HOWTO: fail2ban on Mac OS X Server (10.4)
So, I had an afternoon to work on this, and I got a successful install. I was sad to find there was so little documentation from other people using Mac OS X Server, so I decided to write up what I did. This worked for me, and it'll probably work for you, but as always, YMMV.
Now, there may have been much simpler ways to accomplish this, and I'm sure it's a little rough around the edges, but it works, and I'm happy. Hopefully it'll help someone else.
Enjoy!
Assumptions
- You are running 10.4.11 Server, stock system
- There are no modifications to Python (still stock)
Procedure
1. Get the software
cd ~/source
curl -O http://superb-east.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.3.tar.bz2
2. Unpack the software
tar xvfj fail2ban-0.8.3.tar.bz2
3. Install the software
cd fail2ban-0.8.3
sudo python setup.py install
setup.py drops the fail2ban-client and fail2ban-server scripts into the Python framework's bin directory rather than /usr/local/bin, so copy them over:
sudo cp /System/Library/Frameworks/Python.framework/Versions/2.3/bin/fail2* /usr/local/bin
4. Fix an issue with Python 2.3
OS X 10.4.x ships Python 2.3 by default, and the fail2ban server doesn't run cleanly on it (the problem is in how it calls asyncore [1]), so we need to make a modification to /usr/share/fail2ban/server/asyncserver.py as root. (I use emacs, but feel free to use what you like.)
sudo emacs /usr/share/fail2ban/server/asyncserver.py
Change line 135 from this:
asyncore.loop(use_poll = True)
To this:
asyncore.loop(timeout=1, use_poll=hasattr(asyncore.select, 'poll'))
The new call only asks asyncore to use poll() where the select module actually provides it, and falls back to select() otherwise; the one-second timeout just keeps the loop from blocking indefinitely.
5. Make a spot for the log file
sudo touch /var/log/fail2ban.log
6. Edit the fail2ban configuration files
Here's where you tell the program what you want it to do. You can read all about this on the fail2ban wiki [2]. I'm only covering ssh & ipfw.
sudo emacs /etc/fail2ban/jail.conf
In the section marked [ssh-ipfw], make it look like so:
enabled = true
filter = sshd
action = ipfw
logpath = /var/log/secure.log
While you're in there, check ignoreip in the [DEFAULT] section and add the address you administer the box from, so a typo in your own password can't lock you out.
7. Make a little change in the ipfw actions
We need to change how fail2ban adds its deny rules.
I have two ethernet cards (one public-facing, the other private), and I want to block an offender on both, so we need to edit the ipfw.conf file:
sudo emacs /etc/fail2ban/action.d/ipfw.conf
and change:
actionban = ipfw add deny tcp from <ip> to <localhost> <port>
to this (the second command is a continuation line of the same value, so keep it indented):
actionban = ipfw add 200 deny tcp from <ip> to your-public-addy-here <port>
            ipfw add 201 deny tcp from <ip> to your-private-addy-here <port>
Replace the placeholders with your own addresses. If you only have one IP address, you could leave the <localhost> tag in place (just make sure <localhost> is defined in /etc/fail2ban/action.d/ipfw.conf as the address sshd actually listens on, not 127.0.0.1, or the rule will never match an outside connection).
(Note: I also gave the rules numbers 200 & 201 so that they sit higher up in the ipfw rule order.) Be aware that ipfw lets several rules share a number, and ipfw delete 200 removes every rule numbered 200. So check the actionunban line in the same file: if it unbans by looking up the rule number for <ip> in ipfw list, lifting the ban on one host will also lift it for every other host currently banned under the same numbers.
8. Edit the fail2ban regex file for sshd
In Mac OS X, when sshd logs a possible break-in attempt (a client whose reverse DNS does not map back to its address), it notes it in /var/log/secure.log with the phrase POSSIBLE BREAK-IN ATTEMPT! Note the exclamation point, and compare /etc/fail2ban/filter.d/sshd.conf. Their line doesn't have an exclamation point, and because the pattern ends in \s*$ it won't catch those notes. We'll fix that here. Keep in mind that this message is a DNS mismatch, not a failed login; a legitimate client with broken reverse DNS will trip it too, which is another reason to have your own addresses in ignoreip.
sudo emacs /etc/fail2ban/filter.d/sshd.conf
and change:
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
to this:
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$
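To see what the missing exclamation point costs, here is an added example (mine, not fail2ban's own code) that emulates the core of a fail2ban filter in Python 3 over a few constructed secure.log lines. The two BREAK-IN patterns are the ones quoted above; the stand-in for __prefix_line, the second "Failed password" rule (modelled on the shipped one), the sample lines and the host name are assumptions for the example. With the shipped pattern the reverse-DNS warnings from 192.0.2.10 are never counted and the host never reaches maxretry; with the fixed pattern it does.

```python
import re

# Stand-in for fail2ban's __prefix_line (from filter.d/common.conf): an optional
# hostname, then "sshd[pid]: ". Simplification for this example; the real prefix
# copes with more syslog layouts, and fail2ban removes the timestamp from the
# line before the failregex is applied, which is why the samples below have none.
PREFIX_LINE = r"\s*(?:\S+ )?sshd\[\d+\]: "

# fail2ban expands the <HOST> tag to a named group like this one; the optional
# "::ffff:" part copes with IPv4-mapped IPv6 addresses.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"


def failregex(template):
    """Expand the %(__prefix_line)s and <HOST> tags into a compiled regex."""
    pattern = template.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)


# The shipped BREAK-IN line and the corrected one, as quoted in step 8.
BREAKIN_ORIGINAL = r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$"
BREAKIN_FIXED = r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$"
# Second rule modelled on the shipped "Failed password" line (assumption for the
# example), so ordinary login failures count as well.
FAILED_PASSWORD = r"^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$"


def count_failures(templates, lines):
    """Core of a fail2ban filter: count, per <host>, the lines any failregex matches."""
    regexes = [failregex(t) for t in templates]
    counts = {}
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                host = m.group("host")
                counts[host] = counts.get(host, 0) + 1
                break  # one failure per line, whichever rule matched first
    return counts


def hosts_to_ban(templates, lines, maxretry):
    """Hosts that reached maxretry failures (the jail's maxretry setting)."""
    counts = count_failures(templates, lines)
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample of what sshd writes to secure.log on 10.4, timestamp
# already removed. Addresses are from the documentation ranges.
SAMPLE_LINES = [
    "myserver sshd[2345]: Address 192.0.2.10 maps to host.example, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "myserver sshd[2345]: Failed password for root from 192.0.2.10 port 4444 ssh2",
    "myserver sshd[2346]: Address 192.0.2.10 maps to host.example, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "myserver sshd[2347]: Failed password for invalid user admin from 192.0.2.11 port 5555 ssh2",
    "myserver sshd[2348]: Accepted publickey for bob from 198.51.100.5 port 6666 ssh2",
]

if __name__ == "__main__":
    for label, breakin in (("shipped regex", BREAKIN_ORIGINAL), ("fixed regex", BREAKIN_FIXED)):
        rules = [FAILED_PASSWORD, breakin]
        print(label, count_failures(rules, SAMPLE_LINES),
              "ban:", hosts_to_ban(rules, SAMPLE_LINES, 3))
```

Run it and the shipped pattern credits 192.0.2.10 with a single failure (the password one) while the fixed pattern credits it with three and bans it at the default maxretry of 3; the Accepted line never matches either way.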
9. Add a startup file
Someone has provided a nice launchd startup file for Mac OS X in the source tree, but it needs a little editing.
cd ~/source/fail2ban-0.8.3/files
sudo cp macosx-initd /System/Library/LaunchDaemons/org.fail2ban.plist
sudo emacs /System/Library/LaunchDaemons/org.fail2ban.plist
In the editor, delete the first two lines, so that the file begins with <?xml ...
(/Library/LaunchDaemons is the conventional home for third-party daemons; /System/Library/LaunchDaemons is Apple's own. Either location is loaded at boot, so use whichever you prefer, but be consistent if you move it.)
10. Start it up
sudo /usr/local/bin/fail2ban-client start
You should see some informational text appear, then your prompt will return to you. You can verify that things are running smoothly with a look at the log file (/var/log/fail2ban.log), and sudo /usr/local/bin/fail2ban-client status ssh-ipfw will show the jail's current failure and ban counts. After the first ban, sudo ipfw list should show the deny rules from step 7.