HOWTO Mac OS X Server (10.5)
For the history of this with 10.4 see HOWTO Mac OS X Server (10.4)
That page was copied to this one and modified. It is not at all clear whether these instructions will work on 10.5.7. This is unfinished.
Assumptions
- You are running 10.5.7
- There are no modifications to Python (still stock)
Procedure
1. Get the software
Download the latest version from the fail2ban SourceForge project. As of this writing, this is equivalent to doing this:
cd ~/source curl -O http://softlayer.dl.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.3/fail2ban-0.8.3.tar.bz2
2. Unpack the software
tar xvfj fail2ban-0.8.3.tar.bz2
3. Install the software
cd fail2ban-0.8.3 sudo python setup.py install ===4. Make a spot for the log file=== <pre>sudo touch /var/log/fail2ban.log
5. Edit the fail2ban configuration files
Here's where you need to tell the program what you want to do.
You can read all about this on the fail2ban wiki [1].
I'm only focusing on using ssh & ipfw.
sudo emacs /etc/fail2ban/jail.conf
In the section marked [ssh-ipfw], you'll want to make it look like so:
enabled = true filter = sshd action = ipfw logpath = /var/log/secure.log
6. Make a little change in the ipfw actions
We need to make a couple of changes in how fail2ban deals with adding rules.
I have two ethernet cards (one public-facing, the other private),
and I want to lock down both avenues when needed,
so we need to edit the ipfw.conf file:
sudo emacs /etc/fail2ban/action.d/ipfw.conf
and change:
actionban = ipfw add deny tcp from <ip> to <localhost> <port>
to this:
actionban = ipfw add 200 deny tcp from <ip> to your-public-addy-here <port>
ipfw add 201 deny tcp from <ip> to your-private-addy-here <port>
Obviously, you'll want to replace your specific IP addresses in the dummy placeholders above.
If you only have one IP address, you could have left the <localhost> tag in place
(just make sure you've got <localhost> defined in /etc/fail2ban/action.d/ipfw.conf.)
(Note: I also added rule numbers 200 & 201 so that they'd be higher up in the IPFW food chain.)
7. Edit the fail2ban regex file for sshd
In Mac OS X, when sshd logs a possible break-in attempt, it notes it in /var/log/secure.log with the phrase POSSIBLE BREAK-IN ATTEMPT! Note the exclamation point, and compare /etc/fail2ban/filter.d/sshd.conf. Their line doesn't have an exclamation point, and thus won't catch those notes. We'll fix that here.
sudo emacs /etc/fail2ban/filter.d/sshd.conf
and change:
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
to this:
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$
8. Add a startup file
Someone has provided a nice startup file for Mac OS X, but it needs a little editing.
cd ~/source/fail2ban-0.8.3/files sudo cp macosx-initd /System/Library/LaunchDaemons/org.fail2ban.plist sudo emacs /System/Library/LaunchDeamons/org.fail2ban.plist
In the editor, get rid of the first two lines, such that the file begins with <?xml ...
9. Start it up
sudo /usr/local/bin/fail2ban-client start
You should see some informational text appear, then your prompt will return to you. You can verify that things are running smoothly with
sudo cat /var/log/fail2ban.log
