Viewing 4 posts - 1 through 4 (of 4 total)
  • #371665
    option8
    Participant

    I’ve been using, with good results, a script called fail2ban (http://www.fail2ban.org/) on my Linux servers. It limits dictionary attacks on incoming SSH and other ports by monitoring failed password attempts; a certain number in a limited time triggers iptables to ban that IP. As I said, it works like a charm on my Linux web server and my home machine (which I log into from afar via SSH).

    Now I’d like to see if there’s something similar, or a port of fail2ban, for OS X (client and/or server).

    The main problem I’m having with my 10.4 mail server right now is that occasionally a dictionary attack on POP will clog the pipes and bring the POP server to a halt. Luckily, IMAP and SMTP still work during this, but clients who log in using POP are unable to get in until I can log in and restart the POP process.

    I’d love to find a working fail2ban configuration for OS X/Darwin or a similar solution that I can use to ban IPs based on the number of connections per minute, failed logins, or something of that nature.

    I’m using Courier (authlib/pop3/imap) to serve mail on this box, by the way.

    #372207
    option8
    Participant

    So… nothing?

    I have tons of log messages like this that tell me something like fail2ban is needed:

    (sophie is my server’s hostname)

    Apr 11 08:02:20 sophie com.apple.SecurityServer: authinternal failed to authenticate user normann.
    Apr 11 08:02:25 sophie com.apple.SecurityServer: authinternal failed to authenticate user kai.
    Apr 11 08:02:28 sophie com.apple.SecurityServer: authinternal failed to authenticate user studio.
    Apr 11 08:02:31 sophie com.apple.SecurityServer: authinternal failed to authenticate user nurit.
    Apr 11 08:02:34 sophie com.apple.SecurityServer: authinternal failed to authenticate user hari.
    Apr 11 08:02:38 sophie com.apple.SecurityServer: authinternal failed to authenticate user manfred.
    Apr 11 08:02:44 sophie com.apple.SecurityServer: authinternal failed to authenticate user dominik.
    Apr 11 08:02:47 sophie com.apple.SecurityServer: authinternal failed to authenticate user nastuh.
    Apr 11 08:02:51 sophie com.apple.SecurityServer: authinternal failed to authenticate user claudius.
    Apr 11 08:02:56 sophie com.apple.SecurityServer: authinternal failed to authenticate user geyer.
    Apr 11 08:03:00 sophie com.apple.SecurityServer: authinternal failed to authenticate user renate.
    Apr 11 08:03:05 sophie com.apple.SecurityServer: authinternal failed to authenticate user norbert.
    Apr 11 08:03:08 sophie com.apple.SecurityServer: authinternal failed to authenticate user cornelia.
    Apr 11 08:03:11 sophie com.apple.SecurityServer: authinternal failed to authenticate user herr.
    Apr 11 08:03:14 sophie com.apple.SecurityServer: authinternal failed to authenticate user liane.
    Apr 11 08:03:19 sophie com.apple.SecurityServer: authinternal failed to authenticate user reinhold.
    Apr 11 08:03:21 sophie com.apple.SecurityServer: authinternal failed to authenticate user digital.
    Apr 11 08:03:25 sophie com.apple.SecurityServer: authinternal failed to authenticate user pay.
    Apr 11 08:03:29 sophie com.apple.SecurityServer: authinternal failed to authenticate user bobby.
    Apr 11 08:03:32 sophie com.apple.SecurityServer: authinternal failed to authenticate user mp3.
    Apr 11 08:03:40 sophie com.apple.SecurityServer: authinternal failed to authenticate user music.
    Apr 11 08:03:49 sophie com.apple.SecurityServer: authinternal failed to authenticate user index.
    Apr 11 08:03:52 sophie com.apple.SecurityServer: authinternal failed to authenticate user ethan.
    Apr 11 08:03:56 sophie com.apple.SecurityServer: authinternal failed to authenticate user isabelle.
    Apr 11 08:04:10 sophie com.apple.SecurityServer: authinternal failed to authenticate user mariane.

    *bump*

    #372208
    khiltd
    Participant

    Looks like fail2ban is a Python script that sets up ipfw rules based on the results of log parsing. What part of it are you finding doesn’t work on OS X?
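
What khiltd describes (parse the log, count failures per source address inside a time window, hand ipfw a deny rule) is small enough to sketch end to end. The script below is an added example written for this page; it is not fail2ban’s own code and nothing in this thread posted it. It assumes Courier’s pop3d/imapd log a failed login as `LOGIN FAILED, user=..., ip=[...]` (check that against the real log on the box before relying on it), and the constructed sample log also contains two `com.apple.SecurityServer` lines in the shape option8 quoted. Those lines carry no source address at all, so a detector can count them but has nothing to ban; the lines that name the client IP have to come from the mail daemon itself.

```python
"""Minimal fail2ban-style detector for Courier POP3/IMAP login failures.

Added example, not fail2ban's code. Reads syslog-style lines, keeps a sliding
window of failures per client IP, reports IPs that cross the threshold, and
builds (but does not execute) the ipfw rule that would ban each of them.
"""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

# Constructed sample log, not taken from any real server. The SecurityServer
# lines copy the shape quoted in the thread; the pop3d lines follow Courier's
# usual "LOGIN FAILED, user=..., ip=[...]" form, which is an assumption here.
SAMPLE_LOG = """\
Apr 11 08:02:20 sophie com.apple.SecurityServer: authinternal failed to authenticate user normann.
Apr 11 08:02:21 sophie pop3d: LOGIN FAILED, user=normann, ip=[::ffff:203.0.113.7]
Apr 11 08:02:25 sophie com.apple.SecurityServer: authinternal failed to authenticate user kai.
Apr 11 08:02:26 sophie pop3d: LOGIN FAILED, user=kai, ip=[::ffff:203.0.113.7]
Apr 11 08:02:29 sophie pop3d: LOGIN FAILED, user=studio, ip=[::ffff:203.0.113.7]
Apr 11 08:02:32 sophie pop3d: LOGIN FAILED, user=nurit, ip=[::ffff:203.0.113.7]
Apr 11 08:02:35 sophie pop3d: LOGIN FAILED, user=hari, ip=[::ffff:203.0.113.7]
Apr 11 08:02:39 sophie pop3d: LOGIN FAILED, user=manfred, ip=[::ffff:203.0.113.7]
Apr 11 08:02:40 sophie pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.22]
Apr 11 08:03:50 sophie pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.22]
Apr 11 08:05:10 sophie pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.22]
Apr 11 08:05:12 sophie pop3d: LOGIN, user=bob, ip=[::ffff:198.51.100.22]
"""

# Failure line that names the client; the IPv4-mapped "::ffff:" prefix is dropped
# so the ban rule gets a plain IPv4 address.
FAIL_WITH_IP = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?:pop3d|imapd)(?:-ssl)?: "
    r"LOGIN FAILED, user=\S+, ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]"
)
# Failure line with no client address: nothing to ban, but worth counting so the
# operator sees how much of the attack is invisible to an IP-based tool.
FAIL_NO_IP = re.compile(
    r"com\.apple\.SecurityServer: authinternal failed to authenticate user"
)

Result = namedtuple("Result", "banned unattributable")


def parse_timestamp(ts, year=2007):
    # syslog stamps carry no year; the caller supplies one so the arithmetic
    # works (a New Year roll-over inside the window is ignored here)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_offenders(lines, maxretry=5, window_seconds=60):
    """Return IPs with >= maxretry failures inside window_seconds, plus the count
    of failure lines that carried no address and so could not be attributed."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    banned, unattributable = set(), 0
    for line in lines:
        m = FAIL_WITH_IP.search(line)
        if not m:
            if FAIL_NO_IP.search(line):
                unattributable += 1
            continue
        ip, ts = m.group("ip"), parse_timestamp(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures older than the window
        if len(q) >= maxretry:
            banned.add(ip)
    return Result(banned, unattributable)


def ipfw_ban_command(ip):
    # the kind of rule fail2ban hands to ipfw; returned as argv, not executed
    return ["ipfw", "add", "deny", "ip", "from", ip, "to", "any"]


if __name__ == "__main__":
    result = find_offenders(SAMPLE_LOG.splitlines())
    for ip in sorted(result.banned):
        print(" ".join(ipfw_ban_command(ip)))
    print(f"{result.unattributable} failure lines carried no source address")
```

Run against the sample, 203.0.113.7 (six failures in 18 seconds) is reported and 198.51.100.22 (three failures more than a minute apart) is not, and the two SecurityServer lines are counted as unattributable. A real deployment would tail the live log, run the ipfw command as root, and schedule a matching `ipfw delete` after the ban time; note too that this acts only on failed logins, so a flood of connections that never reaches authentication, the other symptom option8 describes, needs a connection-rate rule in ipfw or in the POP daemon rather than a log parser.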

    #372214
    mosx86
    Participant

    I’ve been using denyhosts — http://denyhosts.sourceforge.net/ — with great success and basically have it running as a daemon monitored by launchd.

    The 10.4 configuration directions are a little wonky and want you to use asl.log, but secure.log works just fine and you don’t have to mess with the SSHD REGEX.

    Also, you’ll notice that in 10.5 the asl.log is a binary file. There is a syslog command you can use to read it, but I don’t think it’s possible to use it with denyhosts, so you’ll be using the secure.log anyway.

    Getting daemon mode to work with launchd is pretty trivial, and you can use something like Lingon to create the plist and load it.
