
Ports Management Question

Thanks -


Is it possible to close open network ports on the newest Mac Pro? We're implementing one as a server in a corporate environment and the in-house security/networking group uses automated security scanning software to "detect" open ports they'll want closed. They will have to be closed too in order to allow the machine on the network. If this can be done can you direct me towards any documentation on how it's done? Thanks.

Posted on Jan 26, 2016 1:41 PM

Question marked as Best reply

Posted on Jan 27, 2016 6:34 AM

In a normal workstation that is behind a firewall you control, NO ports are visible from the internet.


If you are setting up a Mac OS X Server, that software will control what ports are open. Your query may do better on this forum:

Servers and Enterprise Software

7 replies

Jan 27, 2016 6:34 AM in response to mmurray47

As standard very few ports are open on a Mac; Apple only open ports for services that are turned on, and few are turned on as standard. If you do choose to turn a network service on, e.g. screen sharing, then by necessity the relevant port has to be open.

The Mac comes with two built-in software firewalls. The simplest, and sufficient for most people, is accessed in System Preferences -> Security & Privacy under the Firewall tab. A more powerful one, perhaps more suited to a Mac server than a Mac client, is called pf, also known as pfctl. This would be configured via the command line.


You should of course also have a network level firewall to protect your entire network from attacks from outside. This is what Grant was referring to.
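As an added illustration of the pf route John describes (this is example code, not from the thread or from Apple), here is a default-deny ruleset for a Mac used as a server, with the pfctl commands that validate and load it. The corporate subnet, the rules file path and the allowed services (SSH and HTTPS) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny pf ruleset for a Mac used
# as a server, plus the pfctl commands that validate and load it.
CORP_NET="${CORP_NET:-10.0.0.0/8}"                      # placeholder subnet
RULES_FILE="${RULES_FILE:-/etc/pf.corp-server.conf}"    # assumed path

# write_pf_rules FILE: drop every inbound packet except the listed services,
# and only from CORP_NET. Replies to the server's own outbound traffic (NTP,
# DNS, Kerberos) still get back in because "keep state" tracks those flows.
write_pf_rules() {
    cat > "$1" <<EOF
# corp server ruleset: default-deny inbound, explicit allow-list
set skip on lo0
scrub in all
block in log all
pass out all keep state
pass in quick proto icmp from $CORP_NET to any icmp-type echoreq
pass in quick proto tcp from $CORP_NET to any port 22 flags S/SA keep state
pass in quick proto tcp from $CORP_NET to any port 443 flags S/SA keep state
EOF
}

# pf_passed_ports FILE: list the ports the ruleset explicitly passes, so the
# allow-list can be compared line by line with what the scanner reports.
pf_passed_ports() {
    awk '/^pass in/ { for (i = 1; i <= NF; i++) if ($i == "port") print $(i+1) }' "$1"
}

# check_pf_rules FILE: parse-only load (-n); a non-zero exit is a syntax error.
check_pf_rules() { pfctl -nf "$1"; }

# load_pf_rules FILE: replace the running ruleset and switch pf on. pf is off
# by default on macOS and -e only lasts until reboot, so persist the load with
# a LaunchDaemon if the server must come back up filtered. Run as root.
load_pf_rules() {
    pfctl -f "$1" && pfctl -e
    pfctl -sr          # show the rules that are actually loaded
}
```

Write the file, run check_pf_rules before load_pf_rules, and keep an out-of-band way in (console or ARD on the allowed subnet) in case the allow-list is too tight.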

Jan 27, 2016 6:36 AM in response to John Lockwood

Thanks John and Grant. "pf" and "pfctl" were what I was after - more so, some assurance that Apple hasn't locked down the OS so tight that that functionality was no longer available. It's been five years since I've had to re-visit this.


Grant - you probably know security behind the firewall has to be about as good as it needs to be from outside in some organizations. Thanks for the forum recommendation.


Trust me both - I have been through this PCI compliance level exercise with this Windows-centric security group and their, then, Nessus (now "http://www.tenable.com/") scanners, which found tons of stuff. Here's an example of scan results from an old Lion server still in service. You have to justify or figure out a way to close off anything listed.


33929 (1) - PCI DSS compliance
17704 (1) - OpenSSH S/KEY Authentication Account Enumeration
17705 (1) - OPIE w/ OpenSSH Account Enumeration
17744 (1) - OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing
14272 (25) - netstat portscanner (SSH)
22964 (4) - Service Detection
10180 (1) - Ping the remote host
10267 (1) - SSH Server Type and Version Information
10287 (1) - Traceroute Information
11153 (1) - Service Detection (HELP Request)
11936 (1) - OS Identification
12264 (1) - Record Route
19506 (1) - Nessus Scan Information
21745 (1) - Authentication Failure - Local Checks Not Run
25220 (1) - TCP/IP Timestamps Supported
39520 (1) - Backported Security Patch Detection (SSH)
45590 (1) - Common Platform Enumeration (CPE)
54615 (1) - Device Type
56209 (1) - PCI DSS compliance : Remote Access Software Has Been Detected
58651 (1) - Netstat Active Connections


Ports found to be open on 10.x.x.x:
tcp/22, tcp/443, tcp/625, tcp/1640, tcp/5218
udp/88, udp/123, udp/137, udp/138, udp/464, udp/3283, udp/3659, udp/5353, udp/50007, udp/53568, udp/56064, udp/58499, udp/58872, udp/61289, udp/61389, udp/61991, udp/63693, udp/64686, udp/64921, udp/65032

Jan 27, 2016 6:49 AM in response to mmurray47

You may find these two official Apple Documents to be of help.


TCP and UDP ports used by Apple software products - Apple Support

OS X Server: Ports used by Profile Manager - Apple Support


You should also note that OS X 10.7, aka Lion, is no longer supported by Apple, just as Windows 2007 Server is no longer supported by Microsoft. As a result it will not be getting security patches.

While there is some argument for keeping even older Mac OS X 10.6.8 servers, aka Snow Leopard Servers, I would suggest replacing that Lion Server with at least a Yosemite/Server.app 5.x server. (Snow Leopard Server is significantly different to newer, i.e. Lion or later, server software from Apple, and in some cases these substantial differences justify keeping such an old server operating system.)

It is possible to turn off SSH on a Mac server; Apple call this 'Remote Login'. SSH is however very useful and can be 'hardened' by disabling logins except for ones using authorized_keys, i.e. disabling plain text password logins.
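As an added example of the SSH hardening John mentions (example code, not from the thread or from Apple): a script that rewrites sshd_config so only authorized_keys logins are accepted, then verifies the result. The directive list is a constructed baseline; two of the Nessus findings in the scan list above (AllowTcpForwarding port bouncing, and the S/KEY/OPIE challenge-response enumeration) are governed by the AllowTcpForwarding and ChallengeResponseAuthentication directives respectively.

```shell
#!/bin/sh
# Added example, not from the thread: harden sshd_config on a Mac server so only
# key-based logins (authorized_keys) are accepted, then check the result.

# harden_sshd_config FILE: set each directive below, rewriting an existing or
# commented-out ("#Key value") line in place and appending directives that are
# absent. Caveat: if FILE ends with a Match block, appended lines land inside
# it, so move them above the first "Match" line in that case.
harden_sshd_config() {
    f="$1"
    for kv in "PasswordAuthentication no" \
              "ChallengeResponseAuthentication no" \
              "PubkeyAuthentication yes" \
              "PermitRootLogin no" \
              "AllowTcpForwarding no" \
              "X11Forwarding no"
    do
        key=${kv%% *}
        awk -v kv="$kv" -v key="$key" '
            tolower($1) == tolower(key) || tolower($1) == tolower("#" key) {
                if (!done) { print kv; done = 1 }   # first hit rewritten, duplicates dropped
                next
            }
            { print }
            END { if (!done) print kv }
        ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# sshd_config_value FILE KEY: effective (last) value of KEY, ignoring comments.
sshd_config_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# check_sshd_config FILE: let sshd parse the file; a non-zero exit means a typo
# that would lock everyone out once the daemon restarts.
check_sshd_config() { sshd -t -f "$1"; }

# On macOS the live file is /etc/ssh/sshd_config. After editing it, restart the
# sshd launchd job (toggling Remote Login in Sharing does this), then confirm
# from another host that a password login is refused while a key login works.
```

Place your public keys in ~/.ssh/authorized_keys for each admin account before running this against the live file, or the next SSH session will be refused.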
