Surgical Diversions

Add Alarm to Events Calendar PRO

Andy Fragen — Sun, 06 May 2012 18:09:00 +0000

Thanks to Joey Kudish and Jonah at Modern Tribe, Inc., I’ve converted my original hacked together code to add an alarm to a calendar event created using the Events Calendar PRO WordPress plugin into a plugin of my own. You can see/follow the original discussion on the Modern Tribe forum.

This plugin requires the Events Calendar PRO plugin. You will have to create an Additional Field from The Events Calendar Settings page.

You can then download, install and activate the The Events Calendar PRO Alarm plugin. If/when this functionality ever becomes part of Events Calendar PRO simply deactivate the plugin.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Happy Birthday Sophie

Andy Fragen — Tue, 20 Dec 2011 20:54:22 +0000

Happy birthday Sophie! Today it has been eleven years since you’ve blessed us and you continue to do so daily. I love you — Daddy Related posts: Happy Birthday Sophie! My beautiful daughter Sophie is 5 years old today. One... … Continue reading → Related posts:

Happy Birthday Sophie! My beautiful daughter Sophie is 5 years old today. One...
Happy Birthday Jonathan! My son is 10 today. I cannot describe the many...
Happy Birthday Sophie! It’s that time of year again. Happy Birthday to my...

Related posts brought to you by Yet Another Related Posts Plugin.

chroot’d SFTP on Mac OS X server

Andy Fragen — Fri, 16 Dec 2011 00:27:25 +0000

So here you are finding that you need to grant someone else SFTP access to your server. There are lots of reasons to do this, in my case it’s because I needed to grant access to someone’s web designer. We initially worked it out by him emailing me files and me SFTP’ing them up to the server in the correct location. Now he needs direct access to fix some things and I want to give him only what he needs without compromising security. Enter the chroot jail. After lots of googling and some encouragement from the Mac OS X Server email list, I’ve got it working. Here’s how it works.

First, you should create the new user in Workgroup Admin and either assign them access privileges for SSH via Server Admin or assign them to a group that has SSH access privileges. Further discussion is below.

From the Terminal, start off right.

sudo cp /etc/sshd_config /etc/sshd_config.bkup

sudo chown root /
sudo chmod 755 /
sudo mkdir -p /chroot/user/scratchpad
sudo chown -R root /chroot
sudo chown user /chroot/user/scratchpad
sudo chmod -R 755 /chroot

Every additional new user added will then be something along the lines of the following.

sudo mkdir -p /chroot/user2/scratchpad
sudo chown root /chroot/user2
sudo chown user2 /chroot/user2/scratchpad
sudo chmod -R 755 /chroot/user2

Every folder it the path to the chroot jail must be owned by root. I don’t think it matters what group the folder is in. What I did above was to

backup /etc/sshd_config
change ownership of the root directory to root
change permissions of the root directory to 755
create a chroot folder
create a user folder inside the chroot folder
create a folder inside the user folder that user can modify
set ownership and permissions

Now to edit /etc/sshd_config to the following.

#Subsystem  sftp    /usr/libexec/sftp-server
Subsystem   sftp    internal-sftp

Match User user
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp
  ChrootDirectory /chroot/user

This creates a chroot jail that when the user logs in will drop them into the folder /chroot/user, in that folder is a folder they can add things to /chroot/user/scratchpad.

If you want to create a Group in Workgroup Admin for ‘Chroot Users’ then add the new users that you created in Workgroup Admin to the Group you won’t have to keep editing the /etc/sshd_config file. Instead of the above, add the following. Make sure you add the ‘Chroot Users’ group to the SSH access ACL in Server Admin.

Match Group chrootusers
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /chroot/%u

To test whether the above is working, issue the following from the terminal.

$ sftp user@domain.com Password: sftp>

Getting in is one thing. Now you have to mount the folder you want to use. Unfortunately you can’t use a symlink inside of a chroot jail. This is where MacPorts is your best friend. I don’t know why I’ve never seen fit to install this before. After installation just issue the following commands.

sudo port install fuse4x
sudo port install fuse4x bindfs

You might have to restart. Now with an empty folder created in /chroot/user you can mount --bind to a folder outside of the chroot jail. For example

sudo /opt/local/bin/bindfs -u user /Library/WebServer/Documents/mysite/yourfolder /chroot/user/scratchpad

So far this seems to work here.

Server-Side Email Filtering with Sieve Another post for the peripheral brain. When I first set...
WordPress Automatic Updates I think I finally have the automatic updates feature of...
Fail2ban and OS X Server, part deux As some of you might know I run my own...

Related posts brought to you by Yet Another Related Posts Plugin.

RIP Steve

Andy Fragen — Thu, 06 Oct 2011 00:02:59 +0000

It appears that Steve Jobs has finally lost his long battle with pancreatic cancer. I am saddened by the loss as Steve has greatly enriched my life through his creativity and genius.

There are very few people in the world that have enriched the lives of so many. We shall miss you Steve, but we’ll never forget you.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Squirrelmail Plugins

Andy Fragen — Thu, 17 Mar 2011 22:59:09 +0000

Just an FYI post.

