Securing your Mac

I use OS X's built-in firewall, with a cable connection... And i supplement it with Brickhouse when i need more customization/logging... Never had a problem.

pnw

 

I have OSX firewall enabled and the computer not set to auto-login on reboot. My wireless base station (this is an iBook) has the firewall turned on, WEP 128-bit turned on, DHCP turned off, a different-than-normal local IP range, and it no longer broadcasts the network name.

Trying to break into my system would be like trying to break into Scrooge McDuck's big vault.

 

I just download the Security Updates from Apple when they arrive. I'm on cable modem with a router. Just a question since I never really paid much attention to this sort of thing before. What are the reasons for being so serious about security? OS X is very secure to begin with. What are some reasons for adding Firewalls, IP encryption, etc? Do you all work for the government or have a hard drive full of credit card numbers? A business is one thing but I don't understand the need for all this protection for an individual on their home computer. I can't imagine anyone trying to hack into my machine. All they'd find is a bunch of worthless crap, and maybe a little porn I'm getting ready for Apple Certification exams and I'd like to hear as much about this as I can. Thanks.

 

Read some of the articles here

Brickhouse is good, I use it...

I am also behind a router so i'm good.

 

I use NetBarrier... it's an excellent firewall software with many options. I also run Little Snitch to prevent those pesky applications that try to "call home".




irmongoose

 

awesome link! i haven't seen this site before. this will be very useful. cheers.

 

Secure? bah, who has time for security. I'm on a modem so if I feel more laggish than normal I just yank the telephone line from my computer.

 

"The password is... one!"
"One!"
"One!"
"Two!"
"Two!"
"Two!"
"Three."
"Three!"
"Three!"

...and so on. Bonus points to those that can place THAT quote.

 

i have the OS X firewall on and i am behind a router, so i guess i'm fine all people would find on my hard drive is a lot of no doubt songs. a lot of them.

 

SpaceBalls!

Damn, now I've got to change my password!

 

I won't speak for everyone, but once you start doing P2P, you expose yourself to a lot of bad people on the internet. Kazaa for example, is full of people ping flooding and port scanning, just looking for a weak machine to exploit. My friend's machine was scanned and people in Korea tried to trojan horse him twice in one day, he traced the IP and reported them to their ISP, and a week later the same IP tried to trojan him 5 more times

From past experience, "security through obscurity" doesn't work as your machine will be found eventually. Also a poorly maintained UNIX box can be vulerable as well (just not as much as a windows box.)

Also, besides looking at the data on your machine, attackers may use your machine as a drone in a DoS attack, using YOUR IP and YOUR machine.

If you knew this already, I appoligize for wasting your time, if not- time to start reading up

 

The main thing I'm worried about is the potential for wardrivers to pick up the odd credit card number when I'm ordering something online. That's why I use WEP encryption and all that. There's a report on arstechnica.com where the author was able to pick up several unencrypted and completely unprotected 802.11b networks from 3,000 feet up in an airplane. Scary business, especially since he was picking up signals over the commercial district of San Francisco.

 

well... firstly there's the adsl modem, then that connects to a router that i think has a built in firewall, then that goes to everywhere in the house. and the whole house it networked so there's about 15+ ports all over the place, so depending on which room your in the IP changes (or something like that).

i don't know much about that stuff, but it's supposed to be really hard to get through... unless someone opens a port that i'm using. actually, my little brother (PC guru) was going to open a port i was using and get someone he knows to try and hack me.

 

thanks for all that info. i've been hearing about this sort of hijacking thing alot lately. i thought it was only possible to get hijacked if you had dial-up and were connected to the phone line. sounds crazy. can macs get hijacked and used when they are sleeping?

 

speaking of 'hijacking'... that reminds me of a funny story of people going around and taking over peoples Hotline servers.

basially they just sent people a "list" of files that they had to offfer, which was an applescript with a text file icon. then people open it and think it doesn't work, but then the script goes and collects all the users info, admin passwords etc. then the people log backin with an admin password and boot every one from the server and block them so that they have complete control of it.

there's a full text document of the whole thing, funny stuff.

 

Spaceballs. God, I love that movie




irmongoose

 

Nobody mentioned this, so I'll chime in. OS X has network services *off* by deafult. MS has everything under the sun *on* by default. You can't get into a port on the Mac unless you go into your preferences and turn it on, and you have to have admin privileges to do that. Then, of course, you have your built-in firewall, which only allows connections that originate from your machine, out of the box.

 

it's becoming an interest of mine too lately, especially since i'm studying for my Apple Certs soon. i just picked up an excellent book entitled "Mac OS X Maximun Security". really good stuff.

 

Sam's Teach Yourself UNIX System Administration is a good book too, but it covers OS X 10.1 (before bash was included, and so on.)

I don't think Macs can be gotten into when they are sleeping, but that question got me thinking about the option "Wake for Network maintenance" or something like that...anyone know what that does? ("Wake when modem detects a ring" could be used for remote administration back in the day.)

Old MacOS (like 7.x or 8.something) had some small port openings I remember reading about a long time ago.
I like the fact that OS X comes with everything OFF, and NO TELNET. Telnet & FTP have to be the top 2 security holes for any +NIX system. The above mentioned book has a good method for enabling anonymous FTP ( suicide in terms of security) where a fake etc/passwd file is made, and a /bin is also made for just the FTPers so they can't replace things like /bin/ls with their own version to grab passwords.

What worries me a little, is that in the Linux world (especially Debian) there are weekly & monthly security updates for a lot of the packages, but with OS X, security updates are rare. Are they ignoring things, or is everything OK security wise?

 

I've got a Netscreen 5XP here at home protecting my Power Mac, my girlfriend's Dell Inspiron, and whatever else I choose to connect to it (including my base station). NAT on, DHCP on, using 172.16 for addressing. Permanent DHCP lease for the power mac and PowerBook (see below).

The OS X firewall is that of FreeBSD - ipfw with an implicit permit as the last rule. Turn ``On'' the OS X firewall and try a ``sudo ipfw list'' in your Terminal. Given the fact that ipfw is supported under OS X it should be very easy from those converting from FreeBSD, or any similar *nix to tweak to perfection.

I've got a /29 with my DSL so I one-to-one map my power mac (iTunes sharing for me at work, httpd for testing, etc), and my Powerbook (if anyone has found a better way to use battle.net I'm all ears - but doing a one-to-one NAT was the only way it seemed to work with custom games).

I'm a strong believer in an implicit deny firewall setup. That is to say; only allow incoming connections that you absolutely *have* to and deny all the rest.