I’ve written about OS X Server in the past and somehow I keep getting roped into dealing with these machines. The concept of OS X Server is great; a small business server that anyone can setup. The implementation, however, is quite lacking. Apple took open source software, like Apache, BIND, Open Directory and Jabberd and slapped a GUI on it for configuring. In doing so, they either glossed over or forgot to implement many of the settings available in these products. My latest run ins with OS X Server have to do with Jabberd, Open Directory and Apache.
Let’s start with Apache. First off, I needed Server Side Includes to be turned on. I didn’t see a switch to do this, so I hacked on the actual config files. Second, I had to allow .htaccess files to override some of the default settings. Some may see this as a security risk, but this server is dedicated to one task, so again I had to hack on the config files. If the GUI is touched, my changes go away.
Next, Jabberd. The issue here seems to be that Jabberd is buggy and the version of Jabberd included with Leopard server isn’t up-to-date. There is no easy way to replace it with a newer version short of waiting for Apple. If I wanted to install everything by hand, I would have used Linux in the first place and not OS X Server. Apple either needs to respond faster with updates or provide ways to more easily replace major components. In this case, an OS X Server consultant came to me with an issue where he was trying to use a wildcard certificate for the iChat server (Jabberd) and couldn’t get it to work. Server Admin said everything was fine, but when I dove into the logs, I saw that there was an issue where Jabberd didn’t like the chained SSL Certificate (which is pretty standard, in my opinion).
Lastly, Open Directory. This one is actually a huge security issue. While setting up an iCal server, I needed to secure it before it went into production. I managed to use LDAP Browser/Editor to anonymously bind to the server despite checking all the boxes to prevent anonymous binding. After talking with a friend at Apple who get an answer from someone in the know, this is a known issue. If you secure Open Directory properly, it breaks other things. In my case, it doesn’t matter because our use of Open Directory will be limited. So, I have to hack on Open Directory to change a string somewhere. Furthermore, the root password’s SHA1 hash can be browsed by anyone! Why is this bad? Well, if you use a bad root password, someone doesn’t have to keep running a script trying to get into your server (which you could block); a hacker just needs to copy the SHA1 hash and then run a tool that generates SHA1 hashes from common words and presto! (I found a few tools doing a quick search.) You might argue that this isn’t bad because you could run an attack and try lots of passwords, however, smarter servers/firewalls will block users after a certain number of tries and then possibly increase the time allowed between tries thereby making a brute force attempt much more time consuming than doing it “offline”.
People could argue that the Open Directory issue is there for anyone using OpenLDAP (which Open Directory is), but Apple conceals so much from the user, that it is Apple’s responsibility to secure these machines as a large majority of people using them don’t have a clue about security. I work with one good IT person and he wasn’t aware of the open services on his server; he just turned stuff on to get it to work. I had to help him lock everything down with the firewall.
One thing I really like about OS X Server is that you can use SuperDuper! to back it up and restore it. Other than that, OS X Server should be treated like Linux and ignore the GUI admin tools.
One Reply to “OS X Server is still a piece of crap”