OSX Server Security Breach ?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by discosoap, Apr 11, 2009.

  1. discosoap macrumors regular

    Mar 20, 2008
    The Netherlands
    Hi all,

    I am using a Mac Mini (10.4.11, 2nd gen 1.66 CD, 2 GB Ram, 2 TB storage) as my file- and ftp server. My Mini is connected to a GB-switch (my Macbook is connected as a client to that switch) and then the switch is connected to a router downstairs which is used in my student home (with 4 other people using the LAN). I want to be the only one able to access it for filesharing from my Macbook (as I don't want to serve my 2TB in data to the internet or my room mates just yet ;) )

    Here is my problem; i regularly restart my server, and last time I did I got the message below. There were 3 file sharing clients connected to my Mini :)eek: Aaaargh!!!!) How is this possible (I am sure it weren't my room mates, as they (and their laptops) were not on the network that time) :confused:???? Where do these connected clients come from ?? The internet (which would be a nightmare/security breach, right)??

    My question; how can I check and manage the number of clients connected to my Mini at any time. How can I ban people from using my Mini. What is a good way to lock down my Mini server (I use a firewalled router, OSX Firewall (stealth mode/udp blocking) and Norton Internet Security (including Firewall) simultaneously ).
    I thought I was protected with 3 firewalls, but I am not. I felt exposed to the internet, and I don't know where to start securing this server. Am I overlooking something here ?? Please, any advice would be greatly appreciated.

    Thanks from Holland :apple:

    Attached Files:

  2. discosoap thread starter macrumors regular

    Mar 20, 2008
    The Netherlands
    Maybe I was not clear ??

    OK, maybe I was not clear ??My basic question is, how can I see who is connected to my server as a file sharing client ?? Obviously there were clients connected who shouldn't have been. (see image below). Anyone, anyone at all please ????

    Attached Files:

  3. discosoap thread starter macrumors regular

    Mar 20, 2008
    The Netherlands
    Please please Help!!!

    Ok so 2 days, no response :confused:. I don't know if my question is not straightforward enough, or whether I am asking the wrong question. I searched the internet and found these apps to monitor connected Apple file share users http://www.hornware.com. This is maybe step 1 to a solution, as it enables me to at least monitor who's connected. However my problem remains; Where do these clients come from, and what is the security risk ?? Isn't there anyone who knows something about file sharing, fileservers etc ?? Please any response would be appreciated :)
  4. Consultant macrumors G5


    Jun 27, 2007
    Well you said 4 other people on your lan.
    Other people can access your public folder.

    Or if you have weak password people might have guessed it.

    Perhaps iTunes music sharing is on?

    Maybe the wireless network is not secured.
  5. discosoap thread starter macrumors regular

    Mar 20, 2008
    The Netherlands
    Dear consultant,

    thanks so much for your response!! However, I am sure my room mates were not on the LAN, in fact I should have been the only one connected at that time. My password is 16 characters long, and is very hard to guess, so I don't see a problem there.
    Itunes music sharing is off (only file sharing and remote desktop are turned on and protected by the OSX firewall). The wireless network is safe enough (WPA), I am sure there were no unauthorised clients connected to the wireless network at the time.

    I understand these are all factors to check, but I am reasonably sure these are not the problem.

    Again, I really don't understand where these clients came from. Are there other ways to check this ?? And what are the security risks when unauthorised file sharing clients are connected. Do they have acces to the full 2 TB, the current user files or only to the Guest folder ???

    Any further help would be greatly appreciated!!
  6. Consultant macrumors G5


    Jun 27, 2007
    Hey discosoap,

    Unless they have your user password or if you install suspicious software, anyone connected can only see your public folder Which is empty by default.

    Few things to check out:

    Log into the router and see what computers are connected

    Open Terminal and enter last

    Open Console for logs
  7. Jimmi1321 macrumors newbie

    Jan 8, 2010
    i resume this thread.

    Same "problem" here.
    Sometime when i close the Imac i got the more useres connected message.

    Seems all ok so far,

    but checking the router i got this...

    Click for full size - Uploaded with plasq's Skitch

    Note My IP is using a wireless antenna:
    So I have a router connected to an alvarion antenna

    Can that user be just another one connected to the same antenna?

    are there security issues??
  8. myjay610 macrumors regular

    Jan 6, 2008
    Do you have public folders enabled? By default most OS X installs will allow people to connect via AFP and see the public folders, if that's the case it could be someone on that. You could try a 'netstat -a | grep tcp' command from the terminal and see what connections you have established over the afpd port (548) at the time you see the message you originally saw.

    Since you ARE running OS X server you could also enable the firewall service and create an explicit allow rule for only the IPs you want to connect over the AFP then everyone else will be implicitly denied.
  9. myjay610 macrumors regular

    Jan 6, 2008
    iTunes music sharing would not show that message since iTunes sharing does not use AFP. That message is only for people who have a connection established on port 548 with the server.
  10. DeepIn2U macrumors 603


    May 30, 2002
    Toronto, Ontario, Canada
    This may not be related ... however, Jimmi, I think you should consider MAC Filtering on your router.
  11. shadyMedia macrumors newbie

    Apr 6, 2009
    I'm guessing that this is just the Regular 10.4 OS and not the Mac OS X Server edition? Correct me if I'm wrong.

    But I would take a look in the secure logs if the "Users" are connecting to a share or the computer in general there should be something on your logs there.

    Did you open Terminal and type last? What did you see there
  12. calderone macrumors 68040


    Aug 28, 2009
    I don't think the OP is running OS X Server. Jimmi could be though.
  13. Jimmi1321 macrumors newbie

    Jan 8, 2010
    Thank you for your help!

    I'm using a regular snow leopard.

    may be it's time to take more care of my imac security
    I had a lot of shared folder wich i used to connect from my powerbook.
    Now i closed some. And i set up only one user to access them.

    As for the mac address. Which ones should i set up?
    imac + powerbook + iphone + (new mbp coming)
    + Alvarion antenna??

    other than terminal last and console should i check something else???
  14. myjay610 macrumors regular

    Jan 6, 2008
    All I do is disable guest access and use a strong password for my account, besides that MAC filtering for me is just extra paranoia...
  15. dinamo9 macrumors member

    Mar 25, 2008
    Opening this thread, as I have the same concern today.
    Got the same message that someone was connected.
    I forgot to remove a folder from my file sharing with some private stuff. Luckily nothing too bad, but I was definitely upset with the files that were in there, if someone got them.

    I only use my computer from home, so today when I was travelling I completely forgot to consider security. I didn't even have a password set on my account, and no firewall.

    Since I got the message that someone was connected when I tried to restart I'm afraid that they may have got access to more then just my shared folder?
    Couple questions.

    1) If I close the lid on my macbook, and therefore connection to internet, does that mean the person connected loses connection to my computer?
    2) How can I find out who actually connected? I did the netstat -a | grep tcp and got a list, but there are no dates or times (would it help to post the list?)

    This is obviously a huge learning lesson, and I immediately beefed up my security, enabled firewall, added a password, and removed shared folders.

    I'm still worried, so any input on what I should be concerned about or how to figure out who may have connected is greatly appreciated.

Share This Page