Open Directory & Firewall: How to prevent hack attacks

With my current Open Directory configuration, user accounts get disabled as soon as 12 login attempts fail.
Now the problem is the following: there are periodic attacks trying to hack user accounts. They do this by trying typical user names and common passwords, I guess (e.g. password = user name, password = 123, ...). I enforce a rather strict password policy, so allowing only 12 guesses should be kind of safe.
And typically they do not even guess an existing login name ... except for one. I discovered this issue because one user came to me twice this week because his account was disabled. So I finally found out that his username was in a hacker list. I solved the problem by making a new account with a different login name. But that's not a good solution for the future.
Is there a better way? What I would like, for example, is to disable login attempts from a certain host for a couple of hours after sufficiently many failed login attempts. Or even better: putting these hosts into a ban list until I free them manually.
Maybe such things can be done with the firewall (and if yes: how?).

Preface: I am not fiscally tied to any product or service I might mention, I'm just a paranoid system administrator.
I never like to see anyone directly expose a file server to the Internet. That is asking for the kind of trouble you're seeing or worse.
The "best practice" I've adopted at my office is this: if a project office is large enough to warrant a file server, it is large enough to warrant a dedicated firewall appliance.
The unit I have been purchasing for my projects lately is the Astaro ASG120. It is a small firewall box that not only does standard firewall duties, but also serves as a VPN endpoint for remote users, a VPN peer for site-to-site VPN connections, a web filter for managing end-user access to questionable sites, with virus scanning, and an email filter if I should choose to operate an email server at the project site.
The appliance is not the cheapest on the market, but for the initial cost of about $2000 USD & an annual cost of about $800, the peace of mind is worth every penny.
G. Discenza

Similar Messages

  • How to prevent following attack

    Dear Friends,
    One of the customer's ASA-5520s is getting disconnected every 3-4 hours, and I found the following outputs and errors. This ASA connects to MPLS (to access remote branches) and ADSL (for internet).
    Resource          Current    Peak     Limit    Denied  Context
    Syslogs [rate]         83   87470     N/A           0  System
    Conns               35859   98666     280000        0  System
    Xlates                266     919     N/A           0  System
    Hosts                 353     670     N/A           0  System
    Conns [rate]           29     409     N/A           0  System
    Inspects [rate]        11      57     N/A           0  System
    Before the disconnection happens, I am getting the following error:
    "SA-5-321001: Resource 'conns' limit of 280000 reached for system"
    This looks like a DoS attack (please correct me if I am wrong). I have done the following steps to control the situation:
    policy-map limit
    class limit
      set connection conn-max 1 embryonic-conn-max 1 per-client-max 1
      set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00 dcd 0:00:01
    Now my observation is:
    When I look at Conns, the "current" figures keep increasing but the "peak" figure doesn't increase until "conns" reaches 98666.
    I would appreciate it if anyone can tell me how to resolve this issue.
    Is there any way to stop the "conns" figures from increasing??
    Many thanks

    Can you provide the "show conn" and "show version" output?

  • How to prevent NAT Attacks?

    We had a problem in our network:
    client PC--------------(inside) Cisco 2911 router (outside)-------------internet
    One of the clients was doing too many translations on the router, and eventually the router ended up with a memory allocation error.
    We disconnected the client PC and everything worked fine after that.
    When we connect it back, it again brings the router down.
    How do we proactively secure the NAT translations on the router?

    com.parallels.filesystems.prlufs          2010.12.28
    com.parallels.kext.vnic          8.0 18608.898384
    com.parallels.kext.netbridge          8.0 18608.898384
    com.parallels.kext.hidhook          8.0 18608.898384
    com.parallels.kext.hypervisor          8.0 18608.898384
    com.parallels.kext.usbconnect          8.0 18608.898384
    com.kaspersky.kext.kimul.44          44
    com.Cycling74.driver.Soundflower          1.6.6
    com.razerzone.razerapo          1.00.84
    com.kaspersky.nke          1.0.2d43
    com.kaspersky.kext.klif          3.0.0d23
    Third party kernel extensions are often a cause of kernel panics. As a first step, boot into to Safe mode and test whether the panic reoccurs.

  • Convert Open Directory mobile accounts to Active Directory mobile accounts

    We have 200 or so Macs using OD mobile accounts.
    Implementing Active Directory, getting rid of Open Directory.
    How do I change the mobile accounts from OD accounts to AD accounts so that they authenticate against the AD Domain Controller, and thus the computer login password changes when it's changed in AD?
    I can convert accounts this way:
    a.    Delete the user's account in the Users preference pane of System Preferences, but choose not to change the home directory.
    b.    Log into the user's account by choosing the "Other" option, thus creating a mobile account.
    c.    Log out, log into the admin account, delete the newly created home directory, rename the home directory from the deleted user's account to match the name of the deleted home directory, and do a chown -R on the directory for that user.
    Obviously doing the above 200 times is tedious, and I'd like to avoid this if possible!
    Any other ideas?  Preferably a script I can deploy to all computers?

    I am also testing Leopard in my Active Directory domain and here is what I have found so far. The wireless networks in Leopard seem to be a combination of Panther and Tiger. Each 'Location' that you set has its own list of preferred networks. I have one location for when I am locally on the domain network and others for my bench network and all others under 'Automatic'. The one problem with what you are talking about is that if people change locations and forget to change it back before they log in, it will not find the network, however, adding the other networks all in one location is fine as long as the AD network is on top. You also have to wait about 20 - 30 seconds after you reach the login prompt before proceeding or it will log in without being connected and the AD resources will not be available. I am also finding that Panther knew when it was not on the AD network and did not give any errors, however Leopard squawks when I log in on a different network.
    Cheers,
    Rob

  • Binding Exchange server to Open Directory

    So I am setting up an Exchange 2010 sandbox machine to see how feasible the install and usage of the software is within the company. When running through the installation, it wants the Exchange server machine to be bound to an Active Directory. Well, I don't have any Active Directory servers; all I have is our Open Directory. How can I tie the Exchange binding in to the Open Directory? I have heard about integrating between OD and AD, but it seems like it requires yet another AD machine.
    Any thoughts? Success Stories?

    The answer is to remove the local KDC on the 10.5 clients. 10.5 uses the LKDC for personal file sharing - not needed for networked clients.
    Run the following commands to kill LKDC before binding the machine to Open Directory:
    sudo dscl /Local/Default delete /Config/KerberosKDC
    sudo rm -rf /var/db/dslocal/nodes/Default/config/KerberosKDC.plist
    See: http://forums.bombich.com/viewtopic.php?t=11834&highlight=lkdc

  • May I ask how FMS against DDOS attacks

    Suppose a person stops the connection to the FMS server, how do

    Suppose a person issues 100,000 requests to FMS in one second, such as method calls; how do we prevent DDoS attacks? I know there is no particularly good way, but is it possible to restrict access by IP frequency?

  • FTP dictionary attack - how to prevent ?

    I've already searched the board but haven't found a solution for our problem:
    During the last weeks the server was being hit by attacks that look like a dictionary attack. Someone tries to log in by FTP thousands of times. This made the server reboot and finally destroyed its mail database, which I rebuilt.
    My biggest problem, however, is how to prevent this in the future. Unfortunately the server is used by a nonprofit organization, so we can't spend thousands on intrusion-prevention firewall hardware.
    But isn't there a way to configure something like "Each IP is allowed to try logging in via FTP only X number of times per hour" for the FTP service? I think this would help us.
    I already set it to close connections after one wrong password attempt using Server Admin. By default it was set to "3". But I guess that this doesn't really help.
    Any idea would be appreciated.

    No, the people here are used to accessing the server by FTP and I can't do much about it. Unfortunately.
    There are alternatives that are (usually) easier to use than FTP. (In my experience, most end users aren't running a shell-level ftp command; they're running some sort of front-end or GUI-based FTP client. Finder, perhaps. Which means most don't know they're even running FTP, in any real sense.)
    Also, aren't most CMSs more vulnerable to DoS attacks and intrusion attempts? It's complex software with lots of security holes.
    Valid concerns, certainly.
    You do realize that FTP transmits the username and password credentials in cleartext, right?
    Anybody that peeves somebody else sufficiently can end up getting hit with a DoS or (worse) a DDoS or a dictionary attack. Sometimes you don't even need to peeve somebody. I've dealt with a case of a user launching a DoS to get a tactical advantage over another user in an online game, too.
    Yes, CMS installations can be vulnerable; pick wisely, and stay current. An administrator needs to do the same thing with a CMS as with most anything else web-facing: evaluate security carefully, track updates and security notices, and generally keep a lid on the riff-raff.
    But if you have a situation where you can use, for instance, certificate-based access, you can block most of the trouble and you can block typical open access.
    I find http://www.aczoom.com/cms/blockhosts to be an interesting thing. However, it's from 2005 - is it still current or outdated?
    I tend to either run fairly locked down with the web server and fairly defensive around it, or (where applicable) use mod_security, or both.
    And a typical recommendation is to use an out-board firewall, and to house your address-based defenses and blacklists out there. Having users "loose" on the firewall (and I include myself in that) means that a mistake or a configuration change on the server can potentially open up an exposure. I much prefer to have the extra step of connecting to the firewall.
    A VPN server can also be housed out on a firewall (or host-based, if you're so inclined), which can allow you to run FTP and other protocols more securely.
    I do block some IP subnets. But the attacks I (still) see are from all over the IPv4 address space.
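The per-host lockout the original question asks for (ban a source for a couple of hours after enough failures, or keep it on a list until an administrator frees it) and the "X attempts per hour per IP" rule wished for in this FTP thread are the same mechanism: count authentication failures per source address in a sliding window and act on the source, not on the account. The Python below is an added example, not code from either thread, from Apple, or from any product named on this page. The log line format is constructed for the example (no real server writes exactly this), the addresses are RFC 5737 documentation addresses, and the threshold of 12 is borrowed from the questioner's account-lockout setting. Pushing the resulting ban into pf, ipfw or an external firewall is left as the reader's integration step; the block only produces the decisions.

```python
# Fail2ban-style per-source lockout driven by authentication-failure log lines.
# Added example; not code from the thread, macOS Server, or any product named on it.
# The log format below is constructed for this example, not a real server's format.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) auth-failure src=(?P<ip>[\d.]+) user=(?P<user>\S+)$"
)


class SourceLimiter:
    """Count failures per source address in a sliding window.

    Reaching max_failures within `window` bans the source for `ban_for`;
    a second ban moves it onto a permanent list that only release() clears
    (the "until I free them manually" behaviour from the question).
    """

    def __init__(self, max_failures=12, window=timedelta(hours=1),
                 ban_for=timedelta(hours=2), strikes_before_permanent=2):
        self.max_failures = max_failures
        self.window = window
        self.ban_for = ban_for
        self.strikes_before_permanent = strikes_before_permanent
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.banned_until = {}              # ip -> expiry of a temporary ban
        self.strikes = defaultdict(int)     # ip -> number of bans so far
        self.permanent = set()              # cleared only by release()

    def is_blocked(self, ip, now):
        if ip in self.permanent:
            return True
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Register one failed login from ip at time now; return the action taken."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) < self.max_failures:
            return "counted"
        q.clear()
        self.strikes[ip] += 1
        if self.strikes[ip] >= self.strikes_before_permanent:
            self.permanent.add(ip)
            self.banned_until.pop(ip, None)
            return "permanent"
        self.banned_until[ip] = now + self.ban_for
        return "banned"

    def release(self, ip):
        """Administrator frees a source: clears its ban, strikes and history."""
        self.permanent.discard(ip)
        self.banned_until.pop(ip, None)
        self.strikes.pop(ip, None)
        self.failures.pop(ip, None)


def process_log(lines, limiter=None):
    """Feed log lines through the limiter; return (limiter, list of (ip, outcome)).

    "dropped" means the source was already blocked at that moment, i.e. a
    firewall rule would have rejected the connection before it could add
    to the per-account lockout counter.
    """
    limiter = limiter or SourceLimiter()
    outcomes = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an auth-failure line
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if limiter.is_blocked(ip, ts):
            outcomes.append((ip, "dropped"))
        else:
            outcomes.append((ip, limiter.record_failure(ip, ts)))
    return limiter, outcomes


def tally(outcomes):
    """Count outcomes per (ip, action) for a report."""
    counts = defaultdict(int)
    for ip, action in outcomes:
        counts[(ip, action)] += 1
    return dict(counts)


# Constructed sample: one source hammers "alice" twice in one morning, a
# second source makes a single mistake. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = (
    [f"2024-05-01T10:{m:02d}:00 ftpd auth-failure src=203.0.113.7 user=alice" for m in range(13)]
    + ["2024-05-01T10:15:00 ftpd auth-failure src=198.51.100.9 user=bob"]
    + [f"2024-05-01T13:{m:02d}:00 ftpd auth-failure src=203.0.113.7 user=alice" for m in range(13)]
)

if __name__ == "__main__":
    limiter, outcomes = process_log(SAMPLE_LOG)
    for key, n in sorted(tally(outcomes).items()):
        print(key, n)
    print("permanent list:", sorted(limiter.permanent))
```

Two limits of this approach are visible in the threads themselves: the last reply notes that attempts arrive "from all over the IPv4 address space", and a per-source counter does nothing against an attacker who spreads guesses across many addresses, so it complements rather than replaces the per-account lockout; and a source behind a shared NAT (a whole office, a mobile carrier) is banned as one address, which is why the ban should be temporary by default and the permanent list should be something an administrator reviews rather than a silent drop.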

  • There is a way to hack a mac pro even if you have a password. How do I prevent hacking?

    My friend can actually hack a Mac Pro just by restarting it, even if you have a password to protect your Mac. My Mac is currently on Mavericks.
    Steps:
    1. When you open a Mac with a password in Mavericks, click Switch User.
    2. After the page loads, click Restart.
    3. After the computer shuts down and is turning on again, press Command-S.
    4. My friend just typed some code and managed to change my password.
    He told me the password and I changed it back, but I wanted to know how to prevent this hack from happening again on my Mac Pro.

    Don't let anyone use your computer, including your friend. It's easy enough to change a password in single-user mode. Just put a master password - a firmware password - on your computer to prevent that kind of access. Better yet, change friends.
    Boot to the Recovery HD:
    Restart the computer and after the chime press and hold down the COMMAND and R keys until the menu screen appears. Alternatively, restart the computer and after the chime press and hold down the OPTION key until the boot manager screen appears. Select the Recovery HD and click on the downward-pointing arrow button.
    When the menu bar appears, select Firmware Password from the Utilities menu and follow the instructions.

  • EAP MD5 with ISE 1.2 - How to Prevent Active Directory Account locks?

    Hi,
    Is there any way to prevent accounts from being locked in AD if someone does a password brute-force attack on an account? Does ISE have some feature/configuration to prevent this type of attack?
    Thanks.

    So what you're saying is the retry values only come in to play if the RADIUS server is inaccessible, right?
    Windows laptops actually work just fine, because many of them are using machine authentication.  The main issue seems to be from iPhones, which are saving the username/password and then re-attempting too many times when the user changes their password.
    One solution is to use LDAP instead of AD within ACS, but the downside is the password can be guessed thousands of times in a row and is open to dictionary attacks.  We do enforce complex password policies, so the likelihood of an account being compromised is slim, but I'd rather eliminate the chance entirely.

  • How to prevent JFileChooser automatically changing to parent directory?

    When you show only directories, click on the directory icons to navigate, and then don't select anything and click OK, it automatically 'cd's to the parent folder.
    My application is using the JFileChooser to let the user navigate through folders, and certain details of 'foo' files in that folder are displayed in another panel.
    So we don't want the chooser automatically changing directory to the parent when OK is clicked. How do I prevent this behavior?
    I considered extending the chooser and looked at the Swing source code, but it is hard to tell where the directory change is happening.
    thanks,
    Anil
    To demonstrate this, I took the standard JFileChooserDemo from the Sun tutorial and modified it by adding these lines:
              // NEW line 45 in constructor
              fc.addPropertyChangeListener((PropertyChangeListener) this);
              fc.setFileSelectionMode(JFileChooser.DIRECTORIES_ONLY);

         /**
          * NEW - print every directory change the chooser reports.
          * @see java.beans.PropertyChangeListener#propertyChange(java.beans.PropertyChangeEvent)
          */
         public void propertyChange(PropertyChangeEvent e) {
              String prop = e.getPropertyName();
              if (JFileChooser.DIRECTORY_CHANGED_PROPERTY.equals(prop)) {
                   System.out.println("DIRECTORY_CHANGED_PROPERTY");
                   File file = (File) e.getNewValue();
                   System.out.println("DIRECTORY:" + file.getPath());
              }
         }

    Here is the demo:
    package filechooser;

    import java.awt.BorderLayout;
    import java.awt.Insets;
    import java.awt.event.ActionEvent;
    import java.awt.event.ActionListener;
    import java.beans.PropertyChangeEvent;
    import java.beans.PropertyChangeListener;
    import java.io.File;
    import javax.swing.ImageIcon;
    import javax.swing.JButton;
    import javax.swing.JFileChooser;
    import javax.swing.JFrame;
    import javax.swing.JPanel;
    import javax.swing.JScrollPane;
    import javax.swing.JTextArea;
    import javax.swing.SwingUtilities;
    import javax.swing.UIManager;

    /*
     * FileChooserDemo.java uses these files:
     *   images/Open16.gif
     *   images/Save16.gif
     */
    public class FileChooserDemo extends JPanel implements ActionListener,
              PropertyChangeListener {
         static private final String newline = "\n";
         JButton openButton, saveButton;
         JTextArea log;
         JFileChooser fc;

         public FileChooserDemo() {
              super(new BorderLayout());
              // Create the log first, because the action listeners
              // need to refer to it.
              log = new JTextArea(5, 20);
              log.setMargin(new Insets(5, 5, 5, 5));
              log.setEditable(false);
              JScrollPane logScrollPane = new JScrollPane(log);
              // Create a file chooser
              fc = new JFileChooser();
              // NEW: listen for directory changes and show directories only
              fc.addPropertyChangeListener((PropertyChangeListener) this);
              fc.setFileSelectionMode(JFileChooser.DIRECTORIES_ONLY);
              // Create the open button. We use the image from the JLF
              // Graphics Repository (but we extracted it from the jar).
              openButton = new JButton("Open a File...",
                        createImageIcon("images/Open16.gif"));
              openButton.addActionListener(this);
              // Create the save button. We use the image from the JLF
              // Graphics Repository (but we extracted it from the jar).
              saveButton = new JButton("Save a File...",
                        createImageIcon("images/Save16.gif"));
              saveButton.addActionListener(this);
              // For layout purposes, put the buttons in a separate panel
              JPanel buttonPanel = new JPanel(); // use FlowLayout
              buttonPanel.add(openButton);
              buttonPanel.add(saveButton);
              // Add the buttons and the log to this panel.
              add(buttonPanel, BorderLayout.PAGE_START);
              add(logScrollPane, BorderLayout.CENTER);
         }

         /**
          * NEW - print every directory change the chooser reports.
          * @see java.beans.PropertyChangeListener#propertyChange(java.beans.PropertyChangeEvent)
          */
         public void propertyChange(PropertyChangeEvent e) {
              String prop = e.getPropertyName();
              // If the current directory changed, print the new directory.
              if (JFileChooser.DIRECTORY_CHANGED_PROPERTY.equals(prop)) {
                   System.out.println("DIRECTORY_CHANGED_PROPERTY");
                   File file = (File) e.getNewValue();
                   System.out.println("DIRECTORY:" + file.getPath());
              }
         }

         public void actionPerformed(ActionEvent e) {
              // Handle open button action.
              if (e.getSource() == openButton) {
                   int returnVal = fc.showOpenDialog(FileChooserDemo.this);
                   if (returnVal == JFileChooser.APPROVE_OPTION) {
                        File file = fc.getSelectedFile();
                        // This is where a real application would open the file.
                        log.append("Opening: " + file.getName() + "." + newline);
                   } else {
                        log.append("Open command cancelled by user." + newline);
                   }
                   log.setCaretPosition(log.getDocument().getLength());
              // Handle save button action.
              } else if (e.getSource() == saveButton) {
                   int returnVal = fc.showSaveDialog(FileChooserDemo.this);
                   if (returnVal == JFileChooser.APPROVE_OPTION) {
                        File file = fc.getSelectedFile();
                        // This is where a real application would save the file.
                        log.append("Saving: " + file.getName() + "." + newline);
                   } else {
                        log.append("Save command cancelled by user." + newline);
                   }
                   log.setCaretPosition(log.getDocument().getLength());
              }
         }

         /** Returns an ImageIcon, or null if the path was invalid. */
         protected static ImageIcon createImageIcon(String path) {
              java.net.URL imgURL = FileChooserDemo.class.getResource(path);
              if (imgURL != null) {
                   return new ImageIcon(imgURL);
              } else {
                   System.err.println("Couldn't find file: " + path);
                   return null;
              }
         }

         /**
          * Create the GUI and show it. For thread safety, this method should be
          * invoked from the event dispatch thread.
          */
         private static void createAndShowGUI() {
              // Create and set up the window.
              JFrame frame = new JFrame("FileChooserDemo");
              frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
              // Add content to the window.
              frame.add(new FileChooserDemo());
              // Display the window.
              frame.pack();
              frame.setVisible(true);
         }

         public static void main(String[] args) {
              // Schedule a job for the event dispatch thread:
              // creating and showing this application's GUI.
              SwingUtilities.invokeLater(new Runnable() {
                   public void run() {
                        // Turn off metal's use of bold fonts
                        UIManager.put("swing.boldMetal", Boolean.FALSE);
                        createAndShowGUI();
                   }
              });
         }
    }

  • How to configure Open Directory base DN

    Hi,
    I have been using OpenLDAP on a Synology NAS drive, but this has some serious shortcomings with Mac clients (e.g. roaming profiles simply don't work).
    So I have bought a MacMini which among other things will replace my existing LDAP server with Open Directory.
    As a dry run, I enabled the Open Directory and went through the simple set up and I had a basic system up in no time.  However I have come up against an annoying issue with the base DN used by Open Directory and I hope someone will be able to help me.
    My existing LDAP has a base DN that looks like this: dc=myorg, dc=local
    So when users log in, they can use a username which conforms to the following format: [email protected]
    The problem is that Open Directory likes to set the base DN to: dc=macservername, dc=myorg, dc=local
    meaning that a fully qualified user account name now becomes: [email protected]
    This seems bonkers to me.  For example, what would happen if I introduce a second Mac server into the mix and failover to it - the servername element of the DN becomes redundant or if it changes, I need to communicate with all users.
    I must be missing something obvious - but there doesn't seem to be much in the way of configuration that I can see through the Server application.
    So, my question is, how can I configure my base dn without the servername so that my existing username context remains the same?
    Many thanks - I look forward to any responses.

    I agree with Dal78: Apple using a base DN of servername.example.com rather than just example.com is illogical. In fact, originally they did seem to use just example.com as the format, but in recent years they now use server.example.com as the format. When I first encountered this change it was still possible to override the use of servername.example.com and force it to use just example.com as the format. In more recent times I have decided to leave things the way Apple does them.
    I don't know if there is an official answer as to why, but a possible guess is that you can now have multiple Open Directory servers for a single domain. This is the 'Locales' option in Server.app. It may be that including the servername makes it possible/easier to implement this.
    I also agree with Strontium90: do not use a .local root domain for Open Directory. In theory there are hacks to (sort of) get this to work, but Apple engineers will typically run screaming for the woods when they encounter this.
    PS. Briefly, Apple also did the same illogical thing with DNS zones, whereby the zone name for a domain was servername.example.com instead of example.com; this at least they have stopped doing.

  • How do I disable SSLV3 in Oracle HTTP SERVER to prevent POODLE attacks?

    How do I disable SSLV3 in Oracle HTTP SERVER to prevent POODLE attacks?
    I see the line in the ssl.conf file:
    SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_RC4_40_MD5:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    but I'm not sure which ciphers are SSLV3.
    Thanks,
    Andy

    Hi Andy,
    For this, we highly recommend you to open a SR with Oracle support and Security team would be assisting you on how to get this fixed.
    Thanks,
    Sharmela
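The question above confuses two settings: SSLCipherSuite selects cipher suites, while SSLv3 is a protocol version. The SSL_ prefix on the suite names only reflects their SSLv3-era naming; the same suites are also offered under TLS, so pruning the cipher line does not by itself disable SSLv3, which is what POODLE requires. On Apache-derived servers the protocol is chosen by an SSLProtocol directive (whether and how Oracle HTTP Server supports it for your version is for the Oracle documentation or the support case to confirm). What an administrator can do with the quoted line is audit it, and the Python below does that. It is an added example, not code from the thread or from Oracle; the weakness rules are this example's own conservative heuristics, and the one TLS_ suite used for comparison is constructed for the test, not a recommendation for this server.

```python
# Audit an Apache-style SSLCipherSuite value for suites that are weak on their own
# terms, independent of the SSLv3 protocol question. Added example, not from the
# thread or from Oracle; the rules below are this example's own heuristics.
import re

# The value quoted in the question, exactly as posted.
SSL_CIPHER_SUITE = (
    "SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA:"
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:"
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"
)

# (predicate on the suite name, reason); checked in order, first match wins.
WEAKNESS_RULES = [
    (lambda s: "_EXPORT_" in s, "export-grade (40-bit) key"),
    (lambda s: re.search(r"_DES_CBC_", s) is not None, "single DES (56-bit key)"),
    (lambda s: "_RC4_" in s, "RC4 stream cipher"),
    (lambda s: s.endswith("_MD5"), "MD5 MAC"),
    (lambda s: "_3DES_" in s, "3DES (112-bit effective, legacy)"),
]


def classify(suite):
    """Return the first matching weakness reason, or None if no rule fires."""
    for predicate, reason in WEAKNESS_RULES:
        if predicate(suite):
            return reason
    return None


def audit(cipher_string):
    """Map each configured suite to its weakness reason (None = not flagged),
    preserving the order in which the server would prefer them."""
    return {s: classify(s) for s in cipher_string.split(":") if s}


def prune(cipher_string):
    """Return the cipher string with every flagged suite removed."""
    return ":".join(s for s, why in audit(cipher_string).items() if why is None)


def uses_sslv3_names(cipher_string):
    """True if any suite uses the SSL_ naming convention. That prefix only
    dates the name: the same suites exist under TLS, so changing the cipher
    string does not turn the SSLv3 protocol off."""
    return any(s.startswith("SSL_") for s in cipher_string.split(":") if s)


if __name__ == "__main__":
    for suite, why in audit(SSL_CIPHER_SUITE).items():
        print(f"{suite:40s} {why or 'ok'}")
    print("remaining after prune:", repr(prune(SSL_CIPHER_SUITE)))
    print("SSL_-named suites present:", uses_sslv3_names(SSL_CIPHER_SUITE))
```

Run against the quoted line, every one of the six suites is flagged and the pruned string is empty, which is the practical finding for this configuration: the cipher list needs replacing with suites the server's version supports, and the SSLv3 protocol needs disabling as a separate step.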

  • How to set permissions IN Open Directory USING Open Directory groups?

    Hi all,
    Apologies if I've missed this, but I have been searching for two days trying to figure out how to delegate permissions within the OD to a number of different OD groups, and I can't seem to find any way to do this either at the command line or with WGM.
    Examples: an OD group containing those who will manage the full directory needs to have permissions on all containers, child objects, and their attributes in the directory. For this one in particular I seem to be able to nest a group in the default Admin group, but this isn't really what I'm after. I need to create OD groups with the ability only to manipulate objects of class apple-computer and similarly apple-user (really all inetOrgPerson objects). In a nutshell: how do I set permissions on specific attributes or object classes using OD groups?
    thanks for any pointers...
    -andrew

    I think I just answered my own question: Open Directory is OpenLDAP. slapd is all I need.

  • How to turn off Open Directory in OS X Server 10.8.2

    I am configuring a Mac Pro with ML Server 10.8.2 for internal-only use.  I have DNS working on it (with the annoyance that it goes out of its way to break wildcard host names, and it doesn't know how to properly create the zone files to allow a secondary DNS server to do reverse-name lookups properly).  I have only 2 users (admin and Time Machine), Time Machine is working for client Macs using the Time Machine user account, and File Sharing is working (using either account), sharing a RAID of internal drives and a pair of USB-attached external drives.
    I briefly turned on Open Directory, just to see if I wanted or needed to go that route.  I entered an Open Directory admin (diradmin) with a password.  Looked around the options and decided I did NOT need to use Open Directory just to get the Time Machine stuff working, and I was right.
    However, now the Server App shows Open Directory is "On."  When I go to that tab, I get a message stating that there was an error reading the settings file for Open Directory services.  I click it "Off" but it refuses to turn off.  When I come back to the tab, I get a pop-up window with a message about an error reading the settings and the Off/On switch moves back to "On" and the green light never goes off next to Open Directory in the list of services.
    I've rebooted the machine and after the reboot, sometimes, it appears as if I can add/delete/modify Users and Groups.  Other times, after the reboot, the +/- buttons are greyed out and I cannot add/edit/modify Users and Groups.  I have not yet tried to add/delete/modify users yet because I'm leery of trusting the server with this error message.
    Can anyone help me to remove anything and everything related to Open Directory so that it is "off" as if I never ever turned it on?  Or any suggestions on how to fix this short of a reinstall?
    Can I download and install the Server app on a different machine and then just copy the Server app over to this machine?  Will that zero out the Open Directory stuff that I'm trying to get rid of?
    Thanks in advance.

    I think I solved my problem by running the following command:
    sudo slapconfig -destroyldapserver diradmin
    diradmin is the name of the Open Directory admin account I created.
    The Open Directory service now appears "off" and no longer has the green dot next to it in the list of services.
    Obviously NOT a good solution for someone who was actively using Open Directory, as this appears to have deleted all the data associated with Open Directory.
    Users and Groups now allow me to add/delete/modify.
    Sad to see an Apple product have such issues.

  • How to repair Open Directory Master after Changing Hostname

    Summary:
    How to repair Open Directory after Changing your Server's Hostname (see separate post)
    Problem:
    I had to change our server's hostname from a private hostname (server.name.private) to a public hostname (name.dyndns.org).
    Procedure:
    1. Precautions:
    Since I was anticipating major dramas, I tested the change of hostname on a clone (I used SuperDuper, and I very strongly advise everybody to heed this warning, because a change of hostname will corrupt your server services, in particular Open Directory).
    Second, I exported the network users from Server Admin and copied the archive to the Drop Folder of the server's local account (because the network accounts will be unavailable after demoting the OD Master).
    2. Change hostname and demote OD Master
    a) I re-booted the server from the clone
    b) I changed the hostname in Server App and I noticed that the Open Directory Password and the Kerberos database were still stuck with the old hostname.
    c) I then demoted to a standalone directory (Server Admin) and tried to promote the server to an OD Master using the Server App (Manage Network Accounts). Server App always returned an error saying I should check my network settings.
    3. List of 'fixes'
    I tried the following fixes to no avail (which does not mean that you can skip them):
    a) I checked the DNS entries, forward and reverse were working fine (sudo checkip -changehostname)
    b) Checked with Lookup in Network Utility, all was fine
    c) I deleted all system certificates (Keychain) which showed the name of the previous hostname
    ( N.B. you need not delete email certificate and private/public keys)
    d) I tried to assign a new static IP in Networking Preferences (had no visible result)
    e) I re-booted from the working drive and I re-paired permissions on the clone; I ran disk repairs.
    Despite all this I could not re-create an OD Master.
    I then looked for this dubious folder /var/root/Library/Application Support/Certificate Authority.
    I could not find this folder when using the Finder's Go To Folder, nor did "Easy Find" see this folder.
    I was about to give up when I read the posts on this page and I entered the Terminal commands
    sudo rm -R /var/root/Library/Application\ Support/Certificate\ Authority/
    I had not much hope when I set about to re-create the OD Master from the Server App.
    But lo and behold !!! I did not trust my eyes when Server App claimed that the OD Master had been successfully created. And indeed, Server admin showed a running OD Master, LDAP, Kerberos and Password Server all running again !
    Final touch: re-import the user accounts.
    Epilogue:
    I would not have been able to fix this issue had not so many others shared their experience and the working solution.
    (Refer : https://discussions.apple.com/thread/3219325?start=0&tstart=0 )
    Thank you all !
    Let's hope that Apple will fix this annoying issue in the next server update.
    Regards,
    Twistan

    Hi Rhyan,
    Please try clearing the security cache
    http://www.sharepointanalysthq.com/2014/05/active-directory-groups-and-sharepoint-security/
    https://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/
    http://webactivedirectory.com/active-directory/windows-active-directory-cached-user-credentials/
