Severe therapy: a cure for macOS

You will say that everything works out of the box and all of it seems clever, right up to the fifth attempt to have a website auto-generate a password that cannot even be perceived visually; but imagine that for us it is important to protect ourselves not only from everyday hackers but also from the system's developers themselves.

My research into these questions began the moment OS X Lion 10.7 was released. At first I used paid third-party software, and it protected quite effectively, until I worked out what was going on and why that software produced such results.

In practice it is a simple script: it takes firewall control away from the macOS system's anchor-based internal services and hands it directly to the packet filter, with a ruleset that blocks all incoming connections by default. The replaced file is the system's /etc/pf.conf (the original is kept as /etc/pf.conf.backup):

    #
    # Ninja PF configuration file( original located on /etc/pf.conf.backup ).
    #
    # This file contains the main ruleset, which gets automatically loaded
    # at startup.  PF will not be automatically enabled, however.  Instead,
    # each component which utilizes PF is responsible for enabling and disabling
    # PF via -E and -X as documented in pfctl(8).  That will ensure that PF
    # is disabled only when the last enable reference is released.
    #
    # Care must be taken to ensure that the main ruleset does not get flushed,
    # as the nested anchors rely on the anchor point defined here.  In addition,
    # to the anchors loaded by this file, some system services would dynamically
    # insert anchors into the main ruleset.  These anchors will be added only when
    # the system service is used and would removed on termination of the service.
    #
    # Note: the stock macOS pf.conf also carries 'anchor "com.apple/*"' and the
    # matching 'load anchor "com.apple" from "/etc/pf.anchors/com.apple"' line.
    # This ruleset omits them, so system services that insert rules into that
    # anchor (Internet Sharing and the like) have no anchor point here.
    #
    # See pf.conf(5) for syntax.
    #

    # ICMP configure
    icmp_types = "{echoreq, echorep, unreach}"
    icmp6_types = "{echoreq, unreach, echorep, 133, 134, 135, 136, 137}"
    netbios_types = "{137,138,139}"
    interfaces = "{en0, en1, en2, en3, en4}"

    # Base policy
    set fingerprints "/etc/pf.os"
    set block-policy drop
    set state-policy if-bound
    set require-order yes
    set optimization aggressive
    set ruleset-optimization none
    # Loopback is not filtered; comment this out to filter lo0 as well.
    set skip on lo0

    scrub in all fragment reassemble no-df min-ttl 64 max-mss 1440
    scrub out all random-id

    # Default deny inbound, allow outbound (stateful).
    block in log all
    pass out quick flags S/SA modulate state

    # Antispoofing
    antispoof quick for $interfaces inet
    antispoof quick for $interfaces inet6

    # More secure settings
    block in from urpf-failed to any
    block in quick on $interfaces from any to 255.255.255.255
    # 255.255.255.0 is a netmask, not a broadcast address; as written this
    # rule matches only the single host address 255.255.255.0.
    block in quick on $interfaces from any to 255.255.255.0

    # ICMP policy
    block in inet proto icmp all icmp-type $icmp_types keep state
    block in inet6 proto icmp6 all icmp6-type $icmp6_types keep state
    block in on $interfaces proto {tcp,udp} from any to any port $netbios_types

Do not forget to tick the checkbox that enables the firewall in System Preferences. Be aware that this checkbox controls the application firewall (socketfilterfw), which is separate from pf; pf itself is enabled with pfctl (-e, or -E for a reference-counted enable), as the comment header of the file above explains. To verify that pf is running, run in the Terminal

 sudo pfctl -sa 

This is a compact collection of rule templates for managing connections and interfaces; the setup itself blocks incoming traffic as far as possible. If you are completely paranoid, simply comment out the "set skip on lo0" line: that protects the system from a web server running locally and stops most applications from reaching the loopback interface. Expect local services that talk over 127.0.0.1 to break unless you add explicit pass rules for them.

Leaving lo0 open mostly matters if you want to play pirated games from torrents; blocking it is useful for stopping such torrent downloads, which are often patched with exploits or other junk.
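The ruleset above is loaded into a live system, so it is worth checking it before it replaces /etc/pf.conf. The following helper is an added example written for this page, not the author's fix.sh: pf_lint runs static checks on a candidate file (the com.apple anchor lines the stock macOS pf.conf carries, a default-deny "block in" rule, and the lo0 skip), and pf_apply does the syntax check, backup, load and reference-counted enable with pfctl(8). The anchor and load-anchor strings are the ones from the stock file; the constructed sample files in the test are assumptions.

```shell
#!/bin/sh
# Added example (not the article's fix.sh): safely deploy a custom /etc/pf.conf
# on macOS. Assumes pfctl(8) is present when pf_apply runs.
set -u

# Lines the stock macOS /etc/pf.conf carries. System services load their rules
# into the com.apple anchor, so a ruleset that drops these leaves them without
# an anchor point.
PF_APPLE_ANCHOR='anchor "com.apple/*"'
PF_APPLE_LOAD='load anchor "com.apple" from "/etc/pf.anchors/com.apple"'

# pf_lint FILE: static checks on a candidate ruleset. Prints one finding per
# line and returns the number of findings (0 = clean).
pf_lint() {
    file=$1
    findings=0
    if ! grep -qF "$PF_APPLE_ANCHOR" "$file"; then
        echo "missing: $PF_APPLE_ANCHOR (system services cannot insert their rules)"
        findings=$((findings + 1))
    fi
    if ! grep -qF "$PF_APPLE_LOAD" "$file"; then
        echo "missing: $PF_APPLE_LOAD"
        findings=$((findings + 1))
    fi
    # Without an explicit 'block in', pf passes everything it does not match.
    if ! grep -Eq '^[[:space:]]*block[[:space:]]+in' "$file"; then
        echo "missing: a 'block in' rule (ruleset is not default-deny)"
        findings=$((findings + 1))
    fi
    # Without 'set skip on lo0', local services talking to 127.0.0.1 hit 'block in'.
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+skip[[:space:]]+on[[:space:]]+lo0' "$file"; then
        echo "note: no 'set skip on lo0'; loopback traffic will be filtered"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# pf_apply FILE: syntax-check, keep a backup of the live ruleset, load it and
# enable pf with a reference (-E) so other components cannot silently turn it
# off. Returns non-zero if pf does not report itself enabled afterwards.
pf_apply() {
    file=$1
    pf_lint "$file" || echo "lint reported $? finding(s); review before continuing"
    sudo pfctl -nf "$file" || { echo "syntax error in $file"; return 1; }
    [ -f /etc/pf.conf.backup ] || sudo cp /etc/pf.conf /etc/pf.conf.backup
    sudo cp "$file" /etc/pf.conf
    sudo pfctl -f /etc/pf.conf || return 1
    sudo pfctl -E
    sudo pfctl -s info | grep -q '^Status: Enabled'
}

# Usage: ./pf_deploy.sh /path/to/candidate/pf.conf
if [ -n "${1:-}" ]; then
    pf_apply "$1"
fi
```

Run pf_lint against the article's ruleset and it reports the two missing com.apple lines; add them back (or accept the loss of those services) before running pf_apply.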

The second thing the script does, with the user's consent, is set advanced kernel security settings.

Here is the short list:

    # 10.13.4 system ctl configuration

    # Kernel IPC overrides
    kern.ipc.somaxconn=100

    # kernel security level(0, 1 - soft security level or 2 - can't install any software)
    kern.securelevel=1

    # Speed up TM backups
    debug.lowpri_throttle_enabled=0
    kern.coredump=0

    # Networking settings
    net.link.ether.inet.max_age=600
    net.inet.ip.redirect=0
    net.inet6.ip6.redirect=0
    net.inet.ip.sourceroute=0
    net.inet.ip.accept_sourceroute=0
    net.inet.ip.linklocal.in.allowbadttl=0
    net.inet.icmp.bmcastecho=0
    net.inet.icmp.icmplim=50
    net.inet.icmp.maskrepl=0
    net.inet.udp.blackhole=1
    net.inet.tcp.blackhole=2
    net.inet.tcp.delayed_ack=2
    net.inet.tcp.always_keepalive=0
    net.inet.tcp.rfc3390=1
    net.inet.tcp.rfc1644=1
    net.inet.tcp.tso=0

    # Incoming and outgoing port ranges
    net.inet.tcp.sack_globalmaxholes=2000
    net.inet.ip.portrange.first=1024
    net.inet.ip.portrange.last=65535
    net.inet.ip.portrange.hifirst=1024
    net.inet.ip.portrange.hilast=2500
    net.inet.ip.check_interface=1
    net.inet.tcp.keepidle=50000
    net.inet.ip.rtmaxcache=1024
    net.inet.tcp.path_mtu_discovery=0
    net.inet6.icmp6.rediraccept=0
    net.inet.tcp.msl=4500
    net.inet6.icmp6.nodeinfo=0
    net.inet6.ip6.accept_rtadv=0
    net.inet6.ip6.auto_linklocal=1
    net.inet6.ip6.only_allow_rfc4193_prefixes=1
    net.inet6.icmp6.nd6_onlink_ns_rfc4861=1

These kernel parameters tighten the network stack's policy (including the relevant RFC behaviours) and suppress as much noise as possible (ICMP echo, redirects and so on). The kern.securelevel=1 parameter, very useful for pentesters, deserves special attention.

kern.securelevel=2 will completely block the ability to install any packages on the system. Generally tight, but the system loses no performance. Note that the securelevel can be raised at run time but only lowered by rebooting, so try a level out before persisting it.

I also moved the high port range that demanding applications request and dropped it lower, so that "listening" to the traffic is less comfortable.
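Applying a list like the one above by hand is error-prone, and values drift back after updates. The helper below is an added example written for this page, not the author's fix.sh: it parses a "key=value" list with "#" comments in the format shown above, reports which keys differ from the running kernel (or do not exist on it), and applies the list with sysctl(8), setting kern.securelevel last because it cannot be lowered again without a reboot. The sample list in the test is constructed.

```shell
#!/bin/sh
# Added example (not the article's fix.sh): apply a sysctl list and report
# drift against the running kernel. Assumes the list uses 'key=value' lines
# with '#' comments, as in the article.
set -u

# sysctl_parse FILE: emit one 'key=value' per line; comments, blank lines and
# whitespace around '=' are dropped.
sysctl_parse() {
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# sysctl_expected FILE KEY: the value the list sets for KEY (empty if absent).
sysctl_expected() {
    sysctl_parse "$1" | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# sysctl_check FILE: print 'key: live -> wanted' for every mismatch and
# return the number of mismatches. Keys this kernel does not expose are
# counted too, so a list copied from another macOS version is caught.
sysctl_check() {
    drift=0
    for kv in $(sysctl_parse "$1"); do
        key=${kv%%=*}; want=${kv#*=}
        if ! live=$(sysctl -n "$key" 2>/dev/null); then
            echo "$key: not available on this kernel"
            drift=$((drift + 1))
            continue
        fi
        if [ "$live" != "$want" ]; then
            echo "$key: $live -> $want"
            drift=$((drift + 1))
        fi
    done
    return "$drift"
}

# sysctl_apply FILE: set every key. kern.securelevel is applied last and only
# if everything else succeeded, because once raised it stays raised until the
# next reboot.
sysctl_apply() {
    level=
    for kv in $(sysctl_parse "$1"); do
        key=${kv%%=*}; val=${kv#*=}
        if [ "$key" = kern.securelevel ]; then level=$val; continue; fi
        sudo sysctl -w "$key=$val" >/dev/null || { echo "failed: $key"; return 1; }
    done
    [ -z "$level" ] || sudo sysctl -w "kern.securelevel=$level" >/dev/null
}

# Usage: ./sysctl_apply.sh check LIST   or   ./sysctl_apply.sh apply LIST
case "${1:-}" in
    check) sysctl_check "$2" ;;
    apply) sysctl_apply "$2" ;;
esac
```

Run the check mode before and after a macOS update: a non-zero return tells you which of the values above were reset, and "not available" lines flag keys that the new kernel no longer exposes.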

Next, the script adds custom settings for a few Finder display options and some small Safari settings. For example, it is worth disabling AV Foundation and the other media features, because the system can be attacked through audio and video streams using a single image placed on a website.

Overall it is odd, but even iTunes on macOS remains usable this way, so I prefer the fully loaded setup.

The fix is available on GitHub. Start it with

 sudo ./fix.sh 

If you have suggestions or corrections, please share your thoughts in the comments.

Source: https://habr.com/ru/post/zh-CN421221/
