Surgical Diversions | My time out of the operating room.

Fail2ban on Leopard Server

Posted on September 24, 2009 by Andy Fragen

So here I am running my own server — for almost 2 years now. It’s been a real learning experience and I’ve tried to share. My latest add-on has been fail2ban. I got tired of looking into my logs and seeing where script kiddies or bots were trying to take control of my server. Fortunately, none have.

After a bit of googling, I found fail2ban. It’s a collection of python scripts.

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

There are a few tricks I’ve discovered along the way to make it work on my installation and likely on Mac OS X Server in general.

First is that fail2ban creates a PID and socket file in a directory that it fails to create. Yeah, that’s a bug. Since I didn’t want to mess around with the actual scripts in the program, I created a plist that issues the mkdir /var/run/fail2ban command. I placed this in /System/Library/LaunchDaemons and set it to Run at Load. Lingon is your friend, but’s now inactive.

After creating the file you have to use the command line to move it to the /System/Library/LaunchDaemons directory. I also created another launchd plist to reload fail2ban every day. I did this because I run multiple virtual websites and the error logs for those sites get rotated and the names have some time code or something tacked on the end of the filename.

OK, problem 1 solved. Next I discovered that since fail2ban is really running on a multitude of linux boxes all the different methods of IP tracking, sorting etc. were really useless on my OS X Server. I run ipfw firewall and fortunately there’s a module for that in fail2ban. Unfortunately it’s not quite set up correctly, at least it wasn’t for me. I had to tweak it a bit.

What this means is that your action is always going to be ipfw. I tweaked the ipfw.conf file a bit. Now it does the following.

Logs it’s action to ipfw.log
Adds a rulenum to the ipfw command. I did this because some other rule in my setup was allowing the IP before my deny could take effect. By lowering the rulenum my deny now fires off first.
Abstracted the protocol (tcp, udp) to pass as a variable. Just in case something you want to block isn’t tcp.

I also created another filter as I found many times some machine would excessively hit my Apache server looking for nonexistent files. Since it sounds like something a bot would do I decided to ban it. This was the simple creation of a new filter.

I created a jail.local file to hold all my prefs and through trial and error discovered that the examples of how to call for a jail weren’t working for me. Perhaps I just didn’t understand the examples. I soon discovered that parameters for the jail action needed to be passed inside of square brackets in the prefs.

I’m sure, if you’ve gotten this far that you’re either very confused by this whole post or that you’ve had an epiphany. To further the epiphany along I’ve uploaded my file changes.

You should be able to figure out what file goes where from the folder structure of the upload.

A couple of things in summary to remember. First, turn on your server’s firewall. Then make sure you change your server’s local IP address in the files to match your own. That’s the setting for localhost.

Good luck. If you have any questions leave a comment.

Posted in code, osx-server | Tagged code, fail2ban, osx-server | 7 Comments

Snailjacked

Posted on May 12, 2009 by Andy Fragen

Well, I’ve found out that someone is hijacking my posts with no attribution and no permission. I’m not even sure I understand the logic as there isn’t even any advertising there — yet.

If you’re seeing anything on the domain computersoftware.snailjack.com, it’s a rip off from somewhere else. Do me a favor and don’t click on any links, don’t support there advertising and just don’t go on their site.

Other than restricting my RSS feed I’m not sure what I can do to stop it.

Don’t support anything from the domain SNAILJACK.COM!

Tagged blogging | Leave a comment

VoodooPad Pro Blogging

Posted on May 7, 2009 by Andy Fragen

Please note that VoodooPad Pro has been renamed to VoodooPad.

It’s time to package up all my VoodooPad blogging scripts and assorted web export plugins so that I can

Remember what the heck I was thinking.
Remember what all these pieces were supposed to accomplish as a whole.
Provide some sort of reference to others interested in this stuff.

Concept: To use VoodooPad as a CMS for a web site, allowing for static sites and inclusion of blog-style concatenated page. The blog-style page was originally intended as a “News” page of a static business site. SEO optimization necessitating the addition of a page with re-newing content. Google likes it more.

Disclaimer: I like Markdown and built these scripts around the fact that the VP document is essentially always formatted in plain text. Images need to be added using links.

I will include a sample package that contains a VP document, a web export plugin and several script plugins. The site the sample is based upon is at.

