Fail2ban and OS X Server, part deux

As some of you might know I run my own installation of OS X Server. I’ve since updated it to Snow Leopard Server and I think I’ve got most of it running well. As I check my server logs frequently I find that there are all sorts of script kiddies attempting to log in to my server in various ways.

The traditional method was to simply try an ssh session with a username and password combination. Unfortunately now I see more attempts to log in via VNC or in attempts to check or send email. It’s amazing to see 10 - 15 login attempts in a second. There’s a real motivating force to stop that kind of attention my poor little server is getting.

As I’ve written before, I’ve found the Fail2ban scripts to be a perfect solution. I have had to make a number of additions and improvements along the way, and now I thought I’d share them.

I’ve created a couple of new jails and improved upon a couple of the distribution jails so they work better with Snow Leopard. I’ve packaged up all my modifications. Here’s how to install them for yourself.

Download the modifications tarball.

Then you’ll need to issue the following commands from Terminal.

sudo tar xzf install_fail2ban_mods.tar.gz

This will create a folder containing all the modifications. At this point you can manually put all the files in the proper folders, or you can use my installation script. The installation script, install_fail2ban_mod.sh, shouldn’t delete anything; it only uses the cp command. If you already have a jail.local file, it is backed up first. You may also need to modify the jail.local file that I provide.

Additionally, I’ve found that sometimes the fail2ban server might have hung or its process has stopped. I’ve also written a script and a couple of plists for /Library/LaunchDaemons/ that periodically check to make sure fail2ban continues to hum along. You’ll have to load these plists manually or simply restart.

The jails that I’ve added check for SMTP, POP, IMAP, VNC and non-existent web pages. These, in addition to monitoring SSH, seem to cover most of it. Please remember that some of these filters are somewhat specific to Snow Leopard, since they match against the log lines of a Dovecot mail server.

So far my only problem has been when a user has changed their password but not correctly transferred these changes to Mail.app. What happens is fail2ban sees them as a break-in attempt and bans their IP for 10 minutes or so. I’m sure it can be frustrating. Sorry, I’m doing my best to fix it for you.

By all means, let me know how you’ve improved Fail2ban for your server.
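To show what a jail like the ones above actually does, here is an added example (my own illustration, not code from the Fail2ban distribution or from the modifications tarball) of the core fail2ban logic in Python: failures per source IP are counted over a findtime window, maxretry failures trigger a ban for bantime seconds, and an ignoreip list keeps trusted LAN clients, such as a user whose Mail.app still holds an old password, from being banned. The Dovecot log format and the sample lines are assumed and constructed.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed Dovecot login-failure format (modelled on Dovecot's imap/pop3-login
# "auth failed" lines); this is not the filter regex from the post's tarball.
FAIL_RE = re.compile(r"(?:imap|pop3)-login: .*auth failed.*rip=(?P<ip>[0-9a-fA-F.:]+)")

class Jail:  # minimal fail2ban-style jail: maxretry hits within findtime -> ban
    def __init__(self, maxretry=3, findtime=600, bantime=600, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ip_network(n) for n in ignoreip]  # never ban these nets
        self.hits = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                 # ip -> time the ban expires

    def feed(self, line, now):
        """Process one log line seen at time `now`; return ip if a ban starts."""
        m = FAIL_RE.search(line)
        if not m:
            return None
        ip = m.group("ip")
        if any(ip_address(ip) in net for net in self.ignore):
            return None              # like ignoreip in jail.local: trusted LAN
        q = self.hits[ip]
        q.append(now)
        while now - q[0] > self.findtime:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.maxretry and self.banned.get(ip, 0) <= now:
            self.banned[ip] = now + self.bantime
            return ip
        return None

# Constructed sample log lines with relative timestamps (not real server logs).
FAIL = "dovecot: %s-login: Disconnected (auth failed, 1 attempts): user=<%s>, rip=%s, lip=10.0.0.2"
SAMPLE = [
    (0, FAIL % ("imap", "bob", "203.0.113.5")),
    (1, FAIL % ("imap", "bob", "203.0.113.5")),
    (2, FAIL % ("pop3", "mom", "192.168.1.20")),   # LAN user with a stale password
    (3, FAIL % ("pop3", "mom", "192.168.1.20")),
    (4, FAIL % ("pop3", "mom", "192.168.1.20")),
    (5, FAIL % ("imap", "root", "203.0.113.5")),   # third hit inside findtime
    (6, "dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2"),
    (700, FAIL % ("imap", "bob", "203.0.113.5")),  # old hits expired: no ban
]

def run(lines=SAMPLE, ignoreip=("192.168.1.0/24",)):
    """Feed lines through a jail; return the ips banned, in order."""
    jail = Jail(ignoreip=ignoreip)
    return [ip for t, line in lines if (ip := jail.feed(line, t))]
```

With the LAN network in ignoreip only the outside host is banned; drop the ignoreip entry and the LAN user is banned too, which is the frustrating case the post describes.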

Posted in code, computer, osx-server | Tagged , , , | 2 Comments

Customer Service

I just had to pass along kudos to APC. I use one of their BackUPS battery backup systems. It’s been flawless for most of the past 3 years. In the past 3 days the overload light has tripped and it shuts off power to everything. Not what you want.

I called tech support. They picked up the phone after only 2-3 rings, ran me through some diagnostics, told me there was probably 18 days left on my warranty. Then they told me they were shipping me a new unit.

They are my customer service heroes.

Posted in computer | Tagged | Leave a comment

Tenet Healthcare and the iPhone

Well, I finally broke down and started using Tenet’s Exchange Server. First, IS created an Exchange account for me; then I tried adding it to my iPhone. After I got the settings right, from someone who’s already using it with their iPhone, everything works fine.

Here are the settings that aren’t obvious.

Server mail.etenet.com
Domain tenethealth

Then make sure SSL is on and you should be good to go with your email address, username and password.

Now, if I could just get this working on my Mac desktop. There are clearly some differences in the manner in which iOS 4 and OS X 10.6.4, and particularly Mail.app, iCal and AddressBook, interact with the Exchange server. I’m still trying to find the secret incantation to make it work on the desktop. When I do, a follow-up will be forthcoming.

BTW, the above settings should work just fine for your iPad too.

Update:
Make sure your username is not your full email address.

Posted in mac-osx | Tagged | 7 Comments

Setting up Snow Leopard iCal Server

After scouring the official documentation and finding it lacking, Google found the answers.

Make sure Wiki Server is set to 127.0.0.1 and that Use SSL is checked.

Here’s how I was finally able to get my group calendars into the iCal SL/Lion client (no SSL):

userName
password
server.com/principals/__uids__/wiki-groupName/ (no http://)

To get this group calendar into iOS, add the following as a CalDAV calendar:

username
password
server.com/principals/wikis/groupname/ (no http://)

Posted in mac-osx, osx-server | Tagged , , | Leave a comment

Snow Leopard Sieve Rules

How to edit sieve rules in Snow Leopard by hand. This is not really recommended, especially because it seems that SL server does not use all of the sieve rules, and the ones that it does use are in a slightly different format from what the Sieve documentation describes.

A couple of sources and a couple of quick lines of code later, here is how to figure out which file to edit.

u="username"; dscl /Search read Users/$u GeneratedUID | awk {'printf "/Library/EmailRules/sievescripts/"$2".sieve\n"'} | xargs -n1 -p sudo cat

u="username"; dscl /Search read Users/$u GeneratedUID | awk {'printf "/Library/EmailRules/sievescripts/"$2".sieve\n"'} | xargs -n1 -p sudo pico

Edit the command so that u is the person’s username and you can view and edit their sieve file. I also don’t know why, but I get the following error:

Received SIGHUP or SIGTERM

All you have to do is copy the command again and it will work. Not sure why it doesn’t work the first time.

I’m quite certain that if you go ahead and re-edit using the GUI, your files might get screwed up. YMMV.

Some say running the following command helps. Also, see Update below. Again, YMMV.

sudo /usr/bin/wiki_sieve_manager

Finally, a real solution to the above. Simply make sure you use the URL https://yourdomain.com/settings/username/emailrules/. Even if the website is not set up to use port 443 in Server Admin, it seems you must use https.

Update
I discovered another secret. In order for the new rules to transfer, you will need to add a new rule via the wiki, or at least go to the wiki and press the add rule button. This way the new rule is copied over to /var/spool/imap/dovecot/sieve-scripts/%u.

Posted in osx-server | Tagged , | Leave a comment

Dovecot Permissions

Well, I finally bit the bullet and installed OS X Snow Leopard Server. Most of what I absolutely need to get working is mail services. One of the peculiarities of Dovecot is that each user’s mail folder is owned by that user. I think in Cyrus they were all owned by mail or _cyrus.

Anyway, I found that a couple of my files didn’t have the correct permissions. I found out by trying to open a mailbox in webmail, which gave me errors I’d never seen before. The more useful errors were in mailaccess.log, where I saw a dovecot service reporting failed: Permission denied.

I managed to find where the files lived, and as I have quite a few mail users I didn’t want to go through them individually, so I figured out a script to do it.

sudo ls -lA /var/spool/imap/dovecot/mail | grep -v total | awk {'printf $3": /var/spool/imap/dovecot/mail/"$9"\n"'} | xargs -n2 -p sudo chown -R

The script will ask if you want to proceed with the chown command for each user.

If you find your logs reporting permission issues with a specific account, or your webmail users have errors opening mailboxes, then the following command, given the offending GeneratedUID, will reset the permissions in the same way as above. Simply replace GUID in the command with the one listed in your logs.

dscl /LDAPv3/127.0.0.1 -list /Users GeneratedUID | grep GUID | awk {'printf $1": /var/spool/imap/dovecot/mail/"$2"\n"'} | xargs -n2 -p sudo chown -R

Posted in mac-osx, osx-server | Tagged , , | 2 Comments

Verizon Thinks You’re a Spammer

They must. Verizon now blocks port 25 and does not allow you to opt out. Why do I care? Well our hospital just opened up free WiFi everywhere and when I found I couldn’t send email I made a couple of trips to the Information Services folks.

They swore up and down that they weren’t blocking anything at the router. An epiphany later and we figured out it was the Verizon DSL they were using for the access points.

Well, the simple solution is to have the mail server also accept SMTP submission on port 587. This was simple enough to fix on the server: just uncomment the following line in /etc/postfix/master.cf

#submission inet n - n - - smtpd

Then sudo postfix reload and you’re good to go.

Of course I also had to change my iPhone SMTP to use port 587. The only tricky part was remembering that I have my router set to provide a basic hardware firewall, in addition to the server’s ipfw. I had to open a service and a rule on the router to let TCP traffic on port 587 through.

Posted in computer, osx-server | Tagged , | 2 Comments

WordPress Automatic Updates

I think I finally have the automatic updates feature of WordPress working. Previously, when asked for my login info for the FTP connection, I would get some vague connection error. It’s a permissions issue: some file/folder permissions need to be set for the web server user, in my case Apache2 running as _www on OS X Server.

The answer mostly comes from looking for why WordPress asks for connection information. Be sure to read the comments. Definitely add the following to wp-config.php.

define('FS_METHOD', 'direct');

So far, my solution seems to be something like the following, run from the wordpress directory.

sudo chown -R _www ./wp-content*
sudo chown _www ./wp-admin/update*

It seems to work; however, the progress information for the update seems to loop endlessly. I let it run for a bit, and when I check whether the plugin or theme is updated it seems to have the newer version, but I’ve no real way to check, or to know how long to let the process run.

Very confusing.

When I encounter more updates I’ll see if this really does work. BTW, updated to WordPress 3.0 for all the new goodness.

Update
This works fine for plugins and themes but not for the actual WP updates. Also, I just let it run until the browser doesn’t seem to be loading the page any longer and the updates are done. Something’s clearly not working as expected with this and OS X Server but I don’t know what it is.

Update 2
Thanks epor for the missing piece.

Posted in osx-server | Tagged , , | 3 Comments

Not on My Watch

OK, I was sent a nice, likely canned, email asking if I’d point to Kimberly-Clark Health Care’s Healthcare-Associated Infection website. It seems to have a bunch of information.

Remember to use your Kleenex™.

Posted in medicine | Tagged | Leave a comment

Server-Side Email Filtering with Sieve

Another post for the peripheral brain.

When I first set up my own server lo these years ago, I never really thought about email message filtering. After all, I had rules in Mail.app that would send my incoming message to wherever I wanted them. Besides, I was much more concerned with eliminating spam.

Well, that was then, and spam seems under control. I was prompted to look at server-side message filtering mostly to help out my mother, who seems determined to let every single store, travel and other consumer site that will happily take your email address send her messages daily (or more often), have a more controllable experience on her iPhone. When we originally set up her iPhone she told me she didn’t want to use it for email. Silly me, I listened and set her up with a POP account. Well, now she wants email. What’s a good son to do? ;-)

I changed her POP account to IMAP, copied over all her messages to her new IMAP folders and thought I’d need to solve her impending problem of 100 or so messages every other day choking her inbox.

After a bit of Googling I found Sieve. I’d actually heard of it before but never really thought about it. The Apple Discussion Forum had a nice start and pointed me on to sources I used to set it up.

Here are the salient points. From the terminal…

  1. Add the following lines to /etc/services

    sudo pico /etc/services
    

    Insert the two lines marked with + after the existing callbook entries (the + is not part of the line).

    callbook 2000/udp # callbook
    callbook 2000/tcp # callbook
    + sieve 2000/udp # sieve mail filtering
    + sieve 2000/tcp # sieve mail filtering
    

    You can check that the service is listening by running

    netstat -an | grep 2000
    

    with results

    tcp4 0 0 *.2000 *.* LISTEN
    tcp6 0 0 *.2000 *.* LISTEN
    
  2. Create /usr/sieve

    sudo mkdir /usr/sieve
    sudo chown _cyrus:mail /usr/sieve
    
  3. Restart mail services

    sudo serveradmin stop mail
    [ some stuff ]
    sudo serveradmin start mail
    [ some stuff ]
    
  4. Since I’m using OS X Server and SquirrelMail is already running, next was installing and configuring avelsieve.

I really did try installing the latest development version, 1.9.9 alpha. That should have been a clue. After spending way too much time with it I installed the stable version, avelsieve 1.0.1. Once it is copied into /usr/share/squirrelmail/plugins, run sudo perl /etc/squirrelmail/config/conf.pl and activate the plugin.

Then it’s back to the terminal. These instructions are from AFP548.

    cd /usr/share/squirrelmail/plugins/avelsieve
    sudo cp config-sample.php config.php

Now set the correct authentication matching SquirrelMail.
Edit /etc/squirrelmail/plugins/avelsieve/config.php and change:

$preferred_mech = "PLAIN";

to

$preferred_mech = "CRAM-MD5";

You should be running SquirrelMail with CRAM-MD5 authentication anyway.

Finally, edit the /etc/squirrelmail/plugins/avelsieve/lib/sieve-php.lib.php file.

Find the line:

fputs($this->fp, "PUTSCRIPT \"$scriptname\" \{$len+}\r\n");

and change it to:

fputs($this->fp, "PUTSCRIPT \"$scriptname\"".' {'."$len+".'}'."\r\n");

This fixes an error in the plugin that prevented saving your changes to the filters. Now go log in to webmail and click on the Filter link to start creating your Sieve filters.
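To make clear what the corrected line is sending to the sieve daemon, here is an added example in Python (my own illustration, not avelsieve code): PUTSCRIPT carries the script as a managesieve literal, where {n+} announces n octets to follow, so n must be the byte length of the script, not its character length. The decoder handles the {n} form the server sends back for GETSCRIPT. Function names are my own.

```python
import re

# Managesieve literal prefix: "{n}" or "{n+}" then CRLF, followed by n octets.
LITERAL_RE = re.compile(rb"^\{(\d+)(\+?)\}\r\n")

def quote_name(name):
    """Quote a script name as a managesieve quoted string (escape \\ and \")."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_putscript(name, script):
    """Build 'PUTSCRIPT "name" {n+}\\r\\n<script>\\r\\n' as bytes.
    This is what the corrected avelsieve line emits; n is the script length
    in octets (UTF-8 bytes), not characters, so non-ASCII rules still save."""
    body = script.encode("utf-8")
    head = f"PUTSCRIPT {quote_name(name)} {{{len(body)}+}}\r\n".encode("ascii")
    return head + body + b"\r\n"

def read_literal(data):
    """Decode a literal at the start of `data` (e.g. a GETSCRIPT reply).
    Returns (payload, rest); raises ValueError if malformed or incomplete."""
    m = LITERAL_RE.match(data)
    if not m:
        raise ValueError("not a literal")
    n, start = int(m.group(1)), m.end()
    if len(data) < start + n:
        raise ValueError("short literal: need %d more octets" % (start + n - len(data)))
    return data[start:start + n], data[start + n:]

def response_ok(line):
    """True for an 'OK ...' response line, False for 'NO' or 'BYE'."""
    return line.split(b" ", 1)[0] == b"OK"
```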

Posted in code, mac-osx, osx-server | Tagged , , , , , | Leave a comment