I save all my added Squirrelmail plugins in /Users/Shared/squirrelmail_plugins/. Consequently if I need to reinstall any or all of them all I have to do is issue the following…

    sudo cp -R /Users/Shared/squirrelmailplugins/PLUGINFOLDER \
      /usr/share/squirrelmail/plugins
    sudo /usr/share/squirrelmail/config/conf.pl

Activate the plugins, save, quit and you’re good to go.

Server-Side Email Filtering with Sieve Another post for the peripheral brain. When I first set...
Webmail Authentication OK, my problem with my webmail and my Thunderbird user...
False Positive Just a personal reminder to keep in the memory bank....

Related posts brought to you by Yet Another Related Posts Plugin.

Sixteen Candles

Andy Fragen — Tue, 15 Mar 2011 16:33:24 +0000

Today is my son’s sixteenth birthday. Since I know he doesn’t read this blog I’m going to out our present to him of a new iPhone 3GS. He’s going to make out like a bandit as his grandparents are getting … Continue reading → Related posts:

Happy Birthday Jonathan! My son is 10 today. I cannot describe the many...
Happy Birthday Jonathan! Just a quick note to wish my son a happy...

Related posts brought to you by Yet Another Related Posts Plugin.

Setting up WebDAV Share in Mac OS X Server

Andy Fragen — Fri, 11 Mar 2011 01:33:39 +0000

As I attempt to transition from a laptop to an iPad, with no specific reason other than the iPad is sooooo kewl; I need to create my own online storage. Yes I have a Dropbox account, but I don’t control Dropbox.

Here’s what I did, YMMV.

From Server Admin, make new Web > Realm and set appropriate ACLs.
Create a folder in location/volume where data for Share is physically located.
Change permissions of folder to _www:admin (that’s what works for me)
Create a symlink to the share folder in the folder where your web server looks to for the domain’s data.

I know there’s probably a bit of information missing and if I showed images of the actual steps it might make things a bit clearer but I’m a little paranoid about my server and I don’t want to risk opening it up to further attack.

All this needs to be done before OS X will allow a "Connect to Server..." and mount your WebDAV share.

Setting up Snow Leopard iCal Server After scouring through the official documentation, and finding that lacking,...
chroot’d SFTP on Mac OS X server So here you are finding that you need to grant...
Fail2ban and OS X Server, part deux As some of you might know I run my own...

Related posts brought to you by Yet Another Related Posts Plugin.

Updating DNS settings

Andy Fragen — Fri, 04 Feb 2011 22:05:04 +0000

Just to document. I’ve updated the settings in /etc/named/named.ca by using the following command and then restarting DNS.

sudo curl ftp://ftp.internic.net/domain/named.root -o /var/named/named.ca

Not sure how often this should be done.

I also added the following to /etc/named.conf to reduced the error logging. I got that tidbit from google groups

logging {
category lame-servers { null; };
category edns-disabled { null; };
};

Amavisd settings I run my own mail server on OS X Server....

Related posts brought to you by Yet Another Related Posts Plugin.

Fail2ban Problems and Solutions

Andy Fragen — Wed, 01 Dec 2010 21:13:34 +0000

If you use Fail2ban then you are probably aware of the fact that you must add a rule number to the ipfw deny rule for actionban in ipfw.conf. If you don’t add a rule number then there is no way for fail2ban to delete the rule after it expires. The problem lies in that you can easily set a different rule number for each filter but if the filter adds many rules within it’s ban time then when that first actionunban gets triggered all rules with the same number are removed, even if there full ban time has not transpired.

I was looking for an elegant solution to this and finally figured out how to do it myself. What I’ve done is in the ipfw.conf file I’ve added a variable that will create a random number between 10000 and 12000 to use as the rule number.

The code is pretty simple.

echo $((RANDOM%2000+10000))

There needs to be an extra % in there for it to work. I think it has something to do with python. So far it seems to be working pretty good here. While it is possible that I could get a duplicate rule number, it’s unlikely.

I’ve modified my installation of Fail2ban significantly; but only by adding filters, jails, etc. Here’s a bundled version of all of my modifications. Here are instructions for using my modifications. So far everything seems to be working great. I’ve had to add a few items to ignoreregex so I don’t ban people using their iPhones on 3G or at home from certain dynamic IP cable providers.

What I’ve done is a host lookup on the IP that’s banned and if I find it’s a local ISP, like Verizon or Time Warner Cable, I add part of their host lookup to the ignoreregex list. So far it seems to be doing the trick.

Fail2ban on Leopard Server So here I am running my own server — for...
Checking Fail2ban regex I’ve just stumbled across a great command in Fail2ban to...

Related posts brought to you by Yet Another Related Posts Plugin.

Checking Fail2ban regex

Andy Fragen — Tue, 30 Nov 2010 22:14:54 +0000

I’ve just stumbled across a great command in Fail2ban to check whether or not your filter will actually score a hit from your log file.

From the command line.

fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/myfilter.conf regex_to_ignore

As an example.

fail2ban-regex /var/log/secure.log /etc/fail2ban/filter.d/sshd.conf (myusername|myIPaddress)

This seems like a great way to test whether changes to your filters are correct, rather than just waiting to see if anything shows up in fail2ban.log.

Fail2ban Problems and Solutions If you use Fail2ban then you are probably aware of...
Fail2ban on Leopard Server So here I am running my own server — for...
Fail2ban and OS X Server, part deux As some of you might know I run my own...

Related posts brought to you by Yet Another Related Posts Plugin.