Mac mini security

How are people protecting their Mac minis which are running as servers at home? I have a Mac mini running 24x7 running Apple Mail, Dropbox, Keyboard Maestro and Hazel. I plan to add Homebridge also.

With all these important apps running, how do I protect the Mac mini?

Some options:

  • disable UPnP on your router
  • add Malwarebytes and Sophos Home to the mini
  • enable firewall on the mini
  • add 2nd admin account, and do not log into that one. (just for emergency machine access)
  • enable FileVault (just for physical theft)
  • add Little Snitch to the mini

That’s about it really

I would be worried most about external access through the router if UPnP is enabled. Ports can be opened and changed without you knowing.

For that reason I’d consider a subscription (we discussed the major apps here) that protects real-time against threats like ransomware.

EDIT: And if you want a free option that handles ransomware, it seems that the well-regarded Avira utility offers that in its free tier. (Review.)

Are you using the Mini just as a server or also as a desktop?

Just as a server and not desktop.

In that case what I’d do is:

  1. (as others have suggested) Disable UPnP on your gateway device.
  2. Religiously keep everything on your network patched.
  3. Adopt a backup strategy that ensures that a regular (preferably rotating) backup is always off-line and in no way accessible by any actions that can be made on any of your computers. This is the surest protection against ransomware.
  4. Test your backups regularly.
  5. Encrypt everything.

As far as anti-malware software goes, that’s a trickier recommendation. My view is that if you’re absolutely positively convinced that you don’t need it, that’s probably a good sign that you do :) (On a server that’s never used as a desktop, the need is lower, in my opinion)

A malware protection solution will not protect against UPnP issues on your router. It will help with issues on your Mac, but a port once opened usually stays open. So disabling UPnP on a network level for me is a must.

Thanks. This is helpful to me! Where does ClamXAV fit into a possible strategy/solution?

ClamXav has become an inferior protection option, according to all comparison reviews. I paid for it the 1st year or two it went commercial to support the developer (I’d been using it for years when it was free) but it’s much slower than the competition, and not as good.

FileVault only protects when you are logged out of the user account. Since this is a server it’s kind of pointless unless the theft of the physical hardware is a concern.

In order to make the server connect to the internet you need to open ports on the router and firewall. This is where the BIG RISK is. Setting up and guarding the connection to the internet.

As mentioned above, disabling UPnP on the router and other networked equipment should be considered a mandatory first step. Unfortunately this means there is no easy router setup to make a server talk to the internet.

I would recommend looking at Avira or Sophos Home over ClamXav. They used to deliver good service, but the last few years… meh… ¯_(ツ)_/¯

What do you mean by this?

Apparently today is my day to be dense (or maybe every day is), but what does this mean?

Universal Plug and Play.
It’s a protocol that enables networked devices to automatically configure the network so they can connect with each other.
Problem is that the UPnP protocol can easily be tricked to configure the network…

It’s been my experience that in information security, certainty is a sign of naiveté, ignorance, or inexperience. As in all things, there are exceptions, but it’s an astonishingly good rule of thumb that the more sure someone is that they don’t need a given control, the more they don’t understand the field well enough to make that determination. It’s a kind of corollary (or maybe just example) of the Dunning–Kruger effect.

This thread is confusing. Everyone is making these recommendations without knowing much about use cases outside of hazel, Dropbox, and home brew. Does this server even need to accept inbound connections from the internet? If not, securing it just became a lot easier.

My router doesn’t even support UPnP, but devices in the same VLAN can pass the traffic. I run OpenDNS Umbrella and implement most if not all policy on the network. I don’t run endpoint security solutions on most of my machines…

What ports do you need to open up to connect TO the internet? I always assumed the risks came from the internet when dealing with servers…

How would “the internet” see it is a server?
That’s because servers usually have open ports (or answer when someone comes knocking). A port opened is usually bi-directional, out AND in, so opening a port on the router exposes the corresponding port on the internal machine.

Any service that needs bi-directional communication (VPN, Mail, Backup, VNC), you name it, will have to communicate back to the Mac, even if only to say transmission succeeded.

Or did I not understand your question?

FYI, if you want to use Auto Login after a power outage, you cannot have FileVault turned on. “FileVault requires that you log in every time your Mac starts up, and no account is permitted to log in automatically.”

Never said anything about what the internet sees; not really understanding what you’re saying. If he’s setting up a machine to accept inbound connections from the internet, it’s a server.

Port opening is NOT bi-directional the way you’re defining it. Not from the perspective of administering a firewall or the way a client communicates. Those communications back to clients are usually on ephemeral ports. You don’t need to enable inbound 443 for Dropbox to work on your Mac for example. Not the way TCP works…
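
The point about ephemeral ports in the post above, as an added example that is not part of the thread: a loopback demonstration in Python showing that a reply returns over the client's own outbound connection, and that the client's ephemeral port accepts no new inbound connection. The function name `outbound_only_demo` and the local listener standing in for a remote service are assumptions of this example.

```python
import socket
import threading


def outbound_only_demo():
    # Listener standing in for a remote service (e.g. a cloud sync endpoint).
    # This is the only socket in the demo that accepts inbound connections.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    server_port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            # The acknowledgement goes back over the connection the client opened.
            conn.sendall(b"ack:" + conn.recv(1024))

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    # Client side: the OS assigns an ephemeral source port for the outbound connection.
    cli = socket.create_connection(("127.0.0.1", server_port), timeout=5)
    client_port = cli.getsockname()[1]
    cli.sendall(b"hello")
    reply = cli.recv(1024)

    # Unsolicited attempt to open a NEW connection to the client's ephemeral port.
    # Binding first gives the probe its own source port, distinct from client_port.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.settimeout(5)
    probe.bind(("127.0.0.1", 0))
    try:
        probe.connect(("127.0.0.1", client_port))
        unsolicited_accepted = True
    except ConnectionRefusedError:
        unsolicited_accepted = False  # nothing listens on the ephemeral port
    finally:
        probe.close()

    cli.close()
    worker.join(5)
    srv.close()
    return {"server_port": server_port, "client_port": client_port,
            "reply": reply, "unsolicited_accepted": unsolicited_accepted}


if __name__ == "__main__":
    print(outbound_only_demo())
```
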