Screen and File sharing security

Discussion in 'macOS' started by WMuntean, Nov 3, 2010.

  1. WMuntean macrumors regular

    Joined:
    Aug 23, 2007
    #1
    I've been using my MacMini as a server to backup and sync several Macs on my local LAN but recently I found the need to access certain files outside my LAN. That said, I set my router to forward ports 548, 9, and 5900 (file sharing, WOL, and screen sharing, respectively) to my MacMini. This has actually worked rather well for me -- other than WOL. So in an attempt to diagnose the WOL issue I started probing my router's incoming logs (to see if I can successfully send a WOL magic packet from outside my network) and that's when I noticed a few random IPs probing port 5900. So my question is, what are some security measures that I can take in order to prevent someone from accessing my MacMini from the open ports?

    In theory couldn't a simple program attempt to repeatedly connect to a port and brute force a password?

    Excuse my naivety with networking, but I'm a little concerned. I did some searching but I couldn't find anything substantial on the forums.

    Any input is much appreciated.
     
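The probing described in the post above can be made visible with a few lines of shell. This is an added example, not code from the thread: it summarises repeated connection attempts per source address against one destination port, which is the pattern a brute-force attempt leaves in a router's incoming log. The log format (`epoch action proto src_ip src_port dst_port`) and the addresses are constructed for the example; a real router's export will need the awk field numbers adjusted.

```shell
#!/bin/sh
# Added example: summarise inbound probes of one port from a router log.
# SAMPLE_LOG is constructed; field layout is:
#   epoch  action  proto  src_ip  src_port  dst_port
SAMPLE_LOG='1288750300 DROP TCP 203.0.113.5 51234 5900
1288750312 DROP TCP 203.0.113.5 51235 5900
1288750320 ACCEPT TCP 198.51.100.7 40001 548
1288750325 DROP TCP 203.0.113.5 51236 5900
1288750345 DROP TCP 203.0.113.5 51237 5900
1288750400 DROP TCP 198.51.100.9 33000 5900
1288750410 DROP UDP 203.0.113.77 9 9'

# probe_summary <dst_port> <min_hits>   (log lines on stdin)
# Prints "src_ip hits seconds_between_first_and_last" for every source
# that hit the port at least <min_hits> times, busiest source first.
# Many hits from one address in a short span is the signature of an
# automated login attempt rather than a stray scan.
probe_summary() {
  awk -v port="$1" -v min="$2" '
    $3 == "TCP" && $6 == port {
      n[$4]++
      if (!($4 in first)) first[$4] = $1
      last[$4] = $1
    }
    END {
      for (ip in n)
        if (n[ip] >= min)
          printf "%s %d %d\n", ip, n[ip], last[ip] - first[ip]
    }
  ' | sort -k2,2nr -k1,1
}

# Run over the constructed sample: sources that hit 5900 three or more times.
printf '%s\n' "$SAMPLE_LOG" | probe_summary 5900 3
```

On the sample this reports one address with four attempts inside 45 seconds, while the single hit from a second address stays below the threshold. Pipe a real log export in place of `$SAMPLE_LOG` and raise or lower the second argument to taste.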
  2. Kholdstate macrumors newbie

    Joined:
    Nov 3, 2010
    #2
    I'm not really sure what WOL is but I had an SSH server running and noticed tonnes of attempts to connect to it (my guess is those were brute force dictionary word attempts on the root user). My solution was to change to a non-standard port which got rid of most if not all of these attempts.

    Else you might consider using VPN...
     
  3. WMuntean thread starter macrumors regular

    Joined:
    Aug 23, 2007
    #3
    Thanks! How were you able to change ports? I can forward a port to a specific internal IP address, but I'm not quite sure how to change the functionality of actual port numbers (if that even makes sense). For example, I opened a free port (8910) and tried to log in using the Screen Sharing app with my external IP followed by :8910 (specifying the open port), however, this didn't seem to work. I've read elsewhere that you can actually forward port numbers to other port numbers, but I'm unaware of that option with my Linksys router, perhaps it's under a nontransparent name.
     
  4. macbook123 macrumors 68000

    Joined:
    Feb 11, 2006
    #4
    What's the best way to log in remotely to the mac I have at home from my laptop while away from home? I'm interested in two ways of doing this:

    1) Using a Terminal, i.e. ssh-based login

    2) Full VNC-type login

    I'm having some trouble figuring out:

    a) what to change about the settings of my home Mac without making it overly insecure. I'm using Snow Leopard on both home and portable Mac

    b) what the IP address to ssh to would be. My provider is Comcast cable. I'm using an Airport Extreme as router.

    Thanks all in advance for your help.
     
  5. LPZ macrumors 65816

    Joined:
    Jul 11, 2006
    #5
    Read up on ssh-tunneling and keypair authentication.
     
  6. Kholdstate macrumors newbie

    Joined:
    Nov 3, 2010
    #6
    WMuntean: I'm not sure about Linksys routers but most routers I've used can be configured to change the port. Mine forwards from 8022 visible on the outside to 22 on the inside.

    Look at this picture of how D-Link works (what they call public and private).

    http://farm4.static.flickr.com/3011/2969650558_809c585bc0.jpg

    It may also be possible to configure the software to run on a different port, I don't think this is possible using the settings in system preferences but if you edit the appropriate configuration file it might work.

    macbook123: This depends entirely on what you want to do with your remote login but based on how you posed the question I'm guessing VNC is the solution for you. In order to get that to work you will need to do port forwarding from your router to your computer at home. Your IP you can find by visiting a site like:

    http://www.whatismyip.com/

    However it is very likely that your provider changes your IP every now and then so you might need to check it more frequently. You could tie a dynamic DNS to your IP and have it updated automatically by configuring your router to do this (if this is a feature available on the Airport) or running software on your computer (not sure about one for Mac). You can get a dynamic DNS on dyndns.com or a multitude of other sites.

    From a security standpoint I don't think the VNC supplied with OS X encrypts the traffic (someone correct me if I'm wrong) so you would be vulnerable to eavesdropping which could be a problem if you use wifi hotspots or don't trust your network administrator at work or something. If you want to be safe against those types of threats you should do what LPZ suggests, else just make sure you have a strong password on your account.
     
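Putting LPZ's advice (#5) and the port mapping from #6 together: the script below is an added example, not code from either poster. It opens an SSH tunnel from the laptop to the home Mac and points the built-in Screen Sharing client at the local end, so the VNC traffic rides inside the encrypted SSH session and port 5900 never has to be forwarded at all; only the SSH port stays open, with password logins refused in favour of the key pair. The hostname `home.example.com`, the account `alice`, and the 8022-to-22 mapping on the router are assumptions for the example.

```shell
#!/bin/sh
# Added example: Screen Sharing over an SSH tunnel instead of an exposed 5900.
# Assumed setup (not from the thread): router forwards external 8022 -> 22 on
# the Mac, the Mac is reachable as home.example.com (a dynamic DNS name), and
# the login there is "alice". One-time preparation on the laptop:
#   ssh-keygen -t rsa            # then append ~/.ssh/id_rsa.pub to
#                                # ~/.ssh/authorized_keys on the home Mac
REMOTE_HOST="${REMOTE_HOST:-home.example.com}"
REMOTE_USER="${REMOTE_USER:-alice}"
SSH_PORT="${SSH_PORT:-8022}"      # public port the router maps to 22 inside
LOCAL_PORT="${LOCAL_PORT:-5901}"  # local end of the tunnel on the laptop
VNC_PORT=5900                     # Screen Sharing listens here on the Mac

# Accept only a plausible TCP port number (1-65535, digits only).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd <local_port> <user> <host> <ssh_port>
# Prints the ssh invocation that carries the tunnel:
#   -N                              no remote shell, the session only forwards
#   -L lport:127.0.0.1:5900         laptop:lport -> (inside SSH) Mac:5900
#   -o ExitOnForwardFailure=yes     fail loudly if lport is already in use
#   -o PasswordAuthentication=no    key pair only; a guessed password is
#                                   useless because it is never offered
tunnel_cmd() {
  lport="$1"; user="$2"; host="$3"; sport="$4"
  valid_port "$lport" && valid_port "$sport" || return 1
  printf 'ssh -N -o ExitOnForwardFailure=yes -o PasswordAuthentication=no -p %s -L %s:127.0.0.1:%s %s@%s' \
    "$sport" "$lport" "$VNC_PORT" "$user" "$host"
}

# Only when RUN_TUNNEL=1 is set: start the tunnel in the background and open
# the built-in Screen Sharing client against the local end of it.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
  cmd=$(tunnel_cmd "$LOCAL_PORT" "$REMOTE_USER" "$REMOTE_HOST" "$SSH_PORT") || {
    echo "invalid port number" >&2; exit 1; }
  $cmd &
  TUNNEL_PID=$!
  sleep 2                                   # give ssh a moment to connect
  open "vnc://127.0.0.1:${LOCAL_PORT}"      # launches Screen Sharing.app
  echo "Tunnel is pid $TUNNEL_PID; stop it with: kill $TUNNEL_PID"
fi
```

Run it as `RUN_TUNNEL=1 sh vnc-tunnel.sh`; the same pattern with `-L 5901:127.0.0.1:548` would carry AFP file sharing through the tunnel, so the 548 forward can be closed as well. With `PasswordAuthentication=no` on the client and, ideally, the matching setting in the Mac's `/etc/sshd_config`, the dictionary attempts Kholdstate describes have nothing to guess against.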
