OS X Server hardening security

[mrbash]

I recently connected my OSX Server (10.6) box directly to the Internet, and want to harden it against unauthorized use.

I was wondering if anyone could give me some suggestions for what to do. I'm happy to buy some software if necessary.

What I use the server for is, SSH, SFTP, and P2P traffic. It has a dynamic address that is mapped to a specific DNS host entry. The machine also has 2 IP addresses. One for the internal network, and a public IP address. I would also like to ensure that the two aren't bridged (I'm guessing they aren't by default).

Any suggestions, or checklists would be greatly appreciated. I am a total new comer to security so please be gentle.

I do have the Firewall service running as a start.

Thanks

 

[assembled]

I recently connected my OSX Server (10.6) box directly to the Internet, and want to harden it against unauthorized use.

I was wondering if anyone could give me some suggestions for what to do. I'm happy to buy some software if necessary.

Any suggestions, or checklists would be greatly appreciated. I am a total new comer to security so please be gentle.

The better solution might be to use a hardware firewall/NAT router rather than connect your machine directly to the internet. you can then only forward the ports that you require to be open on the firewall/NAT router, rather than having to specifically close other ports on your mac.

depending on the device, you can also get firewalls with intrusion prevention, and rulesets that will automatically block traffic to ports that would be indicative of a "hacking attack". all of this can be done in software, but as a newbie, you might find it simpler to configure a device specifically designed to do this. I would certainly suggest that connecting first and learning second is foolhardy at best.

 

[mrbash]

That is a good suggestion, but I am trying to avoid going the NAT route.

Pretty much any kind of mid-range router firewall feature should be configurable on the Mac.

 

[Consultant]

NSA has a guide for government-level security:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml

 

[tgurske]

A few rules that I work off of:
- Only use the services that you need. The fewer the better. Set in Server Admin -> Settings
- Use the built in firewall. It works fine. Remember that a hardware firewall is just another computer running similar or the same software. So not much advantage in my opinion.
- Strong passwords.
- Update regularly. Although it's best to check the apple "communities" forums to make sure the updates don't break anything.
- Check the server logs on a regular basis. You'll see people trying to break in.
- Block out countries at the firewall level if you can. I've blocked out entire continents in the past when I was able to. It really depends on what's being hosted on the server.
- Backup the server on a schedule so if you screw up something, the disk is corrupted, or the server gets compromised you'll have a disk image to restore from.

That's about it. I'm pretty sure that you don't need to lock down things due to manufacturer incompetence like you would on a Plesk or C Panel install.

Bottom line: If you restrict the access to your server (firewall) to only what's absolutely necessary and if you have good passwords then you should be good. SL server is pretty solid right off the install.

 

[mrbash]

Thanks guys. This was very helpful.