Old Apr 11, 2009, 09:26 AM   #1
discosoap
macrumors regular
 
Join Date: Mar 2008
Location: The Netherlands
OSX Server Security Breach ?

Hi all,

I am using a Mac Mini (10.4.11, 2nd gen 1.66 CD, 2 GB RAM, 2 TB storage) as my file and FTP server. My Mini is connected to a GB switch (my MacBook is connected as a client to that switch), and the switch is connected to a router downstairs which is used in my student home (with 4 other people using the LAN). I want to be the only one able to access it for file sharing from my MacBook (as I don't want to serve my 2 TB of data to the internet or my roommates just yet).

Here is my problem: I regularly restart my server, and last time I did I got the message below. There were 3 file sharing clients connected to my Mini (Aaaargh!!!!). How is this possible (I am sure it wasn't my roommates, as they (and their laptops) were not on the network at that time)???? Where do these connected clients come from?? The internet (which would be a nightmare/security breach, right)??

My question: how can I check and manage the number of clients connected to my Mini at any time? How can I ban people from using my Mini? What is a good way to lock down my Mini server? (I use a firewalled router, the OS X Firewall (stealth mode/UDP blocking) and Norton Internet Security (including Firewall) simultaneously.)
I thought I was protected with 3 firewalls, but I am not. I felt exposed to the internet, and I don't know where to start securing this server. Am I overlooking something here?? Please, any advice would be greatly appreciated.

Thanks from Holland
Attached image: Picture 1.png
__________________
Macbook Pro 2.4Ghz i5
Macbook 1.83Ghz CD
Mac Mini Server 1.66Ghz CD
iMac 700Mhz PPC G4

Last edited by discosoap; Apr 11, 2009 at 09:51 PM.
Old Apr 11, 2009, 02:52 PM   #2
discosoap
Thread Starter
macrumors regular
 
Join Date: Mar 2008
Location: The Netherlands
Maybe I was not clear ??

OK, maybe I was not clear?? My basic question is: how can I see who is connected to my server as a file sharing client?? Obviously there were clients connected who shouldn't have been (see image below). Anyone, anyone at all, please????
Attached image: Picture 1.png
Last edited by discosoap; Apr 11, 2009 at 09:52 PM.
Old Apr 13, 2009, 10:24 AM   #3
discosoap
Thread Starter
macrumors regular
 
Join Date: Mar 2008
Location: The Netherlands
Please please Help!!!

OK, so 2 days, no response. I don't know if my question is not straightforward enough, or whether I am asking the wrong question. I searched the internet and found these apps to monitor connected Apple file share users: http://www.hornware.com. This is maybe step 1 to a solution, as it enables me to at least monitor who's connected. However, my problem remains: where do these clients come from, and what is the security risk?? Isn't there anyone who knows something about file sharing, file servers etc.?? Please, any response would be appreciated.
Old Apr 13, 2009, 10:55 AM   #4
Consultant
macrumors G5
 
Join Date: Jun 2007
Well, you said 4 other people on your LAN.
Other people can access your public folder.

Or if you have a weak password, people might have guessed it.

Perhaps iTunes music sharing is on?

Maybe the wireless network is not secured.
Old Apr 14, 2009, 07:39 AM   #5
discosoap
Thread Starter
macrumors regular
 
Join Date: Mar 2008
Location: The Netherlands
Quote:
Originally Posted by Consultant
Well, you said 4 other people on your LAN.
Other people can access your public folder.

Or if you have a weak password, people might have guessed it.

Perhaps iTunes music sharing is on?

Maybe the wireless network is not secured.

Dear Consultant,

Thanks so much for your response!! However, I am sure my roommates were not on the LAN; in fact I should have been the only one connected at that time. My password is 16 characters long and is very hard to guess, so I don't see a problem there.
iTunes music sharing is off (only file sharing and remote desktop are turned on and protected by the OS X firewall). The wireless network is safe enough (WPA); I am sure there were no unauthorised clients connected to the wireless network at the time.

I understand these are all factors to check, but I am reasonably sure these are not the problem.

Again, I really don't understand where these clients came from. Are there other ways to check this?? And what are the security risks when unauthorised file sharing clients are connected? Do they have access to the full 2 TB, the current user files or only to the Guest folder???

Any further help would be greatly appreciated!!
Old Apr 14, 2009, 09:54 AM   #6
Consultant
macrumors G5
 
Join Date: Jun 2007
Hey discosoap,

Unless they have your user password or if you install suspicious software, anyone connected can only see your public folder, which is empty by default.

Few things to check out:

Log into the router and see what computers are connected

Open Terminal and enter last

Open Console for logs
Old Apr 25, 2010, 06:11 AM   #7
Jimmi1321
macrumors newbie
 
Join Date: Jan 2010
Location: ITALY FVG
I resume this thread.

Same "problem" here.
Sometimes when I close the iMac I get the "more users connected" message.

Quote:
Open Terminal and enter last

Open Console for logs

Seems all OK so far,

but checking the router I got this...

[Screenshot, uploaded with plasq's Skitch]

Note: my IP is using a wireless antenna.
So I have a router connected to an Alvarion antenna.

Can that user be just another one connected to the same antenna?

Are there security issues??
Old Apr 25, 2010, 10:43 AM   #8
myjay610
macrumors regular
 
Join Date: Jan 2008
Do you have public folders enabled? By default most OS X installs will allow people to connect via AFP and see the public folders; if that's the case, it could be someone on that. You could try a 'netstat -a | grep tcp' command from the Terminal and see what connections you have established over the afpd port (548) at the time you see the message you originally saw.

Since you ARE running OS X Server, you could also enable the firewall service and create an explicit allow rule for only the IPs you want to connect over AFP; then everyone else will be implicitly denied.
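The port 548 check suggested in post #8, as an added example that is not part of any poster's reply: it filters `netstat -an` output (the `-n` keeps ports numeric so 548 shows literally) down to established inbound AFP sessions and labels each peer as LAN or PUBLIC. It assumes the BSD/macOS `netstat` column layout; the function names `afp_peers` and `sample_netstat` and all sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: list established AFP (TCP 548) sessions from BSD/macOS-style
# `netstat -an` output and flag peers that are outside private address space.
# On the Mac itself:  netstat -an | afp_peers

afp_peers() {
    awk '
    # Only TCP sockets in ESTABLISHED state; $4 = local addr.port, $5 = remote.
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        lport = $4; sub(/.*\./, "", lport)        # text after the last dot
        if (lport != "548") next                  # not the local AFP service
        raddr = $5; sub(/\.[0-9]+$/, "", raddr)   # strip the remote port
        scope = "PUBLIC"
        if (raddr ~ /^10\./ || raddr ~ /^192\.168\./ ||
            raddr ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ ||
            raddr ~ /^169\.254\./ || raddr ~ /^fe80:/)
            scope = "LAN"
        else if (raddr ~ /^127\./ || raddr == "::1")
            scope = "LOCAL"
        print scope, raddr
    }' | sort -u
}

# Constructed sample in macOS netstat -an format (addresses are made up;
# 203.0.113.0/24 is a documentation range standing in for an internet host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.548       192.168.1.23.49321     ESTABLISHED
tcp4       0      0  192.168.1.10.548       203.0.113.77.51004     ESTABLISHED
tcp4       0      0  192.168.1.10.22        192.168.1.23.49400     ESTABLISHED
tcp4       0      0  192.168.1.10.49500     192.168.1.40.548       ESTABLISHED
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  192.168.1.10.548       192.168.1.31.50222     TIME_WAIT
EOF
}

sample_netstat | afp_peers
```

A PUBLIC line means the router is forwarding or exposing port 548 to the internet; a LAN line points at a device on the local network, which can be matched against the router's client list.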
Old Apr 25, 2010, 10:45 AM   #9
myjay610
macrumors regular
 
Join Date: Jan 2008
Quote:
Originally Posted by Consultant
Well, you said 4 other people on your LAN.
Other people can access your public folder.

Or if you have a weak password, people might have guessed it.

Perhaps iTunes music sharing is on?

Maybe the wireless network is not secured.

iTunes music sharing would not show that message since iTunes sharing does not use AFP. That message is only for people who have a connection established on port 548 with the server.
Old Apr 25, 2010, 12:59 PM   #10
Supa_Fly
macrumors 68030
 
Join Date: May 2002
Location: Toronto, Ontario, Canada
This may not be related ... however, Jimmi, I think you should consider MAC Filtering on your router.
__________________
2008 Al_MB 2.4Ghz C2D 4GB/256GB HDD/256MB Nvidia 9400M| Panther Dog Tags | Z10 | 2010 Mac Switcher
Old Apr 25, 2010, 04:19 PM   #11
shadyMedia
macrumors newbie
 
Join Date: Apr 2009
I'm guessing that this is just the Regular 10.4 OS and not the Mac OS X Server edition? Correct me if I'm wrong.

But I would take a look in the secure logs; if the "Users" are connecting to a share or the computer in general, there should be something in your logs there.

Did you open Terminal and type last? What did you see there?
__________________
MacBook Pro 15" 2.66ghz 6gigs of ram 120 Corsair SSD with a 500gig 7200 RPM drive in the optical bay Mid 2010,iPhone 4S gig, AppleTV 2ndGen,
Old Apr 25, 2010, 04:26 PM   #12
calderone
macrumors 68040
 
Join Date: Aug 2009
Location: Seattle
Quote:
Originally Posted by myjay610
Since you ARE running OS X server you could also enable the firewall service and create an explicit allow rule for only the IPs you want to connect over the AFP then everyone else will be implicitly denied.

I don't think the OP is running OS X Server. Jimmi could be though.
__________________
ACSA, ACMT
Old Apr 25, 2010, 06:11 PM   #13
Jimmi1321
macrumors newbie
 
Join Date: Jan 2010
Location: ITALY FVG
Thank you for your help!

I'm using a regular Snow Leopard.

Maybe it's time to take more care of my iMac security.
I had a lot of shared folders which I used to connect to from my PowerBook.
Now I closed some. And I set up only one user to access them.

As for the MAC address: which ones should I set up?
iMac + PowerBook + iPhone + (new MBP coming)
+ Alvarion antenna??

Other than Terminal last and Console, should I check something else???
Old Apr 25, 2010, 06:42 PM   #14
myjay610
macrumors regular
 
Join Date: Jan 2008
Quote:
Originally Posted by Jimmi1321
Thank you for your help!

I'm using a regular Snow Leopard.

Maybe it's time to take more care of my iMac security.
I had a lot of shared folders which I used to connect to from my PowerBook.
Now I closed some. And I set up only one user to access them.

As for the MAC address: which ones should I set up?
iMac + PowerBook + iPhone + (new MBP coming)
+ Alvarion antenna??

Other than Terminal last and Console, should I check something else???

All I do is disable guest access and use a strong password for my account; besides that, MAC filtering for me is just extra paranoia...
Old May 20, 2012, 12:27 AM   #15
dinamo9
macrumors member
 
Join Date: Mar 2008
Opening this thread, as I have the same concern today.
Got the same message that someone was connected.
I forgot to remove a folder from my file sharing with some private stuff. Luckily nothing too bad, but I was definitely upset with the files that were in there, if someone got them.

I only use my computer from home, so today when I was travelling I completely forgot to consider security. I didn't even have a password set on my account, and no firewall.

Since I got the message that someone was connected when I tried to restart, I'm afraid that they may have got access to more than just my shared folder.
Couple questions.

1) If I close the lid on my macbook, and therefore connection to internet, does that mean the person connected loses connection to my computer?
2) How can I find out who actually connected? I did the netstat -a | grep tcp and got a list, but there are no dates or times (would it help to post the list?)

This is obviously a huge learning lesson, and I immediately beefed up my security, enabled firewall, added a password, and removed shared folders.

I'm still worried, so any input on what I should be concerned about or how to figure out who may have connected is greatly appreciated.