Hello MrHoffman,
Thanks for the detailed response.
You’ve installed an app that advertises your network location to Google, to allow connections into your Mac. That’s how most of these apps work. That’s also how these apps can punch through a firewall.
Given that this is how they 'have to' work, I wanted to stick with something more reliable, like from Google, than something like TeamViewer.
Any time you specify Admin credentials when installing an app on macOS (as happens with various apps not acquired from the Mac App Store), that app then has full system access. Those apps can also see the local network, and can view unsecured network traffic.
Apps acquired directly from legitimate app vendors usually don’t poke at local security (and somebody usually notices those that do), though some apps also do themselves contain vulnerabilities. And some apps have done sketchy and surprising things.
Apps from the app store do not have full system access, and—absent macOS security vulnerabilities—the app access and reach within macOS is constrained.
How effective are the security settings then? For example, I can block incoming internet connections to apps using the built-in Firewall settings, block full disk access using Privacy settings, etc. It is strange that there is absolutely no built-in way of blocking complete internet access or limiting access to local networks alone. That way there is nothing that malicious apps can send outside of the local network. In those cases we have to rely on 3rd party apps like Radio Silence, which can be used to block total network access for apps that don't need to connect to the internet for core functionality. Unfortunately such firewall-based apps are not available within the App Store.
ssh is a secure tunnel. Current ssh security is pretty solid. sftp uses ssh, and is built and connects using ssh. If you prefer, you can set up and use digital certificates to log into ssh and sftp, which means an attacker will need to have acquired your private key, basically a vastly more complex password, and a password that is never exposed over the network when making a connection. This uses what’s called public-key security.
I’d recommend against using SMB or other file-sharing services over an untrusted connection. Use sftp, or use a VPN, if you must remotely access a file share.
Even if file operations are secure using SSH (I thought SMBv3 is secure too), my concern is how safe it is to give out our login credentials (in the case of a Windows laptop, that would basically be the Microsoft Account credentials). Can these apps use such info for malicious purposes?
If you must expose part of your network for remote access, consider setting up what is known as a DMZ; isolate the remote-accessible systems from other local network hosts, and avoid loading sensitive data onto those remotely-accessible systems.
I will learn about these. Thanks for the guidance.
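
On the ssh public-key login mentioned above: setting up a key does not by itself turn password logins off, so the server configuration is worth checking. This is an added example, not part of the original post. The function names and the sample file are constructed for illustration, and the script reads only the global section of one file (it does not follow `Include` lines or evaluate `Match` conditions).

```shell
#!/bin/sh
# Audit the global section of an sshd_config for key-only login.
# sshd uses the FIRST value it finds for a keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional.

# effective_value FILE KEYWORD[,ALIAS...] DEFAULT -> prints the global value
effective_value() {
    awk -v keys="$2" -v def="$3" '
        BEGIN {
            n = split(tolower(keys), k, ",")
            for (i = 1; i <= n; i++) want[k[i]] = 1
            val = def
        }
        /^[ \t]*#/ { next }                 # commented-out lines have no effect
        { sub(/=/, " ") }                   # accept "Keyword=value" as well
        tolower($1) == "match" { exit }     # global section ends here
        (tolower($1) in want) && !found { val = tolower($2); found = 1 }
        END { print val }
    ' "$1"
}

# audit_key_only FILE -> returns 0 only if password-style logins are off
audit_key_only() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication yes)
    kbd=$(effective_value "$1" \
        KbdInteractiveAuthentication,ChallengeResponseAuthentication yes)
    pk=$(effective_value "$1" PubkeyAuthentication yes)
    [ "$pw" = no ]  || { echo "FAIL: PasswordAuthentication is $pw"; rc=1; }
    [ "$kbd" = no ] || { echo "FAIL: keyboard-interactive is $kbd"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL: PubkeyAuthentication is $pk"; rc=1; }
    return $rc
}

# Constructed sample: keys are enabled, but the password line is still
# commented out and the only "no" sits inside a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PubkeyAuthentication yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
EOF
audit_key_only "$sample" || echo "result: password logins are still possible"
rm -f "$sample"
```

On a real host, `sshd -T` (run as root) prints the configuration sshd actually resolves and is the authoritative check.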