Do I Need to Secure Remote Screen Share?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by bob616, Aug 2, 2015.

  1. bob616 macrumors 6502
     Joined: Jul 12, 2008
     #1
  2. NazgulRR macrumors 6502
     Joined: Oct 4, 2010
     #2
  3. Cybaru macrumors newbie
     Joined: Aug 12, 2015
     Location: Iowa
     #3
    I agree with NazgulRR. I never do VNC/screen sharing directly over the internet. I use the SSH tunnel option, preferably using SSH key-based authentication instead of a password. In addition to many desktop VNC applications, there are a number of iOS apps that support VNC over SSH with key-based authentication, including Jump Remote Desktop.

    Here's documentation from Apple about how to set up an SSH key pair:
    https://help.apple.com/advancedserveradmin/mac/4.0/#/apd3D410789-F9BD-4D8B-919F-3A1977007068

    That article is from Apple's Advanced Server Administration guide, but it should work the same on any recent version of OS X (including non-server versions).

    If your remote machine is running OS X Server, you should also seriously consider enabling the Application Firewall. This adds dynamic blacklisting capabilities to the built-in firewall, and it can be configured to block malicious hosts for [X] number of minutes after [Y] number of failed login attempts. The default configuration will block hosts for 15 minutes after 10 failed attempts.

    Documentation for enabling the Application Firewall on 10.7 through 10.10 can be found here:
    https://support.apple.com/en-us/HT200259

    And here:
    https://help.apple.com/advancedserveradmin/mac/4.0/#/apd4288B31F-0C3D-4004-9480-4B7E0AFBB818

    And an overview of the command-line options can be found here:
    http://krypted.com/mac-security/using-afctl-to-manage-the-adaptive-firewall-in-os-x-yosemite-server/

    Pro-tip! Run the afctl command with the -T option to set the failure threshold for blocking a host that's trying to connect. The -H option is used to set how long the host is blocked (in minutes).

    For example, running...
    afctl -T 5
    ...will block the IP address of a host after 5 failed login attempts.

    Running...
    afctl -H 120
    ...will block the IP address of a host for 120 minutes.

    That's probably way more than you wanted to know... but it's important to be cognizant of security these days.
     
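    A small model of the blocking rule described above (block a host for H minutes once it reaches T failed attempts, defaults 10 attempts and 15 minutes, adjustable like afctl -T and -H), added here as an example; it is not afctl's own code or log format, and the sshd-style sample lines, the regex and the state handling are constructed assumptions.

```python
"""Model of an adaptive-firewall rule: a host is blocked for `block_minutes`
once it reaches `threshold` failed logins. Constructed example, not afctl."""
from datetime import datetime, timedelta
import re

# Constructed sample log lines in an sshd-like format (assumption, not real afctl input).
SAMPLE_LOG = """\
2015-08-12 10:00:01 sshd: Failed password for admin from 203.0.113.7 port 51000 ssh2
2015-08-12 10:00:03 sshd: Failed password for admin from 203.0.113.7 port 51001 ssh2
2015-08-12 10:00:05 sshd: Failed password for root from 203.0.113.7 port 51002 ssh2
2015-08-12 10:00:07 sshd: Failed password for root from 203.0.113.7 port 51003 ssh2
2015-08-12 10:00:09 sshd: Failed password for admin from 203.0.113.7 port 51004 ssh2
2015-08-12 10:00:11 sshd: Failed password for admin from 203.0.113.7 port 51005 ssh2
2015-08-12 10:01:00 sshd: Failed password for bob from 198.51.100.22 port 40000 ssh2
2015-08-12 10:01:02 sshd: Failed password for bob from 198.51.100.22 port 40001 ssh2
2015-08-12 10:01:04 sshd: Failed password for bob from 198.51.100.22 port 40002 ssh2
2015-08-12 10:02:00 sshd: Accepted publickey for bob from 192.0.2.9 port 40100 ssh2
"""

# Only failed attempts count; successful key-based logins are ignored.
FAIL_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) sshd: Failed \w+ for .+? from (\S+) port"
)


def failed_logins(log_text):
    """Yield (timestamp, source_ip) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def compute_blocks(log_text, threshold=10, block_minutes=15):
    """Return {ip: (block_start, block_end)} for hosts that hit `threshold`
    failures. Defaults mirror the stated defaults (10 attempts, 15 minutes).
    Attempts arriving while a host is already blocked are not counted again."""
    counts = {}
    blocks = {}
    for ts, ip in failed_logins(log_text):
        if ip in blocks and ts < blocks[ip][1]:
            continue  # still blocked: the connection never reaches the login prompt
        counts[ip] = counts.get(ip, 0) + 1
        if counts[ip] >= threshold:
            blocks[ip] = (ts, ts + timedelta(minutes=block_minutes))
            counts[ip] = 0  # counter restarts once the block expires
    return blocks
```

    With the defaults nothing in the sample is blocked; with the thread's example of -T 5 and -H 120, 203.0.113.7 is blocked at its fifth failure for two hours while the three failures from 198.51.100.22 stay below the threshold.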
  4. NazgulRR macrumors 6502
     Joined: Oct 4, 2010
     #4
    Thanks for the links on SSH key-based authentication.

    One question: I often use SFTP for file access on OSX (Forklift) and iOS (Documents, Infuse, etc.). I authenticate the SFTP connection with the password. Would key-based authentication work for this as well?
     
  5. Altemose macrumors G3
     Joined: Mar 26, 2013
     Location: Elkton, Maryland
     #5
    Leaving an open port on any network is a security risk.
     
  6. Cybaru macrumors newbie
     Joined: Aug 12, 2015
     Location: Iowa
     #6
    I would assume so. SFTP is FTP over SSH. I don't normally use FTP, so I've never attempted doing SFTP with SSH keys.
     
  7. Cybaru macrumors newbie
     Joined: Aug 12, 2015
     Location: Iowa
     #7
    You are correct. I avoid leaving ports completely open whenever possible. I use a pfSense-based firewall to set up access rules for ports that I need to use remotely (e.g. Allow access to port 22 from these 4 IP addresses only. Deny all others.)

    For ports that must be left open (like port 25 for SMTP), I suggest using an in-line network Intrusion Detection/Prevention System (IDPS) to detect and mitigate malicious activity, as well as country-blocks and other blacklists. Network DMZs, ACLs, and defense-in-depth network topologies are important, too. And don't forget to use strong, routinely-changed administrator passwords, and to install security patches in a timely manner.

    None of these methods are guaranteed to be absolutely 100% secure. But a well-trained and properly equipped Security Incident Response Team can continuously monitor alerts, investigate alarms, and make changes/contain threats quickly.

    No one should leave open ports on a network that contains critical or particularly sensitive data.

    Do not, I repeat, DO NOT leave port 5900 open on your AirPort Extreme and forward it to an iMac (or any computer, for that matter) which contains your financial information, customer data, confidential work data, or sensitive/private health records.

    I apologize, Altemose. This information is primarily for the benefit of the other thread participants.
     
  8. Altemose macrumors G3
     Joined: Mar 26, 2013
     Location: Elkton, Maryland
     #8
    Why are you apologizing? We both agree on the point, and you gave an in-depth, awesome answer describing the risk and methods of mitigating it!
     