Mac Mini Server: Utilization and Security

[mackpro]

Hey Everyone,

I've had my Mac Mini server online (with a static IP) for 4 years thanks to the wonderful folks at Mac Stadium. Here is what I use it for as of now:
- Crashplan backup server for 9 Macs in the field.
- Air Video HD Server for iPhones and Apple TVs.
- Plex server for old home movies.
- General fileserver (via AFP) with 4TB of storage connected.

The primary reason for getting in the Mac Mini server game was to have a solid online and offsite backup solution. However in 4 years I've never had to restore a single file! Been lucky I guess.

I would love to get more suggestions from the community to take better advantage of my server. Does anyone have ideas? (I would also love suggestions for how to keep my server as secure as possible.)

 

[phrehdd]

I would highly suggest you do an exercise where you do a real restore. A fail over or disaster recovery isn't a real fail over or disaster recovery until you do one.

Also, consider putting up either a proxy or external firewall. The former could be set with some firewall settings or just get the firewall. An alternative is to use software that reports to you your ports, you elect to close down those you don't need and/or get a learning software firewall that you slowly implement by learning which ports you really do use and why.

The above may seem like a great bit of work but it really isn't and is just the most basic of decent examples of security for any computer that can hook up to the Internet. Some routers are pretty "smart" these days and can take on some of the work as well and that might be the first place to start (other than Apple's routers which have far less control though easy to set up).

 

[mackpro]

I would highly suggest you do an exercise where you do a real restore. A fail over or disaster recovery isn't a real fail over or disaster recovery until you do one.

Also, consider putting up either a proxy or external firewall. The former could be set with some firewall settings or just get the firewall. An alternative is to use software that reports to you your ports, you elect to close down those you don't need and/or get a learning software firewall that you slowly implement by learning which ports you really do use and why.

The above may seem like a great bit of work but it really isn't and is just the most basic of decent examples of security for any computer that can hook up to the Internet. Some routers are pretty "smart" these days and can take on some of the work as well and that might be the first place to start (other than Apple's routers which have far less control though easy to set up).

Excellent suggestion, which learning software firewall would you recommend?

Also, the restore is a great idea. I've done restores for the remote Macs but never for the server itself. Would be a hell of a restore with over 7 TB of data being synced with Crash Plan.

 

[phrehdd]

Oh you are asking a question that requires your* taste and time. There are a few out there but I'll cut to the quick here so you have some ideas for trial and decide what you prefer. I'll just say I prefer hardware firewalls and for larger set ups, also proxy servers but here goes.

To keep this short I'll suggest two to start with -

1) Murus
2) LittleSnitch

Murus exploits the actual built in firewall and gives far better access ease than going to terminal to engage this BSD Unix firewall found in OSX. The GUI front end offered by OSX via System Preferences is in two words - pathetic and crippled.

LittleSnitch is not a bad app but its more about learning how to use it. As the name implies, it reports back activities and related info. You can then set up rules based on this.

I'll just say you might start with concepts such as "white list," "black list" and controlling "ports." Of the latter, it is not a bad practice to shut down/block ports that normally are not used by your system. Some ports of course you want to keep open. Fortunately OSX installed isn't as "open" as Windows.