A unix-like security question?

Something happened on my Mac the other day, that kind of scared me. First, a little bit about my home setup.
I have a small smtp mailserver running on my desktop Mac for family members - a big whoppin' five accounts. Three of the five of us live at home, two don't and remotely access email via SSL-enabled imap and SSL-enabled smtp. There is a laptop computer at home that accesses the imap and smtp servers on ports 143 and a non-standard smtp port. Traditionally, it has been used at home only, so I don't require SSL because it runs inside a WPA-protected wireless channel. Its mailserver info, set up in Mail.app, uses {computerName}.local as its mailservers. So, no access from outside my local WLAN. I also get my foreign mail, virus-scanned and spam-assassinated, from an MX agent that downloads that traffic to me on that same non-standard smtp port. For what it's worth, outbound smtp from the home mailserver is via port 25.
On the desktop Mac, I also have ssh running, but on a non-standard port, and in sshd_config, I specify protocol 2 only, root login disabled, no password/no PAM authentication, only DSA public key authentication. In NetInfo Manager, I keep the root account disabled.
On the Mac, in System Prefs' Sharing firewall, I have the non-standard smtp port, imap, imaps, non-standard port ssh, ard and vnc (so I can run CotVNC from the laptop at home), and afp (also for the laptop at home) open for uninvited traffic. Also ntp (probably don't need that since I'm not running a time server), and dns (for reasons discussed below). On my DSL router, I only have the non-standard smtp and ssh ports, and the imapS ports open. (When outside my home WLAN, on a foreign network, I port-forward VNC and afp over ssh if I want to do one of those things.)
So anyways, for the benefit of the laptop, I enabled DNS on the desktop, so that I could change the laptop's Mail.app's accounts' preferences to point to the same imaps and smtp server using my external WAN host name, whether it was inside or outside my home LAN (inside the home LAN, the laptop couldn't resolve my external domain name, and outside the home LAN, {computerName}.local was not routable). But by enabling DNS, I could reference my external host name to my 192.168.x.x IP address, and the laptop would find the server inside the home LAN, as well as find it outside the home LAN (by virtue of services like DynDNS and NoIP DNSs resolving it to my ISP-assigned dynamic external WAN IP). For what it's worth, yes, the laptop's mail preferences enabled SSL for both smtp and imaps, so SSL would be used even inside the WPA-protected channel, just as my users that don't live at home have SSL enabled as they network.
Now for the scary part: the other day, while at home and with the laptop affiliated to my home wireless (WPA-protected) LAN, I ssh'ed into my desktop computer. Either the ssh connection or the desktop computer was running dirt slow. For some reason, I decided to do a tcpdump, and I saw all kinds of traffic going out to hosts all over the world.
After the fact, I think it was just my DNS talking to the sixteen or so root servers, although none of the tcpdump entries used names like "a.root-servers.net" -- there was stuff with an army.mil, a nasa.gov, etc. I think I remember seeing something with a "umd.edu" in it, and there is a commented entry in /var/named/named.ca that has a "umd.edu" in it, so that's why I am thinking that my DNS was just gabbing with a bunch of root servers. Not sure why it was gabbing with them since I can't think of any reason why it would have been trying to do name resolutions or anything. At the time, seeing all these packets being initiated by my computer and being sent worldwide freaked me out.
But what really freaked me out is when I control-C'ed the tcpdump and did a "users" to see who or what might be generating them and saw my username and ... root! Repeating the "users" command a few times more, and it still showed "root" as one of the active users. I immediately ran to the computer and pulled the DSL plug out of the wall, and tried to figure out what was going on. I've got HenWen running, and didn't see anything outside of the usual unicast ARP warnings. After thinking that it might be DNS itself, I disabled DNS just to see what sort of traffic I would see in a tcpdump. Just local subnet broadcasts and arp requests. I have not re-enabled DNS yet.
And the story gets better: a day or two later, I glance at my System Preferences firewall settings, and the firewall was OFF! Fortunately, the DSL modem's firewall was still on, only allowing uninvited inbound imaps, smtp, and ssh traffic. I don't remember ever turning off the desktop's firewall, and no one else uses that computer -- they all hop on the laptop, plus they don't know the admin password anyways. So that was a little freaky, too, but, I'll assume for now that I must have inadvertently turned it off when I was doing something, and never turned it back on.
My immediate question is, if you have DNS turned on, would it ever do anything as root, and hence, show up as an active user in response to a "users" command? And not that there were any (/var/cron/tabs) cron jobs scheduled to be active at that particular time, but if there were a /var/cron/tabs/root job actively running, would root then show up as an active user in response to a "users" command?
Signed,
Scared!

Hi J.V.
   First, I have to say that yours is an impressive setup. If you're not a sysadmin, you certainly could be. Also, you have a knowledge of much of this that surpasses mine so I may be of no help. However, I do use the "who" command to see if anyone has broken in and I've never seen the root user listed.
   There are doubtless more processes running as root on a typical system than those running as the user logged into the GUI. However, none of those root processes are the result of a login. I believe that the "users" and "who" commands only report users that are logged in. I don't see the root user with the "who" command even if I create a root shell with sudo. Although I don't know this for a fact, I don't believe that it should be possible to see the root user with the "who" command if the root account is disabled in NetInfo. By the way, I recommend the "who -u" command to the "users" command as it provides quite a bit more information. When I login to my machine via SSH, the domain name of the remote host is included in the output of the "who" command.
   There was a situation on Panther where the root user could be listed in NetInfo Manager as disabled when it was actually enabled. I don't believe that is possible in Tiger but you can check with the command,
nicl . -read /users/root
If the password is only a single asterisk or ideally the authentication_authority string contains ";DisabledUser;", the root user should really be disabled.
   I can see that you're quite knowledgeable about networking and comfortable with tools that examine packets. However, there are methods of intrusion detections that aren't directly network related. They may be of use in your situation.
   The simplest is the /var/log/secure.log. Acquisition of root privileges via sudo does show up in this log but there may be enough information about the circumstances to determine which uses of root privileges are normal.
   A more complex method is process accounting. This records every command executed on the system. It provides information similar to the "who" command but doesn't provide the arguments that were used in executing the command nor any process IDs. If you actually do discover unusual activity in real time, a full dump of process information with the "ps" command can provide a useful complement to the information recorded by process accounting. You can turn on process accounting simply by creating a /var/account/acct file and executing:
sudo accton /private/var/account/acct
You can read the result with the command:
sudo lastcomm
I should warn you that process accounting shouldn't be left on without developing a log rotation mechanism for the above file as it can grow large rather quickly.
   The mechanism for doing for the system what Snort does for the network is Security Auditing. This system was developed by Sun and distributed by Apple for OS X in their Common Criteria Tools. To understand the output of auditing and to customize the configuration requires at least as much study as mastering Snort. It can also output a lot of information. However, like Snort, it is the ultimate at what it does.
   There is a minor rootkit for Mac OS X named Opener. Unlike a "real" rootkit it is easy to detect if you know what you're looking for. In reported versions, there is a StartupItem in /Library/StartupItems named "opener". I would check that directory for any unusual StartupItem.
Gary
~~~~
   Adam was but human--this explains it all. He did not want
   the apple for the apple's sake, he wanted it only because
   it was forbidden. The mistake was in not forbidding the
   serpent; then he would have eaten the serpent.
         -- Mark Twain, "Pudd'nhead Wilson's Calendar"
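As an added example (not code from either poster), here is a small POSIX shell script that applies the checks described in the reply above to constructed sample output: it picks root login sessions out of "who -u" output, tests a "nicl . -read /users/root" record for the lone "*" password or the ";DisabledUser;" marker, and lists StartupItems that are not on an allowlist. The sample output, the session details and the allowlist name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. All sample output below is
# constructed; swap in real command output to use the checks for real.

# Constructed `who -u` output: two sessions for user "jv", one for root.
SAMPLE_WHO='jv       console      Mar 14 08:02   old    312
jv       ttyp1        Mar 16 21:40   .      9981  (laptop.local)
root     ttyp2        Mar 16 21:41   .      9997  (203.0.113.7)'

# Constructed `nicl . -read /users/root` record for a disabled root account.
SAMPLE_ROOT_DISABLED='name: root
passwd: *
uid: 0
authentication_authority: ;DisabledUser;;ShadowHash;'

# Constructed record for a root account that could actually log in.
SAMPLE_ROOT_ENABLED='name: root
passwd: ********
uid: 0
authentication_authority: ;ShadowHash;'

# Print each login session that belongs to root (user is the first column).
# Processes owned by root are normal; an interactive root login is not.
root_sessions() {
    printf '%s\n' "$1" | awk '$1 == "root"'
}

# Count root login sessions; 0 is the expected answer on a healthy box.
root_session_count() {
    printf '%s\n' "$1" | awk '$1 == "root" { n++ } END { print n + 0 }'
}

# Return 0 (true) when the nicl record shows root as disabled: either the
# passwd field is a lone "*" or authentication_authority carries
# ";DisabledUser;". Return 1 when root could log in.
root_is_disabled() {
    printf '%s\n' "$1" | awk '
        $1 == "passwd:" && $2 == "*" { ok = 1 }
        $1 == "authentication_authority:" && index($0, ";DisabledUser;") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Print StartupItems that are not on the allowlist. The allowlist is an
# assumption for the example; build yours from a known-clean listing of
# /Library/StartupItems. The reported Opener item is simply named "opener".
KNOWN_STARTUPITEMS="YourKnownItem"
unexpected_startupitems() {
    for item in "$1"/*; do
        [ -e "$item" ] || continue
        name=${item##*/}
        case " $KNOWN_STARTUPITEMS " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Demonstration on the constructed samples.
echo "root login sessions: $(root_session_count "$SAMPLE_WHO")"
root_sessions "$SAMPLE_WHO"
if root_is_disabled "$SAMPLE_ROOT_DISABLED"; then echo "sample 1: root disabled"; fi
if root_is_disabled "$SAMPLE_ROOT_ENABLED"; then :; else echo "sample 2: root ENABLED"; fi
# Live use on a Mac of that era (not run here):
#   root_session_count "$(who -u)"
#   root_is_disabled "$(nicl . -read /users/root)"
#   unexpected_startupitems /Library/StartupItems
```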
