Understanding Services


In Chapter 11, we discuss various services that could be enabled on your Mac OS X computer. Simply turning on the services will enable various daemons on your computer. In this section, we take a look at what’s really going on with your computer when these services are enabled.

Cross Reference

Refer to Chapter 18 for more information on Apache, FTPd, and SSH.

Port usage

The Internet consists of clients and servers: you, the client, want some information, and it is located on a server. A client uses an application, such as a Web browser, to request it. Every computer connected to the Internet has an IP address, which serves as the main address for the machine. Each service on a machine is further identified by a port, a number between 0 and 65535. A list of standard port assignments is available on each Mac OS X system in the file /etc/services. Ports 0 through 1023 are referred to as “well-known ports.” Each service that a computer offers is handled by a small program called a daemon. The daemon launches, binds to a specific port, and then waits, listening for connections to that port. When a client opens a connection to the port, the daemon wakes up and sends a reply. Arguably, port 80 is the best-known port: it is the one most often used for HTTP, which carries Web traffic. When you type www.apple.com into your Web browser, the browser first performs a DNS lookup to find the server’s IP address, and then sends a request to that address at port 80. Sometimes your browser is redirected to another port. The most common is HTTPS on port 443 (HTTP over an encrypted connection), which is used for online purchases, banking, and so on. Other popular ports are 25 for SMTP (Simple Mail Transfer Protocol, which handles the sending of email), 110 for POP (Post Office Protocol, used for checking email), 143 for IMAP (Internet Message Access Protocol, an alternative to POP for checking email), 21 for FTP, and 22 for SSH (secure shell).
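As an added illustration (example code written for this edit, not part of the book or of Mac OS X), the following Python parses text in the layout of /etc/services and answers the two questions the paragraph raises: which port a service name conventionally uses, and whether a port falls in the well-known range. The excerpt it parses is constructed for the example; the load_services function reads the real file when run on a Mac.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class ServiceEntry(NamedTuple):
    name: str
    port: int
    proto: str
    aliases: Tuple[str, ...]


# Constructed excerpt in the layout of /etc/services. It is not copied from any
# real system; it only needs to look like the file so the parser can be exercised.
SAMPLE_SERVICES = """\
#
# Network services, Internet style
#
ftp             21/tcp
ssh             22/tcp                          # SSH Remote Login Protocol
smtp            25/tcp     mail
http            80/tcp     www www-http         # WorldWideWeb HTTP
pop3            110/tcp    pop-3
imap            143/tcp    imap2                # Internet Message Access Protocol
https           443/tcp
http-alt        8080/tcp   webcache
"""

# name, port/proto, then zero or more aliases; comments are stripped before matching
ENTRY = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)((?:\s+\S+)*)\s*$")


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse /etc/services-style text into entries, skipping blanks and comments."""
    entries: List[ServiceEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # everything after '#' is a comment
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            continue                           # tolerate lines in a layout we don't know
        name, port, proto, alias_blob = m.groups()
        entries.append(ServiceEntry(name, int(port), proto, tuple(alias_blob.split())))
    return entries


def load_services(path: str = "/etc/services") -> List[ServiceEntry]:
    """Read the real file from disk; the default path is the one named in the text."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_services(fh.read())


def port_for(entries: List[ServiceEntry], name: str, proto: str = "tcp") -> Optional[int]:
    """Resolve a service name or alias to its port, e.g. 'www' -> 80."""
    for e in entries:
        if e.proto == proto and (e.name == name or name in e.aliases):
            return e.port
    return None


def name_for(entries: List[ServiceEntry], port: int, proto: str = "tcp") -> Optional[str]:
    """Resolve a port to its conventional service name, e.g. 443 -> 'https'."""
    for e in entries:
        if e.proto == proto and e.port == port:
            return e.name
    return None


def is_well_known(port: int) -> bool:
    """Ports 0-1023 are the well-known range; on Unix only root may bind to them."""
    return 0 <= port <= 1023


def describe(entries: List[ServiceEntry], port: int, proto: str = "tcp") -> str:
    """One-line label of the kind a scanner prints next to a port number."""
    name = name_for(entries, port, proto) or "unknown"
    kind = "well-known" if is_well_known(port) else "above the well-known range"
    return f"{port}/{proto} {name} ({kind})"


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    for p in (22, 80, 443, 8080, 6000):
        print(describe(table, p))
```

The label the file attaches to a port is only a convention: it tells you what is usually there, never what is actually listening, which is why the scanners later in this section go on to query the service itself.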

TCP/IP does not dictate which ports are used by which applications; you can operate a Web server on any port you like. Port 8080 is a popular alternative for a Web server that cannot or should not use port 80, for example one started by a user without root privileges, because on Unix systems only root may bind to the well-known ports below 1024. The well-known ports system is offered as a convenience. Much as DNS translates hard-to-remember numeric addresses into easily remembered hostnames, the well-known ports serve as a basis for standardization. Rather than having to ask which port to connect to for each individual Web site, we simply agree to use port 80 for Web servers and get on with browsing rather than searching. The flip side matters for security: the name /etc/services attaches to a port says nothing about what is actually listening there, so a scanner’s “http” label on port 80 is a guess until the service itself has been examined.

Principle of least privilege

A long-standing guideline in computer security is the principle of least privilege: each user is given only the privileges needed to perform his or her job or tasks. Rather than leaving everything unlocked and granting every user every available privilege, which makes administration simple in the short term because you never have to unlock anything to allow administrative access, you take the longer-term approach and give each user exactly the level of access required for day-to-day work. In a special situation, you can elevate a specific user’s rights to grant a particular privilege without leaving everything unlocked. A practical example: you’d like to share your printer with other users in your office. There is no reason to allow those users to log in to your computer and change file-sharing preferences.

Using the principle of least privilege in networking

The same guiding principle applies when offering network services from your computer. The ideal starting point is a machine that offers no services whatsoever. If you do not intend to share any resources with neighboring users, nothing should be enabled. Often, though, services are enabled by default, and installing third-party software may open ports or add services to your computer’s configuration. If you plan to share resources from your computer, best practice is to start with a clean slate: turn off all services and ensure all ports are closed. Then decide which services you wish to offer and turn them on one by one. As you enable each service, check which ports have been opened and ensure that only those you require are active. Doing this adds very little time to your configuration process and ensures that you are not exposing more than you expect to the Internet. The next section describes how to check which ports are open on your computer.

Monitoring open ports

Run a check on your system each time you install or upgrade any kind of service to ensure that you are opening only the ports you want open. The way to do this is to run port-scanning software. Port scanners are a major tool in the hacker’s arsenal: by running a port scan, an attacker sees what your computer is offering and can then probe those openings to penetrate your system. By running a port scan against your own computer, you’ll know what the hackers know and can close off any unintended openings.

To check which ports are open on your system, you’ll want to run third-party software, as the Apple-supplied Network Utility is not entirely thorough. As with most things involving Unix in Mac OS X, you have the choice of a graphical interface or the command line. A port scanner probes from the outside in; for the inside view, the commands netstat -an | grep LISTEN and sudo lsof -i -P, both included with Mac OS X, list every listening socket and (with lsof) the process that owns it, which is the quickest way to find out what opened an unexpected port.

If you are curious, Apple provides an application called Network Utility, in the Utilities folder inside the Applications folder, which does offer a rudimentary port scan. To use it, launch the application and choose the Port Scan tab at the top. Figure 26-6 shows Apple’s Network Utility.

Figure 26-6: The Apple Network Utility Port Scan.

For a quick check, you can use an online service that port scans your computer from the outside. One such service, ShieldsUP!, is provided by Gibson Research Corporation, a maker of security software for Windows systems; it can be reached by following the ShieldsUP! link from www.grc.com. The ShieldsUP! page is shown in Figure 26-7. Run the two tests called Test My Shields and Probe My Ports. As always, your results may vary. Bear in mind that an outside scan sees your computer as the Internet does: if you sit behind a router or firewall, it reports that device’s exposure, not necessarily what is listening on your Mac. It’s best to install your own software for this task, but if you’re in a hurry, the Web-based check is reasonably thorough.

Figure 26-7: Gibson Research Corporation Online Port Scan.

Using a graphical interface to check open ports

Several third-party programs are available that can show you what daemons are running and what ports they are listening on. A description of several popular tools follows.

AysMon (Are You Serving Monitor) is written in Java and is available at http://www.pepsan.com/aysmon/index.html. It is distributed as a disk image file. To mount the image, simply double-click the .dmg file, and then drag the AysMon folder to your Applications folder. AysMon comes with a list of services, and checks your computer for each one and shows you the results. AysMon is shareware and costs $5.

whatPorts v1.1 is a freeware port scanner available at www.davtri.com/freeware.html.

Using the command line to check open ports

Nmap is a full-featured port scanner for Unix systems that runs beautifully on Mac OS X. A full description of the software is available at www.insecure.org/nmap/index.html. Nmap is designed to scan for open ports on either a full network (multiple hosts) or a single host. It has many advanced features that are simply not available in the GUI-based port scanners. Many of them are aimed at stealth, which is frankly of more use to a hacker trying to evade detection or work around your firewall; however, many of the advanced features are quite helpful to the personal systems administrator (that’s you) as well. A sample nmap window is shown in Figure 26-8. Nmap uses a technique called TCP/IP stack fingerprinting, comparing the target’s responses to unusual packets against a database of known systems, to guess at the operating system in use. Additionally, the latest versions of the software will query each detected service for version information.

Figure 26-8: Nmap portscan of localhost.

This single feature is of immense use. Patches and upgrades to software such as Apache, sshd, and FTPd are typically made to rectify security issues, yet keeping up with that information can be overwhelming. By running periodic nmap scans against your host and comparing the reported versions with the current releases, you can confirm that the versions you are running are up to date. Two caveats: a version banner can be edited or suppressed by the administrator, and a vendor may ship a security fix without changing the version number, so treat the banner as a prompt to check rather than as proof either way.

Installing nmap

You can install Nmap on your Mac OS X computer in two ways: the easy way, using Fink, or the manual way. If you’ve installed Fink as described in Chapter 25, proceed to the next section. If you’ve not installed Fink, or if you wish to install a later version of the software than Fink is distributing, follow the manual instructions given later. Not to worry, either way results in an extremely powerful port scanner at your fingertips!

Installing nmap using Fink

If you’ve installed Fink, you can use any method of interacting with Fink to complete the install (FinkCommander, dselect, and so on). X11 refers to the X Window System; Apple includes an optional install of X11 with Panther, and installing it is covered in Chapter 25. If you have X11 installed on your machine, install the package called nmap. If you don’t have X11 installed, install the package nmap-nox.

The X11 version includes the nmap program, which you run as a command in Terminal, as well as a GUI front end called nmapfe (nmap front end). To install this version, open Terminal and type fink install nmap at the command prompt.

To install the vanilla version without X Window support, simply open Terminal and type fink install nmap-nox at the command prompt.

Either installation results in an executable program, nmap, installed in /sw/bin. If you installed the X11 front end, it is installed in /sw/bin as well, as nmapfe.

Manually installing nmap

Download the latest version of the source code to a temporary directory: open www.insecure.org/nmap/nmap_download.html in your Web browser and download the latest source package available. The current version at the time of this writing is nmap-3.48.tgz.

When your download finishes, open the Terminal application and change to the directory where you downloaded the software, using the change directory (cd) command.

To install nmap, you must be logged in to an account with administrative privileges, because the final step uses sudo.

tar zxvf nmap-3.48.tgz
cd nmap-3.48
./configure          (this command will generate a lot of output)
make
sudo make install    (type your password at the prompt)

The configure script checks for GTK+. If it finds that software installed, the X11 front end to nmap, nmapfe, will be built and installed in addition to nmap. If GTK+ is unavailable, only the nmap binary will be installed. If you want the graphical front end and are installing manually but don’t have GTK+, you must install GTK+ first; information on that procedure is available at www.gtk.org/. However, you may find it much simpler to install Fink and let Fink manage this for you.

Manually installing nmap places the software in /usr/local/bin. If nmapfe is installed, it will be in /usr/local/bin as well. Note that a Fink installation lives in /sw/bin; if both exist, your PATH determines which one Terminal runs, and which nmap will tell you.

Basic nmap usage

Using nmap for a basic scan is very simple. However, nmap is a very powerful program that can provide a great deal of information if you are willing to invest some time learning and playing with it. For more detailed instruction, see www.insecure.org/nmap/nmap_documentation.html for links to several articles.

To use nmap, open the Terminal application. Because nmap accesses raw network resources, some of its options require root privileges. A basic TCP connect scan does not, and it is the scan type you get if you do not launch the command with sudo. The two basic forms are described next.

Nmap chooses one of two default scan types when run without scan-type arguments. If you enter nmap localhost at a shell prompt as a regular user, nmap runs a TCP connect scan, the most basic kind possible: it opens a complete connection to each port in its default port list (not all 65535; add -p 1-65535 for that), records the ports that accept, and treats a refused connection as closed. This requires no special privileges. The more powerful SYN scan is frequently called a half-open scan because it never completes the connection: it sends the initial SYN packet and judges the port from the reply (a SYN/ACK means open, a RST means closed, and silence or an ICMP error means filtered) without ever handing a connection to the daemon. Hackers prefer it because the application never sees the connection and in most cases does not log it; it is valuable to you for the same reason, and because it reports filtered ports separately from closed ones. Because it builds raw packets, it requires root privileges and must be launched with sudo: enter sudo nmap localhost at a command prompt to run it. Note also that a scan of localhost reaches services bound only to the loopback address; to see what the rest of the network sees, scan your machine’s real IP address, ideally from a second computer.
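The following Python, added here and not taken from the book or from nmap, does in a few dozen lines what the paragraph above describes: it starts a throwaway daemon on the loopback interface, runs a TCP connect scan against it (the scan nmap localhost performs as a regular user), and then applies the check recommended under “Using the principle of least privilege in networking” by comparing the open ports against an allowlist of the services you meant to offer. The daemon, its banner, and the allowlist are all assumptions made for the example; nothing in it talks to the Internet.

```python
import socket
import threading
from typing import Dict, Iterable, Set


def start_daemon(port: int = 0) -> socket.socket:
    """Bind to 127.0.0.1 and listen; port 0 asks the kernel for any free port.
    The accept loop runs in a background thread and answers each client with a
    one-line banner, which is what a real daemon does when a connection arrives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:
                return                      # listening socket closed: daemon exits
            with conn:
                try:
                    conn.sendall(b"220 example daemon ready\r\n")   # constructed banner
                except OSError:
                    pass                    # client hung up first, as a scanner does

    threading.Thread(target=serve, daemon=True).start()
    return srv


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """The scan 'nmap localhost' performs without root: one full connect() per port.
    States use nmap's vocabulary: open (handshake completed), closed (the kernel
    answered with RST, seen here as 'connection refused'), filtered (nothing came
    back before the timeout, typically a firewall dropping the SYN)."""
    results: Dict[int, str] = {}
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, p))
            results[p] = "open"
        except ConnectionRefusedError:
            results[p] = "closed"
        except (socket.timeout, OSError):
            results[p] = "filtered"
        finally:
            s.close()
    return results


def unexpected_open(scan: Dict[int, str], allowed: Set[int]) -> Set[int]:
    """Least privilege for network services: anything open that is not on the
    list of services you meant to offer is a finding to investigate."""
    return {p for p, state in scan.items() if state == "open" and p not in allowed}


def free_port() -> int:
    """Pick a port nothing is listening on, so the scan has a 'closed' example."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    daemon = start_daemon()
    open_port = daemon.getsockname()[1]
    scan = connect_scan("127.0.0.1", [open_port, free_port()])
    print(scan)
    print("unexpected:", unexpected_open(scan, allowed=set()))   # the daemon's port
    daemon.close()
```

The daemon sees every one of these connections, which is exactly why an attacker prefers the SYN scan: with a connect scan, a service that logs connections records the probe. Run the same allowlist comparison against your machine’s real address from another host to check what the network, rather than the loopback interface, can reach.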

Nmap can detect both the OS version and the name and version of the software behind a given port. Rather than simply reporting an http server on port 80, nmap will report, for example, Apache httpd 1.3.27 ((Darwin)). A scan with version detection can be run without root privileges by entering nmap -sV localhost at a shell prompt. Scanning with both version detection and OS detection provides the most interesting report but requires root privileges: enter sudo nmap -sV -O localhost. Version detection works by connecting to each open port and reading the banner or exchanging protocol probes, so the daemon does see these connections, and a service that nmap cannot identify is shown with a question mark after the service name.
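As an added example (not the book’s code and not part of nmap), the following Python turns the version-detection output described here, and the version-tracking habit recommended under “Using the command line to check open ports”, into an automatic check: it parses the per-port lines of nmap -sV output and compares each banner against a baseline of the versions you last installed. The scan output and the baseline are constructed for the example; only the Apache line repeats the text above, and none of the numbers is a security advisory.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: Optional[str]   # None when nmap printed no version column


# Constructed sample of 'nmap -sV' output. The Apache line repeats the one quoted
# in the text; the remaining lines are made up for this example and describe no
# real host.
SAMPLE_OUTPUT = """\
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-01 10:00 PST
Interesting ports on localhost (127.0.0.1):
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.6.1p1 (protocol 1.99)
80/tcp   open  http       Apache httpd 1.3.27 ((Darwin))
631/tcp  open  ipp        CUPS 1.1
5900/tcp open  vnc?
"""

# port/proto, state, service name, then the optional free-text version column
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+?))?\s*$")


def parse_nmap(text: str) -> List[Finding]:
    """Pull the per-port rows out of nmap's normal output; header lines are ignored."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            findings.append(Finding(int(port), proto, state, service, version))
    return findings


def version_tuple(banner: str) -> Tuple[int, ...]:
    """First dotted number in a banner, e.g. 'Apache httpd 1.3.27 ((Darwin))' -> (1, 3, 27).
    Letters such as the 'p1' in an OpenSSH version are ignored."""
    m = re.search(r"\d+(?:\.\d+)+", banner)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


# Hypothetical baseline: port -> the minimum version you wrote down after your
# last round of upgrades. Illustrative values only.
BASELINE: Dict[int, Tuple[int, ...]] = {
    22: (3, 7),          # pretend a newer sshd was installed after this scan's banner
    80: (1, 3, 27),
    5900: (3, 3),
}


def audit(findings: List[Finding], baseline: Dict[int, Tuple[int, ...]]) -> Dict[int, str]:
    """Classify every open port: not in the baseline at all, version hidden,
    version below the baseline, or ok."""
    report: Dict[int, str] = {}
    for f in findings:
        if f.state != "open":
            continue
        if f.port not in baseline:
            report[f.port] = "unexpected listener"
        elif f.version is None:
            report[f.port] = "version unknown"      # nmap printed 'name?'
        elif version_tuple(f.version) < baseline[f.port]:
            report[f.port] = "older than baseline"
        else:
            report[f.port] = "ok"
    return report


if __name__ == "__main__":
    for port, verdict in sorted(audit(parse_nmap(SAMPLE_OUTPUT), BASELINE).items()):
        print(f"{port:>5}  {verdict}")
```

Feed it real output with nmap -sV localhost > scan.txt and parse_nmap(open("scan.txt").read()). A port reported as “unexpected listener” is the least-privilege finding; “older than baseline” and “version unknown” are prompts to look at the service, not verdicts, for the reasons given earlier about edited or suppressed banners.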

Bonus X Windows port scanner

Nmap ships with an X11-based front end called nmapfe. If X11 is installed on your system and you have GTK+ installed as described in the preceding sections, then nmapfe is available. Nmapfe provides a GUI interface to nmap; the scan types are the same, but it is easier to select options in the GUI than to type the various arguments to nmap. To launch nmapfe, first open X11 from the Applications folder. When X11 launches, it provides a window labeled xterm. Xterm is very similar to the Terminal application in that it provides a shell prompt where you can enter commands and interact with Mac OS X from the command line. Nmapfe has the same restrictions as nmap regarding root privileges for certain scan types and OS detection. Figure 26-9 shows the nmap front end. To launch nmapfe with root privileges, type sudo nmapfe at the xterm shell prompt; to launch it as a regular user with limited privileges, simply type nmapfe.

Figure 26-9: nmapfe — the nmap front end.




Mac OS X Bible, Panther Edition
ISBN: 0764543997
Year: 2003
Pages: 290
