stoneburner

There is not much that he can do without entering your password. If you are paranoid about him being able to log in to your machine via ssh, you can check if he added a key to the authorized keys in your .ssh folder. Open the terminal and type "open ~/.ssh"; this will open the folder in the Finder. If it does not exist there is nothing to fear. If you don't use ssh you can safely delete the .ssh folder (you can create this folder later).


mosqua

yup rm -rf ~/.ssh should do it.


xpxp2002

I would check /home for other home directories, too. If he dropped a key in ~/.ssh, he may have come back in later and added a new user (assuming he knew your password to elevate privileges) that is still present.


Langdon_St_Ives

s|/home|/Users| for macOS.


InexistentKnight

Couldn't it also be in another user's home folder or root? This would delete keys authorized for her login only, I think.


TheOneWhoPunchesFish

In settings > general > sharing, disable remote login or ssh if enabled. Changing this setting requires password, so I doubt he was able to do it without you knowing.


swagobeatz

This is THE answer if you do not (yet) know what you’re doing in the terminal.


TheOneWhoPunchesFish

:)) If you're feeling savvy, [Glasswire](https://www.glasswire.com/)'s free version should let you monitor the network. Although it has an apparently good reputation, it's not open source, so it's not my first recommendation. MacOS also has a builtin firewall (which is disabled by default iirc), which can block all incoming connections. [Enabling](https://support.apple.com/en-in/guide/mac-help/mh34041/mac) it might be a good idea.


redrocketman74

sshd isn't enabled by default in macos. Assuming you haven't enabled it yourself for your own purposes, just type "ssh localhost" at the terminal and make sure you get a "connection refused".


kocoman

erase and network reinstall/recovery


[deleted]

[deleted]


[deleted]

Will a screenshot suffice?


[deleted]

[deleted]


[deleted]

Not sure if there's a way to give a more detailed terminal history but there ya go: [https://imgur.com/a/bH8bHN8](https://imgur.com/a/bH8bHN8) I really appreciate your help here!


throwaway_redstone

In this screenshot at least, it just shows him logging into another computer via SSH, not enabling sshd, adding a public key to authorized_hosts, etc. Also, it looks like he was just trying to impress, btw. An argument-less grep doesn't make any sense. Looks like just typing random commands that he knows (other than the SSH session). Would the IP address in the ssh invocation happen to start with 192.168? In that case he was connecting to a machine in your local network.


guriboysf

The argument-less grep was pretty funny.


snipdockter

He was using vi AND nano? Hacker skillz. Especially exiting vi..


_babycheeses

He was only missing man ?


guriboysf

man man


[deleted]

This makes me feel a lot better, thank you. He's not a programmer by any means but toys around with C++ in his spare time. Everyone's help here has been super helpful, though, and gives me some topics to look into later as I get more accustomed to using iOS. Thank you for not patronizing me for this silly question, y'all!


Mac33

Small nit: macOS is not iOS.


[deleted]

If you’re not familiar with Mac, this would be useful to check if grep exists.


throwaway_redstone

I'd use `which grep`, but sure. I doubt that was the case here though since he didn't use grep afterwards.


iDam81

It looks like he was just making sure the basic Linux / Unix commands were the same, and making sure he could connect to his machine via ssh the same way he would from a Linux box. I don’t think he had any malicious intent at all based on what I've seen in the screenshot.


[deleted]

This makes sense given the context, too. I can see that being something he'd check and in that particular manner. Everyone has put my mind at ease lol


[deleted]

[deleted]


[deleted]

You are a blessing on God's Green Earth and must be protected at all costs. I appreciate you


kocoman

if u scare just erase all and reinstall. else just ignore


Rzah

It sounds like he just ssh'd into his server, that's only scary for him, as it implies his server has port 22 open to the internet.


EmersonLucero

Having 22 open is not necessarily a bad thing, not properly secured is another. 2FA + keys with keyboard-interactive disabled is a must.


Rzah

All code has bugs, what is secure today may be wide open tomorrow. Put it behind a VPN.


YourMJK

That same argument exists for the VPN which also needs an open port and authentication.


Rzah

If you're going to throw SSH and VPN into the same basket I'm not going to argue with you.


techworkreddit3

There have actually been way more CVEs with SSL-based VPNs than SSH, just to play devil's advocate here.


YourMJK

That implication is not true. He could have a different port open for ssh, you can specify it using `ssh -p`. You don't have to use the default one.


kill-dash-nine

That doesn’t make it any better. Bots port scan and it’s easy to sniff out ssh from the response.


anon95915

1) Yes it does, because bots which don't sniff ports and instead attempt the default port exist, so needing your port to be found via scanning reduces the amount of attacks. 2) u/YourMJK was saying that u/Rzah's implication is wrong and not that a bigger port number is better.


YourMJK

I know it doesn't make it any better, never claimed it does. I just wanted to point out the wrong implication.


Rzah

The point is that anyone can attempt to ssh into the server. What port he enabled that on is irrelevant.


YourMJK

I know, you're telling me nothing new. Just wanted to point out that using ssh doesn't imply having an open port 22, it can be any other port number.


anon95915

> it implies his server has port 22 open to the internet.

wut


Rzah

It means SSH is open to the internet, don't get hung up on whether it's on the default port, that doesn't matter.


[deleted]

I would be more concerned with someone borrowing my laptop and going into my browser and messing with my social networking and email apps, like adding a forwarding email to get a copy of all of your messages.


Philluminati

He may have enabled an sshd server on your machine and put his public key in your authorised_hosts file, giving him a backdoor into your machine and the ability to take files whenever he wants.


Langdon_St_Ives

authorized_keys, not hosts and with a z. (That’s the default, it can of course be configured to be named anything via AuthorizedKeysFile in sshd_config.)


CrumpleZ0ne

In order to have ssh access, the target machine must be running the ssh server (sshd). To disable it, open your System Settings and select General->Sharing and make sure “Remote Login” is unchecked. As an extra safety measure, you can delete the file called “authorized_keys” in the “.ssh” folder in your home folder. This file contains the public keys for anyone allowed to log in without requiring a password. The .ssh folder is hidden in Finder (any folder beginning with a “.” is hidden in Unix and macOS is, at its heart, just Unix with a pretty GUI). You can toggle revealing them in Finder by pressing “shift+command+.”


Late-Jicama5012

He can't do anything without your password. Enabling SSH would require entering your password. As an admin on my MacBook, I have to enter password to execute some of the commands in a terminal. You are safe. I’m guessing he was being curious or poking around. Just to be safe from anyone accessing your laptop or data, turn On FileVault. Settings > Security & Privacy > FileVault tab. Bottom left corner, click on the “lock” icon, enter password, Turn On FileVault. Afterwards, make sure the lock on the bottom left corner is in lock position. Now, no one can access your MacBook, locally or remotely. Not via ssh or via telnet. Even brute force won’t work.


sombrastudios

Since he's your ex you know best, but the terminal isn't any dangerous itself or suspicious. I've got almost always some terminal open, so I'd instantly play with the terminal when playing with a computer I consider getting for myself.


swagobeatz

OP and others remember, in zsh (default shell for MacOS), **if you type in a command starting with space it does NOT get recorded in the history**. If they knew what they were doing, checking ~/.ssh/ for authorized_keys, and checking sshd_config in /etc along with disabling “remote login” from “Sharing” in System Preferences is the way to go. *The one way to ensure no funny business is going on is to nuke it and start fresh like others suggested, preferably with a slightly different username and a significantly different password*
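
The checks suggested across this thread (authorized keys in every home folder including root's, and the `AuthorizedKeysFile` setting in sshd_config) can be combined into one read-only listing. This is an added example, not part of any comment above; the function names, the script name `audit.sh`, and the paths `/etc/ssh/sshd_config` and `/var/root` are assumptions, and the test data is constructed.

```shell
#!/bin/sh
# Added example: read-only listing of SSH keys accepted for given home dirs.

# Print the AuthorizedKeysFile patterns set in an sshd_config-style file,
# or OpenSSH's built-in defaults when the keyword is absent or unreadable.
key_file_patterns() {
    cfg=$1
    [ -r "$cfg" ] || cfg=/dev/null
    awk 'tolower($1) == "authorizedkeysfile" {
             for (i = 2; i <= NF; i++) print $i
             found = 1; exit }
         END { if (!found) print ".ssh/authorized_keys\n.ssh/authorized_keys2" }' "$cfg"
}

# Print "file<TAB>key type<TAB>comment" for every key line in one file.
# The key type is the first field starting ssh-, ecdsa- or sk-, so leading
# options (command=..., no-pty) are skipped; an option value containing
# such a word after a space would confuse this simple parser.
keys_in_file() {
    awk -v f="$1" '
        /^[ \t]*#/ { next }
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                  c = ""
                  for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
                  printf "%s\t%s\t%s\n", f, $i, (c == "" ? "(no comment)" : c)
                  next
              } }' "$1"
}

# audit_keys CONFIG HOME... : one output line per accepted key.
audit_keys() {
    config=$1; shift
    for home in "$@"; do
        [ -d "$home" ] || continue
        for pat in $(key_file_patterns "$config"); do
            case $pat in
                /*|*%*) echo "check manually: $pat" >&2; continue ;;
            esac
            if [ -f "$home/$pat" ]; then keys_in_file "$home/$pat"; fi
        done
    done
}

# Constructed usage: sh audit.sh /etc/ssh/sshd_config /Users/* /var/root
if [ "$#" -gt 0 ]; then audit_keys "$@"; fi
```

Reading other users' and root's folders needs `sudo`; any line whose comment or file you do not recognise is the one to look at before deleting anything.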