OS X Adaptive Firewall Automation - Part III

Introduction

This series was created because we had a problem with a hacker who infiltrated our system and sent out emails in early 2015. After discussing the incident with a couple of colleagues, and hearing about their experiences dealing with similar issues, I was encouraged to share what I had created and why.

In this episode I’ll describe some of the details of the OS X Firewall and what was needed to make it work correctly on my system. Note that, for whatever reason, configuring the Firewall on my OS X Server is slightly different than what I believe the Apple documentation describes. I don’t want to get into the details about it, mainly because I’m not an expert on this, just an experienced geek taking care of a problem the best way I can. I’ll mention whatever is different along the way without pontificating about it.

OS X Adaptive Firewall Documentation

The majority of what I learned came from three locations, two of which were Apple sites (the discussion forums and the advanced server administration pages) and the other was krypted.com.

Note that I was never able to get the command line tool, /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary, to work correctly. Despite the firewall clearly blocking IP addresses, hb_summary still reports the following:

In the past 23 hours 59 minutes the following hosts were blocked by the Adaptive Firewall
from 2016-03-09 02:52:48 +0000
to 2016-03-10 02:52:47 +0000

Address     Count(Total)    Last Block Time

0 unique hosts   0 total blocks  0 overall
Count indicates the number of times a host was blocked during this
reporting period. Total indicates the total number of times this host
was blocked in the last week
See the "Security:Firewall Service" section of http://help.apple.com/advancedserveradmin/
for more information about the Adaptive Firewall.

The current OS X Adaptive Firewall is driven by afctl, with the full path to the command being /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl. The options to the program that I make use of are: -a [IP address], -w [IP address], -t [time in minutes] and -f. The -a option followed by an IP address adds an offending IP address to be blocked. The -t option, used together with -a, specifies how long (in minutes) the IP address should be blocked. The -w option whitelists an IP address to prevent it from ever being blocked. The -f option forces afctl into a running state.

I’ve added our home IP address and a couple of IP addresses that I occasionally access the server from to the whitelist to prevent locking myself out. It’s always a little embarrassing when you manage to lock yourself out of your own server while testing. Thankfully, I’m in the good company of the many geeks who have accidentally done this. Tip - if you lock your home address out, you can use an iPad with a program like Panic’s Prompt to access your server with a command line and edit the whitelist or blacklist file as needed. Just turn off Wi-Fi on the iPad and use a cellular connection, fire up Prompt, connect to your server and make the necessary changes.
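To tie the afctl options above to the whitelist advice, here is a small wrapper, added as an example and not the author's own script, that bans an address for a duration that grows with its attempt count, refuses to touch anything on a whitelist, and rejects malformed input before it reaches afctl. The ban schedule, the whitelist addresses and the AFCTL override (handy for a dry run) are all assumptions, not values from the page.

```shell
# Added example (not the author's script): wrap afctl -a/-t so an offending IP
# is banned for longer the more often it has attacked, and so a whitelisted
# address is never banned. AFCTL can be pointed at a stub for a dry run.
AFCTL="${AFCTL:-/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl}"
# Constructed whitelist (documentation addresses); use your own home/office IPs.
WHITELIST="${WHITELIST:-203.0.113.10 198.51.100.7}"

# Accept only a dotted-quad IPv4 address, so log garbage never becomes an argument.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Is $1 on the whitelist?
is_whitelisted() {
    for w in $WHITELIST; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# Ban length in minutes for a given number of break-in attempts
# (constructed schedule: 1 hour, then 1 day, then 1 week).
ban_minutes() {
    if [ "$1" -ge 20 ]; then echo 10080
    elif [ "$1" -ge 5 ]; then echo 1440
    else echo 60
    fi
}

# block_offender IP COUNT -> runs "afctl -a IP -t MINUTES"; returns 1 if skipped.
block_offender() {
    ip="$1"; count="$2"
    valid_ipv4 "$ip" || { echo "skip: malformed address '$ip'" >&2; return 1; }
    is_whitelisted "$ip" && { echo "skip: $ip is whitelisted" >&2; return 1; }
    minutes=$(ban_minutes "$count")
    "$AFCTL" -a "$ip" -t "$minutes"
}
```

Run it as root on the server; setting AFCTL to a function that just prints its arguments lets you check the schedule without blocking anyone.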

In the next episode, I’ll provide the SQL code for both selecting records prior to processing the log files, and the code to insert new records from the files into the database. I’ll also show the steps for specifying the length of time to ban each IP based on the number of attempted break-ins, and the code used to update the IP blacklist, both of which are performed by the afctl commands mentioned earlier.