3

I am planning to open up port 22 on my router to my iMac so I can login remotely. Login is required and allowed for only the admin user. The password is very secure--over 30 characters long. I'm not too worried about a bot breaking through the password but I am concerned about the system being bogged down. I looked into a few different brute-force prevention programs; sshguard, fail2ban, and Denyhosts. Each seem to have their pros and cons. However, I am finding almost zero documentation as it relates to setting one of these services up on anything above Mac OS X 10.11.

Are there other/newer services available? If not, is there any updated documentation for any of the previously mentioned services for High Sierra and the changes to the log systems? I've found a few discussion boards related to these changes to the log system but I'm looking for a tutorial for one of these services. Is there anything out there?

d84_n1nj4
  • 133
  • 1
    Use an SSH Key and turn off username/password logins. Also, go with a VPN for even more secure access. – Allan May 17 '18 at 20:34
  • @Allan would you recommend any tutorials on this? I’m new to network security. – d84_n1nj4 May 17 '18 at 20:50
  • The link I provided you walks you through the whole process of creating and using an SSH key for authentication. As for a VPN, it's just an encrypted end to end tunnel. As for tutorials (there's a ton of free resources available – Allan May 17 '18 at 20:54
  • Hi @Allan, I do have Private Internet Access, and they do have a port forwarding option. When I choose this, they provide the IP Address and Port Number. However, when this is active I cannot access my router--do I still need to add this port to my router settings and what IP address would I use, the one provided by PIA? As far as the SSH Key is concerned, can you let me know if my logic is correct. I create an SSH key on my iMac (host). Then I go to my Ubuntu laptop while it's off my local network and enter ssh-copy-id user@hostname.example.com to transfer the key to Ubuntu? – d84_n1nj4 May 18 '18 at 00:05
  • @Allan I made a post on PIA's website since this is probably PIA specific:

    https://www.privateinternetaccess.com/forum/discussion/33166/ssh-and-port-forwarding-with-pia-from-ubuntu-remote-to-imac-host#latest

     – d84_n1nj4 May 18 '18 at 15:11

1 Answers1

2

For anyone still looking for an answer to this question, I found macOS Fortress. While it does more than just blocking brute-force login attempts, you can install just the firewall portion on its own using MacPorts with:

sudo port install macos-fortress-pf
sudo port load macos-fortress-pf
sudo launchctl kickstart -k system/org.macports.macos-fortress-dshield
sudo launchctl kickstart -k system/org.macports.macos-fortress-emergingthreats

I'm not actually sure if those last two lines are necessary, but I included it just to be safe. I haven't actually tested whether this has successfully blocked a brute force login attempt yet, but it does seem to successfully block IP addresses from dshield.org and emergingthreats.net.

Bri Bri
  • 2,436