How are people protecting their Mac mini which are running as servers at home? I have a Mac mini running 24x7 running Apple Mail, Dropbox, Keyboard Maestro and Hazel. I plan to add Homebridge also.
With all these important apps running how do I protect the Mac mini?
(as others have suggested) Disable UPnP on your gateway device.
Religiously keep everything on your network patched.
Adopt a backup strategy that ensures that a regular (preferably rotating) backup is always off-line and in no way accessible by any actions that can be made on any of your computers. This is the surest protection against ransomware.
Test your backups regularly.
Encrypt everything.
As far as anti-malware software goes, that's a trickier recommendation. My view is that if you're absolutely positively convinced that you don't need it, that's probably a good sign that you do. (On a server that's never used as a desktop, the need is lower, in my opinion.)
A malware protection solution will not protect against UPnP issues on your router. It will help with issues on your Mac, but a port once opened usually stays open. So disabling UPnP on a network level for me is a must.
ClamXav has become an inferior protection option, according to all comparison reviews. I paid for it the 1st year or two it went commercial to support the developer (I'd been using it for years when it was free) but it's much slower than the competition, and not as good.
FileVault only protects when you are logged out of the user account. Since this is a server it's kind of pointless unless the theft of the physical hardware is a concern.
In order to make the server connect to the internet you need to open ports on the router and firewall. This is where the BIG RISK is. Setting up and guarding the connection to the internet.
As mentioned above, disabling UPnP on the router and other networked equipment should be considered a mandatory first step. Unfortunately this means there is no easy router setup to make a server talk to the internet.
Universal Plug and Play
It's a protocol that enables networked devices to automatically configure the network so they can connect with each other.
Problem is that the UPnP protocol can easily be tricked to configure the network…
This thread is confusing. Everyone is making these recommendations without knowing much about use cases outside of Hazel, Dropbox, and home brew. Does this server even need to accept inbound connections from the internet? If not, securing it just became a lot easier.
My router doesn't even support UPnP, but devices in the same VLAN can pass the traffic. I run OpenDNS Umbrella and implement most if not all policy on the network. I don't run endpoint security solutions on most of my machines…
How would "the internet" see it is a server?
That's because servers usually have open ports (or answer when someone comes knocking). A port opened is usually bi-directional, out AND in, so opening a port on the router exposes the corresponding port on the internal machine.
Any service that needs bi-directional communication (VPN, Mail, Backup, VNC, you name it) will have to communicate back to the Mac, even if only to say transmission succeeded.
Never said anything about what the internet sees; not really understanding what you're saying. If he's setting up a machine to accept inbound connections from the internet, it's a server.
Port opening is NOT bi-directional the way you're defining it. Not from the perspective of administering a firewall or the way a client communicates. Those communications back to clients are usually on ephemeral ports. You don't need to enable inbound 443 for Dropbox to work on your Mac for example. Not the way TCP works…
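
The disagreement above about whether an open port is "bi-directional" can be checked against a small model of a stateful firewall. This is an added example, not part of any post in the thread: the class, the addresses and the port numbers are constructed for illustration, and NAT address rewriting is left out for brevity.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # True for the first packet of a new TCP connection

@dataclass
class StatefulFirewall:
    # Inbound ports deliberately opened (a port forward; this is also the
    # kind of rule a UPnP port-mapping request creates on the router).
    forwards: set = field(default_factory=set)
    # Flows started from the LAN side, remembered as 4-tuples.
    conntrack: set = field(default_factory=set)

    def outbound(self, p: Packet) -> str:
        # Typical home-router default: LAN hosts may start any connection.
        self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        return "ALLOW"

    def inbound(self, p: Packet) -> str:
        # A reply is a tracked flow with source and destination swapped.
        if (p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "ALLOW (reply to tracked flow)"
        # A brand-new inbound connection needs an explicit forward.
        if p.syn_only and p.dport in self.forwards:
            return "ALLOW (port forward)"
        return "DROP"

def demo():
    # Constructed sample addresses (documentation ranges) and ports.
    MAC, DROPBOX, STRANGER = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    fw = StatefulFirewall()
    results = []
    # 1. The Mac syncs with Dropbox from an ephemeral source port.
    results.append(fw.outbound(Packet(MAC, 51514, DROPBOX, 443, syn_only=True)))
    # 2. Dropbox answers on the same flow: no inbound rule is needed.
    results.append(fw.inbound(Packet(DROPBOX, 443, MAC, 51514)))
    # 3. An unrelated host tries port 443 on the Mac: nothing is open.
    results.append(fw.inbound(Packet(STRANGER, 40000, MAC, 443, syn_only=True)))
    # 4. The same host tries the ephemeral port: the 4-tuple does not match.
    results.append(fw.inbound(Packet(STRANGER, 40001, MAC, 51514, syn_only=True)))
    # 5. Only after a forward is added does a new inbound connection pass.
    fw.forwards.add(993)
    results.append(fw.inbound(Packet(STRANGER, 40002, MAC, 993, syn_only=True)))
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only step 5 exposes the Mac to connections it did not start, which is why the forwards list (manual or created through UPnP) is the thing to audit.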