
AppleMatt (macrumors 68000, original poster, UK)
Mar 17, 2003
Well my foray into Mac OS X is complete. I've used it since 10.1.2, and thanks to countless long nights reading and tweaking, I regard myself as knowing quite a lot about how to use it etc.

However right from day one, security has bothered me.

How do you guys go about securing your Mac online? Just the OS X firewall? A 3rd party firewall? Manually disabling ports, proxies, anonymous proxies, etc etc.

It would be excellent if everyone could share a bit about how they secure their Macs, especially in the days of broadband and wireless networking. Don't hold anything back, manual editing of system files allowed :wink:.

AppleMatt
 
On my system, I've got the OS X firewall disabled, but I'm plugged into a router which makes it difficult to access my system directly. OS X is very secure out of the box, so I don't bother with anything flash to get it secured. I just install the occasional security updates when they come out.
 
I use OS X's built-in firewall, with a cable connection... And I supplement it with Brickhouse when I need more customization/logging... Never had a problem.

pnw
 
I have OSX firewall enabled and the computer not set to auto-login on reboot. My wireless base station (this is an iBook) has the firewall turned on, WEP 128-bit turned on, DHCP turned off, a different-than-normal local IP range, and it no longer broadcasts the network name.

Trying to break into my system would be like trying to break into Scrooge McDuck's big vault.
 
I just download the Security Updates from Apple when they arrive. I'm on a cable modem with a router. Just a question since I never really paid much attention to this sort of thing before. What are the reasons for being so serious about security? OS X is very secure to begin with. What are some reasons for adding Firewalls, IP encryption, etc? Do you all work for the government or have a hard drive full of credit card numbers? A business is one thing but I don't understand the need for all this protection for an individual on their home computer. I can't imagine anyone trying to hack into my machine. All they'd find is a bunch of worthless crap, and maybe a little porn;) I'm getting ready for Apple Certification exams and I'd like to hear as much about this as I can. Thanks.
 
Originally posted by Daveman Deluxe
Trying to break into my system would be like trying to break into Scrooge McDuck's big vault.

I remember when his kids had to go into the vault for some reason, the password was "cash" :)

I can't believe I remembered that! I probably haven't seen it in about 10 years, I've got a memory for stupid little things like that. I also remember Scrooge asking if he could have more than one cheese sample, then taking the whole tray and having them for dinner.

There goes my daily off-topic post :D
 
Secure? bah, who has time for security. I'm on a modem so if I feel more laggish than normal I just yank the telephone line from my computer.
 
Originally posted by Nermal
I remember when his kids had to go into the vault for some reason, the password was "cash" :)

I can't believe I remembered that! I probably haven't seen it in about 10 years, I've got a memory for stupid little things like that. I also remember Scrooge asking if he could have more than one cheese sample, then taking the whole tray and having them for dinner.

There goes my daily off-topic post :D

"The password is... one!"
"One!"
"One!"
"Two!"
"Two!"
"Two!"
"Three."
"Three!"
"Three!"

...and so on. Bonus points to those that can place THAT quote.
 
I have the OS X firewall on and I am behind a router, so I guess I'm fine. All people would find on my hard drive is a lot of No Doubt songs. A lot of them.
 
SpaceBalls!

Originally posted by Daveman Deluxe
"The password is... one!"
"One!"
"One!"
"Two!"
"Two!"
"Two!"
"Three."
"Three!"
"Three!"

...and so on. Bonus points to those that can place THAT quote.

Damn, now I've got to change my password!
 
Originally posted by tjwett
Just a question since I never really paid much attention to this sort of thing before. What are the reasons for being so serious about security? OS X is very secure to begin with. What are some reasons for adding Firewalls, IP encryption, etc? Do you all work for the government or have a hard drive full of credit card numbers? A business is one thing but I don't understand the need for all this protection for an individual on their home computer....I'm getting ready for Apple Certification exams and I'd like to hear as much about this as I can. Thanks.

I won't speak for everyone, but once you start doing P2P, you expose yourself to a lot of bad people on the internet. Kazaa, for example, is full of people ping flooding and port scanning, just looking for a weak machine to exploit. My friend's machine was scanned and people in Korea tried to trojan horse him twice in one day; he traced the IP and reported them to their ISP, and a week later the same IP tried to trojan him 5 more times :mad:

From past experience, "security through obscurity" doesn't work as your machine will be found eventually. Also a poorly maintained UNIX box can be vulnerable as well (just not as much as a Windows box.)

Also, besides looking at the data on your machine, attackers may use your machine as a drone in a DoS attack, using YOUR IP and YOUR machine.

If you knew this already, I apologize for wasting your time; if not, time to start reading up ;)
 
The main thing I'm worried about is the potential for wardrivers to pick up the odd credit card number when I'm ordering something online. That's why I use WEP encryption and all that. There's a report on arstechnica.com where the author was able to pick up several unencrypted and completely unprotected 802.11b networks from 3,000 feet up in an airplane. Scary business, especially since he was picking up signals over the commercial district of San Francisco.
 
Well... firstly there's the ADSL modem, then that connects to a router that I think has a built-in firewall, then that goes to everywhere in the house. And the whole house is networked so there's about 15+ ports all over the place, so depending on which room you're in the IP changes (or something like that).

I don't know much about that stuff, but it's supposed to be really hard to get through... unless someone opens a port that I'm using. Actually, my little brother (PC guru) was going to open a port I was using and get someone he knows to try and hack me.:p :cool:
 
Originally posted by 5300cs
I won't speak for everyone, but once you start doing P2P, you expose yourself to a lot of bad people on the internet. Kazaa, for example, is full of people ping flooding and port scanning, just looking for a weak machine to exploit. My friend's machine was scanned and people in Korea tried to trojan horse him twice in one day; he traced the IP and reported them to their ISP, and a week later the same IP tried to trojan him 5 more times :mad:

From past experience, "security through obscurity" doesn't work as your machine will be found eventually. Also a poorly maintained UNIX box can be vulnerable as well (just not as much as a Windows box.)

Also, besides looking at the data on your machine, attackers may use your machine as a drone in a DoS attack, using YOUR IP and YOUR machine.

If you knew this already, I apologize for wasting your time; if not, time to start reading up ;)

Thanks for all that info. I've been hearing about this sort of hijacking thing a lot lately. I thought it was only possible to get hijacked if you had dial-up and were connected to the phone line. Sounds crazy. Can Macs get hijacked and used when they are sleeping?
 
Speaking of 'hijacking'... that reminds me of a funny story of people going around and taking over people's Hotline servers.

Basically they just sent people a "list" of files that they had to offer, which was an AppleScript with a text file icon. Then people open it and think it doesn't work, but then the script goes and collects all the users' info, admin passwords etc. Then the people log back in with an admin password and boot everyone from the server and block them so that they have complete control of it.

There's a full text document of the whole thing, funny stuff.
 
tjwett;

I have no real need for securing my machine, there's nothing that important on it. I'm just interested, and it's an interest that's growing. Most other forums are full of people who don't know much and say a lot, but generally the members of macrumors are pretty well versed in all things Mac! That's why I post more technical things here.

5300cs;
Good info, the hijacking is one thing I was going to post. I'm not too bothered about the security of my PCs anymore, I just don't use them enough to justify it, and I have drive images that are regularly restored.

MrMacMan;
Good link yes. I've been there before, I left it at first because it seemed to have stopped being updated. Reading through all the articles has given me some new info, but most seems to be "you must secure your computer" rather than "this is how you secure your computer"

All other contributors;
Thanks for the info, I'm in pretty much the same boat at the moment. Cable modem, Airport Extreme, Mac OS X firewall enabled.

Anyway, all info is appreciated, no matter how small!

AppleMatt
 
Nobody mentioned this, so I'll chime in. OS X has network services *off* by default. MS has everything under the sun *on* by default. You can't get into a port on the Mac unless you go into your preferences and turn it on, and you have to have admin privileges to do that. Then, of course, you have your built-in firewall, which only allows connections that originate from your machine, out of the box.
 
Originally posted by AppleMatt
I have no real need for securing my machine, there's nothing that important on it. I'm just interested, and it's an interest that's growing.

It's becoming an interest of mine too lately, especially since I'm studying for my Apple Certs soon. I just picked up an excellent book entitled "Mac OS X Maximum Security". Really good stuff.
 
Sams Teach Yourself UNIX System Administration is a good book too, but it covers OS X 10.1 (before bash was included, and so on.)

I don't think Macs can be gotten into when they are sleeping, but that question got me thinking about the option "Wake for Network maintenance" or something like that...anyone know what that does? ("Wake when modem detects a ring" could be used for remote administration back in the day.)

Old MacOS (like 7.x or 8.something) had some small port openings I remember reading about a long time ago.
I like the fact that OS X comes with everything OFF, and NO TELNET. Telnet & FTP have to be the top 2 security holes for any *NIX system. The above mentioned book has a good method for enabling anonymous FTP (suicide in terms of security) where a fake etc/passwd file is made, and a /bin is also made for just the FTPers so they can't replace things like /bin/ls with their own version to grab passwords.

What worries me a little is that in the Linux world (especially Debian) there are weekly & monthly security updates for a lot of the packages, but with OS X, security updates are rare. Are they ignoring things, or is everything OK security-wise?
 
I've got a Netscreen 5XP here at home protecting my Power Mac, my girlfriend's Dell Inspiron, and whatever else I choose to connect to it (including my base station). NAT on, DHCP on, using 172.16 for addressing. Permanent DHCP lease for the Power Mac and PowerBook (see below).

The OS X firewall is that of FreeBSD - ipfw with an implicit permit as the last rule. Turn "On" the OS X firewall and try a "sudo ipfw list" in your Terminal. Given the fact that ipfw is supported under OS X it should be very easy for those converting from FreeBSD, or any similar *nix, to tweak to perfection.

I've got a /29 with my DSL so I one-to-one map my Power Mac (iTunes sharing for me at work, httpd for testing, etc), and my PowerBook (if anyone has found a better way to use battle.net I'm all ears - but doing a one-to-one NAT was the only way it seemed to work with custom games).

I'm a strong believer in an implicit deny firewall setup. That is to say: only allow incoming connections that you absolutely *have* to and deny all the rest.
 
Originally posted by BrandonRP0123
I'm a strong believer in an implicit deny firewall setup. That is to say; only allow incoming connections that you absolutely *have* to and deny all the rest.

I was told that denying a connection is bad, as it proves your machine exists to scanners. Apparently 'ignoring' the request until it times out is the best, as it appears as if your machine doesn't exist/is switched off.

Anyone know any different?

AppleMatt
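The implicit-permit tail rule BrandonRP0123 describes for the OS X ipfw ruleset, the implicit-deny setup he prefers, and the deny-versus-ignore question AppleMatt raises above, modelled in an added Python example (not code from the thread; rule fields and probe ports are constructed): a first-match filter run over a few inbound probes, showing what each tail rule leaves visible to a remote prober.

```python
# Added example (not from the thread): a small model of ipfw-style first-match
# filtering, contrasting the implicit-permit tail rule described for the OS X
# firewall with an implicit-deny tail, and a 'reject' (host answers) with a
# silent 'deny'. Rule fields and probe ports are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str               # "allow", "deny" (silent drop) or "reject" (send RST/ICMP)
    proto: str                # "tcp", "udp" or "ip" (matches either)
    dst_port: Optional[int]   # None matches any port


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first rule that matches pkt (ipfw semantics)."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        return r.action
    raise ValueError("ruleset has no catch-all last rule")


def scanner_sees(action: str) -> str:
    """What a remote probe of that port observes under each action."""
    return {"allow": "open",
            "reject": "closed (host answered)",
            "deny": "filtered (no reply, probe times out)"}[action]


# Services the owner actually wants reachable, followed by three possible tails.
ALLOWED = [Rule("allow", "tcp", 22), Rule("allow", "tcp", 80)]
IMPLICIT_PERMIT = ALLOWED + [Rule("allow", "ip", None)]   # OS X ipfw default tail
IMPLICIT_DENY = ALLOWED + [Rule("deny", "ip", None)]      # silently drop the rest
REJECT_TAIL = ALLOWED + [Rule("reject", "ip", None)]      # refuse, but answer


def audit(rules: List[Rule], probes: List[Packet]) -> Dict[Tuple[str, int], str]:
    """Map each probed (proto, port) to what the prober would observe."""
    return {(p.proto, p.dst_port): scanner_sees(evaluate(rules, p)) for p in probes}
```

With the implicit-permit tail every probed port reports "open", which is why the two allow rules alone give no protection; with the deny tail the unwanted ports time out, and with the reject tail they answer, confirming a host is there.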
 