VPN Configuration

Posted by Doug Thu, 19 Jan 2006 20:06:15 GMT

I’m working from home a lot, which requires a VPN connection to my work. The default VPN setup for the Mac is a little less than ideal; it routes all traffic through the VPN. As our VPN is a little sluggish, I’d like only work-related traffic to route through the VPN. Here’s what I had to do.

I started with this Mac OSX Hint to Set no default route for VPN Client via PPTP/L2TP. The hint says to set nodefaultroute in /etc/ppp/vpn-name and then do my routing in /etc/ppp/ip-up. The good news is that in Mac OS 10.4 Tiger, there’s a configuration option for Internet Connect to toggle setting of the default route. Progress: all my traffic is no longer going over the VPN.

Problem: my local DNS can’t do lookups for the company’s LAN. So, I go into Network Preferences for the VPN and statically assign the DNS Servers.

Hmmm, that should work but host name lookup still doesn’t work. Ah, I still don’t have a route defined for the corporate LAN to use the VPN. So, I create /etc/ppp/ip-up to include this simple command:

#!/bin/sh
# /etc/ppp/ip-up: pppd runs this once the link is up and passes the interface
# name as the first argument; fall back to ppp0 when the script is run by hand.
route add 10.1.0.0/16 -interface "${1:-ppp0}"

Unfortunately, this doesn’t automatically set the route when I establish the VPN connection. So, that’s where I stand. I’ve made /etc/ppp/ip-up executable (chmod +x) and manually run it when I initiate my VPN connection. Also, I think this whole setup will affect my other VPN configuration, for which I do want all traffic to use the VPN. Ah, well… nothing’s perfect.


Real Story of the Rogue Rootkit

Posted by Doug Thu, 17 Nov 2005 12:22:40 GMT

Here’s an article written by Bruce Schneier talking about the story behind the story. For those of you who don’t know, Sony BMG has distributed software on their music CDs that automatically installs itself on Windows computers, is hidden, spies on you and reports back to Sony, and can be exploited by others to take control of your computer. There’s a fairly sordid tale of how this has played out.

As usual, Bruce thinks about things a little differently. Being part of the security industry, he looks at how his industry has responded to this incident:

That all the big security companies, with over a year’s lead time, would fail to notice or do anything about this Sony rootkit demonstrates incompetence at best, and lousy ethics at worst.

That’s a fairly damning statement, but well grounded. Why didn’t the various virus protection companies notice the Sony rootkit for the year it had been in the wild?


noexec for security

Posted by Doug Tue, 08 Nov 2005 11:27:07 GMT

I don’t know why I didn’t think of this myself, but I just changed /tmp to mount noexec. Lately I’ve been having problems on my server with clients uploading stuff to their /cgi-bin/ or PHP code to their docroot that has security vulnerabilities. I don’t have anything in place (yet!) to monitor what they upload, so I’m caught by surprise when something happens.

Changing /tmp to noexec is an obvious improvement. My web server doesn’t run as root, so /tmp is a common place for exploits to download, compile and run stuff. The noexec option cuts that last step off. Assuming I’m not the last sys admin to figure this out, I encourage you to do the same.

By the way, it turned out to be very simple to effect the change after editing /etc/fstab:

sudo mount -o remount /tmp

Now on to write some report that will let me know what stuff my clients have installed…
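As an added example (not from the original post), here is a small POSIX shell audit that reads fstab-format text and reports which hardening options are missing for a mount point. It goes slightly beyond the post by checking nosuid and nodev alongside noexec; the SAMPLE_FSTAB entries are constructed.

```shell
#!/bin/sh
# Audit an fstab for /tmp-style mount hardening. Constructed sample: the
# weak "defaults" entry for /tmp beside the hardened form for /var/tmp.
SAMPLE_FSTAB='# <device>   <mount>    <type>  <options>                    <dump> <pass>
/dev/sda1     /          ext3    defaults                     0 1
/dev/sda3     /tmp       ext3    defaults                     0 2
/dev/sda4     /var/tmp   ext3    defaults,noexec,nosuid,nodev 0 2'

# Options that close the "download, compile and run from /tmp" step:
# noexec blocks direct execution, nosuid ignores setuid bits, nodev ignores
# device nodes. (Scripts handed to an interpreter still run under noexec.)
WANT_OPTS="noexec nosuid nodev"

# missing_opts MOUNTPOINT: read fstab-format text on stdin and print the
# hardening options absent from MOUNTPOINT's entry. Returns 0 when none
# are missing, 1 when some are, 2 when there is no entry at all.
missing_opts() {
    mp=$1
    opts=$(grep -v '^[[:space:]]*#' | awk -v mp="$mp" '$2 == mp { print $4; exit }')
    if [ -z "$opts" ]; then
        echo "no entry for $mp"
        return 2
    fi
    missing=""
    for want in $WANT_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;                  # option present
            *) missing="$missing $want" ;;   # option absent
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Report on the sample; against a real system pipe in /etc/fstab instead,
# then "sudo mount -o remount /tmp" applies an edited entry.
for mp in /tmp /var/tmp /home; do
    if m=$(printf '%s\n' "$SAMPLE_FSTAB" | missing_opts "$mp"); then
        echo "$mp: hardened"
    else
        echo "$mp: $m"
    fi
done
```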


Copyright 2001 - 2005 by Lathi.net and Doug Alcorn
