(or, Why a firewall isn’t just a nice idea anymore)

So my “Weekend Home Project” these past couple of days has been setting up an OS X Lion Server on a new Mac Mini. This came partly from a desire to tinker (I sometimes feel nostalgic for my former life as an IT consultant), but primarily from wanting a much more capable home router than what my Time Capsule provides. The latter point was prompted by my switch to Teksavvy as my ISP and their offering of native IPv6 connectivity along with a pair of subnets, one IPv4 and one IPv6.

I originally plugged it in last Tuesday without giving too much thought to setting up a firewall on it… The only listening service was sshd, and I had already hardened that to allow only a single, non-root account, requiring public-key authentication for it rather than a password; everything else was living quietly on private IPs behind NAT. So, for the first few days it was easier just to keep the firewall off until I actually had time to tweak it appropriately.
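The three hardening points above (no root login, no password authentication, a single permitted account) are all plain `sshd_config` directives, so they can be checked mechanically. The following is an added example, not code from the post or from Apple's server tooling: it parses an `sshd_config` text and reports which of those settings are missing or weak. Both config texts are constructed; the account name `alice` is a placeholder.

```python
"""Audit an sshd_config for the hardening posture described in the post:
PermitRootLogin no, PasswordAuthentication no, public keys only, and
exactly one account listed in AllowUsers.

Added example; the two config texts below are constructed, not the
author's files.
"""

# Constructed: a stock-looking sshd_config that still permits passwords and
# leaves PermitRootLogin at the compiled-in default.
WEAK_CONFIG = """\
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed: the same file after the hardening described in the post.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers alice
"""


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for the effective lines.

    Lines whose first non-blank character is '#' are comments. sshd honours
    the first occurrence of a directive, so later duplicates are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config matches the post's posture."""
    cfg = parse_sshd_config(text)
    findings = []
    # Compiled-in defaults differ across OpenSSH releases (older ones permitted
    # root by default), so an absent directive is reported rather than trusted.
    if cfg.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if cfg.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is not 'no' "
                        "(keyboard-interactive password prompts still possible)")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    allowed = cfg.get("allowusers", "").split()
    if len(allowed) != 1:
        findings.append("AllowUsers does not restrict logins to exactly one account")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or ['no findings']}")
```

Pointing `audit_sshd_config` at the contents of `/etc/sshd_config` (the path on OS X of that era) gives the same check against a live file; `sshd -T` output can be fed to the same parser if you want the effective values rather than the file as written.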

Well, after about three days I took a peek at the sshd log file only to discover that I had over 2,300 (!) failed login attempts using a wide range of different, random user accounts from a wide range of IP addresses. These were just the actual login attempts — I also had well over 10,000 random connections (presumably port scans). The really interesting thing is that this was on a run-of-the-mill ISP-assigned static IP address, not one that had been published in any meaningful DNS entries.

Since sshd had already been locked down, the issue was more amusing than a cause for any real concern. Surprisingly few attempts were against the “root” account — probably on the assumption that most boxes would have it disabled (which I did) — and none of the attempts were against any of the other “real” accounts — they were merely educated guesses as to accounts that might appear on an ssh server (e.g. uucp, news, gateway, admin, webmaster, etc.), or generic names like “bob” and “john”. However, even if someone had guessed the name of the one account that was enabled, they still would have needed to produce a 2048-bit RSA private key to get anywhere.
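The breakdown above (attempts against root versus guesses at non-existent accounts, plus the bare connections that never completed an SSH handshake) falls straight out of the sshd log if you split it the same way. The following is an added example, not code from the post: it triages sshd syslog lines into failed logins by account and by source address, counts attempts against root and against invalid users separately, and counts connections that sent no SSH banner (the usual trace a port scan leaves). The log lines are constructed in the standard OpenSSH syslog format with RFC 5737 test addresses, not copied from the author's server.

```python
"""Triage sshd log lines: failed logins by account and source, root versus
non-existent accounts, and banner-less connections (scans).

Added example; SAMPLE_LOG is constructed in OpenSSH's syslog format and is
not the author's real log.
"""
import re
from collections import Counter

# Constructed sample, using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Jan 14 02:11:03 minimac sshd[9001]: Invalid user uucp from 203.0.113.7
Jan 14 02:11:03 minimac sshd[9001]: Failed password for invalid user uucp from 203.0.113.7 port 51234 ssh2
Jan 14 02:11:09 minimac sshd[9002]: Failed password for invalid user news from 203.0.113.7 port 51240 ssh2
Jan 14 02:11:15 minimac sshd[9003]: Failed password for invalid user admin from 198.51.100.9 port 40012 ssh2
Jan 14 02:11:21 minimac sshd[9004]: Failed password for root from 198.51.100.9 port 40020 ssh2
Jan 14 02:11:27 minimac sshd[9005]: Failed password for invalid user bob from 192.0.2.33 port 33010 ssh2
Jan 14 02:12:02 minimac sshd[9006]: Did not receive identification string from 192.0.2.44
Jan 14 02:12:05 minimac sshd[9007]: Did not receive identification string from 192.0.2.44
Jan 14 02:12:40 minimac sshd[9008]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2
"""

# "Failed password for invalid user uucp from 203.0.113.7 port 51234 ssh2"
# "Failed password for root from 198.51.100.9 port 40020 ssh2"
FAILED_RE = re.compile(
    r"Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
# Logged when a client connects but never sends an SSH version banner,
# which is what a TCP connect scan or banner grab looks like to sshd.
NO_BANNER_RE = re.compile(
    r"Did not receive identification string from (?P<ip>[0-9a-fA-F.:]+)"
)


def triage_sshd_log(text):
    """Summarise failed logins and banner-less connections in one pass over the text."""
    by_user = Counter()
    by_ip = Counter()
    no_banner_by_ip = Counter()
    root_attempts = 0
    invalid_user_attempts = 0
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_user[m["user"]] += 1
            by_ip[m["ip"]] += 1
            if m["user"] == "root":
                root_attempts += 1
            if m["invalid"]:
                invalid_user_attempts += 1
            continue
        m = NO_BANNER_RE.search(line)
        if m:
            no_banner_by_ip[m["ip"]] += 1
    return {
        "failed_total": sum(by_user.values()),
        "root_attempts": root_attempts,
        "invalid_user_attempts": invalid_user_attempts,
        "by_user": dict(by_user),
        "by_ip": dict(by_ip),
        "no_banner_total": sum(no_banner_by_ip.values()),
        "no_banner_by_ip": dict(no_banner_by_ip),
    }


def top_sources(summary, n=3):
    """Most active source addresses, counting failed logins and banner-less connects together."""
    combined = Counter(summary["by_ip"]) + Counter(summary["no_banner_by_ip"])
    return combined.most_common(n)


if __name__ == "__main__":
    s = triage_sshd_log(SAMPLE_LOG)
    print(f"failed logins: {s['failed_total']} "
          f"({s['root_attempts']} against root, "
          f"{s['invalid_user_attempts']} against non-existent accounts)")
    print("banner-less connections:", s["no_banner_total"])
    print("top sources:", top_sources(s))
```

On the machine in the post these lines live in `/var/log/secure.log`; the same two patterns apply to any OpenSSH server's auth log. A sustained spread of `invalid user` guesses across many addresses, with only a handful against root, is exactly the shape described above, and a high banner-less count from one address is the scan rather than the login attempts.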

Of course, this all assumes that the particular sshd process has no vulnerabilities that can be exploited, and one can only imagine what kind of activity would have occurred had other services been available on that box without a firewall. Obviously, now that I’ve had time to tweak the firewall appropriately, all non-essential ports have been closed off to the outside world; this is particularly important as everything on my home network now has a public IPv4 address — even the Apple TVs. :)