HOWTO Mac OS X Server (10.5)

From Fail2ban

For the history of this with 10.4 see HOWTO Mac OS X Server (10.4)

That page was copied to this one and modified. It is not at all clear whether these instructions will work on 10.5.7. This is unfinished. Update: It works on 10.6.0.

Assumptions

  1. You are running 10.5.7 (or 10.6)
  2. There are no modifications to Python (still stock)

Procedure

1. Get the software

Download the latest version from the fail2ban SourceForge project. As of this writing, that amounts to:

cd ~/source
curl -O http://softlayer.dl.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.3/fail2ban-0.8.3.tar.bz2

2. Unpack the software

tar xvfj fail2ban-0.8.3.tar.bz2

3. Install the software

cd fail2ban-0.8.3
sudo python setup.py install

4. Make a spot for the log file

sudo touch /var/log/fail2ban.log

5. Edit the fail2ban configuration files

Here's where you need to tell the program what you want to do. You can read all about this on the fail2ban wiki [1]. I'm only focusing on using ssh & ipfw.

sudo emacs /etc/fail2ban/jail.conf

In the section marked [ssh-ipfw], you'll want to make it look like so:

enabled  = true
filter   = sshd
action   = ipfw
logpath  = /var/log/secure.log


(Note: /var/log/secure.log records all events related to keyboard-interactive logins. If, however, you want to detect failed attempts against, for example, an ssh daemon running on another port that only allows RSA authentication (useful if you port forward through your NAT router), some extra tweaking is required. By adding

*.info /var/log/ssh_info.log

to /etc/syslog.conf you can gather IP addresses and connection attempts from this file instead.)

6. Make a little change in the ipfw actions if you have two IP addresses

We need to make a couple of changes in how fail2ban deals with adding rules.

I have two ethernet cards (one public-facing, the other private), and I want to lock down both avenues when needed, so we need to edit the ipfw.conf file:

sudo emacs /etc/fail2ban/action.d/ipfw.conf

and change:

actionban = ipfw add deny tcp from <ip> to <localhost> <port>

to this:

actionban = ipfw add 200 deny tcp from <ip> to your-public-addy-here <port>
            ipfw add 201 deny tcp from <ip> to your-private-addy-here <port>

Obviously, replace the dummy placeholders above with your own IP addresses. If you only have one IP address, you could have left the <localhost> tag in place (just make sure <localhost> is defined in /etc/fail2ban/action.d/ipfw.conf).

(Note: I also added rule numbers 200 & 201 so that they'd be higher up in the IPFW food chain. This should be done whether or not you have two IP addresses.)

Further enhancement

While the above actionban does block unwanted addresses from specific ports, it suffers from defining all the banned addresses on a single rule number with a specific port. When the unban command is issued for the first blocked address it will remove the entire rule set with that number (in the above case rules 200 and 201), including any addresses that were banned after the first one. This is not desirable, since any of the addresses added between the first ban and its corresponding unban will now be allowed by the firewall and only logged as already banned by fail2ban (until their ban time is up or fail2ban is reloaded).

A solution to this problem is to use the following:

actionban = t=150
            while [ "$(ipfw list | grep -c "00$t")" != 0 ]
            do ((++t))
            done
            ipfw add $t deny tcp from <ip> to any

This will search and use the first available rule number starting at 150. When it is time to unban an address, only the one rule is removed thus preserving the other banned addresses.

Some attackers will cycle through the ports while using the same IP address. By changing "to your-private-addy-here <port>" to "to any" in the ipfw add rule, the firewall will block all bad traffic on this server, not just a specific port. If you still need to specify your server's IP address, just leave off the <port> so it blocks all the traffic.

(Note: This method works until the counter reaches 1000, at which time wanted rules may be deleted. If you have a large number of banned addresses you may want to consider permanently banning some of them.)

--Td 18:33, 3 February 2010 (UTC)
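To make the difference between the two actionban variants concrete, here is an added Python simulation; it is not part of this page or of fail2ban. A FakeIpfw rule table stands in for the real ipfw (assumption: its add, delete and listing methods behave like ipfw add, ipfw delete and ipfw list, and the shared-number unban is a plain ipfw delete 200, which the page implies but does not show). The baseline listing and the attacker addresses are constructed sample values. first_free_rule() goes slightly beyond the shell loop above: it parses the rule numbers instead of grepping for the "00$t" substring, so it does not run into the rule-1000 problem noted above.

```python
import re

# `ipfw list` prints every rule number zero-padded to five digits, e.g. "00150 deny ...".
RULE_RE = re.compile(r"^(\d{5}) (.*)$")

# Constructed baseline firewall listing (not from a real host).
BASE_LISTING = """00100 allow ip from any to any via lo0
00150 deny tcp from 192.0.2.5 to any
65535 allow ip from any to any"""

ATTACKERS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]  # constructed sample addresses


class FakeIpfw:
    """Constructed stand-in for ipfw: a rule table keyed by rule number (assumption:
    add/delete/listing mirror `ipfw add`, `ipfw delete` and `ipfw list`)."""

    def __init__(self, listing):
        self.rules = {}
        for line in listing.splitlines():
            m = RULE_RE.match(line)
            if m:
                self.add(int(m.group(1)), m.group(2))

    def add(self, num, rule):
        self.rules.setdefault(num, []).append(rule)

    def delete(self, num):
        # `ipfw delete N` removes *every* rule carrying number N, not just one.
        self.rules.pop(num, None)

    def listing(self):
        return "\n".join("%05d %s" % (n, r) for n in sorted(self.rules) for r in self.rules[n])


def rule_numbers(listing):
    """Rule numbers present in `ipfw list` output."""
    return {int(m.group(1)) for m in map(RULE_RE.match, listing.splitlines()) if m}


def first_free_rule(listing, start=150):
    """First rule number >= start that is not in use (numeric compare, so it
    keeps working past 1000 where a "00$t" substring test stops matching)."""
    used = rule_numbers(listing)
    t = start
    while t in used:
        t += 1
    return t


def banned_ips(fw):
    ips = set()
    for rules in fw.rules.values():
        for r in rules:
            m = re.match(r"deny tcp from (\S+) to", r)
            if m:
                ips.add(m.group(1))
    return ips


# Variant 1: every ban shares rule number 200 (the page's first actionban, one address).
def ban_shared(fw, ip):
    fw.add(200, "deny tcp from %s to any 22" % ip)


def unban_shared(fw, ip):
    fw.delete(200)  # assumption: the matching actionunban is `ipfw delete 200`


# Variant 2: every ban gets its own rule number (the enhanced actionban).
def ban_unique(fw, ip):
    t = first_free_rule(fw.listing())
    fw.add(t, "deny tcp from %s to any" % ip)
    return t


def unban_unique(fw, ip):
    for line in fw.listing().splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2) == "deny tcp from %s to any" % ip:
            fw.delete(int(m.group(1)))


def demo_shared():
    fw = FakeIpfw(BASE_LISTING)
    for ip in ATTACKERS:
        ban_shared(fw, ip)
    unban_shared(fw, ATTACKERS[0])  # bantime expires for the first address only...
    return banned_ips(fw)           # ...yet all three attackers are gone


def demo_unique():
    fw = FakeIpfw(BASE_LISTING)
    numbers = [ban_unique(fw, ip) for ip in ATTACKERS]
    unban_unique(fw, ATTACKERS[0])
    return numbers, banned_ips(fw)  # the other two bans survive


if __name__ == "__main__":
    print("shared rule 200 after one unban:", demo_shared())
    print("unique rule numbers, bans left  :", demo_unique())
```

demo_shared() ends with only the pre-existing 192.0.2.5 rule left, while demo_unique() hands out 151, 152 and 153 (150 is already taken in the constructed listing) and keeps the second and third ban after the first is lifted.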

Using afctl

Instead of using ipfw directly, you may wish to use the built-in afctl function, which handles all the ipfw junk for you.

Using afctl requires that you create a new file in the action.d directory. Call it afctl.conf and give it the following contents:

# Fail2Ban configuration file for using afctl on Mac OS X Server 10.5
[Definition]
actionstart = 
actionstop = 
actioncheck = 
actionban = /usr/libexec/afctl -a <ip> -t 2880
actionunban = /usr/libexec/afctl -r <ip>
[Init]
localhost = 127.0.0.1

If you want fail2ban to manage host unbans, set the actionban -t value (in minutes) to something longer than the bantime value in jail.conf (which is in seconds, so don't get confused). If you want afctl to manage unbans, set the actionban -t value to whatever you want the bantime to be, and clear the actionunban.

Now, in the jail.conf file, create sections for the desired services.

[ssh-afctl]
enabled  = true
filter   = sshd
action   = afctl
logpath  = /var/log/secure.log

[ftp-afctl]
enabled  = true
filter   = 10.5-ftp
action   = afctl
logpath  = /var/log/secure.log

[pop3-afctl]
enabled  = true
filter   = 10.5-pop3
action   = afctl
logpath  = /var/log/system.log

[pop3s-afctl]
enabled  = true
filter   = 10.5-pop3s
action   = afctl
logpath  = /var/log/system.log

[imap-afctl]
enabled  = true
filter   = 10.5-imap
action   = afctl
logpath  = /var/log/system.log

[imaps-afctl]
enabled  = true
filter   = 10.5-imaps
action   = afctl
logpath  = /var/log/system.log

The default ssh filter works fine for Mac OS X Server 10.5, but if you want fail2ban to monitor ftp, pop, and imap connections per the configuration above, you need to create the following files in the filter.d directory:

10.5-ftp.conf

# Fail2Ban configuration file for FTP service on Mac OS X Server 10.5
[INCLUDES]
before = common.conf
[Definition]
_daemon = ftpd
failregex = ^%(__prefix_line)sFailed authentication from: .* \[<HOST>\]
ignoreregex = 

10.5-imap.conf

# Fail2Ban configuration file for IMAP service on Mac OS X Server 10.5
[INCLUDES]
before = common.conf
[Definition]
_daemon = imap
failregex = ^%(__prefix_line)sbadlogin from: \[<HOST>\]
ignoreregex = 

10.5-imaps.conf

# Fail2Ban configuration file for IMAPS service on Mac OS X Server 10.5
[INCLUDES]
before = common.conf
[Definition]
_daemon = imaps
failregex = ^%(__prefix_line)sbadlogin from: \[<HOST>\]
ignoreregex = 

10.5-pop3.conf

# Fail2Ban configuration file for POP3 service on Mac OS X Server 10.5
[INCLUDES]
before = common.conf
[Definition]
_daemon = pop3
failregex =  ^%(__prefix_line)sbadlogin: .* \[<HOST>\]
             ^%(__prefix_line)sbadlogin: \[<HOST>\]
ignoreregex = 

10.5-pop3s.conf

# Fail2Ban configuration file for POP3S service on Mac OS X Server 10.5
[INCLUDES]
before = common.conf
[Definition]
_daemon = pop3s
failregex = ^%(__prefix_line)sbadlogin: .* \[<HOST>\]
            ^%(__prefix_line)sbadlogin: \[<HOST>\]
ignoreregex = 
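To see what these five filters actually catch before pointing fail2ban at a live log, here is an added Python test harness; it is not part of this page or of fail2ban. It expands %(__prefix_line)s and <HOST> the way fail2ban 0.8 does and runs the 10.5-*.conf failregex lines over a few constructed secure.log/system.log lines. The prefix_line() stand-in for common.conf's __prefix_line and the DATE_RE timestamp stripper are simplified assumptions about fail2ban's internals; the sample log lines are constructed, not captured from a real server.

```python
import re
from collections import Counter

# fail2ban 0.8.x replaces the <HOST> tag with this pattern (optional IPv4-mapped IPv6 prefix).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# fail2ban strips the matched timestamp from a line before trying failregex; this
# BSD-syslog date pattern is a simplified stand-in for its date detector (assumption).
DATE_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d ")


def prefix_line(daemon):
    # Simplified stand-in for common.conf's __prefix_line: optional hostname, then an
    # optional "daemon[pid]:" built from the filter's _daemon (assumption: the real
    # definition is longer, but has this shape).
    return r"\s*(?:\S+ )?(?:%s(?:\[\d+\])?:\s+)?" % daemon


# (_daemon, failregex lines) as written in the 10.5-*.conf filter files above.
FILTERS = {
    "10.5-ftp":   ("ftpd",  [r"^%(__prefix_line)sFailed authentication from: .* \[<HOST>\]"]),
    "10.5-imap":  ("imap",  [r"^%(__prefix_line)sbadlogin from: \[<HOST>\]"]),
    "10.5-imaps": ("imaps", [r"^%(__prefix_line)sbadlogin from: \[<HOST>\]"]),
    "10.5-pop3":  ("pop3",  [r"^%(__prefix_line)sbadlogin: .* \[<HOST>\]",
                             r"^%(__prefix_line)sbadlogin: \[<HOST>\]"]),
    "10.5-pop3s": ("pop3s", [r"^%(__prefix_line)sbadlogin: .* \[<HOST>\]",
                             r"^%(__prefix_line)sbadlogin: \[<HOST>\]"]),
}

# Constructed sample log lines (one non-failure line included on purpose).
SAMPLE_LOG = [
    "Feb  3 18:33:01 server ftpd[4242]: Failed authentication from: user bob [192.0.2.10]",
    "Feb  3 18:33:05 server ftpd[4242]: User bob logged in from [192.0.2.11]",
    "Feb  3 18:35:12 server imap[5151]: badlogin from: [198.51.100.7]",
    "Feb  3 18:36:40 server pop3[6161]: badlogin: [203.0.113.9]",
    "Feb  3 18:36:45 server pop3[6161]: badlogin: mail.example.invalid [203.0.113.9] "
    "plaintext alice SASL(-13): authentication failure",
]


def compile_filter(name):
    """Expand %(__prefix_line)s and <HOST> for one filter and compile its patterns."""
    daemon, patterns = FILTERS[name]
    subs = {"__prefix_line": prefix_line(daemon)}
    return [re.compile((p % subs).replace("<HOST>", HOST_RE)) for p in patterns]


def failed_hosts(name, lines):
    """Host of every line the named filter counts as a failed login, in log order."""
    regexes = compile_filter(name)
    hosts = []
    for line in lines:
        body = DATE_RE.sub("", line, count=1)
        for rx in regexes:
            m = rx.match(body)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def ban_candidates(name, lines, maxretry):
    """Hosts that failed at least maxretry times (fail2ban's findtime window is ignored here)."""
    counts = Counter(failed_hosts(name, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name in FILTERS:
        print("%-10s %s" % (name, failed_hosts(name, SAMPLE_LOG)))
    print("pop3 hosts over maxretry=2:", ban_candidates("10.5-pop3", SAMPLE_LOG, 2))
```

The second pop3 pattern exists because "badlogin: [203.0.113.9]" has only one space after the colon, so the ".* " of the first pattern cannot match it; the harness shows both pop3 lines attributed to the same host. Against a real log file, fail2ban's own fail2ban-regex tool does the same job, e.g. fail2ban-regex /var/log/system.log /etc/fail2ban/filter.d/10.5-pop3.conf.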

8. Add a startup file

Someone has provided a nice startup file for Mac OS X, but it needs a little editing.

cd ~/source/fail2ban-0.8.3/files
sudo cp macosx-initd /Library/LaunchDaemons/org.fail2ban.plist
sudo emacs /Library/LaunchDaemons/org.fail2ban.plist

In the editor, get rid of the first two lines, such that the file begins with <?xml ...

You must also modify /etc/fail2ban/fail2ban.conf. Change:

socket = /var/run/fail2ban/fail2ban.sock

to:

socket = /var/run/fail2ban.sock

9. Start it up

sudo /usr/local/bin/fail2ban-client start

You should see some informational text appear, then your prompt will return to you. You can verify that things are running smoothly with

sudo cat /var/log/fail2ban.log

See also

  1. http://www.fail2ban.org/wiki/index.php/Main_Page
  2. http://code.google.com/p/pyftpdlib/issues/detail?id=16
  3. http://www.infosecwriters.com/text_resources/pdf/securing-mac-os-x-tiger.pdf