Old Jan 4, 2011, 01:14 PM   #1
mrbash
macrumors 6502
 
Join Date: Aug 2008
OS X Server hardening security

I recently connected my OSX Server (10.6) box directly to the Internet, and want to harden it against unauthorized use.

I was wondering if anyone could give me some suggestions for what to do. I'm happy to buy some software if necessary.

What I use the server for is SSH, SFTP, and P2P traffic. It has a dynamic address that is mapped to a specific DNS host entry. The machine also has 2 IP addresses: one for the internal network, and a public IP address. I would also like to ensure that the two aren't bridged (I'm guessing they aren't by default).

Any suggestions or checklists would be greatly appreciated. I am a total newcomer to security, so please be gentle.

I do have the Firewall service running as a start.

Thanks
Old Jan 4, 2011, 02:59 PM   #2
assembled
macrumors regular
 
Join Date: Jan 2009
Location: London
Quote:
Originally Posted by mrbash View Post
I recently connected my OSX Server (10.6) box directly to the Internet, and want to harden it against unauthorized use.

I was wondering if anyone could give me some suggestions for what to do. I'm happy to buy some software if necessary.

Any suggestions or checklists would be greatly appreciated. I am a total newcomer to security, so please be gentle.
The better solution might be to use a hardware firewall/NAT router rather than connect your machine directly to the internet. You can then only forward the ports that you require to be open on the firewall/NAT router, rather than having to specifically close other ports on your Mac.

Depending on the device, you can also get firewalls with intrusion prevention, and rulesets that will automatically block traffic to ports that would be indicative of a "hacking attack". All of this can be done in software, but as a newbie, you might find it simpler to configure a device specifically designed to do this. I would certainly suggest that connecting first and learning second is foolhardy at best.
Old Jan 5, 2011, 04:19 AM   #3
mrbash
Thread Starter
macrumors 6502
 
Join Date: Aug 2008
That is a good suggestion, but I am trying to avoid going the NAT route.

Pretty much any kind of mid-range router firewall feature should be configurable on the Mac.
Old Jan 5, 2011, 04:59 PM   #4
Consultant
macrumors G5
 
Join Date: Jun 2007
NSA has a guide for government-level security:
http://www.nsa.gov/ia/guidance/secur..._systems.shtml
Old Jan 6, 2011, 12:47 AM   #5
tgurske
macrumors newbie
 
Join Date: Sep 2008
A few rules that I work off of:
- Only use the services that you need. The fewer the better. Set in Server Admin -> Settings
- Use the built-in firewall. It works fine. Remember that a hardware firewall is just another computer running similar or the same software. So not much advantage in my opinion.
- Strong passwords.
- Update regularly. Although it's best to check the Apple "communities" forums to make sure the updates don't break anything.
- Check the server logs on a regular basis. You'll see people trying to break in.
- Block out countries at the firewall level if you can. I've blocked out entire continents in the past when I was able to. It really depends on what's being hosted on the server.
- Back up the server on a schedule so if you screw up something, the disk is corrupted, or the server gets compromised you'll have a disk image to restore from.

That's about it. I'm pretty sure that you don't need to lock down things due to manufacturer incompetence like you would on a Plesk or cPanel install.

Bottom line: If you restrict the access to your server (firewall) to only what's absolutely necessary and if you have good passwords then you should be good. SL server is pretty solid right off the install.
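An added example, not part of the post above or of anyone's reply in this thread: one way to do the suggested log check on a server that exposes SSH, by counting failed password attempts per source address. It assumes the stock OpenSSH "Failed password" wording; the function names, the log path in the comment and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# Assumption: sshd uses the stock OpenSSH wording
#   "Failed password for [invalid user] NAME from ADDR port N ssh2"

# Constructed sample log (documentation address ranges, not real traffic).
sample_log() {
cat <<'EOF'
Jan  5 03:12:41 server sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jan  5 03:12:44 server sshd[4103]: Failed password for invalid user test from 203.0.113.5 port 51130 ssh2
Jan  5 03:12:47 server sshd[4105]: Failed password for root from 203.0.113.5 port 51141 ssh2
Jan  5 03:15:02 server sshd[4120]: Failed password for invalid user from 192.0.2.1 from 198.51.100.7 port 40022 ssh2
Jan  5 08:30:10 server sshd[4300]: Accepted password for alice from 192.0.2.44 port 50211 ssh2
Jan  5 08:31:55 server sshd[4311]: Failed password for alice from 192.0.2.44 port 50230 ssh2
Jan  5 09:00:00 server ftpd[4400]: Failed password for bob from 203.0.113.9 port 21 ssh2
EOF
}

# Print "COUNT ADDR" for every source with at least $1 failures (default 3),
# busiest first. Reads the log on stdin.
failed_ssh_sources() {
    awk -v min="${1:-3}" '
        # Only sshd lines; the process field looks like "sshd[4101]:".
        $5 ~ /^sshd\[[0-9]+\]:$/ && /Failed password for/ {
            # Anchor on the END of the line: "... from ADDR port N ssh2".
            # The user name is chosen by the remote side and may itself
            # contain " from ", so the first "from" cannot be trusted.
            if ($(NF-4) == "from" && $(NF-2) == "port")
                n[$(NF-3)]++
        }
        END { for (a in n) if (n[a] >= min) print n[a], a }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample. On the server, read the real log instead,
# e.g.  failed_ssh_sources 5 < /var/log/secure.log
# (path is an assumption for 10.6; check /etc/syslog.conf).
sample_log | failed_ssh_sources 3
```

Sources that keep appearing in this output are candidates for a deny rule in the built-in firewall.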
Old Jan 7, 2011, 01:22 PM   #6
mrbash
Thread Starter
macrumors 6502
 
Join Date: Aug 2008
Thanks guys. This was very helpful.
Tags
hardening, os x server, security