HOWTO Mac OS X Server (10.5)
For the history of this with 10.4 see HOWTO Mac OS X Server (10.4)
That page was copied to this one and modified. It is not at all clear whether these instructions will work on 10.5.7. This is unfinished. Update: It works on 10.6.0.
Assumptions
- You are running 10.5.7 (or 10.6)
- There are no modifications to Python (still stock)
Procedure
1. Get the software
Download the latest version from the fail2ban SourceForge project. As of this writing, this is equivalent to doing this:
cd ~/source curl -O http://softlayer.dl.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.3/fail2ban-0.8.3.tar.bz2
2. Unpack the software
tar xvfj fail2ban-0.8.3.tar.bz2
3. Install the software
cd fail2ban-0.8.3 sudo python setup.py install
4. Make a spot for the log file
sudo touch /var/log/fail2ban.log
5. Edit the fail2ban configuration files
Here's where you need to tell the program what you want to do.
You can read all about this on the fail2ban wiki [1].
I'm only focusing on using ssh & ipfw.
sudo emacs /etc/fail2ban/jail.conf
In the section marked [ssh-ipfw], you'll want to make it look like so:
enabled = true filter = sshd action = ipfw logpath = /var/log/secure.log
(Note! In /var/log/secure.log all events related to keyboard-interactive logins can be found. However, if you want to detect failed attempts on for example a ssh-daemon running on another port only allowing rsa-authentication (useful if you want to port forward through your NAT-router), some extra tweaking is required. By adding
*.info /var/log/ssh_info.log
to
/etc/syslog.conf
you can gather IP-address and connection attempts from this file instead. )
6. Make a little change in the ipfw actions if you have two IP addresses
We need to make a couple of changes in how fail2ban deals with adding rules.
I have two ethernet cards (one public-facing, the other private),
and I want to lock down both avenues when needed,
so we need to edit the ipfw.conf file:
sudo emacs /etc/fail2ban/action.d/ipfw.conf
and change:
actionban = ipfw add deny tcp from <ip> to <localhost> <port>
to this:
actionban = ipfw add 200 deny tcp from <ip> to your-public-addy-here <port>
ipfw add 201 deny tcp from <ip> to your-private-addy-here <port>
Obviously, you'll want to replace your specific IP addresses in the dummy placeholders above.
If you only have one IP address, you could have left the <localhost> tag in place
(just make sure you've got <localhost> defined in /etc/fail2ban/action.d/ipfw.conf.)
(Note: I also added rule numbers 200 & 201 so that they'd be higher up in the IPFW food chain. This should be done whether or note you have two IP addresses)
Further enhancement
While the above actionban does block unwanted addresses from specific ports it suffers from defining all the banned address on a single rule number with a specific port. When the unban command is issued for the first blocked address it will remove the entire rule set with that number (in the above case rules 200 and 201) including any addresses that were banned after the first one. This is not desirable since any of the addresses added between the first ban and it's corresponding unban will now be allowed by the firewall and only logged as already banned by fail2ban (until their ban time is up or fail2ban is reloaded).
A solution to this problem is to use the following:
actionban = t=150
while [ `ipfw list |grep -ic 00$t | awk '{print $1;}'` != '0' ]
do ((++t))
done
ipfw add $t deny tcp from <ip> to any
This will search and use the first available rule number starting at 150. When it is time to unban an address, only the one rule is removed thus preserving the other banned addresses.
Some attackers will cycle through the ports while using the same IP address. By changing to your-private-addy-here <port> to to any in the ipfw add rule the firewall will block all bad traffic on this server, not just a specific port. If you still need to specify your server's IP address just leave off the <port> so it blocks all the traffic.
(Note: This method works until the counter reaches 1000 at witch time wanted rules may be deleted. If you have a large number of banned addresses you may want to consider permanently banning some of them.
--Td 18:33, 3 February 2010 (UTC)
Using afctl
Instead of using ipfw directly, you may wish to use the built-in afctl function, which handles all the ipfw junk for you.
