Richard
There are some steps you can take to prepare your Mac to run better as a server. One thing you don’t really need, as your Mac is going to run headless (without a monitor), is a screen saver: a running screen saver would be a waste of CPU. To turn off the screen saver, open System Preferences and select the Desktop & Screen Saver icon. On the Screen Saver tab, drag the “Start screen saver” slider all the way to “Never” to turn it off. While you’re here anyway, select a “Solid Color” for your desktop; this saves some graphics memory and will speed up communication when using the “Remote Desktop” feature.
Next select “Energy Saver” in the System Preferences overview. To keep your machine active at all times, move the “Put the computer to sleep” slider to “Never” so the computer never goes into sleep mode and becomes inactive. Also don’t forget to un-check the box “Put the hard disks to sleep when possible” to keep your machine responding quickly. On the “Options” tab, un-check “Allow power button to sleep the computer” so you can reboot the machine without a keyboard and monitor. Check the box “Restart automatically after a power failure” to have your machine reboot after a power failure or accidental loss of power when you’re not at home.
To speed up booting your machine, turn off Bluetooth when you don’t really need it.
Next icon, “Sharing”: we’re going to install our own web and mail server and we want our machine to run securely, so we don’t need/want the following options:
- Personal File Sharing
- Windows Sharing
- Personal Web Sharing
- Remote Apple Events
- Printer Sharing
- Xgrid
We do want the following, for remote management of our machine:
- Remote Login (SSH)
- FTP Access
- Apple Remote Desktop
However, we need to secure these openings we just created:
Remote Desktop
For Apple Remote Desktop, click the “Access Privileges…” button and select the users you want to be able to connect to your machine. Check the box “VNC viewers may control screen with password” and type in a strong password that is not easy to guess. This enables you to use a program like “Chicken of the VNC” to access your Mac remotely.
Remote Login
To secure SSH remote logins you’ll need to edit the file ‘/etc/sshd_config’ with your favorite editor.
I will go through some of the options you’ll want to change if you want to use SSH:
Protocol
The default installation of OpenSSH allows both SSH version 1 and version 2 connections. Version 1 is known to suffer from security vulnerabilities, and it is strongly recommended that only version 2 be used. To disable version 1 connections use:
Disable root access
To disallow the root user from logging in, add/uncomment the line:
Only allow specific users
By default, all users who have local accounts on the system are permitted to log in through SSH. This is not necessary and only gives attackers more possibilities for an attack. The users permitted to SSH to the system should be clearly defined, and SSH configured to allow access only to those users.
DenyUsers <usernames>
- <usernames> is a list of usernames separated by spaces
- Usernames can contain * and ? as wildcards
- user@host format can be used; it specifies that the given user is allowed/denied only from the host specified
Passwords
To prevent users with no password (which should never be the case) from accessing the system, add/uncomment this line:
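The four sshd_config settings above (the protocol version, root login, the user whitelist and empty passwords) can be checked with a small audit script before you restart sshd. This is an added example and not part of the original tutorial; it assumes a POSIX sh with awk, and the two sample configurations it writes are constructed for the demonstration, not copied from any real machine:

```shell
# Print the effective value of a sshd_config keyword ("" if unset).
# sshd keywords are case-insensitive and the FIRST occurrence wins,
# so comments are skipped and we stop at the first match.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# check FILE KEY WANTED: report a mismatch (compared case-insensitively).
check() {
    got=$(sshd_value "$1" "$2")
    if [ "$(printf %s "$got" | tr A-Z a-z)" != "$3" ]; then
        echo "FAIL $2 is '${got:-unset}' (want $3)"; return 1
    fi
}

# Returns the number of failed checks (0 = all four settings are in place).
audit_sshd_config() {
    failed=0
    check "$1" Protocol 2 || failed=$((failed + 1))
    check "$1" PermitRootLogin no || failed=$((failed + 1))
    check "$1" PermitEmptyPasswords no || failed=$((failed + 1))
    # AllowUsers has no single right value; it just has to be set,
    # otherwise every local account may log in.
    if [ -z "$(sshd_value "$1" AllowUsers)" ]; then
        echo "FAIL AllowUsers is unset (every local account may log in)"; failed=$((failed + 1))
    fi
    return "$failed"
}

# Constructed sample configs (not taken from the page or a real system).
WEAK_CFG=$(mktemp)
printf '#Protocol 2,1\nPermitRootLogin yes\n#PermitEmptyPasswords no\n' > "$WEAK_CFG"
HARD_CFG=$(mktemp)
printf 'Protocol 2\nPermitRootLogin no\nAllowUsers richard webadmin@192.168.1.*\nPermitEmptyPasswords no\n' > "$HARD_CFG"

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || echo "$? check(s) failed"
echo "== hardened config =="
audit_sshd_config "$HARD_CFG" && echo "all checks passed"
```

Run it against your own file with `audit_sshd_config /etc/sshd_config`; a non-zero exit status tells you how many of the four settings still need fixing.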
These are the simple ones; there are more elaborate schemes that will secure your system a lot better. I hope you found this useful. If you know other options/settings that will help, please leave a comment or post in the forums.
Other resources on SSH
- Check out these articles from 2004 at the O’Reilly MacDevCenter.
- MacGeekery: Basic OS X Security
- For general security tips check out the white papers from Corsaire
- If you like point and click configuration you might want to give SSH Helper a spin.
And as a last thing to install, you need the Apple developer tools. It’s called Xcode and you can find it on your install disk or download it from developer.apple.com.
Next step: Installing MySQL
Comments
11:31 pm
You also might want to disable Dashboard because it consumes unnecessary RAM. There is an article on this here: http://www.macworld.com/weblogs/macosxhints/2005/08/disabledashboard/index.php
2:00 pm
Surely Personal Web Sharing is an Apache set up – why not use that?
2:15 pm
Personal Web Sharing gives you a very limited installation of Apache. If you want to host more than one website and use it as a proper web server with all the latest security patches, you’d be better off with a proper installation of Apache as described on this site and others.
10:52 am
Thanks for clarifying, Richard – and for an incredibly helpful site.
12:04 pm
Does anyone know how to add SSH-only users (i.e. user accounts that don’t exist with Mac OS X home folders)? FTP too? I need to add these to my server, but really don’t know how.
8:04 pm
Yes you can, use the ‘dscl’ program to add your users. But be careful about the problems with controlling them in a secure manner.
8:48 pm
My sshd_config file doesn’t have AllowUsers or DenyUsers. Do you just add those in anywhere?
8:51 pm
Yes, the order in which everything is listed is not important.
For more info you can always type “man sshd_config” in a Terminal window.
9:12 pm
Thanks for that Richard…
10:38 pm
How do you feel about the setup provided stock under Snow Leopard Server. I realize that Personal Web Sharing is not secure and not complete, but would you propose the same for the server edition of the OS?
8:36 am
@Aaron, I have no real experience with OS X Server. But I think you can reuse the SSH stuff mentioned here to better secure your server.
1:31 am
Thank you for the useful web page and articles. Just thought I’d point out for security’s sake (since security should be of extremely high priority on a server) that using FTP and VNC as-is are both quite insecure options. The simple solution to this problem in both cases is SSH, which you already installed by this point anyhow. SSH comes with SFTP (Secure FTP) capability, so you can simply disable/uninstall old (insecure) FTP.
VNC suffers from the same security issue as FTP does (namely, cleartext password transfer through the network) but can easily be secured by using the port tunneling feature of SSH to tunnel port 5900 (or any other port being used by VNC) to the local machine which you are connecting from. Since this tunnel will be encrypted it makes VNC quite secure, AND removes the need to open extra ports at the firewall.
I realize this particular article is now unsupported, but this advice also holds true for newer server setups as well. FTP is basically obsolete and should have died ages ago, and although VNC is super useful, it tends to be insecure but easily remedied.
11:16 pm
Hi Richard, I followed your tutorials and successfully installed Apache, MySQL and PHP. My only question is that I would like to share my external drive on my server with my 2 other Macs. Since you recommended turning off Personal File Sharing, how can I do this? Is there a secure way of sharing it? Thanks in advance.
5:44 am
@Roberto, it depends… If your server is running at home, make sure your last hop onto the internet (mostly your ADSL router) has a firewall turned on with the AFP ports blocked. (Preferably, block everything incoming besides web and mail.)