How to Block an IP Address Within SheepShaver

About SheepShaver, a PPC Mac emulator for Windows, MacOS X, and Linux that can run System 7.5.3 to MacOS 9.0.4.

Moderators: Cat_7, Ronald P. Regensburg, ClockWise

Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Okay, I don't know if this is possible, but here is the situation.

Within SheepShaver, I am running my old Hermes II BBS, as well as my old Hotline server.

Within Hotline in the Options pane, I can block users by IP address.

However, the caveat is this: They can repeatedly try to get in to the server -- and repeatedly fail -- but their log in attempts still appear in the Hotline server's on-screen server log.

I find this very annoying, particularly when someone uses a bot -- such as that stupid Pitbull Pro -- for hours on end, as someone has been doing today.

So, my question is this: Is there a way that I can block their IP address from within SheepShaver, so that they can't even get near my Hotline server?

With my web server, this would be easy to do. I just edit my httpd.conf file and add a "deny from xxx.xxx.xxx.xxx".

If that isn't possible, what about adding something to my iMac's "hosts" file? Is that possible? Would it stop them from even getting inside of SheepShaver? If this latter option is possible, what would I put in my hosts file?

Thanks guys. You have been of invaluable assistance to me already, and it has been smooth sailing since. :)
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
Cat_7
Expert User
Posts: 6176
Joined: Fri Feb 13, 2004 8:59 am
Location: Sittard, The Netherlands

Re: How to Block an IP Address Within SheepShaver

Post by Cat_7 »

Don't know about a firewall inside OS 9, but why not block the ip address in the firewall in your router?

Best,
Cat_7
Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Actually, the wi-fi router is one of the options that I looked at, but I don't see anywhere or any way to block a specific IP address in there.

On my router's Network pane, there is a section called "Timed Access Control" where I can apparently add or remove Wireless Clients.

However, when I click on the + button, the only options are:

Description
MAC Address
Wireless Access Times

How in the world am I supposed to know the MAC address of the machine which that fellow is using? All I have is his IP address. I think the settings I am looking at are specifically for other machines on my own wireless network, and not external machines coming across the Internet.

I also looked at Yosemite's firewall options, and that is just as limited. You can add specific apps to the list, but then the only options are to either block all access, or to deny all access. No help there either.

As far as my web server is concerned, blocking that IP address in the server's "httpd.conf" file is useless, because Hotline is not on my web server. It is a totally separate entity.

I thought that maybe I could block that IP address in the "hosts" file, but according to what I was reading online, the hosts file can only block IP addresses that are associated with a specific domain name.

Next, I tried using Little Snitch by selecting the SheepShaver app. In the rule that I created, I chose "Deny Connections", I typed in the guy's IP address, and I told Little Snitch to deny any port and any protocol for that IP address.

At first I thought I was successful, but again, no dice. That guy's bot is even bypassing Little Snitch. I thought that maybe I needed to run a Mac Classic version of Little Snitch inside of my SheepShaver setup, but LS is only for Mac OS X. :(

In short, I don't know what to do to stop this guy's log in attempts from showing up on my Hotline server log. His bot has been trying every three minutes for a few hours now. I don't know for certain, but I bet it is a Pitbull Pro client.
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
Ronald P. Regensburg
Expert User
Posts: 7835
Joined: Thu Feb 09, 2006 10:24 pm
Location: Amsterdam, Netherlands

Re: How to Block an IP Address Within SheepShaver

Post by Ronald P. Regensburg »

Old-School-BBSer wrote:
> On my router's Network pane, there is a section called "Timed Access Control" where I can apparently add or remove Wireless Clients.
>
> However, when I click on the + button, the only options are:
>
> Description
> MAC Address
> Wireless Access Times

That's about wireless clients, not about incoming traffic. Apple Airport router? It must be connected to a modem (cable, adsl, satellite or whatever). That is where the firewall should be where you can block IP addresses. Modems usually have a web interface for configuring settings.
emendelson
Forum All-Star
Posts: 1726
Joined: Tue Oct 14, 2008 12:12 am

Re: How to Block an IP Address Within SheepShaver

Post by emendelson »

You seem to have an Airport router; if you have something else, please tell us. Apple's routers have never (I think) allowed you to block access from an IP address. Almost every other vendor includes this ability.

What's baffling is that you can't get Little Snitch to block the IP address. Have you tried asking on the support forum for Little Snitch, or sending in a support request? The author answers quickly.

Another thought is to delete your existing SheepShaver rules in Little Snitch Configuration, then start SheepShaver and your BBS software, and respond to the prompt from Little Snitch when SheepShaver tries to accept an incoming connection. Maybe you'll be able to specify something there.

Also, try creating a blocking rule in Little Snitch for port 5500 or whatever port your Hotline server is using, and then - if it works - edit the rule. Again, the Little Snitch author should be able to respond to this.

By design, Little Snitch won't let you block things that the author thinks you might be using for bad purposes (e.g., you can't block an application from communicating by Bonjour with a copy of the same application on another machine on your network). Maybe you've bumped into one of these restrictions, and you can persuade him to remove it.
Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

You are not going to believe this. This is really for the birds! :???:

After doing everything that I mentioned above, I learned about "ipfw" which can be accessed via the OS X Terminal app. Well, guess what? Used to be accessible from the Terminal. I conducted some online research, and it turns out that Apple removed ipfw from OS X in 2014, or earlier.

So I learned about its replacement called "pf". Well, I looked at some message threads about it. Then I entered what seemed to be the right string in the "pf.conf" file, but that bot guy can still access my Hotline server, and keeps trying to log in every three minutes. GGGRRRrrr . . . :evil:

I had never even thought about configuring in the cable modem itself until you suggested it. But again, guess what?

I learned how to log into the online configuration page, and there is absolutely nothing there which allows port forwarding, IP blocking, or any other important services. It all has to be done further down the line; either in my Airport Extreme wi-fi router, or via OS X's built-in firewall software, or via Little Snitch.

I also looked at my cable modem's user guide, which I downloaded in PDF format. Not only is the darn thing just geared towards Windows users, but again, zero mention of IP blocking, port forwarding, etc.

I don't care about the port forwarding, because I do that in my wi-fi router anyway. But the IP blocking? Well, more online research revealed that the cable modem that my ISP provided me with has no built-in router; and that is why I couldn't find anything on the online configuration page. :(

It is beyond me how I am supposed to block that Pitbull Pro user, when there is apparently no IP blocking in the Airport Extreme.

I am not a happy camper! :(
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Ha! It seems that we posted at the same time! :)

As I said previously, in Little Snitch, I did in fact create a new rule for SheepShaver. It has the following settings:

Server: IP Addresses (and then the IP address that I want to block is in the field below it)

To Process: SheepShaver

Process Owner: Me

Port: Any

Protocol: Any

So with those settings, on the right side of Little Snitch's window, it says for SheepShaver "Deny incoming connections from xxx.xxx.xxx.xxx". Of course, it shows the actual blocked IP address there.

I have a suspicion that I know what the problem may be.

SheepShaver is a machine within a machine, and an OS inside an OS. Furthermore, my Hermes II BBS app and Hotline server app are nested inside of SheepShaver.

Because Little Snitch is an OS X app, when I go to select the app that I want to block the IP address from, neither Hermes nor Hotline appear in the list, because they are obviously nested away inside of SheepShaver's hard disk, or image file.

So, my theory is that Hermes and Hotline are more or less protected, and there is no way for me to block that bot using Little Snitch, because Little Snitch can't even see those two apps.

I just made a new rule in Little Snitch in which instead of using SheepShaver as the app to deny the incoming connection to, I set it to "Any Process". Everything else remains the same regarding "any port" and "any protocol".

The thing is, it looks like that guy finally gave up about an hour ago, so now I can't even see if it is working.

However, there is an easy way that you -- or anyone here -- can help me to test my theory regarding those two apps being invisible to Little Snitch, because they are nested inside of SS's hard disk.

Little Snitch has an on-screen Network Monitor. If someone here can connect to either my BBS or to my Hotline server and mess around on it for a few minutes, I can watch to see if either Hermes or Hotline appear in the Network Monitor window.

If all of this fails, then I will go over to the Little Snitch support forum and see what they have to say about it.

Thanks.
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
24bit
Forum All-Star
Posts: 1424
Joined: Wed Nov 11, 2009 5:47 pm
Location: Germany

Re: How to Block an IP Address Within SheepShaver

Post by 24bit »

Probably a bit off, but I recall Norton Personal Firewall did a nice job on my iMac Bondi blue.
I upped my German version years ago at Macintoshgarden, there is an English one too (NPF-3).
Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Actually, Cat_7 and I have been testing different things for the past hour or so on my Hotline server, and so far, nothing has worked. I am about to install NPF 2.0 right now, because 3.0 is nowhere to be found.
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Well, I just installed Norton Personal Firewall 2.0, and the minute I did, it shut down all access, so that even I couldn't log on to my Hotline server. That freaked me out for a bit.

Now I need to wait and see if that pesky bot user comes back, and if he can still try to log in to the server.
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
adespoton
Forum All-Star
Posts: 4284
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: How to Block an IP Address Within SheepShaver

Post by adespoton »

For OS 9, you can use IPNetRouter (I used this for that purpose back in the day) or Little Snitch (a REALLY old version for OS 9). Or you can install Little Snitch on your host, and block that IP from accessing SheepShaver (or conversely, block SheepShaver from accessing that IP -- same result, different direction).

I've always used Little Snitch because then I can let *them* fix things when Apple changes the firewall instead of me suddenly losing my settings when they make a change I wasn't following.
Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

adespoton wrote:
> For OS 9, you can use IPNetRouter (I used this for that purpose back in the day) or Little Snitch (a REALLY old version for OS 9). Or you can install Little Snitch on your host, and block that IP from accessing SheepShaver (or conversely, block SheepShaver from accessing that IP -- same result, different direction).
>
> I've always used Little Snitch because then I can let *them* fix things when Apple changes the firewall instead of me suddenly losing my settings when they make a change I wasn't following.

Thanks for the advice, my friend, but I am happy to report that that Pitbull Pro bot has not been back since I installed just the "Norton Personal Firewall" part of "Norton Internet Security". I didn't install the "Norton Antivirus" part or the "Live Update" part either. Then I removed the crap that Norton did stick in my System folder, other than the Firewall part.

I bought IPNetRouter many years ago, but long ago trashed it, and no longer have need for it.

If you read my previous messages, you will see that I did in fact try adding SheepShaver to Little Snitch. But insofar as that pesky bot was concerned, blocking his IP in Little Snitch's settings for SheepShaver had zero effect.

Ask Cat_7. We worked on it together for about an hour yesterday, and nothing we tried worked until I actually installed Norton Personal Firewall inside of SheepShaver, and then rebooted SheepShaver.

But I am happy that I now have a strong defense for my Hotline server, or for any malicious intruders on my BBS as well.

BTW, I just decided to go the full mile with my BBS, so I just purchased a new domain for it so that it now gets top exposure:

http://www.armageddonbbs.com

I'll see how the page does for the next three years, and if not, I can always let it expire and go back to running the BBS website under my other domain, as before.
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Man, some idiot has been trying for days to hack into my BBS. He is doing it right now again. He's been trying to log in with "root" and "admin".

The thing is, I can't ban him, because I don't know what his IP address is.

Hermes II keeps log files, but until the guy actually logs in, there is no record of his IP address. :)

And I am not about to install a packet sniffer just to find out his IP.

Not only that, but Little Snitch does not appear to capture any data from TCP/IP applications in its Network Activity window. As I told Cat_7, it is as if Hotline and Hermes don't even exist for Little Snitch.
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
adespoton
Forum All-Star
Posts: 4284
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: How to Block an IP Address Within SheepShaver

Post by adespoton »

That's really odd -- that stuff should be showing up in Little Snitch.

One other thing you could do is monitor on the host via lsof -- it allows you to monitor specific network ports for connections, but may need a bit of scripting to do what you want. Sloth is a front end to lsof, but it only does on-demand scanning of open ports, which isn't so useful.

One other idea: you're using an Airport base station for your networking, but your cable/DSL modem likely has a firewall on it too -- you could block at that layer.

As for people attempting to log in to telnet/ssh as root/admin/etc., these days there are botnets that spend a portion of their time doing full scans of the internet of this type -- I'm continually getting ssh and telnet connection attempts from China and Korea -- but I keep a tarpit running, so I can watch them futilely attempt to crack into my system while I run ssh and other services on alternate ports that nobody scans :)
Cat_7
Expert User
Posts: 6176
Joined: Fri Feb 13, 2004 8:59 am
Location: Sittard, The Netherlands

Re: How to Block an IP Address Within SheepShaver

Post by Cat_7 »

You might take a look with tcpdump at the traffic coming to your tap device.

sudo tcpdump -i tap0

Best,
Cat_7
Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Well, as I told Cat_7 -- and mentioned in an earlier comment here -- my theory is that just as OS X no longer recognizes classic apps, my suspicion is that Little Snitch doesn't recognize streams coming from classic apps that are nested inside of SheepShaver, because it is like a machine hidden inside a machine, and an OS within an OS. I don't think that Little Snitch can even see it.

In fact, as I also said earlier, even when I set up a rule for SheepShaver to block that IP, it was useless, as if the rule did not even exist.

Actually, I learned just yesterday that my cable modem is VERY basic. It is just a modem. It has no built-in router, no firewall, no port forward. Nothing, zilch. All port forwarding has to be done via my Airport Extreme. Even worse, as I also mentioned before, the Airport Extreme has no IP blocking capabilities. The ONLY thing it can do is restrict access to other machines on this same wi-fi network.

In short, as discussed previously, that is how and why I ended up installing Norton Personal Firewall on the SheepShaver side. I had to install a firewall at the same level of the OS in order to stop that Pitbull Pro user. Nothing else had any effect whatsoever, and I tried maybe half a dozen different ways to stop him.

Regarding bots, oh, I know. I have been dealing with bots crap since the 90's. They never give up, and they just become more and more aggressive.
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
Cat_7
Expert User
Posts: 6176
Joined: Fri Feb 13, 2004 8:59 am
Location: Sittard, The Netherlands

Re: How to Block an IP Address Within SheepShaver

Post by Cat_7 »

I wonder whether Little Snitch recognises traffic on tap devices.
Your way of setting up the tap device does not assign an IP address to the tap device, and that might also play a role in not being able to block traffic from within OSX.

Best,
Cat_7
Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Well, I am not exactly sure what I am supposed to type in the terminal after I enter that command, but here is what I get:

tcpdump version 4.3.0 -- Apple version 59
libpcap version 1.5.3 - Apple version 47
Usage: tcpdump [-aAbdDefhHgIJkKlLnNOpPqQ:RStuUvxX] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ]
[ -Q metadata-filter-expression ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ] [ -y datalinktype ] [ -z command ]
[ -Z user ] [ expression ]

Right when I was doing that, the bot tried to log onto my BBS using "admin" again, and nothing showed up in my terminal.

I was given the impression that when I typed that command, it would show me the contents of the data packets, like a few sniffers I have tried in the past. There is one called wireshark, but I haven't really used it. I just took a quick look at it a while back.
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

I had a related question I have been thinking about for the past few days.

Being as SheepShaver is just a virtual environment, and the OS within it is also a virtual environment which is totally set apart from my real OS and machine, can a hacker really cause damage to my machine, even if he does find a way to exploit Hermes or Hotline? I mean, wouldn't he more or less be trapped in there, with no way out? Even the "Unix" hard drive on SheepShaver's desktop is virtual, so I would think that there is no way for a hacker to use it to exploit the other side of my machine; that is, the OS X side. Or am I wrong?
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
Cat_7
Expert User
Posts: 6176
Joined: Fri Feb 13, 2004 8:59 am
Location: Sittard, The Netherlands

Re: How to Block an IP Address Within SheepShaver

Post by Cat_7 »

The command should simply be:
sudo tcpdump -i tap0 (or tap1) if you are using tap1 in the SheepShaver appletalk script.

It is currently running on my tap1 device.

This is sample output:
20:48:11.609587 IP 192.168.0.40.49153 > 202.128.4.177.guam.net.fcp-addr-srvr1: Flags [P.], seq 154:186, ack 155, win 32768, length 32
20:48:11.947792 IP 202.128.4.177.guam.net.fcp-addr-srvr1 > 192.168.0.40.49153: Flags [P.], seq 155:204, ack 186, win 32768, length 49

As you see I'm currently connected to your hotline server.


Best,
cat_7
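
An added example, not part of the thread and not any poster's code: tcpdump text like the sample above can be reduced to a per-source tally of connection attempts, which answers the "I don't know what his IP address is" problem without a separate sniffer. The guest address 192.168.1.50, port 5500, the function names and the sample capture (documentation-range addresses) are all constructed assumptions; `-n` keeps tcpdump from replacing addresses and ports with names.

```shell
#!/bin/sh
# Added example: tally inbound TCP connection attempts per source address
# from `tcpdump -n` text output. Names, addresses and port are assumptions.

# Constructed sample in the layout tcpdump prints with -n (numeric hosts/ports).
sample_capture() {
    cat <<'EOF'
21:00:01.100000 IP 198.51.100.23.40111 > 192.168.1.50.5500: Flags [S], seq 100, win 32768, length 0
21:00:01.100400 IP 192.168.1.50.5500 > 198.51.100.23.40111: Flags [S.], seq 900, ack 101, win 32768, length 0
21:03:01.200000 IP 198.51.100.23.40112 > 192.168.1.50.5500: Flags [S], seq 200, win 32768, length 0
21:04:10.000000 IP 203.0.113.9.51000 > 192.168.1.50.5500: Flags [S], seq 300, win 32768, length 0
21:04:10.500000 IP 203.0.113.9.51000 > 192.168.1.50.5500: Flags [P.], seq 301:333, ack 1, win 32768, length 32
21:05:30.000000 IP 198.51.100.23.40200 > 192.168.1.50.23: Flags [S], seq 400, win 32768, length 0
21:06:01.300000 IP 198.51.100.23.40113 > 192.168.1.50.5500: Flags [S], seq 500, win 32768, length 0
EOF
}

# count_sources GUEST_IP PORT
# Reads tcpdump -n lines on stdin and prints "<attempts> <source ip>",
# busiest source first. Only bare SYNs (new connection attempts) addressed
# to GUEST_IP:PORT are counted; replies, data packets and other ports are
# ignored, as are IPv6 lines (tcpdump labels those "IP6").
count_sources() {
    awk -v dst="$1.$2:" '
        $2 == "IP" && $4 == ">" && $5 == dst && $7 == "[S]," {
            src = $3
            sub(/\.[0-9]+$/, "", src)   # drop the trailing source port
            hits[src]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# offenders GUEST_IP PORT MIN
# Prints only the sources with at least MIN attempts: candidates for a
# block rule in whatever firewall actually sees the traffic.
offenders() {
    count_sources "$1" "$2" | awk -v min="$3" '$1 >= min { print $2 }'
}

# Live use on the host (stops after 200 matching packets, then reports):
#   sudo tcpdump -n -i tap0 -c 200 'tcp dst port 5500' | count_sources 192.168.1.50 5500

# Demonstration on the constructed capture.
sample_capture | count_sources 192.168.1.50 5500
```

Run against the tap interface rather than en0 so the capture sees the same frames the emulated Mac does.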
adespoton
Forum All-Star
Posts: 4284
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: How to Block an IP Address Within SheepShaver

Post by adespoton »

Ah right -- I know exactly why Little Snitch isn't seeing anything: Little Snitch isn't set up to watch your tap0 interface. Thank you Cat_7 for that helpful reminder :)

By default, Little Snitch only watches enX interfaces. I believe there's a configuration to get it to watch additional interfaces, but I'm not around my Mac with LS installed right now to verify how to do it.
adespoton
Forum All-Star
Posts: 4284
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: How to Block an IP Address Within SheepShaver

Post by adespoton »

Old-School-BBSer wrote:
> I had a related question I have been thinking about for the past few days.
>
> Being as SheepShaver is just a virtual environment, and the OS within it is also a virtual environment which is totally set apart from my real OS and machine, can a hacker really cause damage to my machine, even if he does find a way to exploit Hermes or Hotline? I mean, wouldn't he more or less be trapped in there, with no way out? Even the "Unix" hard drive on SheepShaver's desktop is virtual, so I would think that there is no way for a hacker to use it to exploit the other side of my machine; that is, the OS X side. Or am I wrong?

In order to cause any real damage, someone who broke into your SheepShaver-based server would have to a) realize they were running inside SheepShaver, b) do something to cause a heap overflow or similar, c) know what parent OS you were running so that they could finagle that overflow into an exploit, d) drop executable code into the overflow memory and run it.

This has been done in the past in VirtualBox and VMWare, but the holes were patched in pretty short order. I think the number of people with the knowledge and talent to do that from within SS probably consists of only a couple of very highly paid government operatives outside of those who are "friendly" users on this forum.

As long as your "unix" folder is somewhere safe (not your ~/ folder, nor your root folder), this won't really give them anything other than a hint that they're running in SheepShaver or BII, not on bare iron.
adespoton
Forum All-Star
Posts: 4284
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: How to Block an IP Address Within SheepShaver

Post by adespoton »

Odd; I just fired up my copy of SheepShaver running 9.0.4, and Little Snitch is prompting me for every single connection request. But then when I went to open up the TCP/IP control panel to see what my settings were, it crashed. That's all using the SLIRP interface. I don't currently have tun/tap set up, so I haven't tried that interface.
Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

adespoton wrote:
> Odd; I just fired up my copy of SheepShaver running 9.0.4, and Little Snitch is prompting me for every single connection request. But then when I went to open up the TCP/IP control panel to see what my settings were, it crashed. That's all using the SLIRP interface. I don't currently have tun/tap set up, so I haven't tried that interface.

Well, as you know, I don't use SLIRP. But if you figure out how to get Little Snitch to recognize my bridge/tap configuration, I'd love to hear it.

BTW, I did write to Christian and Johannes regarding the issues that I have been having with Little Snitch. I am still waiting for a response from them.

Also, so I guess it is not a good idea to be broadcasting to the world that I run my BBS and Hotline server inside of SheepShaver, eh? :)
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
Old-School-BBSer
Apple Corer
Posts: 231
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Well, I just looked all over Little Snitch's preferences, as well as in the Help section, but I found nothing to suggest that there is currently a way to get LS to recognize my ethernet bridge/tap setup. There is an automatic profile switching feature in LS, but that really won't help, because I only have one network that I use. Maybe there is some deep level way to accomplish what I need, but I don't know what it is, and my hunch is that Christian needs to add some new functionality to LS, before I can get this to work. But that is just a guess on my part.
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA