Since Mac OS X is derived from BSD Unix, a lot of care has been taken to make OS X a secure platform. To that end Apple has disabled most network services in the default installation. However, the moment you enable services such as FTP, or Telnet (not recommended, use Secure Shell instead), you open your computer to the outside world.
Access Control
Mac OS X uses the tcp daemon (tcpd), a.k.a. tcp wrappers developed by Wietse Venema, to control what ports and what services are available to outside users. What Apple has left out are the configuration files for tcpd. The man page for the configuration files is hosts_access. There are two files: /etc/hosts.deny, and /etc/hosts.allow.
hosts.deny
When running an Internet server, paranoia can be a good thing. The best approach is to deny every incoming connection, and then to permit certain services and hosts. Here is an example of a default /etc/hosts.deny file:

    #
    # hosts.deny    This file describes the names of the hosts which are
    #               denied the use of local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    ALL: ALL:deny

You probably want to leave this one untouched.
hosts.allow
Now that we have denied everyone access, we have a secure, but worthless, server. We have to let the good guys in.

    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    ALL:10.0.0.20
    ALL except shell:192.168.1.
    ALL except shell:foo.hmug.org
    ipop3d:mac.com

Here we have four examples:
- Unrestricted, by IP address. The host 10.0.0.20, presumably a trusted host, can use every service.
- Restricted, by range of IP addresses. The subnet 192.168.1. can do everything but open a shell connection.
- Restricted, by domain. The domain hmug.org. can do everything but open a shell connection.
- By specific protocol. The domain mac.com can retrieve e-mail.
For more information fire up the Terminal and bring up man tcpd and man hosts_access.
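
To see how tcpd would treat a given client under these two files, here is a small model of the hosts_access(5) lookup. It is an added example, not part of the original page or of tcp wrappers itself, and it covers only the pattern forms used above (ALL, exact host or address, trailing-dot address prefix, leading-dot domain suffix, EXCEPT); the function names are hypothetical.

```python
# Added example: simplified model of the hosts_access(5) decision.
# Rule options other than the page's trailing ":deny" are not modelled.
HOSTS_ALLOW = """\
ALL:10.0.0.20
ALL except shell:192.168.1.
ALL except shell:foo.hmug.org
ipop3d:mac.com
"""
HOSTS_DENY = "ALL: ALL:deny\n"

def list_match(tokens, pred):
    """Match a pattern list; 'a EXCEPT b' matches a unless b also matches."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return list_match(tokens[:i], pred) and not list_match(tokens[i + 1:], pred)
    return any(pred(t) for t in tokens)

def host_match(pat, name, addr):
    p = pat.lower()
    if p == "all":
        return True
    if p.startswith("."):             # leading dot: host name suffix (a domain)
        return name.lower().endswith(p)
    if p.endswith("."):               # trailing dot: leading fields of the address
        return addr.startswith(p)
    return p in (name.lower(), addr)  # anything else: exact name or address

def first_match(text, daemon, name, addr):
    """Return the first rule line matching (daemon, client), else None."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        fields = line.split(":", 2)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if (list_match(daemons, lambda p: p.lower() in ("all", daemon.lower()))
                and list_match(clients, lambda p: host_match(p, name, addr))):
            return line
    return None

def decide(daemon, name, addr):
    """hosts.allow is searched first, then hosts.deny; no match means allow."""
    rule = first_match(HOSTS_ALLOW, daemon, name, addr)
    if rule:
        return ("allow", rule)
    rule = first_match(HOSTS_DENY, daemon, name, addr)
    return ("deny", rule) if rule else ("allow", None)
```

With a constructed client such as `decide("ftpd", "unknown", "192.168.1.7")` the subnet rule allows the connection, while the same client asking for `shell` falls through to hosts.deny. A client named mail.mac.com is denied for ipop3d, because a pattern without a leading dot matches only a host with exactly that name; `.mac.com` would be needed to cover the whole domain.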
Installation
You need superuser access to your Mac OS X machine. Mac OS X by default does not provide superuser, or root, access. You can get it in two ways:
- sudo shell, where shell is tcsh, bash, etc.
- Set root password. See Setting Root Password
Option 1 (sudo) is safer.
Customize
You need to tailor these two files to your needs. The example file is harmless, since the hosts are either on test networks (10.x.x.x and 192.168.1.x), do not resolve in a reverse name lookup (foo.hmug.org), or are not going to retrieve e-mail from your host (mac.com). However, please edit or comment out these example entries anyway.
Comments
In most cases Unix style configuration files use the # mark to denote a comment. Anything to the right of the # mark is ignored.
Version 2.2.0 - 20070309