HOWTO Mac OS X Server (10.4)
Assumptions
- You are running 10.4.11 Server, stock system
- There are no modifications to Python (still stock)
Procedure
1. Get the software
cd ~/source curl -O http://superb-east.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.3.tar.bz2
2. Unpack the software
tar xvfj fail2ban-0.8.3.tar.bz2
3. Install the software
cd fail2ban-0.8.3 sudo python setup.py install
The default install doesn't put the files in the correct spots, so we need to move them:
sudo cp /System/Library/Frameworks/Python.framework/Versions/2.3/bin/fail2* /usr/local/bin
4. Fix an issue with Python 2.3
Apparently in OS X 10.4.x, Apple includes Python 2.3 by default. This causes a problem with the fail2ban script (specifically something called asyncore [1]), so we need to make a modification to /usr/share/fail2ban/server/asyncserver.py as root. (I use emacs, but feel free to use what you like)
sudo emacs /usr/share/fail2ban/server/asyncserver.py
Change line 135 from this:
asyncore.loop(use_poll = True)
To this:
asyncore.loop(timeout=1, use_poll=hasattr(asyncore.select, 'poll'))
5. Make a spot for the log file:
sudo touch /var/log/fail2ban.log
6. Make a little change in the ipfw actions:
We need to make a couple of changes in how fail2ban deals with adding rules.
I have two ethernet cards (one public-facing, the other private), and I want to lock down both avenues when needed, so we need to edit the ipfw.conf file:
sudo emacs /etc/fail2ban/action.d/ipfw.conf
and change:
actionban = ipfw add deny tcp from <ip> to <localhost> <port>
to this:
actionban = ipfw add 200 deny tcp from <ip> to your-public-addy-here <port>
ipfw add 201 deny tcp from <ip> to your-private-addy-here <port>
Note I also added rule numbers 200 & 201 so that they'd be higher up in the IPFW food chain.
7. Edit the fail2ban configuration files
Here's where you need to tell the program what you want to do. You can read all about this on the fail2ban wiki [2]. I'm only focusing on using ssh & tcpwrappers.
sudo emacs /etc/fail2ban/jail.conf
In the section marked [ssh-ipfw], you'll want to make it look like so:
enabled = true filter = sshd action = ipfw logpath = /var/log/secure.log
8. Edit the fail2ban regex file for sshd
In Mac OS X, when sshd logs a possible break-in attempt, it notes it in /var/log/secure.log with the phrase POSSIBLE BREAK-IN ATTEMPT! Note the exclamation point, and compare /etc/fail2ban/filter.d/sshd.conf. Their line doesn't have an exclamation point, and thus won't catch those notes. We'll fix that here.
sudo emacs /etc/fail2ban/filter.d/sshd.conf
and change:
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
to this:
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$
9. Add a startup file
Someone has provided a nice startup file for Mac OS X, but it needs a little editing.
cd ~/source/fail2ban-0.8.3/files sudo cp macosx-initd /System/Library/LaunchDeamons/org.fail2ban.plist sudo emacs /System/Library/LaunchDeamons/org.fail2ban.plist
In the editor, get rid of the first two lines, such that the file begins with '<?xml ...'
10. Start 'er up!
sudo /usr/local/bin/fail2ban-client start
You should see some informational text appear, then your prompt will return to you. You can verify that things are running smoothly with a look at the log file (/var/log/fail2ban.log).
Now, there may have been much simpler ways to accomplish this, but it works, and I'm happy. This was the result of an afternoon of experimentation, so it's probably rough around the edges. Hopefully it'll help someone else.
Enjoy!
