2.4.5 Disable Remote Login

Information

Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard for connecting to POSIX servers, the scope of the benchmark is Apple OS X clients, not servers. OS X does have an IP-based firewall available (pf; ipfw has been deprecated), but it is not enabled or configured. There are more details and links in section 7.5. OS X no longer has TCP Wrappers support built in, and it has neither strong mitigations against brute-force password guessing nor frequent patching of OpenSSH by Apple. Most OS X computers are mobile workstations, and managing IP-based firewall rules on mobile devices can be very resource intensive. All of these factors can be parts of running a hardened SSH server.

Solution

Perform the following to implement the prescribed state:
Run the following command in Terminal:
sudo systemsetup -setremotelogin off
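
An audit-then-enforce wrapper around the command above, added here as an example and not part of the benchmark text. It assumes `systemsetup -getremotelogin` reports a single line of the form `Remote Login: On` or `Remote Login: Off`; the function names and the `--enforce` argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit and enforce the
# "Remote Login: Off" state on OS X. Run as root.

# Map one status line to a verdict. Prints PASS, FAIL or UNKNOWN and
# returns 0 only for PASS, so any unexpected output (an error message,
# empty output) fails closed instead of counting as compliant.
classify_remote_login() {
    # Strip carriage returns and trailing whitespace before matching.
    line=$(printf '%s' "$1" | tr -d '\r' | sed 's/[[:space:]]*$//')
    case "$line" in
        "Remote Login: Off") echo PASS;    return 0 ;;
        "Remote Login: On")  echo FAIL;    return 1 ;;
        *)                   echo UNKNOWN; return 2 ;;
    esac
}

# Query the live setting and classify it.
audit_remote_login() {
    status=$(systemsetup -getremotelogin 2>&1)
    classify_remote_login "$status"
}

# Apply the benchmark's remediation only when needed, then re-audit so
# the result reflects the actual state rather than the command's exit code.
enforce_remote_login_off() {
    if audit_remote_login >/dev/null; then
        echo "PASS (already off)"
        return 0
    fi
    # Same command as the Solution section; stdin is left attached so
    # any confirmation prompt remains visible to the operator.
    systemsetup -setremotelogin off
    audit_remote_login
}

# Hypothetical entry point: "--enforce" remediates, "--audit" only reports.
if [ "${1:-}" = "--enforce" ]; then
    enforce_remote_login_off
elif [ "${1:-}" = "--audit" ]; then
    audit_remote_login
fi
```

An UNKNOWN verdict should be investigated rather than treated as a pass, since it means the setting could not be read.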

See Also

https://workbench.cisecurity.org/files/300

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17

Plugin: Unix

Control ID: cded578302685e70d73f24588528b42c7df0d882536900ef3d8c7d63927e76ea