Difference between revisions of "HOWTO Mac OS X Server (10.4)"
(New page: == Assumptions == # You are running 10.4.11 Server, stock system # There are no modifications to Python (still stock) == Procedure == 1. Get the software <pre>cd ~/source curl -O http:/...) |
|||
| Line 6: | Line 6: | ||
== Procedure == | == Procedure == | ||
| − | 1. Get the software | + | === 1. Get the software === |
<pre>cd ~/source | <pre>cd ~/source | ||
curl -O http://superb-east.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.3.tar.bz2</pre> | curl -O http://superb-east.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.3.tar.bz2</pre> | ||
| − | 2. Unpack the software | + | === 2. Unpack the software === |
<pre>tar xvfj fail2ban-0.8.3.tar.bz2</pre> | <pre>tar xvfj fail2ban-0.8.3.tar.bz2</pre> | ||
| − | 3. Install the software | + | === 3. Install the software === |
<pre>cd fail2ban-0.8.3 | <pre>cd fail2ban-0.8.3 | ||
sudo python setup.py install | sudo python setup.py install | ||
| Line 20: | Line 20: | ||
<pre>sudo cp /System/Library/Frameworks/Python.framework/Versions/2.3/bin/fail2* /usr/local/bin</pre> | <pre>sudo cp /System/Library/Frameworks/Python.framework/Versions/2.3/bin/fail2* /usr/local/bin</pre> | ||
| − | 4. Fix an issue with Python 2.3 | + | === 4. Fix an issue with Python 2.3 === |
Apparently in OS X 10.4.x, Apple includes Python 2.3 by default. This causes a problem with the <code>fail2ban</code> script (specifically something called <code>asyncore</code> [http://code.google.com/p/pyftpdlib/issues/detail?id=16]), so we need to make a modification to <code>/usr/share/fail2ban/server/asyncserver.py</code> as root. (I use <code>emacs</code>, but feel free to use what you like) | Apparently in OS X 10.4.x, Apple includes Python 2.3 by default. This causes a problem with the <code>fail2ban</code> script (specifically something called <code>asyncore</code> [http://code.google.com/p/pyftpdlib/issues/detail?id=16]), so we need to make a modification to <code>/usr/share/fail2ban/server/asyncserver.py</code> as root. (I use <code>emacs</code>, but feel free to use what you like) | ||
| Line 30: | Line 30: | ||
<pre>asyncore.loop(timeout=1, use_poll=hasattr(asyncore.select, 'poll'))</pre> | <pre>asyncore.loop(timeout=1, use_poll=hasattr(asyncore.select, 'poll'))</pre> | ||
| − | 5. Make a spot for the log file: | + | === 5. Make a spot for the log file: === |
<pre>sudo touch /var/log/fail2ban.log</pre> | <pre>sudo touch /var/log/fail2ban.log</pre> | ||
| − | 6. Make a little change in the <code>ipfw</code> actions: | + | === 6. Make a little change in the <code>ipfw</code> actions: === |
We need to make a couple of changes in how <code>fail2ban</code> deals with adding rules. | We need to make a couple of changes in how <code>fail2ban</code> deals with adding rules. | ||
| Line 51: | Line 51: | ||
Note I also added rule numbers 200 & 201 so that they'd be higher up in the IPFW food chain. | Note I also added rule numbers 200 & 201 so that they'd be higher up in the IPFW food chain. | ||
| − | 7. Edit the fail2ban configuration files | + | === 7. Edit the fail2ban configuration files === |
Here's where you need to tell the program what you want to do. You can read all about this on the <code>fail2ban</code> wiki [http://www.fail2ban.org/wiki/index.php]. I'm only focusing on using ssh & tcpwrappers. | Here's where you need to tell the program what you want to do. You can read all about this on the <code>fail2ban</code> wiki [http://www.fail2ban.org/wiki/index.php]. I'm only focusing on using ssh & tcpwrappers. | ||
| Line 65: | Line 65: | ||
</pre> | </pre> | ||
| − | 8. Edit the fail2ban regex file for sshd | + | === 8. Edit the fail2ban regex file for sshd === |
In Mac OS X, when <code>sshd</code> logs a possible break-in attempt, it notes it in <code>/var/log/secure.log</code> with the phrase <b>POSSIBLE BREAK-IN ATTEMPT!</b> Note the exclamation point, and compare <code>/etc/fail2ban/filter.d/sshd.conf</code>. Their line doesn't have an exclamation point, and thus won't catch those notes. We'll fix that here. | In Mac OS X, when <code>sshd</code> logs a possible break-in attempt, it notes it in <code>/var/log/secure.log</code> with the phrase <b>POSSIBLE BREAK-IN ATTEMPT!</b> Note the exclamation point, and compare <code>/etc/fail2ban/filter.d/sshd.conf</code>. Their line doesn't have an exclamation point, and thus won't catch those notes. We'll fix that here. | ||
| Line 77: | Line 77: | ||
<pre>^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$</pre> | <pre>^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$</pre> | ||
