How to prevent login to mac from the Internet and local network?
Is it there a way to prevent logins to a mac completely:
- both from the Internet and local network?
- only from the Internet, retaining the local network logins - from Mac to mac?
You can make a difference in the Apple Support Community!
When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.
When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.
Is it there a way to prevent logins to a mac completely:
1) Don't enable Screen Sharing, VNC, SSH, or File Sharing. These are all configured through the System Preferences.
Don't install or configure any third party apps to allow remote access (Teamviewer, LogMeIn, etc.)
If you have a router at the source of your home network it most likely has your home LAN NAT'd which makes it difficult for anyone on the outside to access a specific machine, but you can still tighten network security by disabling UPnP, disabling remote administrator login & configuration of the router, and tighten the router's firewall settings to block any external network connections and disable port forwarding. How to properly configure & secure your home router in any more detail is beyond the scope of a simple post as each router is different. There are many online instructions for securing a home router. Keep in mind the tighter the router's security settings are it could affect the behavior of some apps such as online games or game consoles.
2) Everything from the answer for #1 apply here too except for whatever access you want to explicitly allow. Configure your home router as mentioned in the second half of the answer to #1 and don't use third party apps for remote access. Your router configuration is the most important for blocking computer access from the Internet, but you need to be careful if you install or use third party apps which allow remote access or sharing to make sure they are properly configured to only do what you want. If you use a cloud based service to access systems remotely, then you need to make sure those accounts are properly secured with two factor authentication.
1) Don't enable Screen Sharing, VNC, SSH, or File Sharing. These are all configured through the System Preferences.
Don't install or configure any third party apps to allow remote access (Teamviewer, LogMeIn, etc.)
If you have a router at the source of your home network it most likely has your home LAN NAT'd which makes it difficult for anyone on the outside to access a specific machine, but you can still tighten network security by disabling UPnP, disabling remote administrator login & configuration of the router, and tighten the router's firewall settings to block any external network connections and disable port forwarding. How to properly configure & secure your home router in any more detail is beyond the scope of a simple post as each router is different. There are many online instructions for securing a home router. Keep in mind the tighter the router's security settings are it could affect the behavior of some apps such as online games or game consoles.
2) Everything from the answer for #1 apply here too except for whatever access you want to explicitly allow. Configure your home router as mentioned in the second half of the answer to #1 and don't use third party apps for remote access. Your router configuration is the most important for blocking computer access from the Internet, but you need to be careful if you install or use third party apps which allow remote access or sharing to make sure they are properly configured to only do what you want. If you use a cloud based service to access systems remotely, then you need to make sure those accounts are properly secured with two factor authentication.
Thanks, indeed if you type in "ssh" in apple settings, amazingly enough you get two prompts, one of which will be remote login.
Anyways, I have tightened up the security settings of my home network for years now and there's not much more to be done, not sacrificing some functionalities completely. Still, I have some concerns especially as my OS X system's quirkiness has been growing with years of not being clean reinstalled. Hence my question accordingly:
Wanting to make a clean-install of the OS X system, do I have to resign to really plain installation with using no data from migration assistant whatsoever? Of course reinstalling applications with migration assistant wouldn't be a wise move, but I believe that in terms of security, data migration shouldn't be much of a problem, after all if I do have some or most files infected, they will be infected anyway till some good antiviral software job done on them. Don't you agree? However, most of all, I fear to migrate system settings, but what exactly is migrated in them? Perhaps there's nothing to fear about because this third part of all parts to be migrated in the migrator consists purely of feel-and-look type of settings having nothing to do with security, so nothing like for example opening some hidden ports I have never opened in system firewall or installing some nefarious scripts deep in the system?
PS. Could you please recommend for OS X some good:
1) antiviruses, having the functionality of scanning for a presence of a virus, malware, whatever suspicious in files and file system?
2) a good, highly developed firewall - scanning, blocking, managing, recording, and doing full statistics (up to months at least) all incoming and outgoing connections from a Mac? If the firewall would speak in terms of processes mostly, not user-friendly names of apps, this firewall should give decent information about the processes too - for example:
a) what is the origin of the process (Apple or not),
b) what are connections to other processes,
c) what urls, IPs, etc, it connects with,
d) are those locations known to be suspicious,
e) are those locations known to be outright criminal or harmful,
d) probably more useful info wouldn't go amiss...
bogmarcin wrote:
Wanting to make a clean-install of the OS X system, do I have to resign to really plain installation with using no data from migration assistant whatsoever?
That is what a clean install means. Erasing the drive and just installing macOS. What if anything you should migrate from a backup is your choice depending on what you are trying to do or resolve.
Of course reinstalling applications with migration assistant wouldn't be a wise move, but I believe that in terms of security, data migration shouldn't be much of a problem, after all if I do have some or most files infected, they will be infected anyway till some good antiviral software job done on them. Don't you agree?
AFAIK there are no viruses on macOS although there is adware and malware. If you have a problem, then migrating always has the chance of bringing the problem back to the clean install.
However, most of all, I fear to migrate system settings, but what exactly is migrated in them? Perhaps there's nothing to fear about because this third part of all parts to be migrated in the migrator consists purely of feel-and-look type of settings having nothing to do with security, so nothing like for example opening some hidden ports I have never opened in system firewall or installing some nefarious scripts deep in the system?
