Difference between revisions of "HOWTO Mac OS X Server (10.5)"

For the history of this with 10.4 see HOWTO Mac OS X Server (10.4)

That page was copied to this one and modified. It is not at all clear whether these instructions will work on 10.5.7. This is unfinished. Update: It works on 10.6.0.

Assumptions

1. You are running 10.5.7 (or 10.6)
2. There are no modifications to Python (still stock)

Procedure

1. Get the software

Download the latest version from the fail2ban SourceForge project. As of this writing, this is equivalent to doing this:

cd ~/source
curl -O http://softlayer.dl.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.3/fail2ban-0.8.3.tar.bz2

2. Unpack the software

tar xvfj fail2ban-0.8.3.tar.bz2

3. Install the software

cd fail2ban-0.8.3
sudo python setup.py install

4. Make a spot for the log file

sudo touch /var/log/fail2ban.log

5. Edit the fail2ban configuration files

Here's where you need to tell the program what you want to do. You can read all about this on the fail2ban wiki [1]. I'm only focusing on using ssh & ipfw.

sudo emacs /etc/fail2ban/jail.conf

In the section marked [ssh-ipfw], you'll want to make it look like so:

enabled  = true
filter   = sshd
action   = ipfw
logpath  = /var/log/secure.log

(Note! In /var/log/secure.log all events related to keyboard-interactive logins can be found. However, if you want to detect failed attempts on for example a ssh-daemon running on another port only allowing rsa-authentication (useful if you want to port forward through your NAT-router), some extra tweaking is required. By adding

*.info /var/log/ssh_info.log

to

/etc/syslog.conf

you can gather IP-address and connection attempts from this file instead. )

6. Make a little change in the ipfw actions if you have two IP addresses

We need to make a couple of changes in how fail2ban deals with adding rules.

I have two ethernet cards (one public-facing, the other private), and I want to lock down both avenues when needed, so we need to edit the ipfw.conf file:

sudo emacs /etc/fail2ban/action.d/ipfw.conf

and change:

actionban = ipfw add deny tcp from <ip> to <localhost> <port>

to this:

actionban = ipfw add 200 deny tcp from <ip> to your-public-addy-here <port>
            ipfw add 201 deny tcp from <ip> to your-private-addy-here <port>

Obviously, you'll want to replace your specific IP addresses in the dummy placeholders above. If you only have one IP address, you could have left the <localhost> tag in place (just make sure you've got <localhost> defined in /etc/fail2ban/action.d/ipfw.conf.)

(Note: I also added rule numbers 200 & 201 so that they'd be higher up in the IPFW food chain. This should be done whether or note you have two IP addresses)

Further enhancement

While the above actionban does block unwanted addresses from specific ports it suffers from defining all the banned address on a single rule number with a specific port. When the unban command is issued for the first blocked address it will remove the entire rule set with that number (in the above case rules 200 and 201) including any addresses that were banned after the first one. This is not desirable since any of the addresses added between the first ban and it's corresponding unban will now be allowed by the firewall and only logged as already banned by fail2ban (until their ban time is up or fail2ban is reloaded).

A solution to this problem is to use the following:

actionban = t=150
 while [ `ipfw list |grep -ic 00$t | awk '{print $1;}'` != '0' ] 
 do ((++t)) 
 done 
 ipfw add $t deny tcp from <ip> to any

This will search and use the first available rule number starting at 150. When it is time to unban an address, only the one rule is removed thus preserving the other banned addresses.

Some attackers will cycle through the ports while using the same IP address. By changing to your-private-addy-here <port> to to any in the ipfw add rule the firewall will block all bad traffic on this server, not just a specific port. If you still need to specify your server's IP address just leave off the <port> so it blocks all the traffic.

(Note: This method works until the counter reaches 1000 at witch time wanted rules may be deleted. If you have a large number of banned addresses you may want to consider permanently banning some of them.

--Td 18:33, 3 February 2010 (UTC)

7. Edit the fail2ban regex file for sshd

In Mac OS X, when sshd logs a possible break-in attempt, it notes it in /var/log/secure.log with the phrase POSSIBLE BREAK-IN ATTEMPT! Note the exclamation point, and compare /etc/fail2ban/filter.d/sshd.conf. Their line doesn't have an exclamation point, and thus won't catch those notes. We'll fix that here.

sudo emacs /etc/fail2ban/filter.d/sshd.conf

and change:

^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$

to this:

^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$

8. Add a startup file

Someone has provided a nice startup file for Mac OS X, but it needs a little editing.

cd ~/source/fail2ban-0.8.3/files
sudo cp macosx-initd /Library/LaunchDaemons/org.fail2ban.plist
sudo emacs /Library/LaunchDaemons/org.fail2ban.plist

In the editor, get rid of the first two lines, such that the file begins with <?xml ...

You must also modify the /etc/fail2ban/fail2ban.conf Change: socket = /var/run/fail2ban/fail2ban.sock To: socket = /var/run/fail2ban.sock

9. Start it up

sudo /usr/local/bin/fail2ban-client start

You should see some informational text appear, then your prompt will return to you. You can verify that things are running smoothly with

sudo cat /var/log/fail2ban.log

See also

1. http://www.fail2ban.org/wiki/index.php/Main_Page
2. http://code.google.com/p/pyftpdlib/issues/detail?id=16
3. http://www.infosecwriters.com/text_resources/pdf/securing-mac-os-x-tiger.pdf