Articles by: jgardner

Stop PPTP dictionary attacks in MOSXS 10.5.x

Mac OS X Server's adaptive firewall (afctl) does a good job of catching brute-force login attacks on most services, but it doesn't catch PPTP attacks. The script below checks the system log for such attacks, and then uses afctl to block offending hosts for a week (you can, of course, change the parameters if you wish). I recommend using a cron job to run this script every 10-15 minutes.

Read on for the script… 

Resetting the VPN service on Tiger Server

This may work on Leopard Server as well, but I haven't tested it. There are several brute-force VPN protocol attacks rampant on the internet, and they may leave your VPN service in an unusable state by flooding it with connection requests. 

Read on for a solution… 

Compiling jabberd on Panther Server

Tiger includes a nicely-integrated Jabber server, but for those of us who have not yet upgraded, here’s the trick to getting jabberd running on Panther.

Spotlight indexing and RsyncX

After upgrading my home system to Tiger, I noticed that my RsyncX backups to an external FireWire drive were no longer working. Much consternation and hair-pulling later, I realized that the Spotlight indexing was causing problems with RsyncX. I used mdutil to disable indexing on that drive, and the problem was solved.

Ed. Note: keep in mind that Spotlight indexing can make any type of file transfer take longer due to the overhead of indexing every file. This is especially true when you’re moving large numbers of small files.

ADmitMac vs. Tiger

Thursby’s ADmitMac is a full-featured SMB/CIFS client that contains a lot of great features to hook Mac OS X into an Active Directory infrastructure. Be aware, though, that there is a downside involved. Thursby chose to implement a different method of handling resource forks on non-AFP filesystems than Apple uses in its samba-based SMB client. Basically, Thursby’s method takes advantage of multi-fork-savvy filesystems (like NTFS) whereas Apple’s doesn’t.

The upshot of this is that if you have two Mac clients, one using ADmitMac and the other using the "stock" SMB client, both accessing an SMB share, neither will be able to see resource forks saved by the other system. This is no big deal for some files (notably those with a known DOS-style 3-letter filename extension like ".doc" or ".xls"), but it can make other files completely unusable. For example, Eudora files rely on the type/creator codes in the resource fork; without the resource fork, Eudora doesn’t know what to do with the various files.

I quizzed a Thursby engineer on this incompatibility, and he pointed out that their DAVE product, which was the first SMB client for Macintosh, used this method because it adhered to Microsoft’s Services for Macintosh standard. They are simply carrying on the tradition of doing it the Microsoft-recommended way.

This incompatibility is a huge issue that Thursby seems reluctant to address. Thursby’s implementation may be superior to Apple’s on technical grounds; nonetheless, they need to either convince Apple to do it their way, or change ADmitMac (or at least offer an administrative option) to do it the Apple way. As it stands now, unless sysadmins go with an "all or none" approach to ADmitMac in their organization–now and into the foreseeable future–they’re asking for trouble. That’s an expensive prospect.

Using Microsoft’s Services For UNIX to serve NFS home directories

Get Windows to play nice with your OS X clients using NFS

AD integration works reasonably well for Mac OS X clients, but what if you’re running, say, an XServe G5, and you need to provide access to Windows-based home directories for multiple command-line users (via ssh, telnet, etc.) on your server simultaneously?

updated 3/29/05: fixed missing whacks in Windows paths.

Procmail on Panther Server

For those of us who either don’t want to use sieve, or haven’t been able to make it work properly–despite Mr. Rennich’s best efforts to help–setting up procmail filtering is not too difficult.
