw is no longer used. On Mavericks, launch Terminal.app and use man pfctl for details.
Easiest fix? Stop using that VPN. Since discontinuing the VPN is probably not going to happen here, whatever the destination of that VPN connection is probably getting probed, and your VPN client apparently isn't firewalling that activity, or isn't configured to firewall it. I don't know the specifics of how (or if) that VPN client can be configured to firewall traffic on the remote network; most VPNs are intended to connect into a trusted network, and that's apparently not what you're doing here. If not (or in addition), see if you can get a VPN connection into a remote network that's behind a firewall.
Kerberos is a key part of OS X distributed authentication on a network. It's central to how you can access multiple (usually local) systems without having to enter a login and password on each one. Now I wouldn't expect to see a KDC running on your Mac, so I'm wondering if Little Snitch grabbed the incoming connection and told you about it, even though you might not be running a KDC.
All logs are available via Console.app.
There's not all that much information on panics and coredumps, but here's a technote. A crash isn't easy to read; I wouldn't expect to find much of that to be understandable, assuming the coredump is even still around. On 10.6, IIRC, the core dumps went into the /core directory.
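As an added triage example (not code from the question or the answer above): a small Python script that parses firewall entries in the Console.app format quoted in the question and flags allowed inbound connections that arrive from a public address and land on a process the machine was not expected to be serving, which is the check the answer's remark about an unexpected KDC points at. The first sample line is the one from the question; the others are constructed, and the list of "unexpected" services is an assumption you would adjust to your own setup.

```python
import re
import ipaddress

# Constructed sample of application-firewall entries as Console.app shows them.
# Line 1 is the entry quoted in the question; lines 2-3 are made up for illustration.
SAMPLE_LOG = """\
11/28/13 11:49:55 AM  Firewall  Allow krb5kdc connecting from 220.127.116.11:63793 to port 88 proto=6
11/28/13 11:50:02 AM  Firewall  Deny krb5kdc connecting from 220.127.116.11:63801 to port 88 proto=6
11/28/13 11:51:10 AM  Firewall  Allow cupsd connecting from 192.168.1.20:49152 to port 631 proto=6
"""

# Field separators may be whitespace or the '|' cell delimiters of a pasted table,
# so the pattern accepts either form.
LINE_RE = re.compile(
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M)[\s|]+Firewall[\s|]+"
    r"(?P<action>Allow|Deny) (?P<proc>\S+) connecting from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to port (?P<dport>\d+) proto=(?P<proto>\d+)"
)

def parse_firewall_log(text):
    """Turn firewall log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("sport", "dport", "proto"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events

def suspicious_inbound(events, unexpected_services=("krb5kdc",)):
    """Return allowed inbound connections worth a closer look: the source is a
    public address (not RFC 1918, not loopback) and the accepting process is one
    this machine was not expected to serve (assumed list, adjust to your setup)."""
    flagged = []
    for ev in events:
        if ev["action"] != "Allow":
            continue
        src = ipaddress.ip_address(ev["src"])
        if src.is_private or src.is_loopback:
            continue
        if ev["proc"] in unexpected_services:
            flagged.append(ev)
    return flagged

if __name__ == "__main__":
    for ev in suspicious_inbound(parse_firewall_log(SAMPLE_LOG)):
        print(f"{ev['ts']}: {ev['proc']} accepted {ev['src']}:{ev['sport']} on port {ev['dport']}")
```

Run it against the lines you copy out of Console.app; an entry it flags tells you which process accepted the connection and from where, which is the starting point for deciding whether that process should be listening at all.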