setting up a sharepoint

[aicul]

Hello,

I used to use SERVER to setup a sharepoint to access files remotely. Unfortunately, something has gone wrong and cannot get the SERVER sharepoint to work again.

As this setup is old (2 years) i'm wondering if there i a simpler way to setup a sharepoint for my internally held files so that I can access them remotely. I do not wish to use services such as DropBox as I already have the storage space locally at home.

Thanks for any useful tips.

 

[Mikael H]

Hello,

I used to use SERVER to setup a sharepoint to access files remotely. Unfortunately, something has gone wrong and cannot get the SERVER sharepoint to work again.

As this setup is old (2 years) i'm wondering if there i a simpler way to setup a sharepoint for my internally held files so that I can access them remotely. I do not wish to use services such as DropBox as I already have the storage space locally at home.

Thanks for any useful tips.

First of all two warnings:
Sharing files over the Internet using any protocol introduces a risk if you don't set it up correctly.
Sharing files over an unencrypted protocol means that anyone on the same network potentially can read not only your files as you transfer them, but also your login credentials. This in turn means that you're pretty much handing out control over your computer to anyone even mildly interested any time you log on to such a service.

With that out of the way:
macOS provides an excellent way of sharing files in a relatively secure manner using SSH/SFTP, which is encrypted.
The way I would do this, if I had to, would follow these approximate steps:
- Create a low rights user with a randomly generated, STRONG password (16 or more characters), and store the password in your password manager.
- Create a directory to share, accessible only by you and this low rights user, in the low rights user's home directory.
- In System Preferences -> Sharing, click Remote Login. In the Allow access for-area, select "Only these users", remove the Administrators group, and add your low-rights user.
- Activate Remote Login by checking the box.
- Create a port forwarding rule in your firewall from an arbitrary external port (>1024<65535) to port 22 on the Mac to limit the number of automated attacks on your system.

After this you should be able to reach the folders of this low rights user either by making a remote connection (⌘+K) to sftp://username:*@yourIPaddressOrDNSname:theExternalPort, or from the terminal by running sftp yourIPaddressOrDNSname -P theExternalPort and logging in.

Note, though, that this also opens up CLI access to your computer for your chosen user, so any known or unknown exploits that would let an attacker escalate their privilege level can be used to completely own your computer. Again: Use a GOOD password.
Even better: Read up on key based authentication and configure your SSH server to only allow that, if possible.

 

[aicul]

I truly appreciate the detailed response.

First an aside: I do not need more security than a password, truthfully if someone wants to read my documents I'll freely send them out. But lets not focus on the security aspect, I need the functionality of remote file access.

Also realise that I missed providing information that could be useful. There is a dedicated IP address which is correctly linked to a domain name.

In the past SERVER provided this simple setup quite nicely. But your suggestion is to use OSX remote login and a dedicated use id to channel data flow only to the drives I wish to see externally.

Concerning (s)FTP I understand I cannot delete with that feature, is that still true.

To be complete I have OSX 10.12.6 and Server 5.2

 

[Mikael H]

I truly appreciate the detailed response.

First an aside: I do not need more security than a password, truthfully if someone wants to read my documents I'll freely send them out. But lets not focus on the security aspect, I need the functionality of remote file access.

Also realise that I missed providing information that could be useful. There is a dedicated IP address which is correctly linked to a domain name.

In the past SERVER provided this simple setup quite nicely. But your suggestion is to use OSX remote login and a dedicated use id to channel data flow only to the drives I wish to see externally.

Concerning (s)FTP I understand I cannot delete with that feature, is that still true.

To be complete I have OSX 10.12.6 and Server 5.2

The regular file sharing functionality that was available in older OS X Server installations was, if I recall correctly, based on the protocols AFP or SMB. It would not be a good idea to present any of those protocols over an Internet-facing connection if you had a choice at all today. Again: Not only do you need to consider the potential security of your documents, but you also need to think of the security of your entire computer. I mentioned automated cracking attempts for the SFTP protocol earlier. That's not the only kind of attack attempts I see in my firewall logs... These old protocols were originally constructed for use within a local area network at a time when system developers could afford being a lot more naïve.
To support my point, Apple's current documentation actually mentions SFTP as the go-to protocol for file sharing.
(https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf)

I've never had issues deleting files over SFTP. Perhaps your experience was from a server that explicitly disallowed that function?