Using afctl requires that you create a new file in the action.d directory. Call it afctl.conf and give it the following contents:
# Fail2Ban configuration file for using afctl on Mac OS X Server 10.5 [Definition] actionstart = actionstop = actioncheck = actionban = /usr/libexec/afctl -a <ip> -t 2880 actionunban = /usr/libexec/afctl -r <ip> [Init] localhost = 127.0.0.1
If you want fail2ban to manage host unbans, set the actionban -t value to a value (in minutes) that is longer than the bantime value in jail.conf (which is in seconds, so don't get confused). If you want afctl to manage unbans, set the actionban -t value to whatever you want the bantime to be, and clear the actionunban.
Now, in the jail.conf file, create sections for the desired services.
[ssh-afctl] enabled = true filter = sshd action = afctl logpath = /var/log/secure.log [ftp-afctl] enabled = true filter = 10.5-ftp action = afctl ogpath = /var/log/secure.log [pop3-afctl] enabled = true filter = 10.5-pop3 action = afctl logpath = /var/log/system.log [pop3s-afctl] enabled = true filter = 10.5-pop3s action = afctl logpath = /var/log/system.log [imap-afctl] enabled = true filter = 10.5-imap action = afctl logpath = /var/log/system.log [imaps-afctl] enabled = true filter = 10.5-imaps action = afctl logpath = /var/log/system.log
The default ssh filter works fine for Mac OS X Server 10.5, but if you want fail2ban to monitor ftp, pop, and imap connections per the configuration above, you need to create the following files in the filter.d directory:
10.5-ftp.conf
# Fail2Ban configuration file for FTP service on Mac OS X Server 10.5 #[INCLUDES] before = common.conf [Definition] _daemon = ftpd failregex = ^%(__prefix_line)sFailed authentication from: .* \[<HOST>\] ignoreregex =
10.5-imap.conf
# Fail2Ban configuration file for IMAP service on Mac OS X Server 10.5 [INCLUDES] before = common.conf [Definition] _daemon = imap failregex = ^%(__prefix_line)sbadlogin from: \[<HOST>\] ignoreregex =
10.5-imaps.conf
# Fail2Ban configuration file for IMAPS service on Mac OS X Server 10.5 [INCLUDES] before = common.conf [Definition] _daemon = imaps failregex = ^%(__prefix_line)sbadlogin from: \[<HOST>\] ignoreregex =
10.5-pop3.conf
# Fail2Ban configuration file for POP3 service on Mac OS X Server 10.5
[INCLUDES]
before = common.conf
[Definition]
_daemon = pop3
failregex = ^%(__prefix_line)sbadlogin: .* \[<HOST>\]
^%(__prefix_line)sbadlogin: \[<HOST>\]
ignoreregex =
10.5-pop3s.conf
# Fail2Ban configuration file for POP3S service on Mac OS X Server 10.5
[INCLUDES]
before = common.conf
[Definition]
_daemon = pop3s
failregex = ^%(__prefix_line)sbadlogin: .* \[<HOST>\]
^%(__prefix_line)sbadlogin: \[<HOST>\]
ignoreregex =
8. Add a startup file
Someone has provided a nice startup file for Mac OS X, but it needs a little editing.
cd ~/source/fail2ban-0.8.3/files sudo cp macosx-initd /Library/LaunchDaemons/org.fail2ban.plist sudo emacs /Library/LaunchDaemons/org.fail2ban.plist
In the editor, get rid of the first two lines, such that the file begins with <?xml ...
You must also modify the /etc/fail2ban/fail2ban.conf Change: socket = /var/run/fail2ban/fail2ban.sock To: socket = /var/run/fail2ban.sock
9. Start it up
sudo /usr/local/bin/fail2ban-client start
You should see some informational text appear, then your prompt will return to you. You can verify that things are running smoothly with
sudo cat /var/log/fail2ban.log
