The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   Networking (http://hintsforums.macworld.com/forumdisplay.php?f=14)
-   -   Security Questions. (http://hintsforums.macworld.com/showthread.php?t=27589)

macmath 09-02-2004 07:50 PM

Security Questions.
 
Hi. I just Monday joined the 'broadband' group when I got a DSL account.

I read some threads here and toyed around a bit and was able to successfully ssh from work to home. Thank you all for your questions and answers in these forums. I think that I can get afp to work over ssh, but I have to get back to my office tomorrow to test my attempt. I'm also going to test whether I can print something from my office to my home printer.

My questions are not related to setting things up, because I think I can find enough information here to set up most things. The thing I really can't make up for by reading is a lack of perspective on security. So here are some questions:

1a. Just how big is the risk of having port 22 open to the world?
b. How about port 80?
c. How about port 515?
d. How about port 548?
2. Are there some additional precautions I should take?
3. I've read some about VPN. Is there any sense in setting up a VPN when this is just a connection between a single machine at work to a single machine at home?

I am careful to make good passwords and passphrases, so that should not be a problem. Anything else that comes to the top of your head/tip of your tongue would be appreciated.

Thank you.

yellow 09-02-2004 08:38 PM

I think you'd definitely benefit from learning to use ipfw from the command line. That way you could change your rules on the fly from a remote location; all you'd have to leave open to the world is ssh. And you can change which port sshd listens on... or is it xinetd that listens and starts sshd when needed?

macmath 09-02-2004 08:50 PM

Quote:

Originally Posted by yellow
I think you'd definitely benefit from learning to use ipfw from the command line. That way you could change your rules on the fly from a remote location; all you'd have to leave open to the world is ssh. And you can change which port sshd listens on... or is it xinetd that listens and starts sshd when needed?

So, you're saying that with ipfw I could open and close ports in the router remotely (as long as ssh is open)? I guess I would ssh into my computer and then use ipfw from within the remote computer to close/open other ports. Ahhh, cool idea.

Is the reason that I would change the port that sshd (or xinetd) listens on to make it more difficult for someone to find an opening into my computer?

Thanks for the information, yellow.

macmath 09-02-2004 08:53 PM

Quote:

Originally Posted by macmath
1a. Just how big is the risk of having port 22 open to the world?
b. How about port 80?
c. How about port 515?
d. How about port 548?
(snip!)
Thank you.

Please excuse the poor question. I know that it is not really quantifiable...
Just answer whatever comes to you in terms of advice to someone who was wanting to do this.

hayne 09-02-2004 09:04 PM

The risk in having a port open is directly related to how "hardened" (resistant to attack, i.e. bug free) the program that is listening at that port is.
E.g. for port 80, the program listening is Apache. If you keep it up to date (as Apple mostly does via SoftwareUpdate), Apache itself is quite resistant to attack. But if you have any CGI scripts installed, the question evolves to how resistant those scripts are to attack.

trevor 09-03-2004 12:01 AM

True, but unless you are actually using any particular port for serving something, you should close it. Apache is great (unlike IIS) but if you aren't serving web pages you should have port 80 closed.

Trevor

hayne 09-03-2004 12:13 AM

Quote:

Originally Posted by trevor
unless you are actually using any particular port for serving something, you should close it

Agreed. No matter how well hardened a program is, it is definitely riskier than no program at all.
I was merely attempting to explain how one might estimate the risk of having open ports.

macmath 09-03-2004 08:54 AM

Quote:

Originally Posted by trevor
True, but unless you are actually using any particular port for serving something, you should close it. Apache is great (unlike IIS) but if you aren't serving web pages you should have port 80 closed.

Trevor

Thanks Trevor and hayne. I have now closed that port...I set it up for a moment just to see that I could.

I've been doing some reading, and I have a few followup questions, if I could.

1. Is there a way to allow connections from a range of addresses (say from 185.x.y.z)? I currently have for ssh:
add 110 allow tcp from any to any 22 in

I know that my address from the university will only be in a specific range, and that seems a lot safer. [Only my computer-literate irate students can come after me.]

2. My router uses NAT. Assuming that I've set up NAT to open port 22 and 548, is it really necessary then to use ipfw except to open and close port 548 remotely as needed (and to limit addresses as in 1).

The reason behind this question is that it will be a while before I know enough about ipfw *not* to close off something needed for the DSL to work properly.

3. What are the default OS X firewall settings? Are they essentially *just* the sharing pane closing various ports?

Thank you.

yellow 09-03-2004 09:12 AM

Quote:

Originally Posted by macmath
1. Is there a way to allow connections from a range of addresses (say from 185.x.y.z)? I currently have for ssh:
add 110 allow tcp from any to any 22 in

allow tcp from 185.0.0.0/8 to any 22 in
or
allow tcp from 185.123.0.0/16 to any 22 in
or
allow tcp from 185.123.123.0/24 to any in

Depending on how many octets you want to apply granular control to.

Quote:

Originally Posted by macmath
2. My router uses NAT. Assuming that I've set up NAT to open port 22 and 548, is it really necessary then to use ipfw except to open and close port 548 remotely as needed (and to limit addresses as in 1).

If you've got a router, you don't really need ipfw. I missed that distinction earlier.

Quote:

Originally Posted by macmath
3. What are the default OS X firewall settings? Are they essentially *just* the sharing pane closing various ports?

Apple's GUIfied ipfw control is worthless.

Default settings are:

allow ip from any to any via lo*
deny ip from 127.0.0.0/8 to any in
deny ip from any to 127.0.0.0/8 in
deny ip from 224.0.0.0/3 to any in
deny tcp from any to 224.0.0.0/3 in
allow tcp from any to any out
allow tcp from any to any established
deny tcp from any to any

trevor 09-03-2004 09:29 AM

Quote:

Originally Posted by yellow
If you've got a router, you don't really need ipfw. I missed that distinction earlier.

Lots of excellent advice here, but the statement above I don't particularly agree with. I guess it's a matter of style or personal preference, but I'm the kind of person who locks my car when it's in my closed and locked garage. If a thief gets past my garage door, they still have to get past my car doors.

In the case of computer security, even if your router is unassailable (which it isn't), an intruder can insert himself directly on your LAN, especially if you use Airport/802.11x, and then compromise your computer while sitting in a car parked in front of your house, or some other nearby location.

Trevor

yellow 09-03-2004 09:32 AM

Sure. I guess it depends on your level of paranoia.

macmath 09-03-2004 10:08 AM

Quote:

Originally Posted by yellow
allow tcp from 185.0.0.0/8 to any 22 in
or
allow tcp from 185.123.0.0/16 to any 22 in
or
allow tcp from 185.123.123.0/24 to any in

Depending on how many octets you want to apply granular control to.

Thank you very much for your time and useful information. Just one more question (or two) and I think I'll be set.

What does each of the above allow and why 123?

macmath 09-03-2004 10:32 AM

Doh!

With ssh and afp allowed from the router and the Sharing Preference Pane, then it is already allowed for all ranges. Thus, I'd need to tell ipfw to *deny* access to all addresses except the 185.x.y.z range. I guess a reasonable way to do this would be to either
1) Turn off ssh and afp in the Sharing Preference Pane and then use ipfw to allow all ssh and afp for the 185.x.y.z range.
or
2) Leave ssh and afp on in the Sharing Preference Pane, and use ipfw to deny ssh and afp to all and then to allow for the 185.x.y.z range. It reads them and applies them in order...but would it already deny my connection before it realized that I was in the right range and allow my connection?
3) Maybe there is a way to deny for all except 185.x.y.z?

Any preferences here?
Thanks.
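The ordering question in the post above can be checked with a small model of ipfw's first-match behaviour. This is an added example, not code from the thread or from Apple's ipfw; the rule lines, the 185.123.0.0/16 range and the sample addresses are constructed for illustration, and the fall-through default is modelled as deny to match the rule list quoted earlier in the thread.

```python
import ipaddress

# Added example, not code from the thread. It models ipfw's first-match
# evaluation for inbound TCP rules written in the form used in this thread:
#   <number> allow|deny tcp from <src-cidr|any> to any [<port>] in
# Rules are tried in ascending number order and the first match decides; a
# packet matching nothing falls through to deny (constructed assumption).

def parse_rule(text):
    """Turn one ipfw-style rule line into a dict (constructed helper)."""
    parts = text.split()
    num, action, src = int(parts[0]), parts[1], parts[4]
    net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src)
    port = int(parts[7]) if len(parts) > 7 and parts[7].isdigit() else None
    return {"num": num, "action": action, "src": net, "port": port}

def evaluate(rules, src_ip, dport):
    """Return 'allow' or 'deny' for an inbound TCP packet from src_ip to dport."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["num"]):
        if ip in rule["src"] and rule["port"] in (None, dport):
            return rule["action"]
    return "deny"

# Option 2 exactly as worded: deny everything first, then allow the range.
DENY_THEN_ALLOW = [parse_rule(r) for r in (
    "100 deny tcp from any to any 22 in",
    "110 allow tcp from 185.123.0.0/16 to any 22 in",
)]

# The same two rules with the allow numbered lower, so the campus range is
# matched before the catch-all deny is ever reached.
ALLOW_THEN_DENY = [parse_rule(r) for r in (
    "100 allow tcp from 185.123.0.0/16 to any 22 in",
    "110 deny tcp from any to any 22 in",
)]

# The /8 variant from earlier in the thread, for comparing mask granularity.
SLASH_EIGHT = [parse_rule("100 allow tcp from 185.0.0.0/8 to any 22 in"),
               parse_rule("110 deny tcp from any to any 22 in")]

def summary(campus="185.123.4.5", outsider="185.200.4.5"):
    """Verdicts for a campus address and an unrelated 185.x address (constructed)."""
    return {
        "deny_then_allow/campus": evaluate(DENY_THEN_ALLOW, campus, 22),
        "allow_then_deny/campus": evaluate(ALLOW_THEN_DENY, campus, 22),
        "allow_then_deny/outsider": evaluate(ALLOW_THEN_DENY, outsider, 22),
        "slash_eight/outsider": evaluate(SLASH_EIGHT, outsider, 22),
    }
```

Running `summary()` shows that the deny-first ordering blocks the campus address, while the allow-first ordering admits it and still rejects the rest of 185.x, which the /8 rule would let through.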

yellow 09-03-2004 10:48 AM

Quote:

Originally Posted by macmath
What does each of the above allow and why 123?

Purely an example of an IP with more specific octets.
IMO, 185.0.0.0/8 is too open. I doubt that your school is large enough to have all 255 subdomains in the 185.x range. So you should be using at least 185.xxx.0.0/16, where xxx is whatever the next set of numbers is for your school's IP range.

For example, I work at Duke:
Duke University uses 152.3.x.x for its Academic side.
Duke University Health System uses 152.16.x.x for its side.

If I were to allow any 152.x.x.x address to my machine, I'd also be allowing a buncha other colleges in the NC area, the US Department of Transportation, the Department of Veterans Affairs, the Lord Corporation, Glaxo Wellcome, simply to name a few.

So I limit all network connections to my Macs from 152.16.0.0/16. This ensures that I only see Health System traffic.

dafuser 09-03-2004 01:48 PM

Quote:

Originally Posted by macmath
So, you're saying that with ipfw I could open and close ports in the router remotely (as long as ssh is open)? I guess I would ssh into my computer and then use ipfw from within the remote computer to close/open other ports. Ahhh, cool idea.

Is the reason that I would change the port that sshd (or xinetd) listens on to make it more difficult for someone to find an opening into my computer?

Thanks for the information, yellow.

Changing the port SSH listens on to protect your system won't really make your machine more secure. There are tools available which can detect SSH is running on a non-standard port.

Better to use tcp wrappers and only allow connections to your machine on port 22 from specified IP addresses. This is a much better method than just changing SSH from port 22 to some random port.

yellow 09-03-2004 02:01 PM

Quote:

Originally Posted by dafuser
Better to use tcp wrappers and only allow connections to your machine on port 22 from specified IP addresses.

As opposed to using ipfw to do the same thing? What advantages are there to tcpwrappers?

macmath 09-03-2004 03:37 PM

Since I've had the router set up correctly for access to my computer on ports 22 and 548, it seems like my home computer keeps getting new leases from the DHCP server every 1-3 hours. Previously, it had kept them for a whole day (or until I reset it to get myself out of a jam :-)). Since midnight I've gotten a new IP at: 2:14 am, 3:14 am, 4:14 am, 5:14 am, 8:50 am, 10:50 am, 11:50 am, 1:50 pm. I did not connect between midnight and 9am so the resets are not caused by connections. I have an application running which forwards to me the new IP address, but still it plays some havoc with connecting from work. I've checked my system logs and nothing unusual is reported...in fact, things are unusually quiet.

Do you suppose that they or their server are unhappy about me doing this? No rules which I've read say anything about not being allowed to use ssh to connect. They do have, for $5 per month, an add-on for remote web access to the files on my computer but I don't take that as an indication that they do not want me to access my files for free myself. I made the assumption that the $5/mo is making it easy for someone who cannot technically do it themselves.

Are the dynamic IPs really that dynamic or is something funny going on?

yellow 09-03-2004 04:09 PM

Which new DHCP addresses are you getting? New ones from your ISP or new ones from the router?

macmath 09-03-2004 04:39 PM

The router gets a new address from the DHCP server. [I'm assuming. The router always gives an IP of 192.168.1.x to the computer. Something tells me that I might not know enough to interpret your question correctly.]

I try to ssh in and get the message
"ssh: connect to host www.xxx.yyy.zzz port 22: No route to host"
and then after a long delay, IPMenu sends me the message:
"Your IP address has changed to:
aaa.bbb.ccc.ddd"

IPMenu is supposed to send me the new address when it changes, but it is taking a half hour or more before I actually get it here...maybe there are some internet problems today.

macmath 09-03-2004 04:59 PM

Quote:

Originally Posted by macmath
Since midnight I've gotten a new IP at: 2:14 am, 3:14 am, 4:14 am, 5:14 am, 8:50 am, 10:50 am, 11:50 am, 1:50 pm.

Are the dynamic IPs really that dynamic or is something funny going on?

This leads me to believe that IPMenu is sending the IP address every hour if there is a change in the IP address. I may have misinterpreted the meaning of the checkbox "When external IP changes, email:" as being separate from the checkbox relating to frequency of updates. So, the emails might very well be getting to me immediately.

At any rate, the IPs are changing more frequently lately.

yellow 09-03-2004 05:08 PM

I would think then that you need to look at the setting on your router and make sure it's not misconfigured. And/or looking into getting a static IP from your ISP so you can skip all the DHCP foolishness with your router's IP. But, I don't think that your router should be requesting a new DHCP address for itself every hour or so. Of course, this could be a problem on your ISP's end as well. If they are having troubles with their routers or DHCP servers..

dafuser 09-03-2004 07:15 PM

Quote:

Originally Posted by yellow
As opposed to using ipfw to do the same thing? What advantages are there to tcpwrappers?

TCP wrappers allows you to restrict connections not only from specific source IPs; it also allows you to restrict connections from specific users coming from specific IPs, using specific protocols. I don't think IPFW is quite that granular.

yellow 09-03-2004 07:22 PM

Quote:

Originally Posted by dafuser
it allows you to restrict connections from specific users coming from specific IPs, using specific protocols. I don't think IPFW is quite that granular.

Nope, ipfw cannot do that. Thanks for the info.

macmath 09-04-2004 12:18 AM

I returned NAT to normal and then finally reset the router to factory defaults and flushed ipfw as well. Still I'm getting new IPs every couple of hours. Performance is not as good as it once felt in Safari (although I'm probably getting used to it), even though bandwidth speed tests still come out roughly the same. Things are better in Camino.

Thanks for your help. I'm going to use ipfw to restrict the range tightly as yellow suggested earlier. I can't use tcp wrappers, it seems, because I don't have a fixed IP address.

Thank you for your help everyone. I learned what I needed to know for now (although I have a long way to go overall).

macmath 09-06-2004 11:00 AM

I think I have the dynamic nature of the IPs figured out.

I can set it so that the connection is "when needed", "manually", or "always on". By default, it is set to be "when needed". So I'm guessing that after a while it probably timed out and disconnected on its own; why it reconnects on its own (gets a new IP) I'm not sure. Perhaps it gets a new IP upon mouse movement or something like that.

At any rate, I set it to "always on" and I've had the same IP for the last 24 hours. I'm not sure what I'll do long term.

