Away from Your Home Network (Even More Secure) -- Added 3/3/2008
I didn't post this info earlier, because I wasn't sure it would work... but this weekend I was able to confirm that it does. There are two differences between this method and the Secure method shown above:
1. On your router, configure a port number that you choose (for example, 5678 -- I recommend using a high port number to prevent conflicts) to forward to port 548 of the internal IP address of your Mac server (a Mac Pro, iMac, Mac mini, or some other Mac that's always home and on) for both TCP and UDP. For example, your Mac server might have an IP address like 192.168.1.1.
5. In the Server Address box, type your home system's external IP address, plus a colon and the port number you specified in step 1. For example, "123.123.12.123:5678". Or, if you have a domain name that points to your home system, you can type that, plus a colon and the port number you specified in step 1: "www.myhomedomain.com:5678", for example.
Setting your router to perform port forwarding in this manner, rather than just relying on the home server's login security, provides an additional layer of security that will prevent unauthorized users from accessing your home server: Not only would they have to know your user name and password from your home server, but they would also have to know what port number to use, not just the default 548 port number. If they can't even guess the right port number, they don't even get a chance to try your user name and password.
This would only add perceived security and not any real security. One could call it security through obscurity. The main problem in this application is that it will not provide any extra layer of security. Why, you may ask? You may say that the attacker will attempt to connect to my IP address using an AFP client, and that will not work.
Well, think about it. If someone wishes to gain access to your specific AFP share, how would they do it? First of all, the attacker somehow knows you have an AFP share available at a specific address. They might have spotted it at your work/campus or know it in some other way. Yes, I'm aware that no one would "ever" want to access your stuff. Why would they? You don't have any top-secret planet-destroying weapon blueprints on your share.
But why did you then change the port number at all?
Well first the attacker would probably try to just connect to you.
Code:
afp-client connect afp.example.com
This would fail if you use a different port number than the default 548. Say that you use port number 5480 and have opened it in your router. Will the attacker give up here and say, "Hey, that guy's got some mad security, best I give up now before he starts hunting me!"
I doubt that; I think all he will do is fire up his good old trustworthy port scanner and find out that you only have one open port. Then he'll try to connect to you with:
Code:
afp-client connect afp.example.com:5480
And voila, he will get the same fancy login window you get.
What I want to point out is that changing the port will not add any real security to your setup.
And if someone doesn't explicitly know that you host an AFP share and just wants to see if they can attack your system in some way, they could do a port scan first and then connect to you on any of your open ports and find out what's running on it.
Edit:
Furthermore, doing a special port setup will actually give you more headaches than using the default port, unless you change the port number the AFP service itself is running on. Since that wouldn't increase security either, but would only increase the complexity of using the system, it's a bad idea. What you should do is run the service on the default port, use the default port in your router, and have fewer headaches.
Why would you get more headaches from using one port number on the outside of your network and one on the inside? Well, you would have to have two different strings with which you connect. And if one day you want to automate the connection to your server, it is much easier if you can do that with the same address and port number.
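The scan-then-connect step described in the reply above, as an added example that is not part of this thread and not code written by either poster: a Python sweep that finds open TCP ports on a host and then sends a DSI GetStatus request to each one. AFP over TCP is carried in DSI, and an AFP server answers GetStatus with its server info (name, machine type, AFP versions, UAMs) before any login, so the service identifies itself on whatever port it happens to be forwarded to. Everything the script talks to is constructed for the demonstration: a stand-in server on 127.0.0.1 that answers only GetStatus with a minimal FPGetSrvrInfo block, a free loopback port standing in for the "secret" forwarded port, and the server name, machine type, version and UAM strings are made up.

```python
"""Added example (not from the thread): a port sweep plus DSI GetStatus probe
finds an AFP service whether or not it sits on the default port 548.
Everything is constructed: the stand-in server, its port and its server info."""
import socket
import struct
import threading

DSI_GETSTATUS = 3      # DSI command code for DSIGetStatus
DSI_REPLY = 0x01       # DSI flags byte: 0 = request, 1 = reply
# DSI header: flags, command, requestID, errorCode, totalDataLength, reserved (16 bytes, big-endian)
DSI_HDR = struct.Struct(">BBHIII")


def pstr(s: str) -> bytes:
    """Pascal string: one length byte followed by the bytes."""
    b = s.encode("ascii")
    return bytes([len(b)]) + b


def build_srvrinfo(server_name="homeserver", machine="Macintosh",
                   versions=("AFP3.3",), uams=("DHCAST128",)) -> bytes:
    """Constructed FPGetSrvrInfo reply block: MachineTypeOffset, AFPVersionsOffset,
    UAMsOffset, VolumeIconOffset, Flags, ServerName; the offset-addressed fields follow."""
    head_len = 2 * 4 + 2 + 1 + len(server_name)
    head_len += head_len % 2                     # even-align the variable part
    machine_b = pstr(machine)
    versions_b = bytes([len(versions)]) + b"".join(pstr(v) for v in versions)
    uams_b = bytes([len(uams)]) + b"".join(pstr(u) for u in uams)
    off_machine = head_len
    off_versions = off_machine + len(machine_b)
    off_uams = off_versions + len(versions_b)
    body = struct.pack(">HHHHH", off_machine, off_versions, off_uams, 0, 0) + pstr(server_name)
    return body.ljust(head_len, b"\x00") + machine_b + versions_b + uams_b


def parse_srvrinfo(data: bytes) -> dict:
    """Parse the fields of an FPGetSrvrInfo block that identify the server."""
    off_machine, off_versions, off_uams, _icon, _flags = struct.unpack_from(">HHHHH", data, 0)

    def read_pstr(off):
        n = data[off]
        return data[off + 1:off + 1 + n].decode("ascii", "replace"), off + 1 + n

    def read_list(off):
        items, pos = [], off + 1
        for _ in range(data[off]):
            s, pos = read_pstr(pos)
            items.append(s)
        return items

    name, _ = read_pstr(10)
    machine, _ = read_pstr(off_machine)
    return {"server_name": name, "machine": machine,
            "afp_versions": read_list(off_versions), "uams": read_list(off_uams)}


def start_fake_afp_server():
    """Stand-in AFP server on a free loopback port (constructed); returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.1)
    stop = threading.Event()
    payload = build_srvrinfo()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    hdr = conn.recv(DSI_HDR.size)
                except OSError:
                    continue
                if len(hdr) == DSI_HDR.size and DSI_HDR.unpack(hdr)[1] == DSI_GETSTATUS:
                    req_id = DSI_HDR.unpack(hdr)[2]
                    conn.sendall(DSI_HDR.pack(DSI_REPLY, DSI_GETSTATUS, req_id, 0, len(payload), 0) + payload)
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


def recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise OSError("short read")
        buf += chunk
    return buf


def probe_afp(host, port, timeout=0.5):
    """Send DSIGetStatus; return the parsed server info, or None if the port is not AFP."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(DSI_HDR.pack(0, DSI_GETSTATUS, 1, 0, 0, 0))
            flags, cmd, _rid, err, length, _ = DSI_HDR.unpack(recv_exact(s, DSI_HDR.size))
            if flags != DSI_REPLY or cmd != DSI_GETSTATUS or err != 0:
                return None
            return parse_srvrinfo(recv_exact(s, length))
    except (OSError, struct.error, IndexError):
        return None


def scan(host, ports, timeout=0.2):
    """Plain TCP connect sweep: the ports that accept a connection."""
    open_ports = []
    for p in ports:
        try:
            with socket.create_connection((host, p), timeout=timeout):
                open_ports.append(p)
        except OSError:
            pass
    return open_ports


def find_afp(host, ports):
    """Sweep, then fingerprint every open port: {port: server_info} for those speaking DSI."""
    found = {}
    for p in scan(host, ports):
        info = probe_afp(host, p)
        if info:
            found[p] = info
    return found


def demo():
    """Run the sweep against the stand-in server; a 100-port window keeps it quick."""
    port, stop = start_fake_afp_server()
    try:
        return port, find_afp("127.0.0.1", range(port - 50, port + 50))
    finally:
        stop()


if __name__ == "__main__":
    secret_port, found = demo()
    print(f"forwarded (non-default) port was {secret_port}")
    for p, info in found.items():
        print(f"AFP found on port {p}: {info}")
```

The sweep here covers only a window around the stand-in server's port so the demo finishes in a second; against a real host the same loop over range(1, 65536) is what a port scanner does, and the GetStatus probe is the part that tells the attacker what is behind the open port without needing a username or password. The attacker's cost for a changed port is therefore a few minutes of scanning, which is the point the reply is making.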