Quick Tips to Foil Mac Break-in Attempts
As Mac users, many of us don't spend as much time worrying about security as our counterparts on other platforms. While it's true that Macs don't encounter as much malware as Windows PCs do, that hardly means we're immune from security risks, as I discovered myself this week.
Breaking and entering
On Tuesday morning, I checked in on some downloads that had been running overnight on my home Mac mini. Strangely, the computer wouldn't respond to either Screen Sharing requests or the Bluetooth keyboard and wireless mouse that I normally use, so I hard restarted it. Upon booting it up again--during which it acted normally--I decided to see if I could figure out what had caused the crash.
My first stop in situations like this is the Console app, which lives in the Applications/Utilities folder. This program lets you access log files for your Mac and its installed software. A quick scan through the All Messages section yielded a possible culprit: one similar line was repeated hundreds of times.
It looked something like this:
6/1/10 9:59:40 AM sandboxd sshd(403) deny mach-per-user-lookup
If that looks like gibberish to you, don't worry: it didn't make much sense to me either. I did know that sshd is the daemon--the background program--for Secure Shell (SSH), which is a remote login protocol.
I threw the whole string into Google and found a suggestion to check another Console log, /private/var/secure.log, for more information. Secure.log is the file where, as the name suggests, OS X logs security-related activity. Sure enough, it was happy to spell out exactly what had happened in gory detail, with hundreds of lines of entries like this:
Jun 1 04:05:41 Defiant sshd: Invalid user admin from 184.108.40.206
Jun 1 04:05:43 Defiant sshd: reverse mapping checking getaddrinfo for ip103.hellovoice.com [220.127.116.11] failed - POSSIBLE BREAK-IN ATTEMPT!
As I skimmed back over the list, it was easy to tell what had happened: some remote source was repeatedly trying to log in to my mini, cycling through a large number of possible usernames and passwords. The hostname hellovoice.com in the second line came from a reverse DNS lookup of the connecting address; the "POSSIBLE BREAK-IN ATTEMPT" warning is sshd's way of saying that it couldn't confirm that name by looking it up forwards again, so the name shouldn't be taken at face value. It appears to belong to a messaging services company based in Asia, though there's a better than even chance that the real culprit had simply co-opted one of that company's computers to do its bidding.
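Reading hundreds of those lines by hand is tedious, so here is a small script that does the skimming. It is an added example, not code from the article: it parses secure.log lines in the two formats quoted above, counts rejected login attempts per source address, records which usernames each source tried, notes the reverse-DNS names that sshd could not verify, and lists any source that crosses a threshold. The log text embedded in it is constructed for the example (the hostname Defiant and the first two addresses are taken from the quoted lines; the rest are made up), and the threshold of three attempts is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /private/var/secure.log lines, modelled on the two
# formats quoted above. Addresses and usernames beyond those two lines are
# invented for the example.
SAMPLE_LOG = """\
Jun 1 04:05:41 Defiant sshd: Invalid user admin from 184.108.40.206
Jun 1 04:05:43 Defiant sshd: reverse mapping checking getaddrinfo for ip103.hellovoice.com [220.127.116.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 1 04:05:44 Defiant sshd: Invalid user test from 184.108.40.206
Jun 1 04:05:46 Defiant sshd: Invalid user oracle from 184.108.40.206
Jun 1 04:05:48 Defiant sshd: Invalid user admin from 220.127.116.11
Jun 1 04:06:01 Defiant sshd: Invalid user guest from 220.127.116.11
Jun 1 09:12:03 Defiant sshd: Invalid user dan from 10.0.1.7
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# sshd may or may not log its PID in brackets, so make that optional.
INVALID_USER = re.compile(r"sshd(?:\[\d+\])?: Invalid user (\S+) from " + IPV4)
REVERSE_FAIL = re.compile(
    r"reverse mapping checking getaddrinfo for (\S+) \[" + IPV4 + r"\] failed"
)


def summarize(log_text, threshold=3):
    """Summarize SSH login rejections found in secure.log text.

    Returns a dict with:
      attempts          -> {source_ip: number of 'Invalid user' lines}
      usernames         -> {source_ip: sorted list of usernames tried}
      unverified_names  -> {source_ip: reverse-DNS name sshd could not confirm}
      suspects          -> sorted source IPs with at least `threshold` attempts
    The threshold is an assumption; pick one that fits your own log volume.
    """
    attempts = Counter()
    usernames = defaultdict(set)
    unverified_names = {}

    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            user, ip = m.groups()
            attempts[ip] += 1
            usernames[ip].add(user)
            continue
        m = REVERSE_FAIL.search(line)
        if m:
            name, ip = m.groups()
            # The name is what reverse DNS claimed; sshd says the forward
            # lookup did not match, so treat it as a hint, not a fact.
            unverified_names[ip] = name

    suspects = sorted(ip for ip, n in attempts.items() if n >= threshold)
    return {
        "attempts": dict(attempts),
        "usernames": {ip: sorted(names) for ip, names in usernames.items()},
        "unverified_names": unverified_names,
        "suspects": suspects,
    }


if __name__ == "__main__":
    # To run against the real file: summarize(open("/private/var/secure.log").read())
    report = summarize(SAMPLE_LOG)
    for ip, n in sorted(report["attempts"].items(), key=lambda kv: -kv[1]):
        flag = " <- brute force" if ip in report["suspects"] else ""
        print(f"{ip}: {n} rejected logins, tried {report['usernames'][ip]}{flag}")
    for ip, name in report["unverified_names"].items():
        print(f"{ip} claimed to be {name}, but the forward lookup did not match")
```

On the sample, the first address is flagged after three distinct usernames, the second is recorded with its unverified reverse-DNS name, and the single failed attempt from the private address is left alone. Bump the threshold up or down to match what you see in your own secure.log.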
While my system remained uncompromised--as far as I can reasonably tell, anyway--the whole experience was still a bit unsettling. Fortunately, there are a couple of simple things that can help protect you from such an attack.
I like my passwords like I like my coffee: strong
The number one point to make is to have strong passwords. Passwords are one of the few aspects of security that are entirely in your hands as a user. You can keep your system up to date with the latest patches, but that won't do you a whit of good if your password is, say, 'password.' Attacks like the one that targeted me work by rotating through an extensive list of commonly used usernames and passwords.
Fortunately, making strong passwords isn't that hard. Mac OS X can even help you gauge a password's strength with its built-in Password Assistant (check out this Mac Gems piece on getting easier access to the utility).
My go-to tip for creating strong passwords that are easy to remember is this: pick a favorite quote, song lyric, or saying and use the first letter of each word. For example, say you're a Dickens fan: you might pick "It was the best of times, it was the worst of times." Then just take the first letter of each word and you get the seemingly gibberish string 'iwtbotiwtwot'. Then throw in a number on the end or beginning--preferably something with some significance, say the year A Tale of Two Cities was published, 1859--and you get 'iwtbotiwtwot1859', the kind of password that people aren't going to remember even if they do see it. But all you need to do to remember it is remember the source quotation. (See Joe Kissell's article on creating strong passwords for more tips.)
No port in a storm
One of the reasons I got into trouble was that I'd set up my mini so I can access it from outside of my home network. That meant configuring my home router to forward certain types of connections to the Mac mini. It's kind of like leaving a window open a crack: It's handy, in case you lock yourself out, but it also means that a thief might be able to crawl through if they happen to find it.
Many services, such as the remote login protocol that this attack targeted, rely on an open network port. Think of these ports a bit like a set of office mailboxes: messages for specific people go into specific pigeonholes. SSH usually "listens" for traffic on port 22, which makes it an easy target: a malicious party already knows where that open window is likely to be.
I'd told my router, an AirPort Extreme, to forward any connection requests on port 22 to the mini's port 22. That way, whenever I connect to my router's external address (which is configured with Dynamic DNS) on port 22, I can log into the mini and have access to my files.
That same convenience opened me up to attacks like the one I encountered. However, there's one simple workaround that helps obscure which port is open: change the port on the router. Instead of having the router forward connections on port 22 to port 22 on the mini, have the router forward connections on port, say, 5201 (or any other port that isn't commonly used) to port 22 on the mini.
On the AirPort Extreme, setting this up is a snap. Just fire up the AirPort Utility in Applications/Utilities, switch to Manual Setup mode in the Base Station menu, and click on the Advanced icon. In the Port Mapping section, you can add a new forward by clicking the Plus button and filling out the public port--in this case, 5201 or whatever you've chosen--and the private IP address of the machine you want to forward to, as well as the port on that machine: here, that's 22. Then you just have to remember to specify the new public port when you're using the remote login feature (most clients have a field that lets you enter that). Most other routers allow for similar port forwarding capabilities as well.
It's important to note that this doesn't in any way make your machine bulletproof. Techniques exist to tell an attacker which ports are open on a given computer (like casing a house for that open window), so anyone dedicated to breaking into your machine won't be easily thwarted by a moved port. That's why it's best to make sure that both your Mac's firewall (in the Security preference pane) and your router's firewall are set up to allow as few connections as possible. And if you're comfortable with the command line, switching SSH to public-key authentication and turning off password logins in sshd's configuration takes password guessing off the table entirely.
But if you want to retain the ability to remotely log into your computer, this ought to help you deter many of those common brute force attacks. At which point, you'd better have made strong passwords for all your accounts.
It's a scary world out there on the Internet, and as safe and secure as we might feel on our Macs, it's always important to take precautions. But you don't have to create an underground survival bunker to be safe--just remember to close your windows and lock your doors. While some will advocate taking things to extremes, security is always a trade-off and, as any expert will tell you, the only truly secure system is the one with no users.