With the latest security blunder in High Sierra 10.13.1 had a bug that allowed anyone with local access to your Mac the ability to authenticate using the root account. The key is they need local access, but once enabled they could install software to spy on you, and we read some reports that users with remote desktop or screen sharing turned on could have commands sent to modify your Mac without your knowledge.
If you aren’t savvy with tech lingo, then just think of root as your behind the scenes system administrator account. Normally, this account is disabled from logging in and hidden from your view as a user. In smart phones, you may have heard of folks “rooting” their phone to customize it or put special software that the manufacture doesn’t allow. This shows you the power of this system account that IT people rely on to help you.
Of course not everyone was effected to the same degree by this bug, but security professionals are recommending everyone running the latest OS update via the App Store or install the patch made available today: https://support.apple.com/en-us/HT208315
This should sound scary in today’s day and age of constant and escalating attacks, but more importantly it should get you thinking about how to secure your Mac. All of our clients were patched early this morning after we were alerted to the issue last evening and we were able to test the fix. That’s what is so great about our plans! We can be actively securing high sierra for those who upgraded before it becomes a security breach. If you are looking for more ways to lock down your Mac, we suggest enabling FileVault, considering a Firmware password, and installing software to scan for malware such as our favorite BitDefender.
One of the most important and most requested service for our clients has been secure remote access to their office or server. With more and more contractors and employees working remotely VPN has become a staple service of OS X Server. The alternative to VPN is far quicker and easier solution of opening up access into your office network by poking holes in your firewall or router. The quicker and easier path comes at the price of security not something worth compromising. Unfortunately many small business owners take their chances because they never had reason for concern before, or they feel that larger companies are the focus not the small ones. They couldn’t be more wrong as hackers simply exploit weakness, and they have more recently focused more to attacking small businesses because it’s easier. In fact PC World and Entrepreneur Magazines both have articles out explaining the shift in focus. Before diving into VPN setup let’s first review what should be done.
In order to help protect you and your business online Start On Technology recommends the follow:
- Ensure you are using a hardware firewall to protect your network on your router. For those unsure, looking for an extra layer, or interested in this tutorial should install Ice Floor a software firewall for free on their Mac. Please remember this tool is from a donation funded project, so please do as we have and donate to ensure it will stay available for everyone.
- Use two factor authentication when possible. An example is for users of Google Apps downloading the Google Authenticator app on their device and enabling two factor authentication to their Google Account. This can prevent unauthorized access by requiring a secondary code or pin to gain access just like the PIN on your debit card.
- Don’t use the same password for everything and consider using a password generator and storage solution to make this easier to manage. Changing passwords often places the odds back in your favor at the very least.
- Be aware of odd emails alerting you to login to your account. Make sure the address bar makes sense to the company contacting you. It’s very easy for anyone to replicate a site and capture your username and password by using misdirection.
- Be aware what information is being put in the cloud or on your devices and the level of security provided. Features such as passcodes, remote wipe, and encryption can help reduce the risk of theft.
- Contact us for a full network evaluation and explanation of your current setup.
Using Haynet’s IceFloor v2.0.1 software helps us manage the software firewalls on a server that helps prevents unauthorized access and allows VPN on OS X Server to work in many different environments by using NAT. In this example we will setup the server in a colocation environment or data center hosted with our friends at macminicolo.net a typical situation where you would want to manage remote access and setup a VPN.
- Create a VLAN in the Network pane of System Preferences ( > System Preferences > Network) by clicking on the gear next to the plus and minus symbols and selecting “Manage Virtual Interfaces…” then + add a New VLAN. Give it a name, ID, and make sure the interface is Ethernet.
- Go to your newly created VLAN and select manual IPv4 Configuration then assign an IP address, subnet, and Router (same as IP address). See graphic below and make sure to click Apply to save.
- Launch IceFloor 2.0.1 and navigate to the NAT section. Select to share your Internet connection from your WAN port (i.e. Ethernet en0) to computers using the VLAN (vlan0). Also check the Redirect DNS box as shown below.
- Now you can set up your VPN service. Be sure to set up your client addresses to match your new VLAN. In this example we would set the VPN to start at 192.168.2.2 and add as many addresses as we need. Then move to DNS settings and make sure your machine’s IP is one of the DNS servers. Be sure to set your host name and type then you are all set to switch the service on.
Now you should be able to set up clients to use your VPN service to your colocated or office Mac Mini. Of course you will need adjust your firewall to allow the VPN traffic into the network from the outside. Otherwise have smooth secure surfing my friend and give us a ring or shoot us an email if you need our services in setting up this IceFloor configuration for OS X Server VPN.