I have followed this link: Turn on the adaptive firewall in macOS Server
and I get this output, but I don't know whether I have indeed activated the adaptive firewall:
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
Token : 13540967312582709951
No ALTQ support in kernel
ALTQ related functions disabled
I want to let the adaptive firewall automatically add hosts with several failed login attempts.
I have successfully added a certain IP to the firewall blacklist, but I was unable to see it in hb_summary; I don't know if it is supposed to show manually added IPs there. And it was not adding anything automatically when I supposedly turned it on.
There was a brute force attack on my IMAPS port, and my adaptive firewall was not adding that IP to the blacklist. Only postfix was dealing with it, by raising a fatal error because of too many errors, and the program terminated, but only for a very short period of time.
Server specs:
- Server.app 3.2.2
- Mac OS X 10.9.5
Best Answer
After diving into the Adaptive Firewall once more I got the impression that the whole system is flawed and the documentation is a mess.
The command
.../hb_summary
apparently doesn't work at all, because it seems to rely on the file /private/var/db/af/blockedHosts getting populated by ipfw, which isn't activated in 10.9 (and wouldn't work with the 400.AdaptiveFirewall anchor). pf doesn't use the file blockedHosts at all. The best you can do is the following:
Enable the Adaptive Firewall service
Populate the whitelist with
Define max bad auth attempts (e.g. 3) and ban time (e.g. 60 minutes)
This will modify the file /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules/AdaptiveFirewall.plist.
Check the mod with:
sudo killall emond
Add known bad hosts for a long time:
(Please be aware of the y2038 problem). This will modify the file /private/var/db/af/blacklist. Hosts added here usually don't survive a reboot.
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f
To get blocked hosts enter:
To get pf's state enter:
sudo pfctl -s all
This is tested with hostile ssh and openssl s_client -connect imapserver_ip:993 login attempts. After a reboot the
.../afctl -f
command will start pf and af, but in at least one of two cases it doesn't block hostile login attempts even though it's announced in the log file.
Improvements:
After modifying the keys debugLevel and logEvents in the file /etc/emond.d/emond.plist:
creating the file /System/Library/LaunchDaemons/com.apple.afctl_boot.plist with the content:
and loading it with:
it seems to work more reliably. The Adaptive Firewall will be loaded at boot time. No further afctl launch command is required!
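Because the answer above finds that the adaptive firewall does not reliably react to the hostile IMAPS logins on its own, a practitioner may want to do the counting themselves from the mail log and hand the offenders to afctl. The following script is an added example, not code from the question, the answer, or Apple. It assumes Dovecot-style "imap-login: Disconnected (auth failed, N attempts ...)" lines with a "rip=" field (the sample lines below are constructed to that format, which is an assumption about the 10.9 mail log), a log path of /Library/Logs/Mail/mail.log, and that afctl accepts "-a <host> -t <minutes>" to block a host (also an assumption; the answer only shows "-f"). It prints the afctl commands instead of running them, so they can be reviewed first.

```shell
#!/bin/sh
# Constructed sample log lines approximating Dovecot's imap-login "auth failed"
# messages; the exact format on macOS Server 10.9 is an assumption.
SAMPLE_LOG='Oct 10 12:00:01 mail dovecot[123]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Oct 10 12:00:03 mail dovecot[123]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Oct 10 12:00:04 mail dovecot[123]: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Oct 10 12:00:05 mail dovecot[123]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Oct 10 12:00:09 mail dovecot[123]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Oct 10 12:00:10 mail dovecot[123]: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS'

# Path of afctl as given in the answer; ban length mirrors the suggested 60 minutes.
AFCTL=/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl
BAN_MINUTES="${BAN_MINUTES:-60}"

# Sum failed IMAP login attempts per remote IP ("rip=") from log lines on stdin.
# Dovecot reports "N attempts" per connection, so N is summed rather than lines counted.
# Output: "<ip> <failures>", most failures first.
count_failures() {
    awk '
        /imap-login: Disconnected \(auth failed, [0-9]+ attempts/ {
            ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^rip=/) { ip = $i; sub(/^rip=/, "", ip); sub(/,$/, "", ip) }
            }
            match($0, /auth failed, [0-9]+ attempts/)
            split(substr($0, RSTART, RLENGTH), parts, " ")
            if (ip != "") fails[ip] += parts[3]
        }
        END { for (ip in fails) print ip, fails[ip] }
    ' | sort -k2,2nr -k1,1
}

# Print IPs with at least <threshold> failures, skipping whitelisted IPs.
# Usage: offenders <threshold> [whitelisted-ip ...]   (log lines on stdin)
offenders() {
    threshold="$1"; shift
    count_failures | while read -r ip n; do
        skip=0
        for w in "$@"; do
            if [ "$w" = "$ip" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ] && [ "$n" -ge "$threshold" ]; then
            echo "$ip $n"
        fi
    done
}

# Emit one afctl block command per offender. The "-a <host> -t <minutes>" flags are
# assumed from afctl's usage text and not verified here; commands are printed, not run.
block_commands() {
    offenders "$@" | while read -r ip n; do
        echo "sudo $AFCTL -a $ip -t $BAN_MINUTES"
    done
}

# Example use against the constructed sample (threshold 3, one whitelisted IP):
#   printf '%s\n' "$SAMPLE_LOG" | block_commands 3 198.51.100.7
# Against the live log (path is an assumption), after reviewing the output:
#   tail -n 5000 /Library/Logs/Mail/mail.log | block_commands 3 198.51.100.7 | sh
```

After running the generated commands, "sudo pfctl -s all" (as the answer shows) is still the way to confirm that pf actually holds the new entries, since the answer reports that afctl's log announcements do not always match what pf enforces.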