 

[aicul]

point taken; I need a file share to upload onto remote PCs software that is readily available on the web, the only reason I have a share is to have them all in one spot.

There is a time when security is not requires, and yes... that mac is an old mac that is not connected to anything else except the web.

I need the functionality not the security (as that has been physically taken care of).

 

[Mikael H]

point taken; I need a file share to upload onto remote PCs software that is readily available on the web, the only reason I have a share is to have them all in one spot.

There is a time when security is not requires, and yes... that mac is an old mac that is not connected to anything else except the web.

I need the functionality not the security (as that has been physically taken care of).

Ah, that's good.

Unfortunately that also means that we're at the end of my ability to give any concrete help for the moment, since I don't have any machine available running older versions of macOS or the Server app.
In modern macOS versions, however, you'll find the file sharing settings under System Preferences -> Sharing -> File Sharing. If you have it there, check the settings, and try turning the sharing off and back on again in case some setting "rotted" for you.
Behind the Options button you can choose whether to serve files over AFP or SMB, and of the two, SMB should be the better protocol.

Some general troubleshooting tips:
- A very basic thing to test would be to physically connect another computer to the mac in question to see whether it can access the share with no other complicating factors involved.
- It should be possible to find out the name of the service providing the file share, and to a) check that it's alive, and b) search for messages from the service in the system logs to identify potential anomalies. I suspect the service is regular Samba, in which case the service name probably is smbd.
- Also double-check the firewall settings so it doesn't drop the kind of traffic you intend to use. (If you're not connected to anything dangerous you may temporarily turn off the firewall entirely to eliminate that factor from your trouble shooting).

If you get it working within your own network, or at least between two computers connected directly to each other, the next step is to make sure you've opened up for the correct protocol/ports in your Internet router.

 

[jtara]

"Sharepoint" is a Microsoft Office thingie. And a blast from the past!

Tell us more about the files. What kind, how many, how much storage? Who will be accessing these files? You, others, or both?

I would recommend using one of the cloud services instead. Most/all have a way of giving others access to some/all of the files. And that way, nobody is accessing YOUR computer. If you will use it to access some files e.g. when you are away with a notebook, then you won't need to leave your computer at home/office on.

Opening a port on your router to forward to your computer is generally a Bad Idea. You are ASKING for trouble. You are potentially opening up your whole computer (and others on your local network) to intrusion. All it takes is a misconfiguration or a vulnerability in the server software that is either unknown or unknown to you.

If it is just you, why not use iCloud?

Google Drive is also a popular choice.

Each cloud storage service typically has it's own app, and/or web access, and/or the ability to extend the MacOS filesystem to "see" your cloud files.

As well, there are third-party apps that can access multiple cloud services and extends the MacOS filesystem to access files transparently. CloudMounter is one that I use.

If you are on a budget, then raw S3 object storage (either on Amazon, or other cloud providers - IBM, others...) is cheaper than the consumer cloud storage offerings, and can be quite a bit less expensive. CloudMounter and similar apps can use it. As well, some popular backup apps can use it as well.

 

[aicul]

What surprises me in all this is that, once one states that there is "NO SPECIFIC SECURITY CONCERN" people actually persist in security.

Security is not a functionality in my case, its just a feature and its very low in the priority list.

Its more important for me to access the files, because not accessing files that are "public" is equivalent of no work.

But thanks for the feedback anyway.

 

[Mikael H]

What surprises me in all this is that, once one states that there is "NO SPECIFIC SECURITY CONCERN" people actually persist in security.

That's because similar to biological disease, a pwned, Internet-connected computer very rarely only affects its owner. Bad security stops being a purely personal choice once you understand that by actively making such a choice you're potentially aiding and abetting any bot net that relies on weaknesses in your specific implementation of the protocol you've opened up as an attack vector.
Now, creating an Internet-accessible SMB file share on a Mac is - for all we know today - less risky than doing the same on one of the old/unsupported versions of Windows, but that still doesn't mean it's a good idea, as I said in an earlier post.

