Security? I don’t need to be secure… Do I?

Why does your Information Technology team tell you not to turn on that Web server, or not to leave SSH turned on when you're not using it?  Because they want you to be secure…

Here’s a perfect example…

Mar 30 16:14:06 68 sshd[2933]: Did not receive identification string from 96.10.82.114
Mar 30 16:21:57 68 com.apple.SecurityServer[24]: checkpw() returned -2; failed to authenticate user root (uid 0).
Mar 30 16:21:57: — last message repeated 1 time —
Mar 30 16:21:57 68 com.apple.SecurityServer[24]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Mar 30 16:21:57 68 sshd[2957]: Failed password for root from 96.10.82.114 port 12210 ssh2
Mar 30 16:21:58 68 sshd[2960]: Invalid user simoni from 96.10.82.114
Mar 30 16:21:58 68 com.apple.SecurityServer[24]: getpwnam() failed for user simoni, creating invalid credential
Mar 30 16:21:58: — last message repeated 1 time —
Mar 30 16:21:58 68 com.apple.SecurityServer[24]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Mar 30 16:21:58 68 sshd[2960]: Failed password for invalid user simoni from 96.10.82.114 port 12418 ssh2
Mar 30 16:21:59 68 sshd[2962]: Invalid user dilli from 96.10.82.114
Mar 30 16:21:59 68 com.apple.SecurityServer[24]: getpwnam() failed for user dilli, creating invalid credential
Mar 30 16:21:59: — last message repeated 1 time —
Mar 30 16:21:59 68 com.apple.SecurityServer[24]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Mar 30 16:21:59 68 sshd[2962]: Failed password for invalid user dilli from 96.10.82.114 port 12429 ssh2
Mar 30 16:22:00 68 com.apple.SecurityServer[24]: checkpw() returned -2; failed to authenticate user root (uid 0).
Mar 30 16:22:00: — last message repeated 1 time —
Mar 30 16:22:00 68 com.apple.SecurityServer[24]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Mar 30 16:22:00 68 sshd[2964]: Failed password for root from 96.10.82.114 port 12449 ssh2
Mar 30 16:22:01 68 sshd[2967]: Invalid user ale from 96.10.82.114
Mar 30 16:22:01 68 com.apple.SecurityServer[24]: getpwnam() failed for user ale, creating invalid credential

This user used SSH on the mac for a few days, and then forgot to turn it off.  We don’t know how long these script kiddies were attacking the system, attempting to guess the password…  But between the reasonably strong password, and LaunchD automatically throttling back SSHD launches, they never cracked the system.  But that was partially due to the fact that the user happened to see the attempts in the System Log…
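The tell-tale pattern in a log like the one above is many "Failed password" lines from one address in a few seconds, aimed at root and at usernames that do not exist on the machine. The script below is an added example (not part of the original post) that turns that observation into a check you can run over /var/log/secure.log or a saved excerpt: it counts failed sshd logins per source address, records which accounts were tried, separates the ones sshd reported as "invalid user", and flags an address as brute forcing when a configurable number of failures land inside a short window. The sample log is constructed to match the shape of the post's excerpt; the year passed to the parser is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the post's excerpt: one remote host hammering
# sshd with root and guessed usernames, plus one legitimate key-based login.
SAMPLE_LOG = """\
Mar 30 16:14:06 68 sshd[2933]: Did not receive identification string from 96.10.82.114
Mar 30 16:21:57 68 sshd[2957]: Failed password for root from 96.10.82.114 port 12210 ssh2
Mar 30 16:21:58 68 sshd[2960]: Invalid user simoni from 96.10.82.114
Mar 30 16:21:58 68 sshd[2960]: Failed password for invalid user simoni from 96.10.82.114 port 12418 ssh2
Mar 30 16:21:59 68 sshd[2962]: Failed password for invalid user dilli from 96.10.82.114 port 12429 ssh2
Mar 30 16:22:00 68 sshd[2964]: Failed password for root from 96.10.82.114 port 12449 ssh2
Mar 30 16:22:01 68 sshd[2967]: Invalid user ale from 96.10.82.114
Mar 30 18:05:12 68 sshd[3101]: Accepted publickey for alice from 10.0.1.5 port 50122 ssh2
"""

# "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# "Invalid user NAME from IP": the account does not exist on this machine.
INVALID_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)$"
)


def _burst(times, threshold, window):
    """True if at least `threshold` failures fall inside any span of length `window`."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return True
    return False


def analyze(log_text, year=2009, threshold=3, window_seconds=60):
    """Summarize failed sshd password logins per source address.

    Returns {ip: {"failures": n, "users": [...], "invalid_users": [...], "burst": bool}}
    for every address with at least one failed password. The syslog timestamp has
    no year, so `year` is supplied by the caller (assumption for the sample data).
    """
    failures = defaultdict(list)   # ip -> timestamps of failed passwords
    users = defaultdict(set)       # ip -> usernames tried
    invalid = defaultdict(set)     # ip -> usernames that do not exist here
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures[m["ip"]].append(ts)
            users[m["ip"]].add(m["user"])
            if m["invalid"]:
                invalid[m["ip"]].add(m["user"])
            continue
        m = INVALID_RE.match(line)
        if m:
            invalid[m["ip"]].add(m["user"])
    window = timedelta(seconds=window_seconds)
    report = {}
    for ip, times in failures.items():
        report[ip] = {
            "failures": len(times),
            "users": sorted(users[ip]),
            "invalid_users": sorted(invalid[ip]),
            "burst": _burst(times, threshold, window),
        }
    return report


def main():
    for ip, info in analyze(SAMPLE_LOG).items():
        flag = "BRUTE FORCE" if info["burst"] else "failed logins"
        print(f"{ip}: {info['failures']} {flag}; accounts tried {info['users']}; "
              f"nonexistent accounts {info['invalid_users']}")


if __name__ == "__main__":
    main()
```

Run it against a real log with `analyze(open("/var/log/secure.log").read())`; the successful publickey login from the legitimate address never appears in the report, while the address in the excerpt is flagged after three failures in two seconds. Addresses that only probe nonexistent usernames without reaching a password attempt are recorded under `invalid_users` of the address once it has at least one failed password.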

Please review your System Preferences’ Sharing pane, and if you are not running a web site turn off “Web Sharing”.  If you are not using SSH, then please turn off “Remote Login”. And most important of all, if you are not allowing Windows users to log in to your system, make sure File Sharing is turned off.

If you wish to File Share with the other Macintosh systems, and exclude the Windows users… Choose File Sharing.  Click Options, and make sure “Share Files and Folders using SMB” is turned off.  And make sure that “Share Files & Folders using FTP” is turned off.  Unless you're running an FTP server, there is no reason for that option to be on (in most cases).
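Each checkbox in the Sharing pane loads or unloads a launchd job, so the same review can be done from Terminal and repeated on every Mac you look after. The script below is an added example (not part of the original post): it reads `launchctl list` output, looks for the jobs behind Remote Login, Web Sharing and the three file-sharing protocols, and reports anything loaded that the owner did not say they use. The mapping from pane item to job label is an assumption based on the labels in /System/Library/LaunchDaemons on the macOS versions of the post's era (later releases use com.apple.smbd where older ones used smbd and nmbd), so confirm it on your own system; the sample output is constructed.

```python
import sys

# Sharing-pane items and the launchd job labels behind them. These labels are an
# assumption for this example; check /System/Library/LaunchDaemons on your Mac.
SHARING_JOBS = {
    "Remote Login (SSH)": ("com.openssh.sshd",),
    "Web Sharing": ("org.apache.httpd",),
    "File Sharing over AFP": ("com.apple.AppleFileServer",),
    "File Sharing over SMB (Windows)": ("com.apple.smbd", "smbd", "nmbd"),
    "File Sharing over FTP": ("com.apple.ftpd",),
}

# Constructed sample of `launchctl list` output (PID, Status, Label, tab-separated):
# a Mac on which Remote Login plus SMB and FTP file sharing were left on.
SAMPLE_LAUNCHCTL = """\
PID\tStatus\tLabel
-\t0\tcom.openssh.sshd
-\t0\tcom.apple.smbd
-\t0\tcom.apple.ftpd
123\t0\tcom.apple.mDNSResponder
"""


def loaded_labels(launchctl_output):
    """Return the set of job labels in `launchctl list` output, ignoring the header."""
    labels = set()
    for line in launchctl_output.splitlines():
        if line.startswith("PID"):
            continue
        parts = line.split("\t")
        if len(parts) == 3 and parts[2].strip():
            labels.add(parts[2].strip())
    return labels


def audit(launchctl_output, intended=frozenset()):
    """Map every loaded sharing service to 'ok' or 'turn off'.

    `intended` names the services the owner actually uses (e.g. {"Remote Login (SSH)"});
    any other sharing service that is loaded is reported as something to turn off.
    """
    labels = loaded_labels(launchctl_output)
    findings = {}
    for service, jobs in SHARING_JOBS.items():
        if any(job in labels for job in jobs):
            findings[service] = "ok" if service in intended else "turn off"
    return findings


def main():
    # Pipe real output in with `sudo launchctl list | python3 sharing_audit.py`;
    # with no pipe the constructed sample is used.
    output = SAMPLE_LAUNCHCTL if sys.stdin.isatty() else sys.stdin.read()
    intended = set(sys.argv[1:])   # services named on the command line are allowed
    for service, verdict in audit(output, intended).items():
        print(f"{service}: {verdict}")


if __name__ == "__main__":
    main()
```

Jobs that show a `-` in the PID column are loaded but idle: launchd starts them on the first incoming connection, which is exactly why a service you forgot about still answers to anyone who finds the port.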

If you are not sure about any of the other settings, ask your local IT representative for help.  I’m sure that they would rather take 5 minutes to review security settings than spend hours cleaning up your system after a script kiddie attack.