What Are Your Security Settings?

Forum member (joined Jan 10, 2010)
Still working my way around; just wondering how paranoid Mac users are!

I do have the firewall up; that's about it.

Anything else I need to check?
 

cwa107 (Retired Staff)
I would say turn the firewall on (particularly if you're not behind a router or if you're using a public network) and put it in "Stealth" mode. That's about it.

Stealth mode keeps your machine from responding to port scans. You can enable it by going to System Preferences => Security => Firewall tab => Advanced button.
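The same two settings can be checked from a terminal, which is useful when you want to confirm the result rather than trust the checkbox. The script below is an added example, not part of cwa107's post; it drives Apple's socketfilterfw tool (shipped under /usr/libexec/ApplicationFirewall) for the two checks and uses lsof to list the TCP ports the machine is actually listening on. The exact wording of socketfilterfw's answers and the sample lsof lines are assumptions marked in the code; changing either setting needs sudo.

```python
"""Audit the macOS application firewall from the command line.

Added example (not from the thread). Uses Apple's socketfilterfw CLI for the
two checks discussed above and lsof to list what is actually listening.
"""
import os
import re
import subprocess

# Apple's command-line front end for the application firewall.
SOCKETFILTERFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"

# Commands that turn each setting on (changing state requires root).
FIX = {
    "firewall": f"sudo {SOCKETFILTERFW} --setglobalstate on",
    "stealth": f"sudo {SOCKETFILTERFW} --setstealthmode on",
}

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output, used for the
# off-box demo and the tests; real output differs per machine.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd    512 alice    4u  IPv4 0x1a2b      0t0  TCP *:49152 (LISTEN)
ControlCe   520 alice    8u  IPv6 0x3c4d      0t0  TCP *:7000 (LISTEN)
sshd        611  root    5u  IPv4 0x5e6f      0t0  TCP 127.0.0.1:22 (LISTEN)
"""


def parse_state(output):
    """Map a socketfilterfw --get* answer to True (enabled) / False (disabled).

    Assumed output formats (what the tool prints on current macOS):
      --getglobalstate : 'Firewall is enabled. (State = 1)' / 'Firewall is disabled. (State = 0)'
      --getstealthmode : 'Stealth mode enabled'             / 'Stealth mode disabled'
    """
    match = re.search(r"\b(enabled|disabled)\b", output, re.IGNORECASE)
    if match is None:
        raise ValueError(f"unrecognised socketfilterfw output: {output!r}")
    return match.group(1).lower() == "enabled"


def parse_lsof_listeners(text):
    """Extract (port, command) pairs from lsof's LISTEN lines, sorted by port."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[-1] != "(LISTEN)":
            continue  # header line or a non-listening socket
        command = fields[0]
        port = int(fields[-2].rsplit(":", 1)[1])  # '*:22', '127.0.0.1:22', '[::1]:22'
        listeners.add((port, command))
    return sorted(listeners)


def query(flag):
    """Run socketfilterfw with one --get* flag and return the parsed state."""
    proc = subprocess.run([SOCKETFILTERFW, flag], capture_output=True, text=True, check=True)
    return parse_state(proc.stdout)


def audit():
    """Return {'firewall': bool, 'stealth': bool}, or None when not on macOS."""
    if not os.path.exists(SOCKETFILTERFW):
        return None
    return {"firewall": query("--getglobalstate"), "stealth": query("--getstealthmode")}


def findings(state):
    """List what is off, each with the command that turns it on."""
    return [f"{name} is off; enable with: {FIX[name]}"
            for name in ("firewall", "stealth") if not state[name]]


def listening_ports():
    """Ports with a live TCP listener, from lsof (falls back to the sample off-box)."""
    try:
        out = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_LSOF
    return parse_lsof_listeners(out)


if __name__ == "__main__":
    state = audit()
    if state is None:
        print("socketfilterfw not found: this check only applies on macOS")
    else:
        print(f"firewall: {'on' if state['firewall'] else 'off'}  "
              f"stealth: {'on' if state['stealth'] else 'off'}")
        for line in findings(state):
            print(" -", line)
    for port, command in listening_ports():
        print(f"listening: tcp/{port:<5} {command}")
```

Run it with python3; on anything other than a Mac it reports that socketfilterfw is absent and only prints the listener list. The listener list is the part worth reading: stealth mode hides ports that have no service behind them, while any port lsof shows as LISTEN belongs to an application that will still answer if you allow it through the firewall.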
 

chscag (Admin, Staff member)
Anything else I need to check?

In addition to the advice by cwa107, if you are using a router and running wireless, use the strongest possible encryption method that you can. Preferably WPA2.

Regards.
 
chas_m (Guest)
Actually, turn the software firewall OFF. You already have a superior hardware firewall in place -- it's called your router. Your software firewall won't stop any port scans or DDoS attacks, because that's already been stopped at your router. Don't take my word for it, check your logs. Compare the ones from your software firewall to your hardware one.

You should however, as chscag suggests, encrypt your wireless network if you're using one. WPA2 is recommended, and you can also limit the machines that can access it by MAC address (if you're unlikely to have or want guest users accessing it), and turn off the broadcasting of the SSID name (the wireless network's name).

For those in apartment complexes especially, these steps are useful.

Apart from that, it's more common sense: don't pirate software, don't fall for scareware, avoid porn and gambling sites (or use a proxy if you must), don't OK the install of anything you don't recall downloading.
 

cwa107 (Retired Staff)
Actually, turn the software firewall OFF. You already have a superior hardware firewall in place -- it's called your router. Your software firewall won't stop any port scans or DDoS attacks, because that's already been stopped at your router. Don't take my word for it, check your logs. Compare the ones from your software firewall to your hardware one.

That assumes the machine never leaves the internal network. If it does, particularly if it travels to public networks (at a Starbucks or a Hotel, for example), you're going to want it turned on.

It won't hurt anything to have both a software and hardware firewall turned on, so it's better to be safe than sorry IMO.
 

bobtomay (Retired Staff)
We have also seen a lot of network issues related to cutouts, intermittent access and general access problems with the SSID turned off that disappeared once turned back on.

There shouldn't be any issue having SSID on with anyone using WPA2.
The real thieves/hackers/etc will be able to find the network in any case.
 
Forum member (joined Jul 30, 2009)
My security settings are classified information. Sorry.

If you tell anyone I posted here, I'll deny it.
 
Forum member (joined Dec 28, 2009)
I have the firewall on in full stealth mode. To the poster above, how do I turn off those settings you mentioned?
 
chas_m (Guest)
That assumes the machine never leaves the internal network. If it does, particularly if it travels to public networks (at a Starbucks or a Hotel, for example), you're going to want it turned on.

Nope.

Starbucks uses a router as well. So does the hotel. Indeed, so does everyone with broadband. This is simply not an issue for Mac owners, because the things you should be conscious of regarding security on a public network (unencrypted passwords, etc) are not dealt with by a software firewall. At all.

It won't hurt anything to have both a software and hardware firewall turned on,

Actually, it does. Conflicts between ports open/closed on the software vs hardware firewall are a constant issue with people who want to do things like use iChat, or p2p, FTP, VPN, Hulu, or certain SMTP setups (and that's just for starters). On a basic level (surfing, most email) you're not likely to have a problem with two firewalls on -- but beyond that you can easily and quickly run into conflicts. So really it's best to just keep the software firewall off all the time (unless you are somehow using a highspeed connection directly and no router & its attendant hardware firewall are present -- in that case, yes you should use a software firewall).

This is WHY Apple does not ship OS X with the software firewall turned on.

Here's a couple of Windows-based (and remember, security is WAY more of an issue with them than it is with us) responses to the question "do I need the software firewall if I have a hardware firewall?"

Do i need a software firewall if i have a router? - Neowin Forums

Do I Need a Firewall?

You will see this basic answer again and again: if you (or the hotspot you are connecting to) are using a router that's not 20 years old, then it is already doing everything a firewall can do for you. More firewall ≠ better.
 
cwa107 (Retired Staff)
Nope.

Starbucks uses a router as well. So does the hotel. Indeed, so does everyone with broadband. This is simply not an issue for Mac owners, because the things you should be conscious of regarding security on a public network (unencrypted passwords, etc) are not dealt with by a software firewall. At all.

Sure, but if someone is probing you on a public network (i.e. one of the other machines on the same LAN), your computer is going to be responsive. Additionally, if someone happens to join a LAN and is infected with a worm that your machine is vulnerable to, you're at risk.

In my professional experience as a network admin for more than a decade now, I'll have to humbly disagree with you on this point. Sure, if you're having connectivity problems, by all means, don't run a software firewall. But I can tell you that I've had my software firewall turned on and in stealth mode both on my Windows machines and my Macs for quite a long time now and never have I had an issue that was directly attributable to the firewall being turned on. With that said, I have had to repair customer machines infected by worms that exploited a zero-day vulnerability in Windows that would otherwise have been safe if they were firewalled at the client. In particular, the CodeRed and Blaster worms should have been a wake-up call to any Windows user considering not running a software firewall. Those worms were the reason that MS finally forced the firewall on by default when they released SP2 for XP.

In my opinion, an ounce of prevention is worth a pound of cure - especially with Apple's lackadaisical attitude toward patching security vulnerabilities.
 
Forum member (joined Mar 30, 2004)
I also agree that you should have a host-based (software) firewall in addition to a network firewall. A network firewall only protects you from the Internet...not from other machines on a local network behind that network firewall.

It's less of a problem if you have a desktop at home and have a small network of computers you control. But if you're a notebook user, or a student on a university ResNet, or a corporate user on an internal network, then you should protect yourself against the other network users.
 
chas_m (Guest)
I also agree that you should have a host-based (software) firewall in addition to a network firewall. A network firewall only protects you from the Internet...not from other machines on a local network behind that network firewall.

Uh, no.

1. The software firewall in Mac OS X does the same thing as a hardware firewall, only less well. So it will not protect you from local machines unless a local machine launches a DDoS attack. Which is pretty ridiculous, you could just walk over to them and throw your Starbucks latte at them if they did that. :)

2. You don't need protecting from local machines. A Mac with its default setup (all sharing turned off) is ALREADY IN STEALTH MODE. But don't take my word for it, test it yourself. Turn off your software firewall, and go here:
https://www.grc.com/x/ne.dll?bh0bkyd2
Run all the tests you want. You are "stealth" on all ports (in other words, no packets come back from "sniffing" tests).

And before anyone says "well that's a windows site," ahem -- TCP is TCP. Ports is ports. No difference.

Bottom line: if you're feeling paranoid, rather than hide behind multiple firewalls, you should probably ask yourself some hard questions about your internet behaviour.

If you want to run a software firewall to make yourself feel good, be my guest. Unless you are running certain specific services (like FTP, VPN, etc), having both hardware&software firewalls on may not cause any issues.

But don't pretend you are getting any "extra protection."
 

cwa107 (Retired Staff)
Well, it's not in stealth mode, because it responds to ICMP echo (ping). The test results you're seeing on GRC.com are likely viewed while sitting on a DSL/Cable modem, which is using NAT in and of itself (i.e. you've got a private IP address, your modem has the public IP address and routes traffic to you acting, in effect, like a router).

But I was surprised to find that you are somewhat right. I opened up my MacBook Pro's ipfw, running 10.6.2 and ran a port scan from my desktop PC running Windows 7. I used a couple of different products to do the scan and in both cases, found that no well-known ports were responsive. I did not run a full port scan, since it would have taken forever (and it's doubtful that a hacker having identified the presence of your machine would waste that much time, unless it was a high-value target).

But this paints a rosier picture than is reality. Reality is that if a vulnerability were identified, running no software firewall and sitting on a publicly accessible LAN would leave you susceptible to a worm that exploits that vulnerability. Additionally, if you happen to be running a piece of software that opens ports (like an IM client, for example) and that software has a vulnerability (as was discovered in iChat back in 2007), you could also be susceptible to a worm.

So, I stand by my argument that unless there is a problem directly attributable to the software firewall, it's better to have it running - particularly on a portable machine that leaves the relative safety of a home network.

Oh and please keep your metaphors clean, this is a family-friendly forum.
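An added example, not code from either poster, that makes the distinction the two of them are arguing about measurable from another machine on the same LAN. A scanner gets one of three answers per TCP port: a completed handshake (something is listening), a RST (the host is alive and answering, the ordinary behaviour of a Mac with no listeners and no firewall, which cwa107's scan observed as "not responsive but present"), or silence (the probe was dropped, which is what stealth mode produces and what the GRC test shows when a NAT router sits in front of you). The port list is an assumed selection of services Macs commonly expose; ICMP echo is left out because sending it needs raw sockets, so use the system ping for that part of the check.

```python
"""Probe a host's TCP ports and classify how it answers.

Added example, not from the thread. A RST ("closed") proves the host is alive
and not stealthed on that port; a timeout ("filtered") is what stealth mode or
an upstream firewall produces; "open" means a service completed the handshake.
"""
import errno
import socket
import sys

# Assumed selection of ports worth probing on a LAN peer: ssh, http, kerberos,
# SMB, AFP, Apple Remote Desktop, VNC. Edit to taste.
DEFAULT_PORTS = (22, 80, 88, 445, 548, 3283, 5900)


def classify_tcp_port(host, port, timeout=2.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"              # handshake completed: a listener exists
    except ConnectionRefusedError:
        return "closed"            # RST came back: host answers, no listener
    except socket.timeout:
        return "filtered"          # silence: dropped by stealth mode / a firewall
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"   # no route: the probe never left this machine
        raise
    finally:
        sock.close()


def scan(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Classify every port in `ports` on `host`."""
    return {port: classify_tcp_port(host, port, timeout) for port in ports}


def verdict(results):
    """Summarize a scan. 'stealth' means every probed port stayed silent."""
    states = set(results.values())
    if "open" in states:
        return "open-services"
    if "closed" in states:
        return "visible"           # at least one RST: the host revealed itself
    if "filtered" in states:
        return "stealth"
    return "unreachable"


def local_demo(timeout=1.0):
    """Show 'open' vs 'closed' against a throwaway listener on loopback."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    while_listening = classify_tcp_port("127.0.0.1", port, timeout)
    server.close()
    after_close = classify_tcp_port("127.0.0.1", port, timeout)
    return while_listening, after_close


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = scan(target)
    for port, state in sorted(results.items()):
        print(f"{target}:{port:<5} {state}")
    print("verdict:", verdict(results))
```

Run it as `python3 probe.py 192.168.1.23` from a second machine on the same network, once with the target's firewall off and once with stealth mode on, and compare the verdicts: "visible" against "stealth". Because it completes the handshake it is noisier than a SYN scan (nmap -sS does the same job more thoroughly), but it needs no privileges, and it is the check to run before believing a web-based test that only ever sees your router.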
 
chas_m (Guest)
But this paints a rosier picture than is reality. Reality is that if a vulnerability were identified, running no software firewall and sitting on a publicly accessible LAN would leave you susceptible to a worm that exploits that vulnerability. Additionally, if you happen to be running a piece of software that opens ports (like an IM client, for example) and that software has a vulnerability (as was discovered in iChat back in 2007), you could also be susceptible to a worm.

And a list of these worms I will get on my Mac, along with documented cases of infection via iChat is ... where, again?

Oh and please keep your metaphors clean, this is a family-friendly forum.

I do apologise for that.
 

cwa107 (Retired Staff)
And a list of these worms I will get on my Mac, along with documented cases of infection via iChat is ... where, again?

Let me google that for you

There are no other worms at the present, but that doesn't mean there won't be in the future. Especially when vulnerabilities are being found and it's taking Apple 6-9 months to patch. And that's only the OS, third party applications can also have vulnerabilities that could expose you to a worm or other exploitation.
 
chas_m (Guest)
Okay, so we have ... one. One worm, that's long since gone (no cases reported in your link since 2006).

Given that there haven't been any new reports of worms since then, I think I will stand by my contention that this really isn't an issue on Macs, that the chance of future problems is low, and that a software firewall is an unnecessary duplication of services already provided by the hardware firewall.

I do appreciate you reminding me about Leap-A, but I'm afraid it's not a very strong case (particularly when compared to Windows, but even just relative to the Mac).

I also think you're mischaracterising Apple's response time. There have been occasions where they've taken their time to patch an issue, and there have been occasions where they've been pretty speedy. Microsoft is likewise quite lackadaisical on patching some issues far more serious than the sort that produced Leap-A.
 

cwa107 (Retired Staff)
Okay, so we have ... one. One worm, that's long since gone (no cases reported in your link since 2006).

Given that there haven't been any new reports of worms since then, I think I will stand by my contention that this really isn't an issue on Macs, that the chance of future problems is low, and that a software firewall is an unnecessary duplication of services already provided by the hardware firewall.

It all goes back to my theory that an ounce of prevention is worth a pound of cure. If the firewall doesn't break anything, I don't see the harm in running it (or recommending it when asked).

I do appreciate you reminding me about Leap-A, but I'm afraid it's not a very strong case (particularly when compared to Windows, but even just relative to the Mac).

And I understand where you're coming from. In the Windows world, there is a much stronger case for running a software firewall, simply by virtue of the sheer number of worms that exist for the platform. Chances are exponentially higher that you would encounter one on a public network.

I also think you're mischaracterising Apple's response time. There have been occasions where they've taken their time to patch an issue, and there have been occasions where they've been pretty speedy. Microsoft is likewise quite lackadaisical on patching some issues far more serious than the sort that produced Leap-A.

Oh, I don't know about that. Microsoft releases patches almost weekly (I'm keenly aware of them since I'm tasked with implementing updates for my desktops at work). Usually any reported vulnerability is patched inside of a week, it's very rare that an exploit exists before the patch is released.

Apple on the other hand has a track record of taking 6 months or more to release an update, and it's not exactly unusual that an exploit is released before that update finally surfaces. Examples:

This one was reported to Apple back in June and the patch was released about 2 weeks after the exploit was built and shown off as a proof of concept:
Leopard and Snow Leopard flaw exploited in proof of concept, real-world tomfoolery surely coming soon -- Engadget

This one was reported and patched by Sun in their own Java implementation, but it took Apple over 6 months to get theirs done:
Apple has yet to patch "critical" Java vulnerability

So you can see where my sentiment comes from. But it doesn't matter - clearly you have your own strongly held beliefs and that's fine. But I'm sure you can now understand why I made the recommendation.
 
