[newcomer]

Running OS X 10.2.6 on an iBook.

I access the Internet through a network in the private halls of residence i live in. it is not connected to the university network.

most users on the network are on windows and apparently there are a lot of viruses floating round on it, since many Wintel users are always online, yet with no AV software or firewall. i regularly run Virex on my Home directory and so far I've been clean.

However a friend running Windows who has Norton av software is constantly getting reports of port scans. now i don't even know what these things are. If they are harmful, am I vulnerable on OSX? Do I have a firewall for example?

These may sound like idiot questions, but if anyone can offer some simple beginners advice on the sort of network security precautions an OS X user should take, then I'd be really grateful.

[Rainy Day]

Generally speaking, don't worry about the viruses floating around. They're for the "benefit" of our Windoze using friends.

Port scans are of a little more concern as the could be a hacker trying to probe your system for an open door (although are more likely a virus trying to find its way into a Windoze system). A good firewall, and shutting down nonessential services such as file, printer and web sharing will do a good job of closing doors to hackers. Do not, under any circumstances, run an FTP server on your Mac (if you have, change your passwords immediately!) Use SFTP or SSH instead.

While an external firewall is best, MacOS X 10.2 and later ship with a software firewall: System Preferences -> Sharing -> Firewall. Enable it.

Probably your biggest liability to a hacker breaking into your computer over the network is either by enabling the root user (absolutely no need for this under any circumstances under MacOS X, and disabled by default), and the choice of weak passwords, particularly account passwords. Passwords should be at least 8 characters in length and NOT be composed of words in any language, proper names of real people, fictional characters, etc. They should contain a mix of upper and lower case, numbers and punctuation characters.

Some will claim that passwords should be changed frequently, however this advice is not always good. It is far more secure to have a strong, well guarded password than frequently changed passwords which are easy to remember but weak.

Make sure you keep abreast of - and apply - Apple's Security Updates. System Preferences -> Software Update is your friend.

Avoid running M$ software.

[newcomer]

Cheers. Helpful advice. I started the OS X firewall, with none of the boxes checked - so I guess that is the highest level of paranoia protection the os x firewall will provide?

[Rainy Day]

Yes, you are correct.

Important safety tip: if you check any of those boxes, not only will you be poking a hole in the firewall for the given port, but you will also be starting up that service! But that's true only for the Apple supplied services. Any port/service which you define will have no collateral effect.

Likewise, if you start an Apple supplied service, the firewall will automatically check the box for that service. While this might be convenient for novices, it can also be a security risk if you don't know to expect this behavior. It's too bad Apple chose to operate the user interface this way. I can see where a person might want to enable the Apache web server (i.e. Personal Web Sharing) strictly for private use, like to develop a web site locally on their machine, but wouldn't want to serve up web pages to the outside world. Unfortunately, there's no straightforward way to do this (although it can effectively be done by running Apache on an alternate port).

Just one reason why an external firewall is more secure. Nonetheless, Apple supplies a software firewall, so it might as well be used for the safety which it does afford. But it's not bulletproof.