Creating hosts.deny on OS X (it does not work without a hosts.allow file alongside it):
sudo pico /etc/hosts.deny
Why? Because if your fans are blasting and tcpdump is showing thousands of connections from the same IP over the course of an hour, you are probably being attacked. What to write?
#
# hosts.deny   This file describes the names of the hosts which are
#              denied the use of local INET services, as decided
#              by the '/usr/libexec/tcpd' server.
#
# each line is  daemon_list : client_list [: option]
ALL: ALL: deny
ALL: 185.87.
(sudo nano brings the file up to be edited; pico and nano are the same editor on OS X)
(A client pattern that ends in a dot is a network prefix, so the first two octets of the offending IP block the entire 185.87.0.0/16 range. The ALL: ALL line denies every wrapped service to every client, which is why the hosts you do want in must be listed in /etc/hosts.allow: tcp_wrappers checks hosts.allow first, then hosts.deny. Only services that go through the tcp_wrappers check honor these files; a packet filter like pf blocks regardless of service.)
Note: I purposefully used Unix server code on some of these to force people to research.
https://www.tenable.com/blog/hardening-os-x-using-the-nsa-guidelines
Second is learning some terminal commands and installing powerful security programs.
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool NO
Shows accounts with a UID below 500 in the login window instead of hiding them (Hide500Users is the setting that hides them).
dscl . list /Users | grep -v "_\|nobody\|root\|daemon"
Lists every account in the local directory except the system ones (names starting with an underscore, plus nobody, root and daemon). Anything unexpected left in that list is a hidden account.
They can be deleted as well.
https://applehelpwriter.com/2017/05/21/how-to-reveal-hidden-users/
https://www.cnet.com/news/stubborn-user-accounts-returning-when-deleted-in-os-x/
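Added example (not from the original post): an awk filter that applies the hidden-account checks above to the output of `dscl . -readall /Users RecordName UniqueID IsHidden`. The directory output below is constructed so the script runs offline; on a real Mac you pipe the dscl command into hidden_accounts instead. It flags any non-system account whose UID is below 500 (the ones Hide500Users hides) or that carries IsHidden: 1.

```shell
#!/bin/sh
# Constructed stand-in for `dscl . -readall /Users RecordName UniqueID IsHidden`.
# dscl prints one "Attribute: value" line per attribute and a "-" line between records.
DSCL_SAMPLE='RecordName: _spotlight
UniqueID: 89
-
RecordName: root
UniqueID: 0
-
RecordName: alice
UniqueID: 501
-
RecordName: backup
UniqueID: 499
-
IsHidden: 1
RecordName: svc
UniqueID: 502
-'

# hidden_accounts: read dscl readall output on stdin, print "name uid reason"
# for every account that would not show up in the login window.
hidden_accounts() {
    awk '
        function check() {
            # skip Apple system accounts, same exclusions as the grep -v above
            if (name == "" || name ~ /^_/ || name == "root" || name == "daemon" || name == "nobody") return
            if (uid < 500)   print name, uid, "uid-below-500"
            else if (hidden) print name, uid, "IsHidden"
        }
        /^RecordName: / { name = $2 }
        /^UniqueID: /   { uid = $2 + 0 }
        /^IsHidden: /   { hidden = $2 + 0 }
        /^-$/           { check(); name = ""; uid = 0; hidden = 0 }   # end of record
        END             { check() }                                   # last record without trailing "-"
    '
}

# Usage with the constructed sample (on a Mac: dscl . -readall /Users RecordName UniqueID IsHidden | hidden_accounts)
printf '%s\n' "$DSCL_SAMPLE" | hidden_accounts
```

The two hits from the sample are `backup 499 uid-below-500` and `svc 502 IsHidden`; `alice` at UID 501 is a normal visible user and is not reported.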
last / lists recent logins
who / who is logged on
w / like who in verbose mode: shows each logged-in user and what they are running. Each Terminal window you open counts as a separate login, so your own scans will show up here.
defaults read /Library/Preferences/com.apple.loginwindow
Dumps the login window settings (including Hide500Users)
tail -F /var/log/system.log
Follows the system log as it is written (on 10.12 and later most messages go to the unified log rather than system.log, so this file is much quieter there). This is how I found the recent Google zero-day exploit before Google did, and it was a brash assumption based on resources and Google update timing.
kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}' | open -ef
Lists the loaded kernel extensions that are not Apple's (-k skips kernel components, -l drops the header, the awk drops com.apple entries) and opens the result in TextEdit.
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
Unloads the SSH launch daemon (turns off remote login). To see the loaded launch jobs, use launchctl list.
- sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
- Deactivates the Apple Remote Desktop agent and removes remote-management access for all users, so it stays off across reboots.
sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//')
Sets a random MAC address on en0 (swiped from Linux server pages; the command substitution is required so the generated address is passed to ifconfig).
sudo ifconfig -a (rudimentary, cut and paste)
Essentially the ipconfig equivalent: reveals local interface information, including the current MAC and IP addresses.
Port ranges:
Well Known Ports: 0 through 1023.
Registered Ports: 1024 through 49151.
Dynamic/Private : 49152 through 65535.
chkrootkit scans a Mac for rootkits; it reports timed as infected, a false positive caused by Apple's modifications to that binary.
sudo nmap -sV -Pn --script=http-malware-host 192.168.0.x (replace x with your host's last octet)
sudo killall -HUP mDNSResponder; sudo killall mDNSResponderHelper; sudo dscacheutil -flushcache
DNS flush
launchctl list | grep mdworker
Shows the Spotlight metadata worker (mdworker) jobs. For the mDNS service itself, grep for mDNSResponder instead.
You need to do insane amounts of research on these, but in the end sudo tcpdump -n -p -s 0 is most of what you need to know you are being hacked.
I haven't added a Wireshark part to my regimen yet, but you should.
tcpdump flags: -n does not resolve IP addresses to names, so you see the raw IPs; -p keeps the interface out of promiscuous mode, so you only see traffic to and from your own host; -s 0 sets the snap length to capture whole packets instead of truncating them. sudo is needed because capturing packets requires root.
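Added example, not from the original post, that ties the tcpdump step to the hosts.deny step above: an awk pass over tcpdump output that counts bare SYNs per source address, picks out anything over a threshold, and prints the matching hosts.deny lines (either the single host or the /16 prefix the way the post does it). The capture lines are constructed to look like `sudo tcpdump -n -p -s 0 tcp` output and use documentation address space; on a real box you pipe a saved capture into the functions instead.

```shell
#!/bin/sh
# Constructed sample of `sudo tcpdump -n -p -s 0 tcp` output: one source
# (198.51.100.7) hammering port 22 with SYNs, one normal local handshake,
# and one stray SYN to port 80. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges, not real attackers.
SAMPLE='12:00:01.000001 IP 198.51.100.7.40001 > 192.168.0.5.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000201 IP 198.51.100.7.40002 > 192.168.0.5.22: Flags [S], seq 2, win 1024, length 0
12:00:01.000401 IP 198.51.100.7.40003 > 192.168.0.5.22: Flags [S], seq 3, win 1024, length 0
12:00:01.000601 IP 198.51.100.7.40004 > 192.168.0.5.22: Flags [S], seq 4, win 1024, length 0
12:00:01.000801 IP 198.51.100.7.40005 > 192.168.0.5.22: Flags [S], seq 5, win 1024, length 0
12:00:02.100000 IP 192.168.0.12.51000 > 192.168.0.5.22: Flags [S], seq 9, win 65535, length 0
12:00:02.200000 IP 192.168.0.5.22 > 192.168.0.12.51000: Flags [S.], seq 0, ack 10, win 65535, length 0
12:00:03.000000 IP 203.0.113.9.55555 > 192.168.0.5.80: Flags [S], seq 1, win 1024, length 0'

# syn_counts: read tcpdump lines on stdin, print "count ip" for every source
# that sent a bare SYN (Flags [S], not the [S.] SYN-ACK reply), busiest first.
syn_counts() {
    awk '
        $2 == "IP" && $7 == "[S]," {
            src = $3
            sub(/\.[0-9]+$/, "", src)   # field 3 is ip.port; drop the port
            n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# offenders THRESHOLD: sources with at least THRESHOLD SYNs, one IP per line.
offenders() {
    syn_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# deny_lines THRESHOLD [host|prefix]: hosts.deny entries for the offenders.
# "prefix" blocks the whole /16 (first two octets plus a trailing dot),
# which is what the 185.87. line in the post does.
deny_lines() {
    mode=${2:-host}
    offenders "$1" | while read -r ip; do
        if [ "$mode" = prefix ]; then
            printf 'ALL: %s.\n' "$(printf '%s' "$ip" | cut -d. -f1,2)"
        else
            printf 'ALL: %s\n' "$ip"
        fi
    done
}

# Usage with the constructed sample; on a real box:
#   sudo tcpdump -n -p -s 0 -c 5000 tcp | deny_lines 200 >> /etc/hosts.deny
printf '%s\n' "$SAMPLE" | deny_lines 5
```

With the sample and a threshold of 5 the only line produced is `ALL: 198.51.100.7`; the local host and the single stray SYN stay under the threshold. The same offender list can be fed to pf instead of hosts.deny (`pfctl -t badguys -T add 198.51.100.7` against a table defined in pf.conf), which is what the Murus and IceFloor front ends manage for you, and unlike tcp_wrappers it applies to every service on the box.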
Then you need a Mac OS firewall front end. The decent ones are not a firewall themselves; you don't need a literal firewall, you need control over the power of the Unix framework behind OS X (the pf packet filter that ships with it).
Murus, IceFloor and Little Snitch.
IceFloor is said to be good but Murus is said to be better. I tried Little Snitch and was impressed, but the general consensus is that Murus is better. Little Snitch does geolocation, but with hackers that's useless.
Nmap is very powerful and you can get in serious trouble using it the wrong way: scanning hosts you don't own is a problem, and attackers use it for reconnaissance and its scripts for brute-force checks. But Nmap can reveal massive amounts about your local network.
http://macappstore.org/?s=nmap
By far the simplest and easiest thing to do is follow the NSA guidelines and use Murus. Murus will cost you a few weeks of reading, but the stuff I've posted was an effort made over a couple of years, especially with Nmap.
Reset your passwords after all that.
Cut-and-paste commands for OS X. Again, some commands are taken from Unix sources to push a person to read up on them. This isn't even one one-hundredth of what I've read and done in Terminal. At the end of the day, knowing what a DDoS/DoS/flood attack looks like is crucial; there are good server articles on the web about that. Once you find the culprit IP in tcpdump, pretty much everything in the control sector is potentially in your hands.