Since Mac OS X is derived from BSD UNIX it can be configured to provide any number of network services. Each of these services is bound to a particular port. "Crackers" will attempt to probe your computer to find "open" ports. One way to prevent this is by enabling tcpwrappers. This will block attempts to gain information and then entry to your computer. Wouldn't it be nice to know that your machine has been attacked?
Enter logcheck
logcheck is a set of routines that will automatically scan your log files and notify you of any unusual activity.
Step 1: Configure log files
The logs are located in the /var/log (really /private/var/log) directory. In the Terminal (found in the /Applications/Utilities folder) type the following (the $ denotes the user prompt):
$ cd /var/log
You are now in the log directory. We need to secure the log files. Only the superuser (root) should have access. Then type:
$ sudo chmod 600 *.log*
The computer will prompt you for your password:
Password:
Type in your regular password.
Step 2: Fix cron scripts
We now need to ensure that the log permissions remain the same. The log files are rotated on a regular basis. We need to change to the /etc directory.
$ cd /etc
We now need to edit the daily, weekly and monthly files. TextEdit will not let us edit system files, so we need to use a command line editor; pico is a good choice:
$ sudo pico daily
Password:
Under the section "Rotating log files" there is a line
touch "${i}" && chmod 640 "${i}"
We need to change the 640 to 600. Do the same for weekly and monthly.
Step 3: Install logcheck
Download logcheck. cd to the download directory. Then unpack the gzipped tarball:
$ tar zxf logcheck-1.2.3-osx.tar.gz
Now change directory:
$ cd logcheck-1.2.3-osx
and install:
$ sudo ./install.sh
Password:
Step 4: Configure /etc/crontab
We need to add the following line to the /etc/crontab file (cron runs programs on a regular schedule, in this case every hour, on the hour):
00 * * * * root sh /usr/local/etc/logcheck.sh
It is a good idea first to back up the file:
$ sudo cp /etc/crontab /etc/crontab.bu
You can use $ sudo pico /etc/crontab to do the editing. If you have not modified the original crontab file you can also copy ($ sudo cp crontab /etc/crontab) the crontab included with logcheck.
Step 5: Restart cron
We now have to restart the cron daemon. First we need to find the process id for cron:
$ ps aux | grep cron
This will produce two lines of output. One will end in grep cron, the other in cron. The number in the second column of the line ending in cron is the process id. We now can send a command to restart the cron daemon:
$ sudo kill -HUP id#
Password:
where id# is the number we got from the ps command.
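Once Steps 1, 2 and 4 are done it is worth having a quick way to confirm that they stayed done, since a future system update or a missed edit to the rotation scripts can silently reopen the logs. The script below is an added example, not part of the original article or of the logcheck package: it checks a log directory for any *.log* file looser than mode 600 and checks a crontab for the hourly logcheck entry. The directory and crontab paths are parameters, and the demonstration at the bottom runs against a constructed temporary directory rather than the real /var/log.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the
# "chmod 600" step and the logcheck crontab entry are still in place.
# Paths are passed in as arguments; nothing here touches /var/log or /etc.

# List every *.log* file in DIR whose permission string is not "-rw-------"
# (mode 600: readable and writable by the owner only). Uses `ls -ld` and the
# first ten characters so it works with both BSD (Mac OS X) and GNU ls.
# Returns 0 when every file is locked down, 1 when at least one is too open.
audit_log_perms() {
    dir=$1
    bad=0
    for f in "$dir"/*.log*; do
        [ -f "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c1-10)
        if [ "$perms" != "-rw-------" ]; then
            echo "too open: $f ($perms)"
            bad=1
        fi
    done
    return $bad
}

# Check that the crontab given as $1 carries the hourly logcheck line from
# Step 4 (schedule "00 * * * *", run as root, /usr/local/etc/logcheck.sh).
# Returns 0 when present, 1 otherwise.
has_logcheck_cron() {
    grep -q '^00 \* \* \* \* root sh /usr/local/etc/logcheck\.sh' "$1"
}

# Demonstration on a constructed temporary directory (assumption: a writable
# TMPDIR or /tmp), standing in for /var/log and /etc/crontab.
demo=$(mktemp -d "${TMPDIR:-/tmp}/logaudit.XXXXXX")
touch "$demo/system.log" "$demo/secure.log.0.gz"
chmod 600 "$demo/system.log"
chmod 640 "$demo/secure.log.0.gz"     # the mode the stock rotation script sets
printf '00 * * * * root sh /usr/local/etc/logcheck.sh\n' > "$demo/crontab"
audit_log_perms "$demo" || echo "some logs still need chmod 600"
has_logcheck_cron "$demo/crontab" && echo "logcheck cron entry present"
rm -rf "$demo"
```

Run it as root against /var/log and /etc/crontab after each system update; a "too open" line means the rotation scripts have reverted to chmod 640 and Step 2 needs to be repeated.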
Step 6: Enable a Mailserver
logcheck needs to notify you of its findings. This requires a mail delivery mechanism. Fortunately Mac OS X comes with Postfix preinstalled. You will need to enable this feature. See How to Configure the Postfix Mailserver for details.
Step 7: Reading the results
Out of the box, Mac OS X, not unlike other UNIX systems, lacks a way to retrieve e-mail from the server. postfix does not provide this functionality. E-mail is retrieved via the pop3 or imap protocols. The University of Washington pine package provides all we need to read the output from logcheck. Follow the instructions in the README.MacOS_X after unpacking the package as above. pine provides a mail reader that can read local mail without pop3 or imap.
Version 1.3.0 - 20070302