6 Replies Latest reply: Nov 28, 2013 6:12 PM by sudont
sudont, Level 1 (Mac OS X)

Hi!

A strange thing happened this morning. I was looking at a video on YouTube, (Hebrew Hammer trailer!), when Little Snitch alerted me to an incoming connection on port 88, trying to connect to krb5kdc. I did a whois on the IP address, and it indicated that it originated with a Chinese ISP. So, being the paranoid sort, I went back to Little Snitch and hit "Deny Forever." Instantly, the translucent curtain dropped, my computer was frozen, and I was advised in four languages to do a hard reboot. This is the first time my five-year-old computer ever froze or crashed.

So, once I repaired the HD and got back up, I took a look at the logs:


11/28/13 11:49:55 AM Firewall[80] Allow krb5kdc connecting from 202.206.242.98:63793 to port 88 proto=6


There's nothing in any of the Little Snitch logs near this timestamp, and nothing at all in its spindump log. If Little Snitch caused the crash, shouldn't there be something there? Also, the krb5kdc log is completely empty.

Perhaps I don't know where to look, but I can't figure out what caused the crash/freeze. I know krb5kdc has to do with Kerberos authentication, but don't really understand how it's used, or why. How was the connection allowed, when I tried to deny it? Shouldn't the system's firewall automatically deny incoming connections, unless specifically authorized? Why would someone be trying to connect to my IP on port 88? There are a couple of known exploits involving port 88, but I have no idea how that stuff works. I guess the thing I ultimately want to know is, should I be paranoid and suspicious about all this? If so, what steps should I take?


OS 10.6.8

connected via VPN (iPredator)


Not sure what other info would be helpful, but happy to supply it on request.


MacBook, Mac OS X (10.6.8), Matching white Peterbilt 386
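The one hard fact in the post is the firewall log line, and the question of where to look next is a good one. The script below is an added example for this thread, not code from Apple, Little Snitch or any of the posters. It parses application-firewall lines in the format quoted above and separates the two things worth reading first: anything an outside address was allowed to reach (behind a NAT router that should not happen at all, and a VPN tunnel that bypasses the router is the usual path), and repeated denied probes against well-known services. The first sample line is the one from the post; the other sample lines are constructed and use RFC 5737 documentation addresses in place of real Internet hosts, and the SENSITIVE_PORTS table is an assumption about which listeners matter on a laptop, not a list from the OS.

```python
"""Triage of OS X application-firewall (Firewall[pid] Allow/Deny ...) log lines.

Added example for this thread, not code from Apple, Little Snitch or any poster.
SAMPLE_LOG: first line is the one quoted in the question, the rest are constructed.
SENSITIVE_PORTS is an assumed table, not anything the OS ships.
"""
import ipaddress
import re
from collections import Counter

# "Firewall[80] Allow krb5kdc connecting from 202.206.242.98:63793 to port 88 proto=6"
# (the space after "]" is optional: Console output sometimes runs the fields together)
LINE_RE = re.compile(
    r"Firewall\[(?P<pid>\d+)\]:?\s*(?P<verdict>Allow|Deny)\s+(?P<proc>\S+)\s+"
    r"connecting\s+from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"to\s+port\s+(?P<dport>\d+)\s+proto=(?P<proto>\d+)"
)

# Assumed table of services worth a second look when an outside host aims at them.
SENSITIVE_PORTS = {22: "ssh", 88: "kerberos-kdc", 445: "smb", 548: "afp",
                   3283: "ard", 5900: "vnc"}

# Addresses that can only come from the LAN or the box itself.  Deliberately not
# ipaddress.is_private, which also treats the RFC 5737 test ranges as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def parse_line(line):
    """Return the event fields as a dict, or None for lines that are not firewall events."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("pid", "sport", "dport", "proto"):
        ev[k] = int(ev[k])
    ev["proto"] = {6: "tcp", 17: "udp"}.get(ev["proto"], str(ev["proto"]))
    return ev


def is_external(ip):
    """True when the source is not LAN, loopback or link-local, i.e. it reached us from outside."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def triage(log_text):
    """Return (findings, probes): events worth reading, and a per-source hit count."""
    findings = []
    probes = Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        if ev is None or not is_external(ev["src"]):
            continue  # LAN/loopback traffic is not what this hunts for
        probes[ev["src"]] += 1
        service = SENSITIVE_PORTS.get(ev["dport"])
        base = {"line": lineno, "src": ev["src"], "dport": ev["dport"],
                "proto": ev["proto"], "proc": ev["proc"], "service": service}
        if ev["verdict"] == "Allow":
            # An outside host reached a listener.  Behind a NAT router that should not
            # happen at all; a tunnel that bypasses the router (the VPN) is the usual path.
            findings.append(dict(base, severity="high",
                                 reason="outside host was allowed to reach a listener"))
        elif service:
            findings.append(dict(base, severity="medium",
                                 reason="denied probe against %s" % service))
    return findings, probes


def report(log_text):
    """Human-readable lines, highest severity first, then the noisiest sources."""
    findings, probes = triage(log_text)
    order = {"high": 0, "medium": 1}
    out = ["%-6s line %d: %s -> %s/%d (%s, %s): %s" % (
               f["severity"], f["line"], f["src"], f["proto"], f["dport"],
               f["proc"], f["service"] or "unlisted", f["reason"])
           for f in sorted(findings, key=lambda f: (order[f["severity"]], f["line"]))]
    out += ["%s hit us %d time(s)" % (src, n) for src, n in probes.most_common()]
    return out


# First line: the one posted above.  The rest are constructed for this example.
SAMPLE_LOG = """\
11/28/13 11:49:55 AM Firewall[80] Allow krb5kdc connecting from 202.206.242.98:63793 to port 88 proto=6
11/28/13 11:50:02 AM Firewall[80] Deny sshd connecting from 203.0.113.7:51200 to port 22 proto=6
11/28/13 11:50:02 AM Firewall[80] Deny smbd connecting from 203.0.113.7:51201 to port 445 proto=6
11/28/13 11:51:10 AM Firewall[80] Allow Skype connecting from 192.168.1.20:60011 to port 39781 proto=17
11/28/13 11:52:41 AM Firewall[80] Allow cupsd connecting from 198.51.100.23:44321 to port 631 proto=6
11/28/13 11:53:00 AM kernel[0]: unrelated line that must be ignored
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On a 10.6 box the lines come from Console.app's system log (or `grep Firewall /var/log/appfirewall.log`); pipe the saved text into `report()`. The LAN Skype line produces no finding on purpose: the point is to surface what arrived from outside, and the posted krb5kdc line ranks first because it was an Allow, not because port 88 is in the table.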
Solved by MrHoffman on Nov 28, 2013 5:44 PM

You're on the Internet. Your system will get probed. Frequently. If you're going to stay connected to the 'net, there's comparatively little you can do but keep your software current, and ignore it.

Apple usually only provides fixes for the current and previous version, and security fixes for some older releases. I wouldn't expect to see much other than critical security updates for 10.6, and it wouldn't surprise me to see those end.

Details on the firewall implementation and configuration vary by OS X version; 10.6 Snow Leopard Firewall, 10.9 Mavericks Firewall. 10.9 also uses pfctl; ipfw is no longer used. On Mavericks, launch Terminal.app and use man pfctl for details.

Easiest fix? Stop using that VPN. Since discontinuing the VPN is probably not going to happen here, whatever the destination of that VPN connection is probably getting probed, and your VPN client apparently isn't firewalling that activity, or isn't configured to firewall it. I don't know the specifics of how (or if) that VPN client can be configured to firewall traffic on the remote network; most VPNs are intended to connect into a trusted network, and that's apparently not what you're doing here. If not (or in addition), see if you can get a VPN connection into a remote network that's behind a firewall.

Kerberos is a key part of OS X distributed authentication on a network. It's central to how you can access multiple (usually local) systems without having to enter a login and password on each one. Now I wouldn't expect to see a KDC running on your Mac, so I'm wondering if Little Snitch grabbed the incoming connection and told you about it, even though you might not be running a KDC.

All logs are available via Console.app.

There's not all that much information on panics and coredumps, but here's a technote. A crash isn't easy to read; I wouldn't expect to find much of that to be understandable, assuming the coredump is even still around. On 10.6, IIRC, the core dumps went into the /core directory.

If you want best practices for security, there are some older Apple Security Guides, and the US National Security Agency (NSA) has suggestions.
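The actionable part of that answer is that the VPN client isn't firewalling the tunnel. The firewall sudont sees in System Preferences is the application firewall: it decides per application, and knows nothing about which interface a packet arrived on, so a listener it allows is reachable from the tunnel exactly as it is from the LAN. An interface-level default-deny belongs in the packet filter. The fragment below is an added example for this thread, not from the posters, Apple or Viscosity; it is written for pf (10.7 and later, which is what MrHoffman's pfctl pointer refers to) and assumes the tunnel shows up as utun0 and the LAN as en0 with 192.168.1.0/24, both of which have to be checked against ifconfig before loading it.

```pf
# Added example pf.conf fragment; not from the thread.  Interface names
# (utun0 = VPN tunnel, en0 = LAN) and the 192.168.1.0/24 LAN are assumptions.

# Weak: the tunnel with no filtering of its own.  Every listener on the Mac,
# krb5kdc on 88 included, is reachable by whatever the VPN exit forwards in.
#   pass in on utun0 all

# Hardened: default-deny inbound, with the tunnel closed outright.
set skip on lo0
block in log all                          # no listener is reachable unless a pass below says so
block in log quick on utun0 all           # the VPN tunnel: nothing inbound, ever; logged to pflog0
pass out all keep state                   # our own connections (and their replies) still work
pass in on en0 proto tcp from 192.168.1.0/24 to any port { 548, 3283 }   # LAN-only: AFP, ARD
```

Syntax-check with `sudo pfctl -nf /etc/pf.conf`, load and enable with `sudo pfctl -ef /etc/pf.conf`, and watch what the block rules catch with `sudo tcpdump -n -e -ttt -i pflog0`. On 10.6.8, where the packet filter is still ipfw, the single rule `sudo ipfw add 1000 deny log ip from any to any in via tun0` (again assuming the tunnel's interface name) does the same job of closing the tunnel to inbound traffic.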

Reply by MrHoffman on Nov 28, 2013 11:21 AM

Raise your client firewall, ensure you're at the current version of Little Snitch (or remove it) and of iVPN, and also upgrade off of 10.6.8 to something more current.

The KDC is a normal part of Kerberos authentication.

I doubt the remote access was tied to the crash, and would initially investigate whether Little Snitch itself was the trigger, or somehow connected to the crash.

As for explicitly determining the trigger, somebody would have to rummage through the crash to see if there's a particular component that's implicated, but that can be a fair chunk of work.

If the attempted Kerberos connection arrived via the VPN — if you're VPN'ing to another open site and not into a trusted, closed network — then that could well be the path the connection arrived by, assuming you do have the local firewall raised.

IP probes are already endemic, and the frequency of those scans will only increase. It now takes ~3 minutes to scan the entire IPv4 address space given a sufficiently large network connection, and various folks now perform those scans.

Reply by Linc Davis on Nov 28, 2013 11:19 AM

Someone on the VPN is trying to attack you. Public VPN services don't necessarily make you any safer, and they may have the opposite effect, as in this case.

All replies


  • sudont, Level 1 (Mac OS X)

    MrHoffman wrote:


    Raise your client firewall, ensure you're at the current Little Snitch (or remove it) and of iVPN, and also upgrade off of 10.6.8 to something more current.


    What do you mean by "raise your client firewall?" The firewall is on, of course, and I can see which applications are allowed incoming connections in System Preferences, although "ipfw list" only shows me two rules. They changed the way you access the ruleset some time ago, and I no longer know how to do it. Is Apple even using ipfw as the firewall anymore?
    I'm using Viscosity to connect to the VPN, and that, and Little Snitch are both up to date. As for the OS, it's up to date in terms of security updates, and is likely more suited to this 2009 MacBook than Mavericks.

    The KDC is a normal part of Kerberos authentication.

    Sure, but like I say I really don't know its purpose. Is it used whenever anyone tries to login or connect to my machine?

    I doubt the remote access was tied to the crash, and would initially investigate whether Little Snitch itself was the trigger, or somehow connected to the crash.

    Right. As I said, there is nothing in Little Snitch's crash log. Is it possible that, because of the freeze, no log would've been written? Is there another log I can look at for information on the system crash?

    If the attempted Kerberos connection arrived via the VPN — if you're VPN'ing to another open site and not into a trusted, closed network — then that could well be the path the connection arrived, assuming you do have the local firewall raised.


    IP probes are already endemic, and frequencies of those scans will only increase.  It now takes ~3 minutes to scan the entire IPv4 address space given a sufficiently large network connection, and various folks now perform those scans.

    I think that the VPN is likely the source. I'm using the service to connect to the internet. Since I've begun using it, I was also inundated with connection attempts while using Skype.
    I guess I'm still left with the question of how worried I should be, and what steps, if any, I should take to protect myself.


  • sudont, Level 1 (Mac OS X)

    Linc Davis wrote:


    Someone on the VPN is trying to attack you. Public VPN services don't necessarily make you any safer, and they may have the opposite effect, as in this case.

    I think you're right, it's from the VPN. You'd think you'd be safer. What can you do to try and have a little anonymity and safety?

  • sudont, Level 1 (Mac OS X)

    Well, I wasn't having any connection attempts getting past my NAT router before I started using iPredator. But I guess it kinda bypasses the router. I'm not married to iPredator, just doing a three-day trial, but I would like to use a VPN, or something, to hide my traffic. I didn't know these kinds of problems were associated with them.

    Thanks for the firewall info, too!