olivierdb wrote:My iMac has recently been hacked into and I'd like to make it more secure by preventing incoming connections from hackers.
I'm not sure how I should set up the rules for this purpose.
By default, LS allows all system and non-system incoming connections via UDP, ICMP and local network. Is that safe?
I have disabled WiFi and am connected via an Ethernet cable to my router. There is no other computer in my local network. I'm also running the Mac firewall.
How do you know you've been hacked into, and what was involved?
rsblanchard wrote:A primer for customizing a firewall:
The purpose of a firewall, and anti-spyware, is to limit illicit traffic from traversing to, and from, the internet from your computer, while allowing legitimate traffic -- the more restrictive the firewall, the better (of course, it must allow proper communication, nevertheless).
The anti-spyware component of the anti-malware-suite controls only the outbound (from a computer to the internet) traffic as generated by various applications/executables on the Mac.
Unless your anti-malware automatically blocks, or does not allow, unusual protocols&data that are incoming to your computer, a computer may be vulnerable to a "back door" exploit that may have been pre-designed into your Operating System.
The following applies to the Mac, and would not be that much different for a PC, as all computers use the underlying TCP/IP protocols for their communication to, and from, the internet.
From a given computer-software-device-source, outgoing (from your computer to the Internet), message-traffic needs (either an IPv4, or (less-often) an IPv6) IP-address (to-be-described next) (to identify the computer to be sent-to), a TCP/IP-protocol-number-corresponding-to-a-TCP/IP-protocol-name (I will be using TCP/IP-protocol-names below -- by simply referring to them as "TCP/IP Internet Protocols"), and a software-Port-or-Type-number (discussed below), along with the actual data-content to-be-sent.
An IP-address is an identifier of a specific computer-or-router, and is either a standard IPv4 IP-address (which is represented by a quadruple-of-(zero-through-255 (decimal)), separated by dots/periods ".", for a total of 32-bits, for a total of over 4-billion unique possible computer-addresses), or a newer (less-often-used) IPv6 IP-address (which is an octet-of-(0000-through-ffff (hexadecimal)), separated by colon-characters ":", for a total of 128-bits, for a total of a gazillion unique possible computer-addresses).
There are 256 different TCP/IP Internet Protocols which facilitate traffic to both IPv4-IP-addresses, and IPv6-IP-addresses.
When sending to an IPv4-address, on each separate "device" (software device; to be discussed later), your Mac uses 5 different TCP/IP IPv4 Internet Protocols. (4 protocols, if you ignore IGMP-multicast (for multi-person games), which uses IPv4s in the range of 224.*.*.* through 239.*.*.* [???] ):
(In addition to the message below, I have also found possibly a 6th TCP/IP protocol possibly present on my Mac called "DIVERT". My anti-malware-suite (a suite is a combination of multiple software modules) has only a limited way of controlling either the "RAW" or "DIVERT" protocols, nor do I know much further about these specific protocols). The remaining TCP/IP IPv4 Internet Protocols are:
TCP, UDP, ICMP, (and RAW ([=IPSec ???] used by the rarely-used "traceroute" utility, so now we are down to 3 protocols)).
A TCP/IP IPv4 ICMP message is sent back for "server not responding", "IP-address doesn't exist", "echo (ping) reply", etc., types of control-messages.
Software Port-numbers in a TCP/IP IPv4 ICMP message are called "types", instead, and range from 0 to 255 (so, if we don't consider ICMP, we are now left with 2 protocols to explain).
Most TCP/IP IPv4 internet traffic is either TCP, or UDP:
TCP is like a bi-directional telephone connection (with multiple TCP messages sent and received (and re-assembled in sequence)).
UDP is like a letter dropped in a mailbox (with a 98% chance that it will get to its destination, and only a single message).
Port-numbers for TCP are identical-in-format-to UDP port numbers, in the purpose (application) they serve, and range from 0 (which is reserved) to 65535 (this happens to be the upper-limit of a so-called 16-bit-integer), with 49152 through 65535 reserved for the sending-side (source) (since these are "dynamic" port-numbers, whose particular number cannot be predicted for a given message). (Three-quarters times (the total of) 65536 (unique port-numbers) equals 49152.)
1 through 49151 is for the receiving-side (destination), with 1-1023 requiring super-user privileges to serve-up. (Port-number zero is reserved.)
Peer-to-peer connections are rare, but both source, and destination, have similar port-numbers.
For example, your browser may connect to TCP/IP IPv4 TCP ports 80 (http) & 443 (https) on the destination-side, but would never serve-up (open-up) port 80, nor port 443 on the source side (your computer's side) (that is, unless you were hosting a web-site on your local computer (unlikely) ).
Still, your Mac's standard firewall allows for these unlikely connections, but a customized Intego ISB X6 firewall (a 3rd-party firewall for Macs that run anything at, or newer, than the Leopard Operating System) will block them. You can also try to use Little Snitch with Intego's ISB X6 (VBX6).
In an ideal world, all active "services" (your local machine's UDP & TCP ports), as listed in Intego Internet Security Barrier X6's "Services" window, would be 49152, or above (you should not be "hosting" anything) (sadly, even with my customized files, this is not the case) ! Often, services that perform Domain Name Service (DNS) will have your computer receiving messages on UDP & TCP Ports 53 & 5353, with a dynamic-port for the Internet-sending-side.
(DNS is the way in which any domain-name (a portion of a URL (a Universal Resource Locator)) is translated into an IP-address).
Also, a Mac's boot-up will require a send-to-local-router UDP Port 67, with a subsequent message to receiving (local) UDP Port 68.
Now for Mac software/hardware devices:
"en0" should be your software designation for your Ethernet Cable.
"en1" should be your software designation for your Airport wireless (I have blocked this in my files, as everything is hard-wired here, but wireless can use the IP addresses in the 10.*.*.* range).
"en2" can be for tethering, and, usually, there is no forthright way Apple allows you to control this device.
"lo0" should be your local loopback IP address, usually meaning 127.0.0.1 , in IPv4-terms.
"stf0" is a software tunnel between IPv6 and IPv4 (for the moment, best left totally blocked).
-or-, in Intego ISB X6 for Snow Leopard, you can specify "All", for all devices (the current version of Little Snitch (for Mac) anti-spyware for outgoing communication does not currently accept "devices", so everything is "All").
You should go into the Mac's "Network" System Preferences panel, and re-direct IPv6 for each separate device using the "Advanced" button.
Avoid so-called peer-to-peer music-sharing-sites, and sites that utilize the Limewire, and BitTorrent file-sharing technologies.
If you install Intego ISB X6 on the Mac, you may want to custom-install it, and leave-out ContentBarrier (parental controls). The ISB X6 Anti-Spam program in ISB X6 modifies Apple Mail if you set-up its preferences correctly. Always authorize VirusBarrier in Intego ISB X6 first, before authorizing any other program !
Modem/routers are the first line of defense -- set them not to respond to TCP/IP ICMP "Ping" messages by configuring them with your browser.
Hackers initially find machines by "ping"ing them, and if the machine responds, they hone-in.
Also, most Modem/Routers ship with a default password or two -- CHANGE IT (using your browser), so it is NOT the default "1234", or blank, or "123456" !
Also, disable in the modem/router TCP/IP IPv4 TCP & UDP incoming port 161 (also known as SNTP) -- this is how an Internet Service Provider "takes control" of your machine (and displays your machine's screen on theirs) when you need help, but is also an "in" for hackers.
Two further clarifications:
1) The "dynamic"-ports from 49152-through-65535 may have nothing to do with the "C"-language-programming-term called "INADDR_ANY" .
"INADDR_ANY" refers to the software-device (such as "en0" (Ethernet), or "<el><oh><zero>" ("lo0" loopback)) that is allowed to send-or-receive the data-packet: "INADDR_ANY" refers to the allowance of any software-device to send-or-receive the data-packet.
2) The "RAW" protocol is needed on the Mac for the "traceroute" program (this was the only program on my Mac that requested use of the "RAW" protocol).
"traceroute", in actuality on the Mac, also wants to use the "ICMP" protocol.
So, the only mystery protocol left un-discussed is the "DIVERT" protocol.
Under the underlying TCP/IP protocols, did you know that there are actually (at least ) TWO different ways of doing a "ping" ? -- one involves the standard ICMP-type-8 message (receiving back an ICMP-type-zero message), and the other involves sending to IPv4 TCP Port 4 (or is it Port 7 ??? ) .
This means, that if a device (router, or computer) is "stealthed", all methods of "being-pinged" must not be replied-to.
I have tried to turn off all communication to IPv6-IP-addresses (you know, the 128-bit IP-addresses, (like ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ) ).
You can also try to block the software-device on the Mac, called "stf0:" , which is the "six-to-four-tunneling" (which, I believe, provides a translation of a subset of 128-bit-IPv6-IP-addresses to 32-bit-IPv4-IP-addresses).
Theoretically, when you do this, you miss-out on some websites that have non-IPv4-IP-addresses, but I have not found this to be a problem, yet.
The reason that the web is expanding to IPv6, is that there are only 4-billion-or-so uniquely-identifiable IPv4-IP-addresses, and there are slightly more computers than that !
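As an added example (not code from the forum post, Little Snitch or Intego), a small Python check that applies the port ranges and bind-address distinctions from the post above to a constructed list of listening sockets, and flags anything below 49152 that is reachable beyond loopback:

```python
"""Review local listening sockets against the port ranges described in the post.

Added example; input is a constructed, netstat/lsof-style list of
(protocol, bound address, port) tuples, not a real capture.
"""
import ipaddress

# Constructed sample of local listening sockets (assumption: not real data).
SAMPLE_LISTENERS = [
    ("udp", "0.0.0.0", 68),       # DHCP client reply port (post: UDP 68)
    ("udp", "0.0.0.0", 5353),     # mDNS (post: UDP 5353)
    ("tcp", "127.0.0.1", 631),    # a service bound to loopback only
    ("tcp", "0.0.0.0", 80),       # an unexpected web server on every interface
    ("tcp", "::", 49500),         # dynamic-range port, IPv6 wildcard
    ("udp", "0.0.0.0", 52100),    # dynamic-range port
]


def port_class(port: int) -> str:
    """Map a TCP/UDP port to the range the post describes."""
    if port == 0:
        return "reserved"
    if port <= 1023:
        return "well-known (privileged)"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic"
    raise ValueError(f"port out of range: {port}")


def addr_scope(addr: str) -> str:
    """Describe what the bind address exposes: loopback, all devices, or one IP."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback only"
    if ip.is_unspecified:  # 0.0.0.0 / :: is INADDR_ANY: every device, en0 included
        return f"all IPv{ip.version} interfaces"
    if ip.is_multicast:    # 224.*.*.* through 239.*.*.* for IPv4
        return "multicast"
    return f"IPv{ip.version} {addr}"


def review_listeners(listeners=SAMPLE_LISTENERS):
    """Return one finding per socket below 49152 that is reachable from the network."""
    findings = []
    for proto, addr, port in listeners:
        cls, scope = port_class(port), addr_scope(addr)
        if cls == "dynamic" or scope == "loopback only":
            continue  # the post's "ideal world": nothing hosted below 49152
        findings.append({"socket": f"{proto}/{addr}:{port}", "class": cls, "scope": scope})
    return findings
```

On a real Mac the tuples would come from `lsof -i -P -n` or `netstat -an`; each finding is a listener to either justify or close in the firewall.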