Protecting the Home Server

We recently moved from dialup to a nice fiber optic connection to the Internet (No, I’m not getting into why it wasn’t until 2008 that we got broadband). Now that we have a good connection with good up and down speeds I decided to turn on port forwarding on our primary router, an AirPort Base Station (802.11n model).

I have all incoming packets forwarded to my Mac OS X Server and things work very well. I can access my server from anywhere. And with a DynDNS account, I can easily remember the address. I’ve been running like this for a little over a month now and I’m starting to get tired of all of those messages in my secure.log and the failed authentications in my SMTP server log.

I seriously don’t understand the desire to hack other people’s systems.

But there are clearly people out there that want to do Bad Things with my server and I need to protect it. Up until now I have been trusting the server services to protect themselves, the OS to protect itself and user accounts to have sufficiently secure passwords.

Trust is a funny thing. It has no place on today’s Internet. Time to lock things down.

Lock down unnecessary services
I’d already done this, but I wanted to make sure to mention it. If a service isn’t needed I turned it off. I can always turn it on later. I guess I should mention that Mac OS X Server’s default state is for services to be off.
Lock down services
Mac OS X Server includes service access control lists (SACLs). You can allow access to server services based on user or group. Since I want SSH enabled, but I don’t want anyone but me to be able to access the server via SSH I set up my SACL appropriately:
Serveradmin Sacls-2
Configure firewall
Mac OS X Server also includes a very customizable firewall. I want to configure it to allow anyone within my home network to access any services but to restrict access to the server to inbound clients. Since all inbound clients will appear to connect to my server from my router’s IP address, I will set up a new Address Group for and restrict to to only the services/ports that I want. The nice thing about this is that I can always change these settings remotely later if I want.

Add the router to an Address Group:
Serveradmin Firewall Addgrps

Skip over to Advanced and configure a Deny All rule for the Router. This will set up a default secure state:
Serveradmin Firewall Adddeny

These rules are numbered and processed in order from lower to higher number. The first rule to ‘hit’ will trigger. In our example we will add new rules to allow access to IP ports from the router for particular services. First we’ll allow access to the web server over the standard web port (80):
Serveradmin Firewall Addallow80

After you add the allow rule make sure it is above the deny rule in the Advanced Rules list by dragging as necessary.
Serveradmin Firewall Advanced

I’ll go ahead and allow access for all of the ports that I want externally accessible.

Now I don’t have to just trust in the services to protect themselves, the OS to protect itself and users to have good passwords. I can trust the firewall to prevent anyone from getting to some services and externally visible services to protect themselves and I guess I’ll still have to trust users to have good passwords. Of course with that, I can use Open Directory password policies…

Next step I’ll enable VPN so that I can get to my home network remotely.

Happy serving!

Technorati Tags: , ,

Posted in Mac OS X Server, Server How-To | Tagged , , | 2 Comments

Subscribe to CalDAV Calendars Using Older Versions of iCal

OK, I’ll admit that this may not be the most popular post (of the 3 so far…) but I did the research so I thought I’d share my results.

Lets say that your have iCal Server running and have users happily using iCal on Leopard to do the group calendar thing. What happens if you have a user on Tiger (or earlier – or another calendar client that doesn’t support CalDAV) who wants to see a user’s calendar? Naturally this calendar subscription will be read/only, but at least the user will be able to see the calendar.

The trick is that the iCal Server requires that only authorized users be able to read a user’s calendar. This is a Good Thing as it keeps your calendars safe from prying eyes.

To allow a user to have subscribe access to your iCal Server calendar just delegate them permission to at least read the calendar.

Using iCal on a Leopard system that is connected to your iCal Server go to the Preferences item under the iCal menu. Go to the Accounts tab and choose the account that you want to access. Click the Delegation tab and press Edit… beside Manage access to my account. Click the + button and type in the username of a calendar server user. That user will now have read/only access to your calendar. If you want them to have read/write access check the Allow Write checkbox.

You’re done there. The user you just entered will be able to read (write) your iCal Server calendar. The next thing it to subscribe to this calendar.

Here is the generic URL format for iCal:


To subscribe, just put the proper URL into the Subscribe sheet in iCal.

BTW- this works with iCal in Leopard as well.

Posted in iCal Server, Server How-To | Tagged , , , | 1 Comment

Setting up iCal Publishing for Mac OS X Server

The new iCal Server in Leopard server is a great tool, but it isn’t the only way to share calendar data on the Internet. In the days before Leopard Server, the way to share your calendar from iCal was to publish it on .Mac (now MobileMe) or a WebDAV share. Mac OS X Server’s web server is fully capable of hosting WebDAV shares and it is quick and easy to set up.
Continue reading

Posted in iCal Server, Mac OS X Server, Server How-To | Tagged , , , , | 25 Comments

Stylesheet sampler





  • li


  1. li
Posted in Blog | Comments Off on Stylesheet sampler