
Cybrex

macrumors newbie
Aug 12, 2015
10
8
Iowa
I agree with NazgulRR. I never do VNC/screen sharing directly over the internet. I use the SSH tunnel option, preferably using SSH key-based authentication instead of a password. In addition to many desktop VNC applications, there are a number of iOS apps that support VNC over SSH with key-based authentication, including Jump Remote Desktop.

Here's documentation from Apple about how to set up an SSH key pair:
https://help.apple.com/advancedserveradmin/mac/4.0/#/apd3D410789-F9BD-4D8B-919F-3A1977007068

That article is from Apple's Advanced Server Administration guide, but it should work the same on any recent version of OS X (including non-server versions).

If your remote machine is running OS X Server, you should also seriously consider enabling the Application Firewall. This adds dynamic blacklisting capabilities to the built-in firewall, and it can be configured to block malicious hosts for [X] number of minutes after [Y] number of failed login attempts. The default configuration will block hosts for 15 minutes after 10 failed attempts.

Documentation for enabling the Application Firewall on 10.7 through 10.10 can be found here:
https://support.apple.com/en-us/HT200259

And here:
https://help.apple.com/advancedserveradmin/mac/4.0/#/apd4288B31F-0C3D-4004-9480-4B7E0AFBB818

And an overview of the command-line options can be found here:
http://krypted.com/mac-security/using-afctl-to-manage-the-adaptive-firewall-in-os-x-yosemite-server/

Pro-tip! Run the afctl command with the -T option to set the failure threshold for blocking a host that's trying to connect. The -H option is used to set how long the host is blocked (in minutes).

For example, running...
afctl -T 5
...will block the IP address of a host after 5 failed login attempts.

Running...
afctl -H 120
...will block the IP address of a host for 120 minutes.

That's probably way more than you wanted to know... but it's important to be cognizant of security these days.
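The threshold and hold-time settings from the post above (`afctl -T 5`, `afctl -H 120`), worked through as a simplified Python model. This is an added example, not part of the original post and not Apple's implementation. The log lines are constructed, and the counting rules (no sliding window, a successful login resets a host's counter) are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd-style log lines (documentation IP ranges), not real data.
SAMPLE_LOG = """\
2015-08-12T10:00:00 sshd[311]: Failed password for admin from 203.0.113.7 port 50122 ssh2
2015-08-12T10:00:10 sshd[311]: Failed password for admin from 203.0.113.7 port 50123 ssh2
2015-08-12T10:00:20 sshd[311]: Failed password for admin from 203.0.113.7 port 50124 ssh2
2015-08-12T10:00:30 sshd[311]: Failed password for admin from 203.0.113.7 port 50125 ssh2
2015-08-12T10:00:40 sshd[311]: Failed password for admin from 203.0.113.7 port 50126 ssh2
2015-08-12T10:00:50 sshd[311]: Failed password for admin from 203.0.113.7 port 50127 ssh2
2015-08-12T10:01:00 sshd[311]: Failed password for alice from 198.51.100.20 port 50200 ssh2
2015-08-12T10:01:30 sshd[311]: Accepted publickey for alice from 198.51.100.20 port 50201 ssh2
2015-08-12T10:30:00 sshd[311]: Failed password for root from 203.0.113.7 port 50300 ssh2
2015-08-12T12:05:00 sshd[311]: Failed password for root from 203.0.113.7 port 50400 ssh2
"""

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for \S+ from (\S+) ")

def simulate(log_text, threshold=10, hold_minutes=15):
    """Treat each line as a connection attempt; return (blocks, dropped).

    blocks  -- list of (ip, blocked_at, unblocked_at)
    dropped -- attempts that arrived while their source was blocked
    """
    failures = {}       # ip -> failed attempts since last block or success
    blocked_until = {}  # ip -> time the current block expires
    blocks, dropped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        outcome, ip = m.group(2), m.group(3)
        if ip in blocked_until and ts < blocked_until[ip]:
            dropped += 1            # firewall drops it before sshd sees it
            continue
        if outcome == "Accepted":
            failures[ip] = 0        # assumption: success clears the counter
            continue
        failures[ip] = failures.get(ip, 0) + 1
        if failures[ip] >= threshold:
            until = ts + timedelta(minutes=hold_minutes)
            blocked_until[ip] = until
            blocks.append((ip, ts, until))
            failures[ip] = 0
    return blocks, dropped

if __name__ == "__main__":
    print(simulate(SAMPLE_LOG, threshold=5, hold_minutes=120))
```

With the stricter settings the guessing host is cut off at its fifth failure and stays blocked for two hours, while the user who mistyped once and then logged in with a key is never blocked.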
 

NazgulRR

macrumors 6502
Oct 4, 2010
421
82
> I agree with NazgulRR. I never do VNC/screen sharing directly over the internet. I use the SSH tunnel option, preferably using SSH key-based authentication instead of a password. In addition to many desktop VNC applications, there are a number of iOS apps that support VNC over SSH with key-based authentication, including Jump Remote Desktop.

Thanks for the links on SSH key-based authentication.

One question: I often use SFTP for file access on OSX (Forklift) and iOS (Documents, Infuse, etc.). I authenticate the SFTP connection with the password. Would key-based authentication work for this as well?
 

Cybrex

macrumors newbie
Aug 12, 2015
10
8
Iowa
> Thanks for the links on SSH key-based authentication.
>
> One question: I often use SFTP for file access on OSX (Forklift) and iOS (Documents, Infuse, etc.). I authenticate the SFTP connection with the password. Would key-based authentication work for this as well?

I would assume so. SFTP is FTP over SSH. I don't normally use FTP, so I've never attempted doing SFTP with SSH keys.
 

Cybrex

macrumors newbie
Aug 12, 2015
10
8
Iowa
> Leaving an open port on any network is a security risk.

You are correct. I avoid leaving ports completely open whenever possible. I use a pfSense-based firewall to set up access rules for ports that I need to use remotely (e.g. Allow access to port 22 from these 4 IP addresses only. Deny all others.)

For ports that must be left open (like port 25 for SMTP), I suggest using an in-line network Intrusion Detection/Prevention System (IDPS) to detect and mitigate malicious activity, as well as country-blocks and other blacklists. Network DMZs, ACLs, and defense-in-depth network topologies are important, too. And don't forget to use strong, routinely-changed administrator passwords, and to install security patches in a timely manner.

None of these methods are guaranteed to be absolutely 100% secure. But a well-trained and properly equipped Security Incident Response Team can continuously monitor alerts, investigate alarms, and make changes/contain threats quickly.

No one should leave open ports on a network that contains critical or particularly sensitive data.

Do not, I repeat, DO NOT leave port 5900 open on your AirPort Extreme and forward it to an iMac (or any computer, for that matter) which contains your financial information, customer data, confidential work data, or sensitive/private health records.

I apologize, Altemose. This information is primarily for the benefit of the other thread participants.
 