View Full Version : Securing your Mac


AppleMatt
Aug 3, 2003, 06:09 PM
Well my foray into Mac OS X is complete. I've used it since 10.1.2, and thanks to countless long nights reading and tweaking, I regard myself as knowing quite a lot about how to use it etc.

However right from day one, security has bothered me.

How do you guys go about securing your Mac online? Just the OS X firewall? A 3rd party firewall? Manually disabling ports, proxies, anonymous proxies, etc etc.

It would be excellent if everyone could share a bit about how they secure their Macs, especially in the days of broadband and wireless networking. Don't hold anything back, manual editing of system files allowed :wink:.

AppleMatt

Nermal
Aug 3, 2003, 06:19 PM
On my system, I've got the OS X firewall disabled, but I'm plugged into a router which makes it difficult to access my system directly. OS X is very secure out of the box, so I don't bother with anything flash to get it secured. I just install the occasional security updates when they come out.

rainman::|:|
Aug 3, 2003, 06:20 PM
I use OS X's built-in firewall, with a cable connection... And i supplement it with Brickhouse when i need more customization/logging... Never had a problem.

pnw

Daveman Deluxe
Aug 3, 2003, 06:32 PM
I have OSX firewall enabled and the computer not set to auto-login on reboot. My wireless base station (this is an iBook) has the firewall turned on, WEP 128-bit turned on, DHCP turned off, a different-than-normal local IP range, and it no longer broadcasts the network name.

Trying to break into my system would be like trying to break into Scrooge McDuck's big vault.

tjwett
Aug 3, 2003, 07:11 PM
I just download the Security Updates from Apple when they arrive. I'm on cable modem with a router. Just a question since I never really paid much attention to this sort of thing before. What are the reasons for being so serious about security? OS X is very secure to begin with. What are some reasons for adding Firewalls, IP encryption, etc? Do you all work for the government or have a hard drive full of credit card numbers? A business is one thing but I don't understand the need for all this protection for an individual on their home computer. I can't imagine anyone trying to hack into my machine. All they'd find is a bunch of worthless crap, and maybe a little porn;) I'm getting ready for Apple Certification exams and I'd like to hear as much about this as I can. Thanks.

MrMacMan
Aug 3, 2003, 07:15 PM
Read some of the articles here (http://www.securemac.com/)

Brickhouse is good, I use it...

I am also behind a router so i'm good.

Nermal
Aug 3, 2003, 07:20 PM
Originally posted by Daveman Deluxe
Trying to break into my system would be like trying to break into Scrooge McDuck's big vault.

I remember when his kids had to go into the vault for some reason, the password was "cash" :)

I can't believe I remembered that! I probably haven't seen it in about 10 years, I've got a memory for stupid little things like that. I also remember Scrooge asking if he could have more than one cheese sample, then taking the whole tray and having them for dinner.

There goes my daily off-topic post :D

irmongoose
Aug 3, 2003, 07:54 PM
I use NetBarrier (http://www.intego.com/netbarrier/)... it's an excellent firewall software with many options. I also run Little Snitch (http://www.obdev.at/products/littlesnitch/) to prevent those pesky applications that try to "call home".

irmongoose

tjwett
Aug 3, 2003, 08:21 PM
Originally posted by MrMacman
Read some of the articles here (http://www.securemac.com/)

Brickhouse is good, I use it...

I am also behind a router so i'm good.

awesome link! i haven't seen this site before. this will be very useful. cheers.

Schiffi
Aug 3, 2003, 08:35 PM
Secure? bah, who has time for security. I'm on a modem so if I feel more laggish than normal I just yank the telephone line from my computer.

Daveman Deluxe
Aug 3, 2003, 09:37 PM
Originally posted by Nermal
I remember when his kids had to go into the vault for some reason, the password was "cash" :)

I can't believe I remembered that! I probably haven't seen it in about 10 years, I've got a memory for stupid little things like that. I also remember Scrooge asking if he could have more than one cheese sample, then taking the whole tray and having them for dinner.

There goes my daily off-topic post :D

"The password is... one!"
"One!"
"One!"
"Two!"
"Two!"
"Two!"
"Three."
"Three!"
"Three!"

...and so on. Bonus points to those that can place THAT quote.

bennetsaysargh
Aug 3, 2003, 10:08 PM
i have the OS X firewall on and i am behind a router, so i guess i'm fine. All people would find on my hard drive is a lot of No Doubt songs. A lot of them.

PB180
Aug 3, 2003, 11:03 PM
Originally posted by Daveman Deluxe
"The password is... one!"
"One!"
"One!"
"Two!"
"Two!"
"Two!"
"Three."
"Three!"
"Three!"

...and so on. Bonus points to those that can place THAT quote.

Damn, now I've got to change my password!

5300cs
Aug 3, 2003, 11:19 PM
Originally posted by tjwett
Just a question since I never really paid much attention to this sort of thing before. What are the reasons for being so serious about security? OS X is very secure to begin with. What are some reasons for adding Firewalls, IP encryption, etc? Do you all work for the government or have a hard drive full of credit card numbers? A business is one thing but I don't understand the need for all this protection for an individual on their home computer....I'm getting ready for Apple Certification exams and I'd like to hear as much about this as I can. Thanks.

I won't speak for everyone, but once you start doing P2P, you expose yourself to a lot of bad people on the internet. Kazaa for example, is full of people ping flooding and port scanning, just looking for a weak machine to exploit. My friend's machine was scanned and people in Korea tried to trojan horse him twice in one day, he traced the IP and reported them to their ISP, and a week later the same IP tried to trojan him 5 more times :mad:

From past experience, "security through obscurity" doesn't work as your machine will be found eventually. Also a poorly maintained UNIX box can be vulnerable as well (just not as much as a windows box.)

Also, besides looking at the data on your machine, attackers may use your machine as a drone in a DoS attack, using YOUR IP and YOUR machine.

If you knew this already, I apologize for wasting your time, if not- time to start reading up ;)

Daveman Deluxe
Aug 4, 2003, 12:17 AM
The main thing I'm worried about is the potential for wardrivers to pick up the odd credit card number when I'm ordering something online. That's why I use WEP encryption and all that. There's a report on arstechnica.com where the author was able to pick up several unencrypted and completely unprotected 802.11b networks from 3,000 feet up in an airplane. Scary business, especially since he was picking up signals over the commercial district of San Francisco.

cb911
Aug 4, 2003, 01:24 AM
well... firstly there's the adsl modem, then that connects to a router that i think has a built in firewall, then that goes to everywhere in the house. and the whole house is networked so there's about 15+ ports all over the place, so depending on which room you're in the IP changes (or something like that).

i don't know much about that stuff, but it's supposed to be really hard to get through... unless someone opens a port that i'm using. actually, my little brother (PC guru) was going to open a port i was using and get someone he knows to try and hack me.:p :cool:

tjwett
Aug 4, 2003, 01:30 AM
Originally posted by 5300cs
I won't speak for everyone, but once you start doing P2P, you expose yourself to a lot of bad people on the internet. Kazaa for example, is full of people ping flooding and port scanning, just looking for a weak machine to exploit. My friend's machine was scanned and people in Korea tried to trojan horse him twice in one day, he traced the IP and reported them to their ISP, and a week later the same IP tried to trojan him 5 more times :mad:

From past experience, "security through obscurity" doesn't work as your machine will be found eventually. Also a poorly maintained UNIX box can be vulnerable as well (just not as much as a windows box.)

Also, besides looking at the data on your machine, attackers may use your machine as a drone in a DoS attack, using YOUR IP and YOUR machine.

If you knew this already, I apologize for wasting your time, if not- time to start reading up ;)

thanks for all that info. i've been hearing about this sort of hijacking thing a lot lately. i thought it was only possible to get hijacked if you had dial-up and were connected to the phone line. sounds crazy. can macs get hijacked and used when they are sleeping?

cb911
Aug 4, 2003, 01:42 AM
speaking of 'hijacking'... that reminds me of a funny story of people going around and taking over peoples Hotline servers.

basically they just sent people a "list" of files that they had to offer, which was an AppleScript with a text file icon. then people open it and think it doesn't work, but then the script goes and collects all the users' info, admin passwords etc. then the people log back in with an admin password and boot everyone from the server and block them so that they have complete control of it.

there's a full text document of the whole thing, funny stuff.

irmongoose
Aug 4, 2003, 01:44 AM
Originally posted by Daveman Deluxe
"The password is... one!"
"One!"
"One!"
"Two!"
"Two!"
"Two!"
"Three."
"Three!"
"Three!"

...and so on. Bonus points to those that can place THAT quote.

Spaceballs. God, I love that movie :D

irmongoose

AppleMatt
Aug 5, 2003, 07:37 PM
tjwett;

I have no real need for securing my machine, there's nothing that important on it. I'm just interested, and it's an interest that's growing. Most other forums are full of people who don't know much and say a lot, but generally the members of macrumors are pretty well versed in all things Mac! That's why I post more technical things here.

5300cs;
Good info, the hijacking is one thing I was going to post. I'm not too bothered about the security of my PC's anymore, I just don't use them enough to justify it, and I have drive images that are regularly restored.

MrMacMan;
Good link yes. I've been there before, I left it at first because it seemed to have stopped being updated. Reading through all the articles has given me some new info, but most seems to be "you must secure your computer" rather than "this is how you secure your computer"

All other contributors;
Thanks for the info, I'm in pretty much the same boat at the moment. Cable modem, Airport Extreme, Mac OS X firewall enabled.

Anyway, all info is appreciated, no matter how small!

AppleMatt

daveL
Aug 5, 2003, 09:42 PM
Nobody mentioned this, so I'll chime in. OS X has network services *off* by default. MS has everything under the sun *on* by default. You can't get into a port on the Mac unless you go into your preferences and turn it on, and you have to have admin privileges to do that. Then, of course, you have your built-in firewall, which only allows connections that originate from your machine, out of the box.

tjwett
Aug 5, 2003, 09:57 PM
Originally posted by AppleMatt
I have no real need for securing my machine, there's nothing that important on it. I'm just interested, and it's an interest that's growing.

it's becoming an interest of mine too lately, especially since i'm studying for my Apple Certs soon. i just picked up an excellent book entitled "Mac OS X Maximum Security". really good stuff.

5300cs
Aug 5, 2003, 11:56 PM
Sam's Teach Yourself UNIX System Administration is a good book too, but it covers OS X 10.1 (before bash was included, and so on.)

I don't think Macs can be gotten into when they are sleeping, but that question got me thinking about the option "Wake for Network maintenance" or something like that...anyone know what that does? ("Wake when modem detects a ring" could be used for remote administration back in the day.)

Old MacOS (like 7.x or 8.something) had some small port openings I remember reading about a long time ago.
I like the fact that OS X comes with everything OFF, and NO TELNET. Telnet & FTP have to be the top 2 security holes for any *NIX system. The above mentioned book has a good method for enabling anonymous FTP (suicide in terms of security) where a fake /etc/passwd file is made, and a /bin is also made for just the FTPers so they can't replace things like /bin/ls with their own version to grab passwords.

What worries me a little, is that in the Linux world (especially Debian) there are weekly & monthly security updates for a lot of the packages, but with OS X, security updates are rare. Are they ignoring things, or is everything OK security wise?

BrandonRP0123
Aug 6, 2003, 01:05 AM
I've got a Netscreen 5XP here at home protecting my Power Mac, my girlfriend's Dell Inspiron, and whatever else I choose to connect to it (including my base station). NAT on, DHCP on, using 172.16 for addressing. Permanent DHCP lease for the power mac and PowerBook (see below).

The OS X firewall is that of FreeBSD - ipfw with an implicit permit as the last rule. Turn "On" the OS X firewall and try a "sudo ipfw list" in your Terminal. Given the fact that ipfw is supported under OS X it should be very easy for those converting from FreeBSD, or any similar *nix, to tweak to perfection.

I've got a /29 with my DSL so I one-to-one map my power mac (iTunes sharing for me at work, httpd for testing, etc), and my Powerbook (if anyone has found a better way to use battle.net I'm all ears - but doing a one-to-one NAT was the only way it seemed to work with custom games).

I'm a strong believer in an implicit deny firewall setup. That is to say; only allow incoming connections that you absolutely *have* to and deny all the rest.

AppleMatt
Aug 6, 2003, 11:24 AM
Originally posted by BrandonRP0123
I'm a strong believer in an implicit deny firewall setup. That is to say; only allow incoming connections that you absolutely *have* to and deny all the rest.

I was told that denying a connection is bad, as it proves your machine exists to scanners. Apparently 'ignoring' the request until it times out is the best, as it appears as if your machine doesn't exist/is switched off.

Anyone know any different?

AppleMatt
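Putting BrandonRP0123's implicit-deny preference and AppleMatt's "deny versus ignore" question into concrete ipfw terms, here is an added example (not code from any post in this thread) that generates, but does not apply, a default-deny ruleset for the Jaguar-era OS X firewall. The exposed ports, rule numbers and helper names are my own choices.

```shell
# Constructed example (not from the thread): emit an ipfw ruleset for the
# Jaguar-era OS X firewall that ends in an explicit deny rather than the stock
# implicit permit. Nothing here touches the live firewall; the output is text.
#
# ipfw evaluates rules in ascending number order and stops at the first match,
# so the order is: established flows, loopback, anything we start ourselves,
# the few services we deliberately expose, then drop everything else.
ipfw_ruleset() {
    # $@ = inbound TCP ports to expose, e.g. "80" for a personal web server.
    echo "add 1000 allow tcp from any to any established"
    echo "add 1100 allow ip from any to any via lo0"
    echo "add 1200 deny ip from 127.0.0.0/8 to any in"      # loopback range must never arrive from outside
    echo "add 1300 allow tcp from any to any out setup"     # connections this machine initiates
    echo "add 1400 allow udp from any to any out"
    echo "add 1500 allow udp from any 53 to any in"         # DNS replies
    echo "add 1600 allow udp from any 67 to any 68 in"      # DHCP lease from the router
    echo "add 1700 allow icmp from any to any icmptypes 0,3,11 in"  # ping replies, unreachables, TTL exceeded
    n=2000
    for port in "$@"; do
        echo "add $n allow tcp from any to any $port in setup"
        n=$((n + 100))
    done
    # 'deny' discards silently, so a scanner's connect() simply times out,
    # which is the "ignore it" behaviour discussed above. A 'reset' or
    # 'unreach host' action would answer and thereby confirm the host is up.
    echo "add 65000 deny ip from any to any"
}

# Helpers for checking the generated set without applying it.
ruleset_size() { ipfw_ruleset "$@" | wc -l | tr -d ' '; }
last_rule() { ipfw_ruleset "$@" | tail -n 1; }
```

To apply it on the Mac, save the output to a file and run `sudo ipfw -f flush` followed by `sudo ipfw /path/to/that/file`; the Sharing pane's firewall switch rewrites the ipfw rules itself, so leave it off once you manage ipfw by hand.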

davy the bunny
Aug 6, 2003, 11:44 AM
I'm going to have to agree with you, AppleMatt, for exactly the reason that you stated. And there's the bonus of catching the "attacking" computer in a small (very small) bit of quicksand while it waits for your ports to respond.

MacBoyX
Aug 6, 2003, 12:13 PM
I have a Linksys Router/WAP/DHCP/Firewall setup and I do the following:

1. the Router gives out only 5 IP addresses (I have 5 Macs/PCs).
2. The router and wap only give out IP addresses to MAC addresses I have allowed.
3. My SSID has Numbers and Letters and is not something easy to figure out.
4. My SSID is not broadcast.

The NAT'd firewall of the Router does a pretty good job of keeping out the trojans.

I haven't gotten WEP to work perfectly between the AirPort Cards and the Linksys so I bypass it by only using my CC number plugged into my router (i just have an extra cable set up for when i want to do stuff and a location in my iBook's Network Setup).

This does mean that whenever friends/family come over to visit I have some maintenance to get their laptops into my network but its worth it.

Although I just moved and now I live in a neighborhood where there are exactly 10 people living (people not families) and seven farms... so lots of cows and if they're war chalking I have bigger problems than I thought...

Seriously tho... MAC Filtering and Disabling that SSID Broadcast (on an AirPort Base Station that's called a closed network) really helps to keep things safe.

On my PC tho I run Norton Personal Firewall and AntiVirus. I only get notifications of trojans when my PC is in the DMZ (out of firewall).

MacBoyX

pgwalsh
Aug 6, 2003, 12:42 PM
I have OS X firewall turned on and I have a zonealarm on my PC. I'm behind a router with some security built in. However, if you're concerned and you want an easy but somewhat inexpensive solution you could try ipcop.org. You'll need a spare machine with other security and it acts as a router. You'll need a hub or switch if you're going to go this route. Oh and the spare PC you use needs to have another nic card.

To be honest, I feel much safer with my mac than pc for obvious reasons, but I have no idea how secure the mac is?

pgwalsh
Aug 6, 2003, 01:13 PM
Originally posted by BrandonRP0123
I've got a Netscreen 5XP here at home protecting my Power Mac, my girlfriend's Dell Inspiron, and whatever else I choose to connect to it (including my base station). NAT on, DHCP on, using 172.16 for addressing. Permanent DHCP lease for the power mac and PowerBook (see below).

The OS X firewall is that of FreeBSD - ipfw with an implicit permit as the last rule. Turn "On" the OS X firewall and try a "sudo ipfw list" in your Terminal. Given the fact that ipfw is supported under OS X it should be very easy for those converting from FreeBSD, or any similar *nix, to tweak to perfection.

I've got a /29 with my DSL so I one-to-one map my power mac (iTunes sharing for me at work, httpd for testing, etc), and my Powerbook (if anyone has found a better way to use battle.net I'm all ears - but doing a one-to-one NAT was the only way it seemed to work with custom games).

I'm a strong believer in an implicit deny firewall setup. That is to say; only allow incoming connections that you absolutely *have* to and deny all the rest.

You may laugh at me for saying this, but it would be nice for us Non *nix folks to have a GUI to admin or set the state of ipfw.... Anyone?

BrandonRP0123
Aug 6, 2003, 02:22 PM
Originally posted by pgwalsh
You may laugh at me for saying this, but it would be nice for us Non *nix folks to have a GUI to admin or set the state of ipfw.... Anyone?

No laughing required - really. I completely agree with you. For that very reason I haven't modified the ipfw setup on any of my macs as of yet (and Jaguar has been out a year).

There might be something in the FreeBSD ports that is graphical that'll work with X11. I'll check it out. E-mail me offline if you're interested in my findings.

pgwalsh
Aug 6, 2003, 02:24 PM
Originally posted by BrandonRP0123
No laughing required - really. I completely agree with you. For that very reason I haven't modified the ipfw setup on any of my macs as of yet (and Jaguar has been out a year).

There might be something in the FreeBSD ports that is graphical that'll work with X11. I'll check it out. E-mail me offline if you're interested in my findings.

I didn't realize that Brickhouse was the graphical editor. Here everyone is mentioning it, but with little description. Anyway, I just downloaded it and it seems to work well. I wish I could add it to my system preferences pane... Anyone?

5300cs
Aug 6, 2003, 05:39 PM
Ignoring ping requests- isn't that new-school? ;)

SLJ
Aug 6, 2003, 10:04 PM
I am new to Mac, and I certainly do not know anything about UNIX... with all these talks about security, I don't even know what I should be doing. Now, where should I start? Someone advised that Apple doesn't have any virus and i don't need to bother with an Anti-Virus program.. now you guys are talking about firewall... so am I back to square one and I need to get something to protect myself?

MacBoyX
Aug 7, 2003, 08:43 AM
Originally posted by SLJ
I am new to Mac, and I certainly do not know anything about UNIX... with all these talks about security, I don't even know what I should be doing. Now, where should I start? Someone advised that Apple doesn't have any virus and i don't need to bother with an Anti-Virus program.. now you guys are talking about firewall... so am I back to square one and I need to get something to protect myself?

SLJ,

You have to worry less about Viruses...MOST viruses are written to affect the Wintel world.

Firewalls prevent the world from hacking your machine. OS X has one built in, XP does not. This has become more of an issue because of always on Cable and other broadband internet connections. My advice to people Mac or PC is to buy a Router no matter if you have a need for it or not. It enables you to take advantage of a NAT'd firewall. NAT is Network Address Translation which basically takes the internal non public IP address that is assigned to you by the router and translates it to the PUBLIC known IP address of your broadband. This pretty much is the safest way to live on a broadband connection.

Security is something you need to be aware of as a Computer User in the High-Speed Internet age.

I wouldn't sweat it but just be aware, it might be time for a Google search on firewalls and security :)

Hope that helped...

MacBoyX

Raid
Aug 7, 2003, 11:08 AM
Originally posted by Daveman Deluxe
"The password is... one!"
"One!"
"One!"
"Two!"
"Two!"
"Two!"
"Three."
"Three!"
"Three!"

...and so on. Bonus points to those that can place THAT quote.

That's a quote from the movie Space Balls. To which Dark-helmet replies "That's the stupidest combination I've ever heard in my life. That's the kinda thing an idiot would have on his luggage." A little later President Skroob (Mel) hears the password and says "That's amazing, I have the same combination on my luggage!"

Good movie... I'm still waiting for the sequel "Spaceballs 2: The quest for more money"

:D
Raid
-----and that's why I'm the Jedi master of pop culture :cool:

Chealion
Aug 7, 2003, 11:20 AM
Actually Windows XP does have a built-in firewall (they touted it too when XP was first launched). It has to be turned on though through Network Connections and is not very easy to get to, and is not customizable @ all, so you can't even add ports, and in order to do anything but email and Internet (and MSN) you have to turn it off.

There's also HenWen, which uses Snort, and well it makes your computer REAL secure...

billyboy
Aug 7, 2003, 03:46 PM
Originally posted by MacBoyX
SLJ,

My advice to people Mac or PC is to buy a Router no matter if you have a need for it or not. It enables you to take advantage of a NAT'd firewall. NAT is Network Address Translation which basically takes the internal non public IP address that is assigned to you by the router and translates it to the PUBLIC known IP address of your broadband. This pretty much is the safest way to live on a broadband connection.

Security is something you need to be aware of as a Computer User in the High-Speed Internet age.

I wouldn't sweat it but just be aware, it might be time for a Google search on firewalls and security :)

Hope that helped...

MacBoyX

Can you share with us the make of router you use? What do we look for when looking through specs for routers that take us the next stage beyond Jaguar's Firewall on with nothing ticked in "sharing" preferences - but not into FBI paranoia land.

I've got nothing I don't want nicking but if its a matter of a few spondooleys and a plug and play gadget to add that extra unbreakable lock on the door, it is probably worth considering.

My brother is a PC head, poor lad, and says it is going to be quite tricky for him setting up a firewall and not completely dogging the speed of his connection. Is that a Windows thing or does it apply to external devices used on Macs too?

Thanks

daveL
Aug 7, 2003, 04:00 PM
Originally posted by billyboy
Can you share with us the make of router you use? What do we look for when looking through specs for routers that take us the next stage beyond Jaguar's Firewall on with nothing ticked in "sharing" preferences - but not into FBI paranoia land.

I've got nothing I don't want nicking but if its a matter of a few spondooleys and a plug and play gadget to add that extra unbreakable lock on the door, it is probably worth considering.

My brother is a PC head, poor lad, and says it is going to be quite tricky for him setting up a firewall and not completely dogging the speed of his connection. Is that a Windows thing or does it apply to external devices used on Macs too?

Thanks

I have my OSX firewall on and recently downloaded the 7B28 Panther beta at the full speed of my DSL connection, so I wouldn't worry about performance.

Linksys is a pretty good home router. Cisco owns them, although they don't advertise the fact.

e-coli
Aug 7, 2003, 04:16 PM
Originally posted by daveL
Linksys is a pretty good home router. Cisco owns them, although they don't advertise the fact.

But be careful!!! Linksys routers are extremely easy to crack. Make sure you reset everything, especially the "admin" password.

jbomber
Aug 7, 2003, 04:29 PM
Originally posted by Schiffi
Secure? bah, who has time for security. I'm on a modem so if I feel more laggish than normal I just yank the telephone line from my computer.

nice. i remember watching some crappy tv show during the infancy of the internet and this big-time computer guy starts freaking out cuz someone's hacking files on his machine. the not-so-computer-savvy main character walks over to the outlet and pulls out the plug, thereby solving the problem.

pgwalsh
Aug 7, 2003, 06:25 PM
Originally posted by daveL
Linksys is a pretty good home router. Cisco owns them, although they don't advertise the fact.

Partly because it's a relatively new acquisition.

Daveman Deluxe
Aug 7, 2003, 07:01 PM
I've always liked Belkin networking products. They work well and they have a lifetime warranty (which is coming in handy since mine got hit by lightning the other day).

bobindashadows
Aug 7, 2003, 11:03 PM
My linksys DMZs to my computer because I'm too lazy to configure all the ports. I then use the built in firewall to stop anything but HTTP, KDX, eDonkey, and anything else I run. According to nmap, this is my "interesting port" situation:
80/tcp open http
113/tcp open auth
427/tcp open svrloc
548/tcp open afpovertcp
3306/tcp open mysql

Also funny:

Remote OS guesses: Mac OS X 10.1.4 (Darwin Kernel 5.4) on iMac, Mac OS X 10.1.5

Tsk tsk... apparently the TCP fingerprint hasn't changed since then. Pretty good though!

I should probably turn auth, svrloc, and afpovertcp off. Chances are my version of Apache has security holes too. Thankfully, I don't have anything of value. My last web page was bought out by a porn site, so now I have zero traffic besides KDX and eDonkey.
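An added example, not from the thread, that turns the nmap listing above into a quick audit: given the ports a machine is meant to expose (assumed here to be only 80/tcp), it lists every other open port with the OS X service usually behind it. The sample rows are reconstructed from the post above; the allow-list, the service hints and the helper names are my assumptions.

```shell
# Constructed sample of nmap's "interesting ports" table, copied from the
# post above (port/proto  state  service). Real nmap output also has a header
# line and blanks; the loop below skips anything that is not an "open" row.
NMAP_SAMPLE='80/tcp open http
113/tcp open auth
427/tcp open svrloc
548/tcp open afpovertcp
3306/tcp open mysql'

# Ports this machine is meant to expose (assumption: just the web server).
INTENDED_PORTS="80/tcp"

# Where a Jaguar user would normally switch the listener off. Ports without a
# specific hint get the generic "find the process" advice. (General
# service-to-daemon knowledge, not taken from the thread.)
service_hint() {
    case "$1" in
        548/tcp)  echo "AFP: Sharing prefs > Personal File Sharing" ;;
        427/tcp)  echo "SLP: also started by Personal File Sharing" ;;
        3306/tcp) echo "MySQL: stop the server or bind it to 127.0.0.1" ;;
        *)        echo "unknown: run lsof -i :${1%%/*} to find the process" ;;
    esac
}

# Read nmap rows from stdin; print "port service -> hint" for every open port
# that is not in the space-separated allow-list given as $1.
unexpected_open_ports() {
    intended=" $1 "
    while read -r port state service; do
        [ "$state" = "open" ] || continue
        case "$intended" in
            *" $port "*) continue ;;   # deliberately exposed, nothing to report
        esac
        echo "$port $service -> $(service_hint "$port")"
    done
}

# Run the audit over the constructed sample; returns one line per surprise.
audit_sample() { printf '%s\n' "$NMAP_SAMPLE" | unexpected_open_ports "$INTENDED_PORTS"; }
audit_count()  { audit_sample | wc -l | tr -d ' '; }
```

Against a live box, feed it the real output with `nmap <your-ip> | unexpected_open_ports "80/tcp 4000/tcp"`, listing whatever you actually mean to serve.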