MacOS – Alternative for `fail2ban` on the server running OS X 10.6.8

firewallmacosNetworkosx-serverssh

I have dedicated my old MacBook as a home server. It runs, among other stuff, the following services:

Webserver (Apache, PHP, MySQL) i.e. OwnCloud/WebDAV
Torrent client
SSH server
VPN
Some game servers

Although a MacBook is not the best hardware for the job, this works fine for private use and I have my backups running for the inevitable crash.

To keep unwanted people out, I have a 'normal' firewall and fail2ban running.

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Setting fail2ban up is done by modifying different configuration files. In these files you can state 'which' log file to scan, what to look for (regex), and, if a match is found, what action to take. But setting it up can be a real hassle and takes hours for a normal guy like myself.

Is there a good GUI or alternative for fail2ban? The main purpose is to block unwanted users from my system. I prefer open-sourced solutions, but I am also willing to pay for good software.

note: I have the 'regular' OS X 10.6.8 running (i.e. I do NOT have OS X Server running)

Best Answer

You can use fail2web, but, as this is only a frontend to fail2ban, is not easier to use than modifying fail2ban's text files.

Related Solutions

MacOS – Looking for advice setting up a new Mac Mini with Lion Server

Although written for 10.5, this guide by Daniel Cuthbert (PDF) is fairly comprehensive and largely still applies to Lion.

Closing off screen sharing and tunneling it (if you need it at all) through SSH is probably a good idea.

Standard rules apply:

Only open absolutely necessary ports to the outside world
Keep your software up to date
Disable any unused services & Apache modules
Disable any listeners you don't need, rebind those you do need to localhost only if they're not needed outside (lsof -i is your friend)
Check that your firewall is really working as expected (nmap from an outside host)

Mac specific things:

Make sure the console is password protected, locks if you're using screensharing and doesn't auto-login on startup
You may want to enable verbose boot messages by default, it'll make debugging easier in case things go bad: sudo nvram boot-args="-v"

How does one lock down OS X Server using the PF firewall

You should:

understand pf basics - here is many guides on the Internet, you can safely read any Open/Free BSD guide. You must understand a few basic things:
- with PF, last rule wins (opposite of IPFW's "first rule wins")
- logging is in the pflog device if the 'tcpdump' format
- check the pfctl command using man pfctl
- also check man pf.conf
- you can create many simple text files that contains IP addresses (called tables) and using them in the filtering rules - see the example below.
AFTER this you can use two GUI frontends
- IceFloor (instead of the WaterRoof)
- Firewall builder (cross platform)

PF is not too hard if you have some knowledge about how firewalling works in general.

Fragment of pf.conf for table based filtering:

interface = "en0"
allowed_ports = "{ 80, 443 }"
table <badips> persist
table <noroute> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
block in on $interface from { <noroute>, <badips> } to any
pass in on $interface inet proto tcp from <badips> to $interface port $allowed_ports

The above example contains:

some basic definitions, like your interface name and some ports
definition for two tables, noroute for nonroutable addresses (RFC 1918) and the second badips that can contain your Geo IP based IP addresses
filtering rule - blocking anything from these tables
allowing ports 80 and 443 from badips (last rule wins)

Related Question