Difference between revisions of "HOWTO Mac OS X Server (10.4)"
Revision as of 03:33, 26 October 2008
So, I had an afternoon to work on this, and I got a successful install. I was sad to find there was so little documentation from other people using Mac OS X Server, so I decided to write up what I did. This worked for me, and it'll probably work for you, but as always, YMMV.
Now, there may have been much simpler ways to accomplish this, and I'm sure it's a little rough around the edges, but it works, and I'm happy. Hopefully it'll help someone else.
Enjoy!
Assumptions
- You are running 10.4.11 Server, stock system
- There are no modifications to Python (still stock)
Procedure
1. Get the software
cd ~/source
curl -O http://superb-east.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.3.tar.bz2
2. Unpack the software
tar xvfj fail2ban-0.8.3.tar.bz2
3. Install the software
cd fail2ban-0.8.3
sudo python setup.py install
The default install doesn't put the files in the correct spots, so we need to move them:
sudo cp /System/Library/Frameworks/Python.framework/Versions/2.3/bin/fail2* /usr/local/bin
4. Fix an issue with Python 2.3
Apparently in OS X 10.4.x, Apple includes Python 2.3 by default. This causes a problem with the fail2ban script (specifically something called asyncore [1]), so we need to make a modification to /usr/share/fail2ban/server/asyncserver.py as root. (I use emacs, but feel free to use what you like.)
sudo emacs /usr/share/fail2ban/server/asyncserver.py
Change line 135 from this:
asyncore.loop(use_poll = True)
To this:
asyncore.loop(timeout=1, use_poll=hasattr(asyncore.select, 'poll'))
5. Make a spot for the log file
sudo touch /var/log/fail2ban.log
6. Edit the fail2ban configuration files
Here's where you need to tell the program what you want to do. You can read all about this on the fail2ban wiki (http://www.fail2ban.org/wiki/index.php). I'm only focusing on using ssh & ipfw.
sudo emacs /etc/fail2ban/jail.conf
In the section marked [ssh-ipfw], you'll want to make it look like so:
[ssh-ipfw]
enabled = true
filter = sshd
action = ipfw
logpath = /var/log/secure.log
7. Make a little change in the ipfw actions
We need to make a couple of changes in how fail2ban deals with adding rules.
I have two ethernet cards (one public-facing, the other private), and I want to lock down both avenues when needed, so we need to edit the ipfw.conf file:
sudo emacs /etc/fail2ban/action.d/ipfw.conf
and change:
actionban = ipfw add deny tcp from <ip> to <localhost> <port>
to this:
actionban = ipfw add 200 deny tcp from <ip> to your-public-addy-here <port>
            ipfw add 201 deny tcp from <ip> to your-private-addy-here <port>
Obviously, you'll want to replace the dummy placeholders above with your own IP addresses. If you only have one IP address, you can leave the <localhost> tag in place (just make sure you've got <localhost> defined in /etc/fail2ban/action.d/ipfw.conf, otherwise the tag is never expanded and the ipfw command fail2ban runs will be malformed).
(Note: I also added rule numbers 200 & 201 so that they'd be higher up in the IPFW food chain.)
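Added example (not part of the original HOWTO, and not fail2ban's own code): a small Python imitation of how fail2ban expands the <ip>, <port> and <localhost> tags in an actionban line into the ipfw commands it runs, plus a check for tags that were never defined. The substitution logic, the 203.0.113.5 / 10.0.0.5 addresses standing in for the "your-*-addy-here" placeholders, and the ban-time tag values are all assumptions made for this example; it lets you preview the exact ipfw rules a ban would add before trusting the configuration.

```python
import re

# Tags look like <name>; fail2ban fills them in from the action config and the
# ban event. This regex and the functions below are an imitation written for
# this example, not fail2ban's own implementation.
TAG_RE = re.compile(r"<([A-Za-z_][A-Za-z0-9_]*)>")


def render_action(template, tags):
    """Expand <tag> placeholders in an actionban template and return one
    shell command per list entry (the template may span several lines)."""
    def substitute(m):
        # Unknown tags are left in place so that a mistake stays visible.
        return tags.get(m.group(1), m.group(0))
    expanded = TAG_RE.sub(substitute, template)
    return [line.strip() for line in expanded.splitlines() if line.strip()]


def unresolved_tags(commands):
    """List tags that survived substitution; a non-empty result means the
    rendered ipfw command would be malformed."""
    found = []
    for cmd in commands:
        found.extend(TAG_RE.findall(cmd))
    return found


# The stock action line from action.d/ipfw.conf, as quoted in the HOWTO.
STOCK_ACTIONBAN = "ipfw add deny tcp from <ip> to <localhost> <port>"

# The two-interface variant from the HOWTO; the addresses are constructed
# stand-ins for the "your-public-addy-here" / "your-private-addy-here" text.
TWO_NIC_ACTIONBAN = (
    "ipfw add 200 deny tcp from <ip> to 203.0.113.5 <port>\n"
    "ipfw add 201 deny tcp from <ip> to 10.0.0.5 <port>"
)

# Tags supplied at ban time (values constructed for this example).
BAN_TAGS = {"ip": "192.0.2.10", "port": "ssh"}


def demo():
    """Render the three configurations discussed above and return the commands."""
    # <localhost> not defined in the action config: the tag leaks into the command.
    broken = render_action(STOCK_ACTIONBAN, BAN_TAGS)
    # <localhost> defined in ipfw.conf: a clean command.
    fixed = render_action(STOCK_ACTIONBAN, dict(BAN_TAGS, localhost="203.0.113.5"))
    # Two explicit rules, one per interface, as in the HOWTO.
    two_nic = render_action(TWO_NIC_ACTIONBAN, BAN_TAGS)
    return broken, fixed, two_nic


if __name__ == "__main__":
    labels = ("stock, <localhost> undefined", "stock, <localhost> defined", "two interfaces")
    for label, cmds in zip(labels, demo()):
        print(label)
        for cmd in cmds:
            print("   ", cmd)
        print("    unresolved tags:", unresolved_tags(cmds))
```

Running it prints the rendered rules for each case; only the first case reports an unresolved <localhost> tag, which is exactly the mistake the note above warns about.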
8. Edit the fail2ban regex file for sshd
In Mac OS X, when sshd logs a possible break-in attempt, it notes it in /var/log/secure.log with the phrase POSSIBLE BREAK-IN ATTEMPT! Note the exclamation point, and compare /etc/fail2ban/filter.d/sshd.conf. Their line doesn't have an exclamation point, and thus won't catch those notes. We'll fix that here.
sudo emacs /etc/fail2ban/filter.d/sshd.conf
and change:
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
to this:
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$
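Added example (not part of the original HOWTO): a Python check that runs both versions of the failregex over a few constructed secure.log lines, so you can see that the stock pattern matches nothing on Mac OS X while the corrected one picks up the offending addresses. The PREFIX_LINE and HOST regexes are simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST> expansions (assumptions for this example, not fail2ban's definitions), and the host name, PIDs and addresses in the log lines are made up.

```python
import re

# Constructed sample lines in the shape OpenSSH writes to /var/log/secure.log on
# Mac OS X 10.4 (host name, PIDs and addresses invented for this example).
SAMPLE_LOG = """\
Oct 26 03:31:07 myserver sshd[4121]: Address 192.0.2.10 maps to bad.example.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 03:31:09 myserver sshd[4121]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Oct 26 03:32:44 myserver sshd[4133]: Address 198.51.100.7 maps to other.example.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 03:33:01 myserver sshd[4140]: Accepted publickey for alice from 203.0.113.5 port 40110 ssh2
"""

# Assumption: simplified stand-in for fail2ban's %(__prefix_line)s, which eats
# the syslog timestamp, host name and "sshd[pid]: " prefix.
PREFIX_LINE = r"^\S+ +\d+ +\d+:\d+:\d+ \S+ sshd\[\d+\]: "
# Assumption: simplified stand-in for fail2ban's <HOST> tag, which becomes a
# named group called "host" when the filter is loaded.
HOST = r"(?P<host>\S+)"

# The line shipped in filter.d/sshd.conf (no "!") and the corrected line,
# with the two tags expanded.
STOCK_REGEX = re.compile(PREFIX_LINE + r"Address " + HOST + r" .* POSSIBLE BREAK-IN ATTEMPT\s*$")
FIXED_REGEX = re.compile(PREFIX_LINE + r"Address " + HOST + r" .* POSSIBLE BREAK-IN ATTEMPT!\s*$")


def matching_hosts(regex, log_text):
    """Return the hosts, in log order, whose lines the given failregex counts as failures."""
    hosts = []
    for line in log_text.splitlines():
        m = regex.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    print("stock regex catches:", matching_hosts(STOCK_REGEX, SAMPLE_LOG))
    print("fixed regex catches:", matching_hosts(FIXED_REGEX, SAMPLE_LOG))
```

The stock pattern requires the line to end right after "ATTEMPT" (optionally followed by whitespace), so the trailing "!" that Mac OS X's sshd writes makes every such line slip through; the corrected pattern returns both offending addresses.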
9. Add a startup file
Someone has provided a nice startup file for Mac OS X, but it needs a little editing.
cd ~/source/fail2ban-0.8.3/files
sudo cp macosx-initd /System/Library/LaunchDaemons/org.fail2ban.plist
sudo emacs /System/Library/LaunchDaemons/org.fail2ban.plist
In the editor, get rid of the first two lines, so that the file begins with <?xml ...
10. Start it up
sudo /usr/local/bin/fail2ban-client start
You should see some informational text appear, then your prompt will return to you. You can verify that things are running smoothly with a look at the log file (/var/log/fail2ban.log).