How to Block an IP Address Within SheepShaver

About SheepShaver, a PPC Mac emulator for Windows, MacOS X, and Linux that can run System 7.5.3 to MacOS 9.0.4.

Moderators: Cat_7, Ronald P. Regensburg, ClockWise

Old-School-BBSer
Apple Corer
Posts: 223
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

I wanted to add an update to an earlier comment that I made in this thread.

I mentioned that Apple had removed "ipfw" from OS X in 2014 or earlier, and had replaced it with something called "pf".

After looking at some message threads regarding its use, I entered what seemed to be the right string in the "pf.conf" file. However, it did not prevent that Pitbull Pro guy from accessing my Hotline server and attempting to log on to it.

Well, just today I discovered over on the MacUpdate.com website that a certain developer has written a front end for "pf" called "Murus Lite". It currently stands at version 1.1.2 and requires Mac OS X 10.9.4 or greater. I haven't tried it out yet, but I am sure that it is probably a lot easier to use than typing commands in the Terminal, or directly editing some hidden config file somewhere.

This same developer has written two related apps -- also front ends -- for earlier versions of Mac OS X. They are called "WaterRoof" and "IceFloor". WaterRoof is a front end for "ipfw" and requires Mac OS X 10.6. IceFloor is a front end for "pf" and requires Mac OS X 10.7 or 10.8.
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
Old-School-BBSer
Apple Corer
Posts: 223
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

For those of you who may be following this thread, I just heard from Objective Development Software GmbH, who are the developers of Little Snitch. The news is disappointing, but I suppose there is not much that I can do about the situation, unless someone here knows how I can configure SheepShaver a little differently -- without breaking my current setup which is working great -- so that the Little Snitch folks can hopefully provide a fix.

Here is what they wrote to me:

Thank you for your request and your detailed description of the issue.

I have to admit that Little Snitch simply gets bypassed by the TunTap device.
Little Snitch itself works close to the application layer, but your tap device is set on layer 2, so in fact there is no chance for LS to gain the network traffic.

I'm afraid there is no easy solution for this unless you maybe find some way to use the 'slip' setting to route your default en0 interface to SheepShaver.

Best regards,
Simon
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
adespoton
Forum All-Star
Posts: 4227
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: How to Block an IP Address Within SheepShaver

Post by adespoton »

Sad news, but not too unsurprising.... PF (or setting rules on your gateway/router) is probably the way to go; good job in finding an interface for it :) I used to use WaterRoof back in the day, but haven't had much reason to do OS-level filtering in a few years, so haven't migrated over to using pf on OS X.

Of course, your other option is to spend the $20 and get a copy of OS X Server from the app store. Then you get access to all the official configuration tools, including a solid pf front end and tunneling services :)
Old-School-BBSer
Apple Corer
Posts: 223
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Actually, I did in fact purchase Lion Server three years ago. However, being as I operate multiple domains, at that time, Lion Server's functionality seemed very limited to me. Add to that the fact that I was unable to find any comprehensive documentation for it, and I soon gave up on it and switched to a different package to run my web server.

Maybe one of these days, if and when my current web server package is no longer updated, I will take another look at Apple's server software.

Maybe it is just me, but it seems to me that Apple purposely dumbs down a lot of their software, and removes important features that were previously there.
Last edited by Old-School-BBSer on Tue Mar 24, 2015 8:10 pm, edited 1 time in total.
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
adespoton
Forum All-Star
Posts: 4227
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: How to Block an IP Address Within SheepShaver

Post by adespoton »

Old-School-BBSer wrote: Maybe it is just me, but it seems to me that Apple purposely dumbs down a lot of their software, and removes important features that were previously there.

Apple purposely dumbs down all their defaults, but leaves power-user options in their interfaces, and usually provides full access to the back-end systems that actually do the dirty work. As such, most of the tools you need are provided on stock OS X, but the management software that makes it easier is in the server upgrade.

I've also had good luck finding documentation for pretty much everything on their website -- although it's easier to search on Google and use site:apple.com than to use Apple's own search, which often doesn't find the material.

In this case, pf is the back-end system that you can learn about by typing man pf (either in Spotlight or from Terminal) -- or by looking at the OpenBSD documentation on this firewall. But the firewall configuration tool they provide on Server is back-end agnostic, and gives you the same powerful options for pf that it did for ipfw, without having to adjust your front-end configuration after upgrading. You can always go in and hand-tweak the back-end after reading the man pages and config info on Stack Overflow.
Old-School-BBSer
Apple Corer
Posts: 223
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Ha! I think you overlooked a previous comment that I made -- or at least I think I made it. :)

I did look at pf's man pages, but quite frankly, it was all over my head. So, I have settled for the simpler approach of looking at logs, and using Little Snitch and Norton Personal Firewall.

That hacker dude who keeps using "admin", "support" and "root" must be getting pretty upset by now, because I have been blocking the entire IP range for each ISP subnet that he uses. Yeah, it blocks a lot of innocents, but it's not like any of my domains are getting majorly flooded with visitors. :)

About an hour ago, I did the same thing regarding SSL. I was wondering if I should implement SSL on my server, perhaps just to instill more confidence in the visitors to my various domains.

However, after conducting some online research regarding the issue, looking at the price ranges, and considering self-signed certificates, I figured, "Nah, I don't really need this. I've done without since 1997, so why rock the boat now? I don't run any commercial sites, and there are very few places on my server which require a login -- and which are in fact for the most part dead anyway -- so why bother?"
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
adespoton
Forum All-Star
Posts: 4227
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: How to Block an IP Address Within SheepShaver

Post by adespoton »

Old-School-BBSer wrote: That hacker dude who keeps using "admin", "support" and "root" must be getting pretty upset by now, because I have been blocking the entire IP range for each ISP subnet that he uses. Yeah, it blocks a lot of innocents, but it's not like any of my domains are getting majorly flooded with visitors. :)

Yeah; you mentioned you'd looked at the pf instructions (which are indeed a bit arcane).

But "that hacker dude" is actually a well-known botnet script. It's all automated, no people involved. Every system I use that has ssh public-facing gets hit by that probe. So don't go too crazy blocking all the subnets, as you're just blocking subnets belonging to infected Windows computers. Then again, that's not likely to hurt you anyway :)

You might want to make things even safer by blocking large class subnets for countries you never expect to see people connect from.
Old-School-BBSer
Apple Corer
Posts: 223
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Yeah, I know that it is a bot. Like you, I have dealt with this kind of crap for years, since my early days with BBSing and FidoNet, and then Hotline.

But there are people behind it all somewhere who loose these things on the Internet in order to find vulnerabilities which they can later exploit.

Just watching how this bot operates is interesting.

Ban IP's by country? Nah.

I am not even sure why I am blocking this bot. I know that it is never going to get into my system. :)
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
adespoton
Forum All-Star
Posts: 4227
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: How to Block an IP Address Within SheepShaver

Post by adespoton »

Old-School-BBSer wrote: I am not even sure why I am blocking this bot. I know that it is never going to get into my system. :)

It's because you get that sense of smug satisfaction with each block, telling yourself silently "Yeah -- I know what you are, and you're not coming in here!"

I know, I do it too, even though it really serves no useful purpose (other than transferring the data buildup from the connection attempt log to the block log, which makes parsing the connection log for other issues a bit easier).
Old-School-BBSer
Apple Corer
Posts: 223
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Yes, we are just so powerful, aren't we? :mrgreen:

Well, now I am scratching my head a bit again.

I don't know if I mentioned it before or not, but I get these same kind of brute force attacks on my WordPress blog every single day. However, I've got a number of powerful plug-ins installed which auto-ban their IP's for 24 hours after x number of failed login attempts.

I receive emails whenever an IP address is blocked, and then I add the IP's to Little Snitch, just so my blog doesn't have to deal with the constant onslaught.

Well, as it turns out, about an hour ago, another brute force attempt was made, the IP was blocked, and I got the email. However, upon checking my table of already-banned IP ranges, I discovered that I had already blocked the range that was used today, in Little Snitch.

So now I am wondering if Little Snitch is deaf to these attempts -- as it is with the whole SheepShaver setup -- and if I need to add the IP ranges to my web server's httpd.conf file.

I am not even sure how to add an IP range to the httpd.conf file. Yeah, I know. I can research it. But would this suffice?:

123.456.789.0-123.456.789.255

Or does Apache use some other format, other than a dash?
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA
adespoton
Forum All-Star
Posts: 4227
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: How to Block an IP Address Within SheepShaver

Post by adespoton »

Little Snitch isn't really for blocking inbound connections (as we've discussed); it's much better at outbound. The inbound stuff is still pretty new. Using pf or blocking at your router is a better way to go.... (I know, we've already had those discussions).

As for apache, I have to admit that I haven't fiddled directly with apache in almost a decade. I do all my WordPress stuff via wordpress.com, as they keep themselves patched and configured, and I can just concentrate on producing content :)

Anyone else using a recent apache and know what the current syntax for httpd.conf blocks is?
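
Added example, not part of the original thread or written by either poster: Apache does not take dash-separated ranges; its host-based access rules accept single addresses, partial addresses, or CIDR blocks. The Python sketch below converts a dash-style ban list into Apache 2.4 "Require not ip" lines (Apache 2.2 used "Deny from" with the same CIDR notation). The sample ranges are constructed from documentation address space, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ban list in the dash format asked about above.
SAMPLE_RANGES = [
    "198.51.100.0-198.51.100.255",   # aligned range -> one /24
    "203.0.113.16-203.0.113.47",     # unaligned range -> two /28 blocks
    "192.0.2.77",                    # single address
]


def range_to_cidrs(text):
    """Convert 'first-last' (or one address) into the CIDR blocks covering it.

    Raises ValueError for invalid addresses (each octet must be 0-255) or
    for a range whose last address is below its first.
    """
    first, _, last = text.strip().partition("-")
    start = ipaddress.ip_address(first.strip())
    end = ipaddress.ip_address(last.strip()) if last else start
    blocks = []
    for net in ipaddress.summarize_address_range(start, end):
        if net.prefixlen == net.max_prefixlen:
            blocks.append(str(net.network_address))  # plain host address
        else:
            blocks.append(str(net))
    return blocks


def apache_deny_block(ranges):
    """Build an Apache 2.4 block that allows everyone except the ranges.

    The result belongs inside a <Directory> or <Location> section of
    httpd.conf; negated rules only work inside <RequireAll>.
    """
    lines = ["<RequireAll>", "    Require all granted"]
    for entry in ranges:
        for cidr in range_to_cidrs(entry):
            lines.append(f"    Require not ip {cidr}")
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(apache_deny_block(SAMPLE_RANGES))
```

Run "apachectl configtest" after pasting the generated block into httpd.conf and before restarting the server.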
Old-School-BBSer
Apple Corer
Posts: 223
Joined: Sun Mar 01, 2015 8:58 am
Location: Guam

Re: How to Block an IP Address Within SheepShaver

Post by Old-School-BBSer »

Well, as an update to our conversation here, I ultimately decided to just remove all banned IP's associated with my SheepShaver setup from Little Snitch.

The way I figure, considering the number of IP addresses which are available to these hackers, I would end up blocking half the world, even if Little Snitch did block incoming IP's properly.

Besides, as we have discussed before, given the nature of our SheepShaver setups on Mac OS X machines, and the plugins that I use with my blog, those guys can't get past the front door anyway; so why even bother with blocking?
Bill Kochman
Armageddon BBS
Guam, Mariana Islands, USA