Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
I agree with NazgulRR. I never do VNC/screen sharing directly over the internet. I use the SSH tunnel option, preferably using SSH key-based authentication instead of a password. In addition to many desktop VNC applications, there are a number of iOS apps that support VNC over SSH with key-based authentication, including Jump Remote Desktop.

Here's documentation from Apple about how to set up an SSH key pair:
https://help.apple.com/advancedserveradmin/mac/4.0/#/apd3D410789-F9BD-4D8B-919F-3A1977007068

That article is from Apple's Advanced Server Administration guide, but it should work the same on any recent version of OS X (including non-server versions).

If your remote machine is running OS X Server, you should also seriously consider enabling the Application Firewall. This adds dynamic blacklisting capabilities to the built-in firewall, and it can be configured to block malicious hosts for [X] number of minutes after [Y] number of failed login attempts. The default configuration will block hosts for 15 minutes after 10 failed attempts.

Documentation for enabling the Application Firewall on 10.7 through 10.10 can be found here:
https://support.apple.com/en-us/HT200259

And here:
https://help.apple.com/advancedserveradmin/mac/4.0/#/apd4288B31F-0C3D-4004-9480-4B7E0AFBB818

And an overview of the command-line options can be found here:
http://krypted.com/mac-security/using-afctl-to-manage-the-adaptive-firewall-in-os-x-yosemite-server/

Pro-tip! Run the afctl command with the -T option to set the failure threshold for blocking a host that's trying to connect. The -H option is used to set how long the host is blocked (in minutes).

For example, running...
afctl -T 5
...will block the IP address of a host after 5 failed login attempts.

Running...
afctl -H 120
...will block the IP address of a host for 120 minutes.

That's probably way more than you wanted to know... but it's important to be cognizant of security these days.
 
I agree with NazgulRR. I never do VNC/screen sharing directly over the internet. I use the SSH tunnel option, preferably using SSH key-based authentication instead of a password. In addition to many desktop VNC applications, there are a number of iOS apps that support VNC over SSH with key-based authentication, including Jump Remote Desktop.

Thanks for the links on SSH key-based authentication.

One question: I often use SFTP for file access on OSX (Forklift) and iOS (Documents, Infuse, etc.). I authenticate the SFTP connection with the password. Would key-based authentication work for this as well?
 
Thanks for the links on SSH key-based authentication.

One question: I often use SFTP for file access on OSX (Forklift) and iOS (Documents, Infuse, etc.). I authenticate the SFTP connection with the password. Would key-based authentication work for this as well?

I would assume so. SFTP is FTP over SSH. I don't normally use FTP, so I've never attempted doing SFTP with SSH keys.
 
Leaving an open port on any network is a security risk.

You are correct. I avoid leaving ports completely open whenever possible. I use a pfSense-based firewall to set up access rules for ports that I need to use remotely (e.g. Allow access to port 22 from these 4 IP addresses only. Deny all others.)

For ports that must be left open (like port 25 for SMTP), I suggest using an in-line network Intrusion Detection/Prevention System (IDPS) to detect and mitigate malicious activity, as well as country-blocks and other blacklists. Network DMZs, ACLs, and defense-in-depth network topologies are important, too. And don't forget to use strong, routinely-changed administrator passwords, and to install security patches in a timely manner.

None of these methods are guaranteed to be absolutely 100% secure. But a well-trained and properly equipped Security Incident Response Team can continuously monitor alerts, investigate alarms, and make changes/contain threats quickly.

No one should leave open ports on a network that contains critical or particularly sensitive data.

Do not, I repeat, DO NOT leave port 5900 open on your AirPort Extreme and forward it to an iMac (or any computer, for that matter) which contains your financial information, customer data, confidential work data, or sensitive/private health records.

I apologize, Altemose. This information is primarily for the benefit of the other thread participants.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.