I have no idea what gets migrated with the various selections. It is a mysterious black box. All I know is that I don't trust Migration Assistant if I am trying to eliminate a problem with a clean install. The last time I used it changes made to the macOS system area that I wasn't expecting when I migrated just my user folder (no apps, no system wide settings, etc.). I chose to create a new user account on another clean install and manually migrate my data & the preferences I wanted.
PS. Could you please recommend for OS X some good:
1) antiviruses, having the functionality of scanning for a presence of a virus, malware, whatever suspicious in files and file system?
Not needed or recommended on a Mac as they usually cause more problems than they solve plus they impact system performance. If you believe you have adware or malware installed, then you can use MalwareBytes to scan the system and clean it. MalwareBytes does not need to be running all the time and can be configured not to run the real-time scanner.
2) a good, highly developed firewall - scanning, blocking, managing, recording, and doing full statistics (up to months at least) all incoming and outgoing connections from a Mac? If the firewall would speak in terms of processes mostly, not user-friendly names of apps, this firewall should give decent information about the processes too - for example:
You really shouldn't need any firewall software on a Mac. Most home network routers use NAT so it buffers your system from direct contact from the Internet and many routers have their own built-in firewall which will take care of your whole home network.
If you have to worry about other computers inside your network attacking the Mac, then you may have other issues to address like limiting their software, or putting them onto a separate internal network or VLAN so they cannot directly access your Mac or other systems. Use a guest WiFi network for any "guests" you have that you do not trust since a guest WiFi network usually is separate from the main network.
Like anti-virus software third party security software can cause more problems than it solves and it can impact system performance. I don't have any personal experience with the macOS firewall or any third party apps. Here is an article with some information, but I have no idea how good their information is.
https://www.makeuseof.com/tag/mac-really-need-firewall/
Thank you. I believe this is very relevant to people who have rather complex home networks:
If you have to worry about other computers inside your network attacking the Mac, then you may have other issues to address like limiting their software, or putting them onto a separate internal network or VLAN so they cannot directly access your Mac or other systems. Use a guest WiFi network for any "guests" you have that you do not trust since a guest WiFi network usually is separate from the main network.
Don't you think that someone who has old routers, smart TVs, and a rather complex NAS server should put as many of those devices as possible into separate VLANs of a main, modern and advanced router? I assume that the lost of some local communication can be sacrificed and a secondary router, such as VPN router, although put into VLAN by main router by default, can pass the main router and might be the Achilles heal of a local network because it opens it to the Internet from within (like smart TVs and unlike well managed computers and iOS smartphones in my opinion). In contrast, it seems to me that a router working as AP (extending the wifi coverage of a main router), no matter how old, should not pose much of a threat, should it? (Unless one of the home devices is infected already and need a separate VLAN anyway. Again, I assume that the main router will act as a proper firewall and this AP is just a harmless extension of the wireless network of this Wifi router which takes on all security all the same because the AP is not intended to do any securing but only extending wifi network.)
I believe one can go so far to put every device into separate VLAN and if need be create between them a tunnel connection such as VPN. But I have always run into issues with separate networks and find it hard to connect even separate VLANs, although I believe that establishing VPN through the Internet between them would not be that hard. However, if you simply need it for some remote computer managing, it might be throwing the safety of the local network's ordinary connection with the bathwater of VPN via the Internet. What do you think?
Anyways, are there some simple rules for establishing connections between such networks and subnetworks which would make it easy? In particular, I personally think that easy opening tunnels in local network between specific devices working in separate VLANs would be important and should be a feature of every router but I do not know how to do that and probably it is usually implemented only in rare business routers or you have to learn how to program routers running open-source software. I have already tried to establish such inter-VLAN connections several times on my pretty advanced, but not enterprise class and rather just home router, in sections such as LAN / Route. Unfortunately, with little or no effect so far. But perhaps I don't know how to do this properly. From what I have learnt I figured that the metric should be 1 with one layer of subnets. In other words, a net consisting of main router plus its subnets (say VLANs) directly dependent on the router should be described as metric 1. But perhaps I get it wrong, although I experimented with other metrics and settings too, again to no avail.
Apple! Why on earth one can't edit one's own posts here? I wanted to change this:
" VPN router, although put into VLAN by main router by default, "
which I have written against my intention - I believe typically it's the opposite, i.e. a secondary router is not in a separate VLAN of a main router, although by default the secondary one creates it's own LAN
Not connecting IoT devices at all to the network is the best first step as the manufacturers include insecure junk which include advertisements and data tracking among other things. The "apps" on these devices are usually sub par as well and the vendors don't address security issues properly or in a timely manner since there is no money in it for them to do so. Get a dedicated device to perform the work of any integrated devices such as smart TVs.
Most average home routers don't include the advanced networking features beyond a basic firewall. Most users should not need any complex advanced network configurations. If you are going for advanced networking, then you will most likely need to look elsewhere for advice which specializes in advance network configurations. I'm not a networking expert although I could figure it out in time although I do understand the basics.
How to prevent login to mac from the Internet and local network?