| − | 9. Add a startup file | + | === 9. Add a startup file === |
Someone has provided a nice startup file for Mac OS X, but it needs a little editing. | Someone has provided a nice startup file for Mac OS X, but it needs a little editing. | ||
| Line 89: | Line 89: | ||
In the editor, get rid of the first two lines, such that the file begins with '<?xml ...' | In the editor, get rid of the first two lines, such that the file begins with '<?xml ...' | ||
| − | 10. Start 'er up! | + | === 10. Start 'er up! === |
<pre>sudo /usr/local/bin/fail2ban-client start</pre> | <pre>sudo /usr/local/bin/fail2ban-client start</pre> | ||
| Line 98: | Line 98: | ||
Enjoy! | Enjoy! | ||
| + | |||
| + | ==See also== | ||
| + | #http://www.fail2ban.org/wiki/index.php/Main_Page | ||
| + | #http://code.google.com/p/pyftpdlib/issues/detail?id=16 | ||
| + | #http://www.infosecwriters.com/text_resources/pdf/securing-mac-os-x-tiger.pdf | ||
Revision as of 03:03, 26 October 2008
Assumptions
- You are running 10.4.11 Server, stock system
- There are no modifications to Python (still stock)
Procedure
1. Get the software
cd ~/source curl -O http://superb-east.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.3.tar.bz2
2. Unpack the software
tar xvfj fail2ban-0.8.3.tar.bz2
3. Install the software
cd fail2ban-0.8.3 sudo python setup.py install
The default install doesn't put the files in the correct spots, so we need to move them:
sudo cp /System/Library/Frameworks/Python.framework/Versions/2.3/bin/fail2* /usr/local/bin
4. Fix an issue with Python 2.3
Apparently in OS X 10.4.x, Apple includes Python 2.3 by default. This causes a problem with the fail2ban script (specifically something called asyncore [1]), so we need to make a modification to /usr/share/fail2ban/server/asyncserver.py as root. (I use emacs, but feel free to use what you like)
sudo emacs /usr/share/fail2ban/server/asyncserver.py
Change line 135 from this:
asyncore.loop(use_poll = True)
To this:
asyncore.loop(timeout=1, use_poll=hasattr(asyncore.select, 'poll'))
5. Make a spot for the log file:
sudo touch /var/log/fail2ban.log
6. Make a little change in the ipfw actions:
We need to make a couple of changes in how fail2ban deals with adding rules.
I have two ethernet cards (one public-facing, the other private), and I want to lock down both avenues when needed, so we need to edit the ipfw.conf file:
sudo emacs /etc/fail2ban/action.d/ipfw.conf
and change:
actionban = ipfw add deny tcp from <ip> to <localhost> <port>
to this:
actionban = ipfw add 200 deny tcp from <ip> to your-public-addy-here <port>
ipfw add 201 deny tcp from <ip> to your-private-addy-here <port>
Note I also added rule numbers 200 & 201 so that they'd be higher up in the IPFW food chain.
7. Edit the fail2ban configuration files
Here's where you need to tell the program what you want to do. You can read all about this on the fail2ban wiki [2]. I'm only focusing on using ssh & tcpwrappers.
sudo emacs /etc/fail2ban/jail.conf
In the section marked [ssh-ipfw], you'll want to make it look like so:
enabled = true filter = sshd action = ipfw logpath = /var/log/secure.log
8. Edit the fail2ban regex file for sshd
In Mac OS X, when sshd logs a possible break-in attempt, it notes it in /var/log/secure.log with the phrase POSSIBLE BREAK-IN ATTEMPT! Note the exclamation point, and compare /etc/fail2ban/filter.d/sshd.conf. Their line doesn't have an exclamation point, and thus won't catch those notes. We'll fix that here.
sudo emacs /etc/fail2ban/filter.d/sshd.conf
and change:
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
to this:
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$
9. Add a startup file
Someone has provided a nice startup file for Mac OS X, but it needs a little editing.
cd ~/source/fail2ban-0.8.3/files sudo cp macosx-initd /System/Library/LaunchDeamons/org.fail2ban.plist sudo emacs /System/Library/LaunchDeamons/org.fail2ban.plist
In the editor, get rid of the first two lines, such that the file begins with '<?xml ...'
10. Start 'er up!
sudo /usr/local/bin/fail2ban-client start
You should see some informational text appear, then your prompt will return to you. You can verify that things are running smoothly with a look at the log file (/var/log/fail2ban.log).
Now, there may have been much simpler ways to accomplish this, but it works, and I'm happy. This was the result of an afternoon of experimentation, so it's probably rough around the edges. Hopefully it'll help someone else.
Enjoy!