You say that "not accessing files (...) is equivalent of no work". In my first reply, I provided enough information to get you started on a file sharing regime over a protocol that - unlike the SMB protocol - is built from the ground up with security in mind, and which is natively supported on Macs. I still recommend looking into a solution based around SSH/SFTP if at all possible, given your needs, but I do understand that it will require you to read up on something new, and that it may require slight changes to your workflow, with which you may be uncomfortable in the short term.

Ultimately what you elect to do is your choice, but don't be surprised that we who work in the field cringe when we see this kind of naïveté, just like a physician would when reading an anti-vaccination post from a misinformed parent. We deal with the fallout from such bad decisions on a regular basis.

 

[aicul]

Thank you Mikale, but did you read the title of the thread ?

It's "setting up a sharepoint", so ok security, but not ONLY Security.

And for the record your SMB solution did not work.

You can cringe, but I'm not the naive person here, i'm the human, others think that mainstream IT needs to be overcomplicated, it does not, and security is not a function its a feature. Function comes first, features are add-ons that people add if needed.

I'm sure you made a good point on security, my point is getting function (files available) to work, then adding the features (security level) I may need.

But thanks for your attempts to help

 

[Mikael H]

You can cringe, but I'm not the naive person here, i'm the human, others think that mainstream IT needs to be overcomplicated, it does not, and security is not a function its a feature. Function comes first, features are add-ons that people add if needed.

And there you put your finger on the real problem: We've never really had an "Apple of home/small business network security".
There's no other reason than the amount of work involved, for why we couldn't have one-click solutions to sharing files out of our homes, where both the actual sharing and the necessary level of security were the functions (as they should be), and the feature was simplicity.
As it is, the money lies in recurring payments or monetization of users, which pretty much by definition means the simple solutions that do get developed are cloud-based [Something] as a Service models.

Anyway: I don't mean to be a douche here, and I too am sorry that it's not simpler to set stuff up, but I got a bit rubbed the wrong way by your frustration with the tips you did get.

 

[jtara]

You said you need to install software that you store on a dedicated machine on PCs. Do you mean Windows computers, or Macs?

There is a much simpler, faster, and much more secure solution. Why don't you just carry a thumb drive with the needed software?

If you are installing on Macs, there is an easy solution that would download the files from their respective homes, rather than from your remote computer. Homebrew is a program initially meant for installing Linux-y tools on Macs, either pre-compiled or built-on-demand (needs XCode). But recently it's been expanded with "casks" to be able to download and install pretty much any of the applications "readily available on the web". And there is a separate program called mas that can be used with Homebrew to download/install apps from the Mac App Store. You can write a "Brewfile" with a list of applications that you want to download/install. It's a small text file.

There are probably similar programs for Windows.

If this will not work for you, and you still want to expose a mac holding these applications to the world, it would be helpful if you tell us exactly HOW (what program?) did you use in the past to access your "sharepoint". (We can't guess what you mean by "sharepoint"!) Telling us how you did the downloading on the "PCs" would help establish that.

 

[aicul]

Why don't you just carry a thumb drive with the needed software?.

Because I'm human and prefer not to have to carry something, but like to use the advantages of remote availability. And a small card is easily lost.

And there you put your finger on the real problem: We've never really had an "Apple of home/small business network security".

Half agree. But here I am sure you have a more complete view.

The important thing is to realise that function (access to files) does come before any feature (like security). And having a complex secure environment only means a non security specialist does not know when his IT setup is breached (assuming only info is stolen) because only a security specialist can confirm that.

So I thrive in having IT help me rather than for it to add a layer of complication for the all too often easily stated "it's for your security". Once I have classified my data to my own security scheme, I need not add more security than is actually warranted.

I stay on my observation that function (access to files) is far more important to features (security). I do think a standalone Mac that just has the files (in RO) is only exposed to a DOS attack. Such an attack would be equivalent to loosing the smart card that JTARA proposes (loss of access to the files).

Anyway I have finally got the file sharing working, but alas, Apple has removed the option on the Files APP. So I cannot check if I have the files on my phone (like during a meeting) and confirm I can quickly help my customer because I first have to sit at a computer (which I do not do at a meeting).

but I got a bit rubbed the wrong way by your frustration with the tips you did get.

Fair enough, no offense taken and meant.

Thanks all for the help