Difference between revisions of "HOWTO Mac OS X Server (10.4)"
(→1. Get the software: update the download link)
Revision as of 08:29, 5 August 2009
So, I had an afternoon to work on this, and I got a successful install. I was sad to find there was so little documentation from other people using Mac OS X Server, so I decided to write up what I did. This worked for me, and it'll probably work for you, but as always, YMMV.
Now, there may have been much simpler ways to accomplish this, and I'm sure it's a little rough around the edges, but it works, and I'm happy. Hopefully it'll help someone else.
Enjoy!
Assumptions
- You are running 10.4.11 Server, stock system
- There are no modifications to Python (still stock)
Procedure
1. Get the software
Download the latest version from the fail2ban SourceForge project. As of this writing, this is equivalent to doing this:
cd ~/source
curl -O http://softlayer.dl.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.3/fail2ban-0.8.3.tar.bz2
2. Unpack the software
tar xvfj fail2ban-0.8.3.tar.bz2
3. Install the software
cd fail2ban-0.8.3
sudo python setup.py install
The default install doesn't put the files in the correct spots, so we need to move them:
sudo cp /System/Library/Frameworks/Python.framework/Versions/2.3/bin/fail2* /usr/local/bin
4. Fix an issue with Python 2.3
Apparently in OS X 10.4.x, Apple includes Python 2.3 by default. This causes a problem with the fail2ban script (specifically something called asyncore [1]), so we need to make a modification to /usr/share/fail2ban/server/asyncserver.py as root. (I use emacs, but feel free to use what you like.)
sudo emacs /usr/share/fail2ban/server/asyncserver.py
Change line 135 from this:
asyncore.loop(use_poll = True)
To this:
asyncore.loop(timeout=1, use_poll=hasattr(asyncore.select, 'poll'))
5. Make a spot for the log file
sudo touch /var/log/fail2ban.log
6. Edit the fail2ban configuration files
Here's where you need to tell the program what you want to do. You can read all about this on the fail2ban wiki [2]. I'm only focusing on using ssh & ipfw.
sudo emacs /etc/fail2ban/jail.conf
In the section marked [ssh-ipfw], you'll want to make it look like so:
enabled = true
filter = sshd
action = ipfw
logpath = /var/log/secure.log
7. Make a little change in the ipfw actions
We need to make a couple of changes in how fail2ban deals with adding rules.
I have two ethernet cards (one public-facing, the other private), and I want to lock down both avenues when needed, so we need to edit the ipfw.conf file:
sudo emacs /etc/fail2ban/action.d/ipfw.conf
and change:
actionban = ipfw add deny tcp from <ip> to <localhost> <port>
to this:
actionban = ipfw add 200 deny tcp from <ip> to your-public-addy-here <port>
            ipfw add 201 deny tcp from <ip> to your-private-addy-here <port>
Obviously, you'll want to replace the dummy placeholders above with your specific IP addresses. If you only have one IP address, you could have left the <localhost> tag in place (just make sure you've got <localhost> defined in /etc/fail2ban/action.d/ipfw.conf).
(Note: I also added rule numbers 200 & 201 so that they'd be higher up in the IPFW food chain.)
8. Edit the fail2ban regex file for sshd
In Mac OS X, when sshd logs a possible break-in attempt, it notes it in /var/log/secure.log with the phrase POSSIBLE BREAK-IN ATTEMPT! Note the exclamation point, and compare /etc/fail2ban/filter.d/sshd.conf. Their line doesn't have an exclamation point, and thus won't catch those notes. We'll fix that here.
sudo emacs /etc/fail2ban/filter.d/sshd.conf
and change:
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
to this:
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$
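To see why the missing exclamation point matters, here is an added example (not part of the original HOWTO or of fail2ban itself) that runs the stock and the corrected failregex over constructed secure.log lines. It assumes a simplified stand-in for fail2ban's %(__prefix_line)s and expands the <HOST> tag to a named group, which is what fail2ban 0.8.x does internally; real fail2ban also strips the timestamp via its date detector, which is skipped here.

```python
import re

# Simplified stand-in for %(__prefix_line)s (an assumption for this example, not
# copied from common.conf): syslog timestamp, hostname, then "sshd[pid]: ".
PREFIX_LINE = r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
# fail2ban expands the <HOST> tag to a named group; simplified form assumed here.
HOST_TAG = r"(?P<host>\S+)"

# The stock filter line (no "!") and the corrected one from step 8.
STOCK_FAILREGEX = r"Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$"
FIXED_FAILREGEX = r"Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$"


def compile_failregex(failregex):
    """Build the full pattern the way fail2ban does: prefix + failregex with <HOST> expanded."""
    return re.compile(PREFIX_LINE + failregex.replace("<HOST>", HOST_TAG))


def matched_hosts(failregex, lines):
    """Return the <HOST> values this failregex would hand to the ban action."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


# Constructed sample lines in the Mac OS X /var/log/secure.log style.
# 192.0.2.0/24 is documentation address space; nothing here is a real host.
SAMPLE_LOG = [
    "Aug  5 08:29:01 server sshd[4242]: Address 192.0.2.10 maps to bad.example, "
    "but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "Aug  5 08:29:02 server sshd[4243]: Accepted publickey for admin from 192.0.2.20 port 51234 ssh2",
    "Aug  5 08:29:03 server sshd[4244]: Address 192.0.2.30 maps to other.example, "
    "but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
]

if __name__ == "__main__":
    # Stock regex: the trailing "!" stops "\s*$" from matching, so nothing is caught.
    print("stock:", matched_hosts(STOCK_FAILREGEX, SAMPLE_LOG))   # []
    # Fixed regex: both break-in lines yield a host; the successful login does not.
    print("fixed:", matched_hosts(FIXED_FAILREGEX, SAMPLE_LOG))   # ['192.0.2.10', '192.0.2.30']
```

The same harness is handy for checking any other failregex edit against a few lines copied from your own secure.log before you restart fail2ban.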
9. Add a startup file
Someone has provided a nice startup file for Mac OS X, but it needs a little editing.
cd ~/source/fail2ban-0.8.3/files
sudo cp macosx-initd /System/Library/LaunchDaemons/org.fail2ban.plist
sudo emacs /System/Library/LaunchDaemons/org.fail2ban.plist
In the editor, get rid of the first two lines, such that the file begins with <?xml ...
10. Start it up
sudo /usr/local/bin/fail2ban-client start
You should see some informational text appear, then your prompt will return to you. You can verify that things are running smoothly with a look at the log file (/var/log/fail2ban.log).