
OS X Fortress: Firewall and Blackhole for Trackers, Attackers, Malware, Adware, and Spammers

After Apple deprecated the ipfw firewall in favor of PF, I decided to get serious about securing the server from the steady stream of attacks visible on snort and logs. I was also interested in blocking all the known spammers and botnets, and sending all the web trackers into a blackhole, both on the server and for all its clients.


I built a three layer fortress over the kernel, OS, and clients using the excellent BSD pf packet filter and firewall, a hosts file, and proxy.pac file. I use these features:


  • OS X adaptive firewall
  • Adaptive firewall against brute-force attacks
  • IP blocks updated about twice a day from emergingthreats.net (IP blocks, compromised hosts, Malvertisers, RBNs) and dshield.org’s top-20
  • Host blocks updated about twice a day from hphosts.net
  • Special proxy.pac host blacklisting from hostsfile.org


snort and other detections have fallen to a fraction with a few simple blocking actions. There are no ads, all common web tracking technology is decapitated, and you have common sense blocks of Russian business networks, Chinese backbone attackers, and plenty more. PF cleans up and normalizes the network stream appearing on the OS, yielding a more efficient and reliable LAN. You can use the server as a web proxy, providing the same protection from trackers etc. to LAN and VPN clients on the server itself.


I’ve attached the necessary setup commands and plist files. You’ll also need a macports packages wget, gnupg, and p7zip. Here are the setup instructions and brief description of the contents for your own personal modifications. The setup is flexible enough to proxy through your own squid proxy or ratelimit access to specific sites. The updates all use wget -N, which saves everyone’s bandwidth because it only downloads files with newer timestamps.


Here’s a brief description of the ten files — modify for your own situation.


# PF


  • pf.conf — PF configuration written for en0 interface.
  • net.openbsd.pf.plist — Enables the PF firewall at boot.
  • net.openbsd.pf.brutexpire.plist — Flushes two week old bruteforce IP table blocks, every day.
  • net.emergingthreats.blockips.plist — Update check of emergingthreats.net IP blocks, once a day
  • net.dshield.block.plist — Update check of dshield.org’s top-20 bad IPs, every four hours


# /etc/hosts


  • net.hphosts.hosts.plist — Update check of hphost’s host lists, full and partial, once a day
  • whitelist.txt — Any hosts in here are deleted from the /etc/hosts blackhole. You need to specify FQDNs AND TLDs in /etc/hosts, i.e. no wildcards.
  • blacklist.txt — Hosts in here are prepended to the /etc/hosts blackhole. Entries are of the form “127.0.0.1 hostname.domain.net”.

    To whitelist or blacklist a site, add it to the .txt file, then relaunch the hphost’s plist, which will regenerate /etc/hosts, flush the DNS cache, and reconfigure a squid proxy if running:
    sudo launchctl unload -w /Library/LaunchDaemons/net.hphosts.hosts.plist ; sudo launchctl load -w /Library/LaunchDaemons/net.hphosts.hosts.plist


# proxy.pac


  • net.securemecca.pac.plist — Update check of proxy.pac that blackholes bad hostnames, every two days. Creates a /Library/WebServer/Documents/proxy.pac file based on hostsfile.org’s “King of the PAC,” good hosts are passed through your own JS function FindProxyForURL(). Default use with Safari, OS X clients with System Preferences>Network>Advanced…>Proxies>Automatic Proxy Configuration>http://localhost/proxy.pac.
  • proxy.pac.orig — A “vanilla” proxy.pac file that sets FindProxyForURL() to return DIRECT.


# delete flash cookies


  • org.opensource.flashcookiedelete.plist — Delete all Flash Cookies every two hours, except for those created by Macromedia settings, https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html


Finally, at the browser level, you can install these Safari add-ons from http://fixtracking.com: DoNotTrackMe, DuckDuckGo, Adblock, Safari Javascript Blocker.


To turn on OS X Server's adaptive firewall, do this:


sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serverctl enable service=com.apple.afctl

sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f


And here are the setup instructions for OS X. For OS X Server, use DNS to create a private domain such as proxy.domainname.private, then put the proxy.pac.orig file in the directory /Library/Server/Web/Data/Sites/CustomSitesDefault/proxy.pac.orig


# setup

sudo port install wget gnupg p7zip

sudo /usr/bin/cpan Data::Validate::IP

su -

/opt/local/bin/gpg --recv-keys CC37BF7D 155DA479 C83946F0

exit

sudo cp /etc/hosts /etc/hosts.orig

sudo cp /Library/WebServer/Documents/proxy.pac /Library/WebServer/Documents/proxy.pac.orig


# install the files

sudo install -b -B orig pf.conf /etc

sudo install -m 644 net.openbsd.pf.plist /Library/LaunchDaemons

sudo install -m 644 net.openbsd.pf.brutexpire.plist /Library/LaunchDaemons

sudo install -m 644 net.emergingthreats.blockips.plist /Library/LaunchDaemons

sudo install -m 644 net.dshield.block.plist /Library/LaunchDaemons

sudo install -m 644 net.hphosts.hosts.plist /Library/LaunchDaemons

sudo install -m 644 net.securemecca.pac.plist /Library/LaunchDaemons

install -m 644 org.opensource.flashcookiedelete.plist ~/Library/LaunchAgents

sudo mkdir -p /usr/local/etc

sudo install -m 644 whitelist.txt /usr/local/etc

sudo install -m 644 blacklist.txt /usr/local/etc


# daemons

sudo launchctl load -w /Library/LaunchDaemons/net.openbsd.pf.plist

sudo launchctl load -w /Library/LaunchDaemons/net.openbsd.pf.brutexpire.plist

sudo launchctl load -w /Library/LaunchDaemons/net.emergingthreats.blockips.plist

sudo launchctl load -w /Library/LaunchDaemons/net.dshield.block.plist

sudo launchctl load -w /Library/LaunchDaemons/net.hphosts.hosts.plist

sudo launchctl load -w /Library/LaunchDaemons/net.securemecca.pac.plist


launchctl load ~/Library/LaunchAgents/org.opensource.flashcookiedelete.plist


# Launch the OS X web server for the proxy.pac file (OS X, not OS X Server)

sudo apachectl start


Here are the files. Use plutil -lint file.plist to find any cut-and-paste errors.


# PF


pf.conf


#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#

# Hardcoded IPs
#mydomain_com = "x.x.x.x"
# $vpn_net == tun0/24 when Tunnelblick creates tun0
vpn_net = "10.8.0/24" # tun0 interface doesn't exist at boot time

# References for modifications:
# The Book of PF by Peter N.M. Hansteen, p. 21
# http://ikawnoclast.com/security/mac-os-x-pf-firewall-avoiding-known-bad-guys/
# http://support.apple.com/kb/HT5519?viewlocale=en_US&locale=en_US
# http://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/
# http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/

# Options
set block-policy return
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0

# Normalization
# Scrub incoming packets
scrub in all no-df

#
# com.apple anchor point
#
scrub-anchor "com.apple/*"

# Queueing

# Translation

# OpenVPN Server NAT
#
# The Book of PF, p. 21
int_if = "en0"
# tun_if = "tun0" # tun0 doesn't exist at boot time
nat on $int_if inet from { $vpn_net $int_if:network } to any -> ($int_if)

nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

# Filtering

# Pass by default
pass all

# Antispoof
# This breaks ping, DNS on OS X Server
#antispoof log quick for { lo0 $int_if } inet

# Block to/from illegal destinations or sources
block drop in log quick from no-route to any
block drop in log quick from urpf-failed to any
# This is observed on OS X
#block drop in log quick on $int_if from any to 255.255.255.255

# Local net
pass quick from { lo0 $int_if } to any

# Whitelist
#table <whitelist> const { $mydomain_com }
#pass in quick from <whitelist>

# Block brute force attacks
table <bruteforce> persist
block drop log quick from <bruteforce>

# Emerging Threats Open Source, http://rules.emergingthreats.net/fwrules/

# http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
table <emerging_threats> persist file "/usr/local/etc/emerging-Block-IPs.txt"
block drop log quick from <emerging_threats> to any

# http://rules.emergingthreats.net/blockrules/compromised-ips.txt
table <compromised_ips> persist file "/usr/local/etc/compromised-ips.txt"
block drop log quick from <compromised_ips> to any

# http://rules.emergingthreats.net/blockrules/rbn-ips.txt
table <rbn_ips> persist file "/usr/local/etc/rbn-ips.txt"
block drop log quick from <rbn_ips> to any

# http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
table <rbn_malvertisers_ips> persist file "/usr/local/etc/rbn-malvertisers-ips.txt"
block drop log quick from <rbn_malvertisers_ips> to any

# dshield.org block list
table <dshield_block_ip> persist file "/usr/local/etc/dshield_block_ip.txt"
block drop log quick from <dshield_block_ip> to any

# ICMP
icmp_types = "echoreq"
pass inet proto icmp from $int_if:network to any icmp-type $icmp_types
pass inet proto icmp from any to $int_if icmp-type $icmp_types

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $int_if inet proto udp from any to any port 33433 >< 33626

# Allow critical system traffic
pass in quick inet proto udp from port bootps to port bootpc
pass out quick inet proto udp from port bootpc to port bootps

# LAN services: block access, except from localnet
lan_udp_services = "{ domain, 5001, postgresql }"
lan_tcp_services = "{ domain, auth, nntp, www, \
    311, 3128, 5001, 5900:5909, privoxy, postgresql, \
    8123 }"
block in proto tcp from any to { lo0 $int_if } port $lan_tcp_services
block in proto udp from any to { lo0 $int_if } port $lan_udp_services
pass in quick inet proto udp from { lo0 $vpn_net $int_if:network } to { lo0 $int_if } port $lan_udp_services
pass in quick inet proto tcp from { lo0 $vpn_net $int_if:network } to { lo0 $int_if } port $lan_tcp_services

# Internet services
internet_udp_services = "{ https, 500, openvpn, \
    1701, 4500, 5060, 5190, 5297, 5298, 5678 }"
internet_tcp_services = "{ 995, 1640, 1723, 2195, \
    2196, 4190, 5218, 5223, 5190, 5220, 5222, 5298, \
    8008, 8443, 8800, 8843 }"
pass in proto udp from any to { lo0 $int_if } port $internet_udp_services
pass in proto tcp from any to { lo0 $int_if } port $internet_tcp_services
# ssh really restrictive
pass in inet proto tcp from any to { lo0 $int_if } port ssh \
    keep state (max-src-conn 5, max-src-conn-rate 5/2, \
    overload <bruteforce> flush global)
# web, mail more restrictive
pass in inet proto tcp from any to { lo0 $int_if } \
    port { smtp, https, imap, submission, imaps, eyetv } \
    keep state (max-src-nodes 50, max-src-conn 200, max-src-conn-rate 100/10, \
    overload <bruteforce> flush global)



net.openbsd.pf.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.openbsd.pf.plist</string>

<key>Program</key>

<string>/sbin/pfctl</string>

<key>ProgramArguments</key>

<array>

<string>/sbin/pfctl</string>

<string>-e</string>

<string>-f</string>

<string>/etc/pf.conf</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>ServiceDescription</key>

<string>OpenBSD Packet Filter (pf)</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>



net.openbsd.pf.brutexpire.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.openbsd.pf.brutexpire.plist</string>

<key>Program</key>

<string>/sbin/pfctl</string>

<key>ProgramArguments</key>

<array>

<string>/sbin/pfctl</string>

<string>-t</string>

<string>bruteforce</string>

<string>-T</string>

<string>expire</string>

<string>604800</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>86400</integer>

<key>ServiceDescription</key>

<string>OpenBSD Packet Filter bruteforce table expiration</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>



net.emergingthreats.blockips.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.emergingthreats.blockips.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/blockrules/compromised-ips.txt ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/blockrules/rbn-ips.txt ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt ; /sbin/pfctl -f /etc/pf.conf</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>86400</integer>

<key>ServiceDescription</key>

<string>Emerging Threats PF Update</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>



net.dshield.block.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.dshield.block.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; /opt/local/bin/wget -N -P /usr/local/etc http://www.dshield.org/block.txt &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://www.dshield.org/block.txt.asc &amp;&amp; /opt/local/bin/gpg --verify /usr/local/etc/block.txt.asc /usr/local/etc/block.txt &amp;&amp; /usr/bin/perl -ane &apos;use POSIX; use Data::Validate::IP; my $vip=Data::Validate::IP-&gt;new; if (/^\w*#/) { print; } elsif ($vip-&gt;is_ipv4($F[0]) &amp; $vip-&gt;is_ipv4($F[1]) &amp; isdigit($F[2]) &amp; (0&lt;= $F[2] &amp; $F[2]&lt;=32)) { print $F[0], &quot;/&quot;, $F[2], &quot;\n&quot;; }&apos; /usr/local/etc/block.txt &gt; /tmp/dshield_block_ip.txt &amp;&amp; /usr/bin/install -m 644 -g admin -S /tmp/dshield_block_ip.txt /usr/local/etc/dshield_block_ip.txt ; /bin/rm -f /tmp/dshield_block_ip.txt ; /sbin/pfctl -f /etc/pf.conf</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>14400</integer>

<key>ServiceDescription</key>

<string>dshield.org top 20 block list</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>



# /etc/hosts


net.hphosts.hosts.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.hphosts.hosts.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; ( /bin/test -f /etc/hosts.orig || /usr/bin/install -m 644 -S /etc/hosts /etc/hosts.orig ) &amp;&amp; /bin/cp /etc/hosts.orig /tmp/hosts &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/download/hosts.zip &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/hphosts-partial.asp &amp;&amp; /usr/bin/unzip -o /usr/local/etc/hosts.zip -d /tmp/hphosts &amp;&amp; /opt/local/bin/gpg --verify /tmp/hphosts/hosts.txt.sig /tmp/hphosts/hosts.txt &amp;&amp; ( /bin/test -f /usr/local/etc/whitelist.txt || /usr/bin/printf &apos;\n# whitelisted hosts (FQDN and DN) will be deleted from hphost&apos;&quot;&apos;&quot;&apos;s host.zip\n#\n&apos; &gt; /usr/local/etc/whitelist.txt ) &amp;&amp; /usr/bin/printf &apos;\n# hpHosts hosts.txt from http://hosts-file.net/download/hosts.zip:\n' &gt; /tmp/hosts-block.txt &amp;&amp; /bin/cat /tmp/hphosts/hosts.txt | tr -d &apos;\015&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; /usr/bin/printf &apos;\n# hpHosts hphosts-partial.asp from http://hosts-file.net/hphosts-partial.asp:\n' &gt;&gt; /tmp/hosts-block.txt &amp;&amp; /bin/cat /usr/local/etc/hphosts-partial.asp | tr -d &apos;\015&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; ( /bin/test -f /usr/local/etc/blacklist.txt &amp;&amp; /bin/cat /usr/local/etc/blacklist.txt &gt;&gt; /tmp/hosts ) &amp;&amp; /usr/bin/grep -v -E &quot;`/usr/bin/perl -ane &apos;BEGIN{$s=qw#\\s+(#}; { if (!/^\w*#/&amp;length($F[0])&gt;0){$s = $s . $F[0] . qw(|);}} END{$s = substr($s,0,length($s)-1) . qw#)\\s*#; $s=~s/\\./\\\\./g; print $s;}&apos; /usr/local/etc/whitelist.txt`&quot; /tmp/hosts-block.txt &gt;&gt; /tmp/hosts &amp;&amp; /usr/bin/install -m 644 -S /tmp/hosts /etc/hosts ; /bin/rm -fr /tmp/hosts /tmp/hphosts /tmp/hosts-block.txt ; /usr/bin/dscacheutil -flushcache ; /opt/local/sbin/squid -k check &amp;&amp; /opt/local/sbin/squid -k reconfigure</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>86400</integer>

<key>ServiceDescription</key>

<string>hpHosts.org hosts file update</string>

<key>StandardErrorPath</key>

<string>/var/log/system.log</string>

<key>StandardOutPath</key>

<string>/var/log/system.log</string>

</dict>

</plist>



whitelist.txt



# whitelisted hosts (FQDN and DN) will be deleted from hphost's host.zip

www.drugstore.com

drugstore.com

www.evite.com

evite.com



blacklist.txt



# blacklisted hosts of the form "127.0.0.1 hostname.tld" appended to /etc/hosts

127.0.0.1 www.ahostnamethatyouwanttoblackholebutwillneveractuallyseeontheinternet.net

127.0.0.1 ahostnamethatyouwanttoblackholebutwillneveractuallyseeontheinternet.net



# proxy.pac


net.securemecca.pac.plist-for-osx


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.securemecca.pac.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; ( /bin/test -f /Library/WebServer/Documents/proxy.pac.orig || /usr/bin/install -m 644 -S /Library/WebServer/Documents/proxy.pac /Library/WebServer/Documents/proxy.pac.orig ) &amp;&amp; /bin/cp /Library/WebServer/Documents/proxy.pac.orig /tmp/proxy.pac.orig &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://securemecca.com/Downloads/AutoPac_EN.unx.7z &amp;&amp; /opt/local/bin/7za x -aoa -o/tmp /usr/local/etc/AutoPac_EN.unx.7z AutoPac_EN.unx &amp;&amp; /opt/local/bin/gpg --verify /tmp/AutoPac_EN.unx/proxy_en.sig /tmp/AutoPac_EN.unx/proxy_en &amp;&amp; /usr/bin/printf &apos;// *Modified for domainname.com*\n// King of the PAC from http://securemecca.com/pac.html:\n' &gt; /tmp/proxy.pac &amp;&amp; /usr/bin/sed -E &apos;s/return[ \t]+normal/return MyFindProxyForURL(url.toString(), host)/g&apos; /tmp/AutoPac_EN.unx/proxy_en &gt;&gt; /tmp/proxy.pac &amp;&amp; /usr/bin/sed -E &apos;s/function[ \t]+FindProxyForURL/function MyFindProxyForURL/&apos; /tmp/proxy.pac.orig &gt;&gt; /tmp/proxy.pac &amp;&amp; /usr/bin/install -m 644 -g admin -S /tmp/proxy.pac /Library/WebServer/Documents/proxy.pac ; /bin/rm -fr /tmp/proxy.pac /tmp/proxy.pac.orig /tmp/AutoPac_EN.unx</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>172800</integer>

<key>ServiceDescription</key>

<string>securemecca.com King of the PAC Modification</string>

<key>StandardErrorPath</key>

<string>/var/log/system.log</string>

<key>StandardOutPath</key>

<string>/var/log/system.log</string>

</dict>

</plist>


net.securemecca.pac.plist-for-osxserver


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.securemecca.pac.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; ( /bin/test -f /Library/Server/Web/Data/Sites/CustomSitesDefault/proxy.pac.orig || /usr/bin/install -m 644 -S /Library/Server/Web/Data/Sites/CustomSitesDefault/proxy.pac /Library/Server/Web/Data/Sites/CustomSitesDefault/proxy.pac.orig ) &amp;&amp; /bin/cp /Library/Server/Web/Data/Sites/CustomSitesDefault/proxy.pac.orig /tmp/proxy.pac.orig &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://securemecca.com/Downloads/AutoPac_EN.unx.7z &amp;&amp; /opt/local/bin/7za x -aoa -o/tmp /usr/local/etc/AutoPac_EN.unx.7z AutoPac_EN.unx &amp;&amp; /opt/local/bin/gpg --verify /tmp/AutoPac_EN.unx/proxy_en.sig /tmp/AutoPac_EN.unx/proxy_en &amp;&amp; /usr/bin/printf &apos;// *Modified for mydomain.com*\n// King of the PAC from http://securemecca.com/pac.html:\n' &gt; /tmp/proxy.pac &amp;&amp; /usr/bin/sed -E &apos;s/return[ \t]+normal/return MyFindProxyForURL(url.toString(), host)/g&apos; /tmp/AutoPac_EN.unx/proxy_en &gt;&gt; /tmp/proxy.pac &amp;&amp; /usr/bin/sed -E &apos;s/function[ \t]+FindProxyForURL/function MyFindProxyForURL/&apos; /tmp/proxy.pac.orig &gt;&gt; /tmp/proxy.pac &amp;&amp; /usr/bin/install -m 644 -g admin -S /tmp/proxy.pac /Library/Server/Web/Data/Sites/CustomSitesDefault/proxy.pac ; /bin/rm -fr /tmp/proxy.pac /tmp/proxy.pac.orig /tmp/AutoPac_EN.unx</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>172800</integer>

<key>ServiceDescription</key>

<string>securemecca.com King of the PAC Modification</string>

<key>StandardErrorPath</key>

<string>/var/log/system.log</string>

<key>StandardOutPath</key>

<string>/var/log/system.log</string>

</dict>

</plist>



proxy.pac.orig


function FindProxyForURL(url, host)

{

return "DIRECT";

// return "PROXY localhost:3128";

}



# delete flash cookies


org.opensource.flashcookiedelete.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>org.opensource.flashcookiedelete.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/usr/bin/find ~/Library/Preferences/Macromedia/Flash\ Player ! -path ~/Library/Preferences/Macromedia/Flash\ Player/macromedia.com/support/flashplayer/sys/settings.sol -delete</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>1800</integer>

<key>ServiceDescription</key>

<string>Delete Flash Cookies</string>

</dict>

</plist>

OS X Mavericks (10.9), OS X Server, EyeTV HD, Turbo.264 HD

Posted on Dec 20, 2013 12:03 PM


Dec 29, 2013 11:02 AM in response to essandess

Here's a modification to pfctl configuration and block table updates that creates an anchor for the block tables and avoids breaking existing connections. Rather than 'pfctl -f /etc/pf.conf', reload the tables using 'pfctl -a blockips -T load -f /usr/local/etc/blockips.conf'.


Replace the open source blocks in pf.conf with these commands:


# PF


# Open Source IP blocks
# Refresh with pfctl -a blockips -T load -f /usr/local/etc/blockips.conf
anchor 'blockips' label "Open Source IP Blocks"
load anchor 'blockips' from '/usr/local/etc/blockips.conf'


Create the new file /usr/local/etc/blockips.conf :


# Define tables and drop rules for open source IP blocks
# Reload with:
# pfctl -a blockips -T load -f /usr/local/etc/blockips.conf

# Emerging Threats Open Source, http://rules.emergingthreats.net/fwrules/

# http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
table <emerging_threats> persist file "/usr/local/etc/emerging-Block-IPs.txt"
block drop log quick from <emerging_threats> to any

# http://rules.emergingthreats.net/blockrules/compromised-ips.txt
table <compromised_ips> persist file "/usr/local/etc/compromised-ips.txt"
block drop log quick from <compromised_ips> to any

# http://rules.emergingthreats.net/blockrules/rbn-ips.txt
table <rbn_ips> persist file "/usr/local/etc/rbn-ips.txt"
block drop log quick from <rbn_ips> to any

# http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
table <rbn_malvertisers_ips> persist file "/usr/local/etc/rbn-malvertisers-ips.txt"
block drop log quick from <rbn_malvertisers_ips> to any

# dshield.org block list
table <dshield_block_ip> persist file "/usr/local/etc/dshield_block_ip.txt"
block drop log quick from <dshield_block_ip> to any


Modify the two plists that update the block tables:


net.emergingthreats.blockips.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.emergingthreats.blockips.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/blockrules/compromised-ips.txt ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/blockrules/rbn-ips.txt ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt ; /sbin/pfctl -a blockips -T load -f /usr/local/etc/blockips.conf</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>86400</integer>

<key>ServiceDescription</key>

<string>Emerging Threats PF Update</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>



net.dshield.block.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.dshield.block.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; /opt/local/bin/wget -N -P /usr/local/etc http://www.dshield.org/block.txt &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://www.dshield.org/block.txt.asc &amp;&amp; /opt/local/bin/gpg --verify /usr/local/etc/block.txt.asc /usr/local/etc/block.txt &amp;&amp; /usr/bin/perl -ane &apos;use POSIX; use Data::Validate::IP; my $vip=Data::Validate::IP-&gt;new; if (/^\w*#/) { print; } elsif ($vip-&gt;is_ipv4($F[0]) &amp; $vip-&gt;is_ipv4($F[1]) &amp; isdigit($F[2]) &amp; (0&lt;= $F[2] &amp; $F[2]&lt;=32)) { print $F[0], &quot;/&quot;, $F[2], &quot;\n&quot;; }&apos; /usr/local/etc/block.txt &gt; /tmp/dshield_block_ip.txt &amp;&amp; /usr/bin/install -m 644 -g admin -S /tmp/dshield_block_ip.txt /usr/local/etc/dshield_block_ip.txt ; /bin/rm -f /tmp/dshield_block_ip.txt ; /sbin/pfctl -a blockips -T load -f /usr/local/etc/blockips.conf</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>14400</integer>

<key>ServiceDescription</key>

<string>dshield.org top 20 block list</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>


Aug 1, 2014 9:02 AM in response to davidh

It's a one-liner:

/bin/mkdir -p /usr/local/etc ; /opt/local/bin/wget -N -P /usr/local/etc http://www.dshield.org/block.txt && /opt/local/bin/wget -N -P /usr/local/etc http://www.dshield.org/block.txt.asc && /opt/local/bin/gpg --verify /usr/local/etc/block.txt.asc /usr/local/etc/block.txt && /usr/bin/perl -ane 'use POSIX; use Data::Validate::IP; my $vip=Data::Validate::IP->new; if (/^\w*#/) { print; } elsif ($vip->is_ipv4($F[0]) & $vip->is_ipv4($F[1]) & isdigit($F[2]) & (0<= $F[2] & $F[2]<=32)) { print $F[0], "/", $F[2], "\n"; }' /usr/local/etc/block.txt > /tmp/dshield_block_ip.txt && /usr/bin/install -m 644 -g admin -S /tmp/dshield_block_ip.txt /usr/local/etc/dshield_block_ip.txt ; /bin/rm -f /tmp/dshield_block_ip.txt ; /sbin/pfctl -a blockips -T load -f /usr/local/etc/blockips.conf
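The conversion that the perl part of this one-liner performs, as an added Python example that is not from the thread: it applies the same three checks (Start and End are IPv4, Netmask is an integer 0..32) to a constructed block.txt sample, and, going beyond the perl, can also reject lines whose Start..End range does not actually match the stated mask before the entry reaches the pf table file.

```python
import ipaddress
import re

# Constructed sample of a dshield.org block.txt in the tab-separated layout
# the perl filter consumes: Start, End, Netmask, then columns it ignores.
# The addresses are documentation ranges, not real list entries.
SAMPLE_BLOCK_TXT = (
    "#   DShield.org Recommended Block List (constructed sample)\n"
    "#   Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail\n"
    "192.0.2.0\t192.0.2.255\t24\t1234\tEXAMPLE-NET\tUS\tabuse@example.net\n"
    "198.51.100.0\t198.51.100.255\t24\t987\tTEST-NET-2\tUS\tabuse@example.org\n"
    "203.0.113.0\t203.0.113.127\t24\t5\trange-mask-mismatch\tUS\tx@example.com\n"
    "203.0.113.0\t203.0.113.255\t33\t5\tmask-too-large\tUS\tx@example.com\n"
    "not.an.ip\t203.0.113.255\t24\t5\tbad-start\tUS\tx@example.com\n"
    "203.0.113.0\t203.0.113.255\t24abc\t5\tnon-numeric-mask\tUS\tx@example.com\n"
    "203.0.113.0\t203.0.113.255\t-1\t5\tnegative-mask\tUS\tx@example.com\n"
)

_COMMENT = re.compile(r"^\w*#")  # the same test the perl uses for comment lines


def block_txt_to_cidrs(text, check_range=True):
    """Turn block.txt lines into pf table entries of the form a.b.c.d/n.

    Comment lines pass through unchanged. A data line is emitted only when
    Start and End parse as IPv4 addresses and Netmask is an integer in
    0..32, which is what the perl filter checks. With check_range=True (an
    extra check, not in the thread) the line must also describe a whole
    network: Start must be the network address of Start/Netmask and End its
    broadcast address, otherwise the line is dropped.
    """
    out = []
    for line in text.splitlines():
        if _COMMENT.match(line):
            out.append(line)
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # too short to carry Start, End and Netmask
        start, end, mask = fields[0], fields[1], fields[2]
        try:
            s = ipaddress.IPv4Address(start)
            e = ipaddress.IPv4Address(end)
        except ValueError:
            continue  # Start or End is not an IPv4 address
        if not mask.isdigit() or not 0 <= int(mask) <= 32:
            continue  # perl: isdigit($F[2]) and 0 <= $F[2] <= 32
        if check_range:
            net = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
            if net.network_address != s or net.broadcast_address != e:
                continue  # the mask does not describe the Start..End range
        out.append(f"{s}/{int(mask)}")
    return out


if __name__ == "__main__":
    # Prints what would be installed as /usr/local/etc/dshield_block_ip.txt
    for entry in block_txt_to_cidrs(SAMPLE_BLOCK_TXT):
        print(entry)
```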

Aug 1, 2014 10:30 AM in response to essandess

Great, thanks! I understood what the Perl was doing, but couldn't properly translate some/all of the characters you'd translated/accommodated for listing directly within the plist (arguments) itself.


Also note the RBN lists are now deprecated & no longer at the exact URL(s) you originally specified.
For example, see http://rules.emergingthreats.net/blockrules/emerging-rbn-malvertisers.rules
which is empty of any actual rules/info, and states:


"

THIS RULESET HAS BEEN OBSOLETED!! This file is left to simply note this fact.

#

# More information available at doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

"


Cheers.

Sep 6, 2014 9:56 AM in response to essandess

Update and fix:


Use the new file net.hphosts.hosts.plist below to avoid this problem.


I was experiencing TLS authentication problems with many apps and servers. Mail.app would fail for all accounts, iCloud Keychain stopped working, as did Adobe Updater and EyeTV program updates and more. I was unable to fix the problem and was tentatively blaming some unidentified OS X TLS bug. Apple Enterprise support helped uncover a problem with the /etc/hosts file created by net.hphosts.hosts.plist -- the hosts list from hosts-file.net/download/hosts.zip contains numerous nonconforming domain names (specifically, names that begin with a hyphen).

By copying /etc/hosts.orig back to /etc/hosts, then shutdown then safe boot and login, then shutdown, then normal boot, all my TLS problems vanished and everything began working again. There are several known fragility issues with OS X and /etc/hosts, and this apparently is another one.


I updated the script in net.hphosts.hosts.plist to use the perl module Data::Validate::Domain to only add valid domain names to /etc/hosts. This has been working fine ever since. Here are the updates:


sudo /usr/bin/cpan Data::Validate::Domain



net.hphosts.hosts.plist


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>net.hphosts.hosts.plist</string>
<key>Program</key>
<string>/bin/bash</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>-c</string>
<string>/bin/mkdir -p /usr/local/etc ; ( /bin/test -f /etc/hosts.orig || /usr/bin/install -m 644 -S /etc/hosts /etc/hosts.orig ) &amp;&amp; /bin/cp /etc/hosts.orig /tmp/hosts &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/download/hosts.zip &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/hphosts-partial.asp &amp;&amp; /usr/bin/unzip -o /usr/local/etc/hosts.zip -d /tmp/hphosts &amp;&amp; /opt/local/bin/gpg --verify /tmp/hphosts/hosts.txt.sig /tmp/hphosts/hosts.txt &amp;&amp; ( /bin/test -f /usr/local/etc/whitelist.txt || /usr/bin/printf &apos;\n# whitelisted hosts (FQDN and DN) will be deleted from hphost&apos;&quot;&apos;&quot;&apos;s host.zip\n#\n&apos; &gt; /usr/local/etc/whitelist.txt ) &amp;&amp; /usr/bin/printf &apos;\n# hpHosts hosts.txt from http://hosts-file.net/download/hosts.zip:\n&apos; &gt; /tmp/hosts-block.txt &amp;&amp; /bin/cat /tmp/hphosts/hosts.txt | tr -d &apos;\015&apos; | /usr/bin/perl -ane &apos;use POSIX; use Data::Validate::Domain qw(is_domain); { if (/^127\.0\.0\.1\s*(.+)$/) { print qq#127.0.0.1\t$1\n# if is_domain($1); } else { print; } }&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; /usr/bin/printf &apos;\n# hpHosts hphosts-partial.asp from http://hosts-file.net/hphosts-partial.asp:\n&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; /bin/cat /usr/local/etc/hphosts-partial.asp | tr -d &apos;\015&apos; | /usr/bin/perl -ane &apos;use POSIX; use Data::Validate::Domain qw(is_domain); { if (/^127\.0\.0\.1\s*(.+)$/) { print qq#127.0.0.1\t$1\n# if is_domain($1); } else { print; } }&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; ( ! /bin/test -f /usr/local/etc/blacklist.txt || /bin/cat /usr/local/etc/blacklist.txt &gt;&gt; /tmp/hosts ) &amp;&amp; /usr/bin/grep -v -E &quot;`/usr/bin/perl -ane &apos;BEGIN{$s=qw#\\s+(#}; { if (!/^\w*#/&amp;length($F[0])&gt;0){$s = $s . $F[0] . qw(|);}} END{$s = substr($s,0,length($s)-1) . qw#)\\s*#; $s=~s/\\./\\\\./g; print $s;}&apos; /usr/local/etc/whitelist.txt`&quot; /tmp/hosts-block.txt &gt;&gt; /tmp/hosts &amp;&amp; /usr/bin/install -m 644 -S /tmp/hosts /etc/hosts ; /bin/rm -fr /tmp/hosts /tmp/hphosts /tmp/hosts-block.txt ; killall -HUP mDNSResponder ; /opt/local/sbin/squid -k reconfigure</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>86400</integer>
<key>ServiceDescription</key>
<string>hpHosts.org hosts file update</string>
<key>StandardErrorPath</key>
<string>/var/log/system.log</string>
<key>StandardOutPath</key>
<string>/var/log/system.log</string>
</dict>
</plist>
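A stand-alone shell version of the validation step the post above describes, added here as an example (it is not the plist's code, and the hpHosts-style input and whitelist it runs on are constructed): it strips CRs, keeps only entries whose name is a syntactically valid hostname, so a leading hyphen, the class of name that broke TLS above, or an underscore is rejected, drops whitelisted domains together with their subdomains, and deduplicates. The hostname rule is RFC 1123 label syntax with an alphabetic top-level label, an assumption standing in for Data::Validate::Domain's TLD list.

```shell
#!/bin/sh
# Added example: build a blackhole hosts fragment from hpHosts-style input.
# Not the plist's own code; the sample input and whitelist are constructed.

# Constructed hpHosts-style input: a comment, CRLF line endings, a name with a
# leading hyphen, one with an underscore, a duplicate, and a subdomain of a
# whitelisted domain.
SAMPLE_HPHOSTS="$(printf '# hpHosts sample (constructed)\r\n127.0.0.1\ttracker.example.com\r\n127.0.0.1\t-badlabel.example.net\r\n127.0.0.1\tads.example.org\r\n127.0.0.1\tgood.example.org\r\n127.0.0.1\tcdn.good.example.org\r\n127.0.0.1\tunder_score.example.com\r\n127.0.0.1\ttracker.example.com\r\n')"

SAMPLE_WHITELIST="$(printf '# whitelisted hosts (FQDN and DN)\ngood.example.org\n')"

# RFC 1123 hostname (assumed rule): labels of 1-63 chars from [A-Za-z0-9-],
# no leading or trailing hyphen, at least two labels, alphabetic top label.
HOST_RE='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'

# stdin: hpHosts lines -> stdout: "127.0.0.1<TAB>name" for valid, unique names
valid_block_entries() {
    tr -d '\015' |
    awk '$1 == "127.0.0.1" && NF == 2 && !seen[$2]++ { print $2 }' |
    grep -E "$HOST_RE" |
    awk 'length($0) <= 253 { printf "127.0.0.1\t%s\n", $0 }'
}

# stdin: hosts lines -> stdout: lines whose name is neither a whitelisted
# domain nor a subdomain of one.  $1 = whitelist file (comments allowed).
apply_whitelist() {
    awk -v wl="$1" '
        BEGIN {
            while ((getline l < wl) > 0) {
                sub(/\r$/, "", l)
                if (l ~ /^[ \t]*(#|$)/) continue
                split(l, f); w[f[1]] = 1
            }
        }
        {
            n = $2; keep = 1
            for (d in w)
                if (n == d || substr(n, length(n) - length(d)) == "." d) keep = 0
            if (keep) print
        }'
}

# usage: build_hosts_block WHITELIST_FILE < hphosts-input > hosts-fragment
build_hosts_block() {
    valid_block_entries | apply_whitelist "$1"
}

# Demo on the constructed sample; only tracker.example.com and
# ads.example.org survive.
demo_build() {
    wl=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_WHITELIST" > "$wl"
    printf '%s\n' "$SAMPLE_HPHOSTS" | build_hosts_block "$wl"
    rm -f "$wl"
}

demo_build
```

In the plist's setting the fragment produced by `build_hosts_block` is what gets appended to the copy of /etc/hosts.orig; rejecting on syntax before the name ever reaches the resolver is the point, since a single malformed entry was enough to break TLS system-wide.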

Sep 16, 2014 3:29 AM in response to essandess

Large /etc/hosts files do break mDNSResponder on OS X (bug report #18277328).


I recommend not replacing /etc/hosts with the large hosts file created by net.hphosts.hosts.plist.


Rather, edit this plist to create the file /etc/hosts-hphosts, then use the squid proxy to filter out bad/tracker domains. This will provide nearly the same level of security as using /etc/hosts directly, but without the OS X issues.


The squid directives you want in squid.conf for a large /etc/hosts file are:


hosts_file /etc/hosts-hphosts

ipcache_size 16384

fqdncache_size 131072


See the link above for privacy-enhancing squid directives.


Here's the modified net.hphosts.hosts.plist.


net.hphosts.hosts.plist


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>net.hphosts.hosts.plist</string>
<key>Program</key>
<string>/bin/bash</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>-c</string>
<string>/bin/mkdir -p /usr/local/etc ; ( /bin/test -f /etc/hosts.orig || /usr/bin/install -m 644 -S /etc/hosts /etc/hosts.orig ) &amp;&amp; /bin/cp /etc/hosts.orig /tmp/hosts &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/download/hosts.zip &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/hphosts-partial.asp &amp;&amp; /usr/bin/unzip -o /usr/local/etc/hosts.zip -d /tmp/hphosts &amp;&amp; /opt/local/bin/gpg --verify /tmp/hphosts/hosts.txt.sig /tmp/hphosts/hosts.txt &amp;&amp; ( /bin/test -f /usr/local/etc/whitelist.txt || /usr/bin/printf &apos;\n# whitelisted hosts (FQDN and DN) will be deleted from hphost&apos;&quot;&apos;&quot;&apos;s host.zip\n#\n&apos; &gt; /usr/local/etc/whitelist.txt ) &amp;&amp; /usr/bin/printf &apos;\n# hpHosts hosts.txt from http://hosts-file.net/download/hosts.zip:\n&apos; &gt; /tmp/hosts-block.txt &amp;&amp; /bin/cat /tmp/hphosts/hosts.txt | tr -d &apos;\015&apos; | /usr/bin/perl -ane &apos;use POSIX; use Data::Validate::Domain qw(is_domain); { if (/^127\.0\.0\.1\s*(.+)$/) { print qq#127.0.0.1\t$1\n# if is_domain($1); } else { print; } }&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; /usr/bin/printf &apos;\n# hpHosts hphosts-partial.asp from http://hosts-file.net/hphosts-partial.asp:\n&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; /bin/cat /usr/local/etc/hphosts-partial.asp | tr -d &apos;\015&apos; | /usr/bin/perl -ane &apos;use POSIX; use Data::Validate::Domain qw(is_domain); { if (/^127\.0\.0\.1\s*(.+)$/) { print qq#127.0.0.1\t$1\n# if is_domain($1); } else { print; } }&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; ( ! /bin/test -f /usr/local/etc/blacklist.txt || /bin/cat /usr/local/etc/blacklist.txt &gt;&gt; /tmp/hosts ) &amp;&amp; /usr/bin/grep -v -E &quot;`/usr/bin/perl -ane &apos;BEGIN{$s=qw#\\s+(#}; { if (!/^\w*#/&amp;length($F[0])&gt;0){$s = $s . $F[0] . qw(|);}} END{$s = substr($s,0,length($s)-1) . qw#)\\s*#; $s=~s/\\./\\\\./g; print $s;}&apos; /usr/local/etc/whitelist.txt`&quot; /tmp/hosts-block.txt &gt;&gt; /tmp/hosts &amp;&amp; /usr/bin/install -m 644 -S /tmp/hosts /etc/hosts-hphosts ; /bin/rm -fr /tmp/hosts /tmp/hphosts /tmp/hosts-block.txt ; /opt/local/sbin/squid -k reconfigure</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>86400</integer>
<key>ServiceDescription</key>
<string>hpHosts.org hosts file update</string>
<key>StandardErrorPath</key>
<string>/var/log/system.log</string>
<key>StandardOutPath</key>
<string>/var/log/system.log</string>
</dict>
</plist>

Oct 4, 2014 12:57 AM in response to essandess

For reference here are some pfctl commands that show statistics on (reasonably presumed) attacks on the network:


sudo pfctl -t bruteforce -Ts | wc -l

sudo pfctl -a blockips -t compromised_ips -Ts -v | egrep -e 'Packets: [^0]' | wc -l

sudo pfctl -a blockips -t dshield_block_ip -Ts -v | egrep -e 'Packets: [^0]' | wc -l

sudo pfctl -a blockips -t emerging_threats -Ts -v | egrep -e 'Packets: [^0]' | wc -l


My own counts on a server with an uptime of a couple weeks are 19, 78, 1, and 8—over a hundred attacks. This is consistent with greatly reduced alerts from snort running on OS X.
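The `egrep -e 'Packets: [^0]' | wc -l` pipelines above count counter lines, and pfctl prints separate In/Block and Out/Block counters for every table entry, so one address blocked in both directions is counted twice. The following is an added example, not part of the post, that aggregates the verbose table output per address instead. The sample output is constructed in the layout pfctl uses (an address line followed by tab-indented Cleared:, In/Block:, In/Pass:, Out/Block: and Out/Pass: lines); compare it with your own `pfctl -Ts -v` output before relying on the field positions.

```shell
#!/bin/sh
# Added example (not from the original post): per-address statistics from
# `pfctl -a blockips -t <table> -Ts -v`.  SAMPLE_PFCTL is constructed in
# pfctl's table layout; verify against real output before relying on it.

SAMPLE_PFCTL="$(
  printf '   192.0.2.10\n'
  printf '\tCleared:     Sat Oct  4 00:00:00 2014\n'
  printf '\tIn/Block:    [ Packets: 12                 Bytes: 720                ]\n'
  printf '\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]\n'
  printf '\tOut/Block:   [ Packets: 3                  Bytes: 180                ]\n'
  printf '\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]\n'
  printf '   198.51.100.0/24\n'
  printf '\tCleared:     Sat Oct  4 00:00:00 2014\n'
  printf '\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]\n'
  printf '\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]\n'
  printf '\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]\n'
  printf '\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]\n'
  printf '   203.0.113.7\n'
  printf '\tCleared:     Sat Oct  4 00:00:00 2014\n'
  printf '\tIn/Block:    [ Packets: 5                  Bytes: 300                ]\n'
  printf '\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]\n'
  printf '\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]\n'
  printf '\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]\n'
)"

# stdin: pfctl -Ts -v output
# stdout: "<address> <blocked packets> <blocked bytes>" for each address or
# network whose In/Block + Out/Block counters are nonzero, in table order.
blocked_addrs() {
    awk '
        substr($0, 1, 1) != "\t" {                 # address / network line
            addr = $1
            if (!(addr in seen)) { seen[addr] = 1; list[++n] = addr }
            next
        }
        $1 == "In/Block:" || $1 == "Out/Block:" {  # "[ Packets: N  Bytes: M ]"
            pk[addr] += $4; by[addr] += $6
        }
        END {
            for (i = 1; i <= n; i++)
                if (pk[list[i]] > 0)
                    printf "%s %d %d\n", list[i], pk[list[i]], by[list[i]]
        }'
}

# stdout: "<attacking addresses> <blocked packets>" for the whole table
blocked_summary() {
    blocked_addrs | awk '{ n++; p += $2 } END { printf "%d %d\n", n + 0, p + 0 }'
}

demo_addrs()   { printf '%s\n' "$SAMPLE_PFCTL" | blocked_addrs; }
demo_summary() { printf '%s\n' "$SAMPLE_PFCTL" | blocked_summary; }

# On a live system:
#   sudo pfctl -a blockips -t compromised_ips -Ts -v | blocked_addrs
demo_addrs
demo_summary
```

On the constructed sample the line-counting pipeline would report 3 hits for 2 attacking addresses; the aggregation reports 2 addresses and 20 blocked packets, and the per-address rows are what you would feed to a follow-up `whois` or a snort cross-check.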

Dec 19, 2014 5:05 PM in response to essandess

I've created a git repo of this osxfortress package, all updated. To grab these files and install everything:


git clone https://github.com/essandess/osxfortress.git

sh ./osxfortress/readme-and-install.sh


The README file says:


osxfortress
===========

OS X Fortress: Firewall, Blackhole, and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers

Kernel-level, OS-level, and client-level security for OS X. Built to
address a steady stream of attacks visible on snort and server logs,
as well as to block ads and malicious scripts and to conceal information
used to track you around the web. After this package was installed, snort
and other detections have fallen to a fraction with a few simple
blocking actions. This setup is a lot more capable and effective than
using a simple adblocking browser Add-On. There's a world of
difference between ad-filled web pages with and without a filtering
proxy server. It's also saved me from inadvertently clicking on
phishing links.

This package uses these features:

* OS X adaptive firewall
* Adaptive firewall to brute force attacks
* IP blocks updated about twice a day from emergingthreats.net
  (IP blocks, compromised hosts, Malvertisers) and dshield.org’s top-20
* Host blocks updated about twice a day from hphosts.net
* Special proxy.pac host blacklisting from hostsfile.org
