Severe Therapy: The Fade Cure for MacOS

Published on August 25, 2018

You will say that out of the box everything is fine and everything seems brilliant, right up to the autogeneration of passwords for web sites that you cannot even read on the fifth attempt. However, let us imagine that it is important for us to protect ourselves not only from everyday hackers, but also from the system developers themselves.

My research into these matters began as soon as OS X Lion 10.7 was released. At first I used third-party software to protect it, which was paid and very effective, until I figured out what was actually happening and by what means this software achieved its result.

Actually, here is a simple script that takes firewall management away from the internal MacOS system services and their anchors and hands control directly to the packet filter, which blocks all incoming connections outright:

#
# Ninja PF configuration file (the original is kept at /etc/pf.conf.backup).
#
# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition
# to the anchors loaded by this file, some system services dynamically
# insert anchors into the main ruleset. These anchors are added only when
# the system service is used and are removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
# ICMP configure
icmp_types = "{echoreq, echorep, unreach}"
icmp6_types = "{echoreq, unreach, echorep, 133, 134, 135, 136, 137}"
netbios_types = "{137,138,139}"
interfaces = "{en0, en1, en2, en3, en4}"
# Base policy
set fingerprints "/etc/pf.os"
set block-policy drop
set state-policy if-bound
set require-order yes
set optimization aggressive
set ruleset-optimization none
set skip on lo0
scrub in all fragment reassemble no-df min-ttl 64 max-mss 1440
scrub out all random-id
block in log all
pass out quick flags S/SA modulate state
# Antispoofing
antispoof quick for $interfaces inet
antispoof quick for $interfaces inet6
# More secure settings
block in from urpf-failed to any
block in quick on $interfaces from any to 255.255.255.255
block in quick on $interfaces from any to 255.255.255.0
# ICMP policy (state options make no sense on block rules and pfctl refuses
# to load "block ... keep state", so the blocks are stateless)
block in inet proto icmp all icmp-type $icmp_types
block in inet6 proto icmp6 all icmp6-type $icmp6_types
block in on $interfaces proto {tcp,udp} from any to any port $netbios_types

Do not forget to tick the firewall in the preferences. To verify that PF is running and see what was loaded, simply run in a terminal:

sudo pfctl -sa

Here are briefly collected rule patterns for managing connections and interfaces, and the setting itself blocks incoming traffic as much as possible. If you are completely paranoid, just comment out the line set skip on lo0: this will relieve the system of any working web server and block most applications from accessing the loopback interface.

Blocking lo0 is usually useful if you like to play pirated games from torrents, which often come patched with some exploit or other rubbish.
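Since the ruleset above logs every blocked inbound packet (block in log all), here is an added example, not part of the original post, that summarises what pflog0 is dropping. The sample lines are constructed in the shape tcpdump prints for pflog0 (sudo tcpdump -n -e -ttt -i pflog0); pipe real output through the same functions.

```shell
#!/bin/sh
# Added example, not the post's script: summarise blocked inbound traffic from pflog.
# SAMPLE is constructed tcpdump/pflog0 output: "rule N/0(match): block in on en0: src.port > dst.port: ..."
SAMPLE='00:00:00.000000 rule 3/0(match): block in on en0: 192.168.1.23.51234 > 192.168.1.10.139: Flags [S], seq 1, win 64240, length 0
00:00:01.000100 rule 3/0(match): block in on en0: 192.168.1.23.51235 > 192.168.1.10.445: Flags [S], seq 2, win 64240, length 0
00:00:01.200000 rule 3/0(match): block in on en0: 10.0.0.7.40000 > 192.168.1.10.22: Flags [S], seq 3, win 65535, length 0
00:00:02.000000 rule 3/0(match): block in on en0: 192.168.1.23.51236 > 192.168.1.10.139: Flags [S], seq 4, win 64240, length 0
00:00:03.000000 rule 5/0(match): block in on en0: 192.168.1.1 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64'

# Read pflog lines on stdin; print "count src_ip dst_port" for blocked inbound
# TCP/UDP (IPv4 "a.b.c.d.port" notation), most frequent first.
blocked_by_src_port() {
    awk '/\(match\): block in/ {
        for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
        sub(/:$/, "", dst)                       # "192.168.1.10.139:" -> "192.168.1.10.139"
        n = split(src, s, "."); m = split(dst, d, ".")
        if (n < 5 || m < 5) next                 # no port field (ICMP etc.): skip
        srcip = s[1] "." s[2] "." s[3] "." s[4]
        count[srcip " " d[5]]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Sources that hit more than $1 distinct blocked ports: a crude indicator worth a look.
scanners() {
    blocked_by_src_port | awk -v min="$1" '{ ports[$2]++ }
        END { for (ip in ports) if (ports[ip] > min) print ip }'
}

printf '%s\n' "$SAMPLE" | blocked_by_src_port
printf '%s\n' "$SAMPLE" | scanners 1
```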

The second thing the script does, with the user's consent, is to set advanced kernel security settings.

Here is a brief listing:

# 10.13.4 sysctl configuration
# Kernel IPC overrides
kern.ipc.somaxconn=100
# Kernel security level (0 = off, 1 = soft security level, 2 = can't install any software)
kern.securelevel=1
# Speed up TM backups
debug.lowpri_throttle_enabled=0
kern.coredump=0
# Networking settings
net.link.ether.inet.max_age=600
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.linklocal.in.allowbadttl=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.icmplim=50
net.inet.icmp.maskrepl=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet.tcp.delayed_ack=2
net.inet.tcp.always_keepalive=0
net.inet.tcp.rfc3390=1
net.inet.tcp.rfc1644=1
net.inet.tcp.tso=0
# Incoming and outgoing port ranges
net.inet.tcp.sack_globalmaxholes=2000
net.inet.ip.portrange.first=1024
net.inet.ip.portrange.last=65535
net.inet.ip.portrange.hifirst=1024
net.inet.ip.portrange.hilast=2500
net.inet.ip.check_interface=1
net.inet.tcp.keepidle=50000
net.inet.ip.rtmaxcache=1024
net.inet.tcp.path_mtu_discovery=0
net.inet6.icmp6.rediraccept=0
net.inet.tcp.msl=4500
net.inet6.icmp6.nodeinfo=0
net.inet6.ip6.accept_rtadv=0
net.inet6.ip6.auto_linklocal=1
net.inet6.ip6.only_allow_rfc4193_prefixes=1
net.inet6.icmp6.nd6_onlink_ns_rfc4861=1

These kernel parameters tighten the network connection policy, enabling all the relevant RFCs and blocking all possible noise (echoes, redirects, and so on). The kern.securelevel = 1 parameter deserves special attention, as it can be extremely useful for a pen tester.

kern.securelevel = 2 completely blocks the installation of any packages in the system. Generally tight, but the system does not lose performance.

I also moved the port range handed to applications that ask for high ports down to lower values, so that their traffic is not as comfortable to “listen” to.
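An added example, not the author's fix.sh, showing how to audit a host's live sysctl values against the hardening list above and emit only the commands that are still needed, so a re-run is idempotent. The desired list and the sysctl -a output are constructed excerpts so it runs anywhere; on a real Mac substitute the full listing and the output of sysctl -a.

```shell
#!/bin/sh
# Added example, not the post's script: sysctl drift audit against the hardening list.
# DESIRED: constructed excerpt of the listing above (same key=value format).
DESIRED='# excerpt of the hardening list
kern.securelevel=1
net.inet.ip.redirect=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet6.ip6.accept_rtadv=0'

# CURRENT: constructed stand-in for `sysctl -a` on a not-yet-hardened Mac ("key: value").
CURRENT='kern.securelevel: 0
net.inet.ip.redirect: 1
net.inet.udp.blackhole: 1
net.inet.tcp.blackhole: 2
net.inet6.ip6.accept_rtadv: 1'

# Emit "key value" pairs from the desired list, dropping comments and blank lines.
parse_desired() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]//g' -e 's/=/ /'
}

# Print "key wanted current" for every key whose live value differs ("missing" if absent).
audit_sysctl() {
    parse_desired "$1" | while read -r key want; do
        have=$(printf '%s\n' "$2" | awk -v k="$key:" '$1 == k { print $2 }')
        [ "$have" = "$want" ] && continue
        printf '%s %s %s\n' "$key" "$want" "${have:-missing}"
    done
}

# Turn the drift list into sysctl -w commands. kern.securelevel is special: the
# kernel only lets pid 1 lower it, so a value that is too high needs a reboot.
remediation() {
    audit_sysctl "$1" "$2" | while read -r key want have; do
        if [ "$key" = kern.securelevel ] && [ "$have" != missing ] && [ "$have" -gt "$want" ]; then
            printf '# %s is %s, cannot lower to %s without reboot\n' "$key" "$have" "$want"
        else
            printf 'sudo sysctl -w %s=%s\n' "$key" "$want"
        fi
    done
}

drift_count() { audit_sysctl "$1" "$2" | wc -l | tr -d ' '; }

remediation "$DESIRED" "$CURRENT"
```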

Next, the script adds customization of some Finder display options and a few small settings for Safari. For example, AV Foundation and the other media features need to be disabled, because just as the system can be hacked with a single picture from a web site, it can be hacked through audio and video streams.

And in general, strange as it is, even iTunes on MacOS keeps an eye on you, so I prefer the full-tank approach.

The patch is posted on GitHub. To run it, use

sudo ./fix.sh

If you have any suggestions and amendments, I suggest sharing your thoughts in the comments.