VoodooPad is a requirement as the meta data and triggers are necessary in the creation of the files. My workflow is as follows.

Create new page/post.
Run script plugin Blog > Meta Markup - HomepageMeta on new page.
Run script plugin Blog > Make Homepage and Feed
Run web export.
FTP files up to site. I use Transmit. It’s also a great app.

The script will move all the created files into a folder structure so that the file structure on the computer will match the web site structure.

VoodooPad document Item meta data is contained in the HomepageMeta page of the document. This is where most of the personalized info on the site is contained.

In the VP document, tags are used to create a pseudo-folder structure. This means that a page may only have one tag. Some pages are not exported but are used as reference, ie. links in the sidebar or the HomepageMeta page. Pages that are to be rendered at the root level of the site are tagged main.

Triggers can be used to include certain information into specific pages or info on every page. I use this for things like Google Analytics which needs to be on every page or the analytics confirmation that is only on the index.html page.

The Web Export Plugin Some customization of these files will be necessary for your specific site.

> Images are kept in the web export plugin. Files like robots.txt that need to be at the root level are kept in a root folder inside the web export plugin.

preflight.sh - creates the actual folder hierarchy, the folders are created in the preflight.sh script. The preflight.sh script also copies files like images to the export folder.
postflight.sh - can be used to rename pages that may be PHP based from .html to .php
deleteVPExtra.sh - deletes the extra pages that VoodooPad creates during a web export. No changes to this file are needed.
fixRelativePaths.sh - fixes the relative URLs that occur inside of nested pages. No changes to this file are needed.
parseMetaXml.rb - Parses the meta.xml file that VoodooPad creates and uses that infomation to move files into their correct folder structure on the disk and to create a valid sitemap.xml file for use with Google Sitemaps. It also creates and parses the vpDocMeta.xml file for variables.
Info.plist - This file was edited to call these scripts during the web export process.
vpDocMeta.xml - This file resides inside the root folder of the Web Export Plugin. It is created by the parseMetaXml.rb script. It contains the following data points.
root - default value is main. This is the name of the tag of rendered pages that belong at the root level of the folder structure.
baseUrl - This is the base URL for the site for creation of the sitemap.xml file.
isHomeIndex - default value is false. This is only used if the the page name in VP for the index page of the site is home. This is true if the main page is a blog-style homepage.
noIndex - default value is private. This is the name of a directory whose files you don’t want included in sitemap.xml.

Script Plugins These are placed in the ~/Library/Application Support/VoodooPad/Script PlugIns/ folder. No changes should be required in these scripts. They will be viewable from the Plugin > Blog menu in VoodooPad.

meta_markup_HomepageMeta.lua - Takes the data from the page HomepageMeta in the VP doc and adds specific item meta data to the frontmost page.
meta_markup_update.lua - Propagates changes made to the HomepageMeta page to all the item meta data of all pages that require them. This is only just the pages used for the blog-style page.
blog_home_atom.lua - Creates the blog-style page now called home in the VP document and also creates a valid atom.xml feed in the output directory.

Comments and questions are welcome. If some enterprising person wants to wrap this all up in the new plugin architecture that would be cool. I’m happy to help if I can.

Posted in code, mac-osx | Tagged blogging, code, mac-osx | 2 Comments

Amavisd settings

Posted on March 16, 2009 by Andy Fragen

I run my own mail server on OS X Server. For the most part I have my SpamAssassin settings tweaked pretty well. Unfortunately, there is some spam that seems to have malformed or incomplete MIME boundaries and these messages don’t seem to be getting passed off from Amavisd to SpamAssassin. As such, they seem to be getting through to the recipient with a null value for the spam score.

After a little Googling I found Amavisd critical settings and I think the $final_bad_header_destiny is the key. The default setting is set to D_PASS. I’ve changed mine to D_REJECT now I’ll see what the logs say and see how much non-spam gets caught. Obviously, if enough good stuff doesn’t get through then I’ll have to think of something else.

But the obvoious question remains, Why doesn’t SpamAssassin score these messages?

Posted in computer, osx-server | Tagged computer, osx-server, spamassassin | Leave a comment

Backblaze Backup

Posted on March 13, 2009 by Andy Fragen

I have an invite or two to distribute for the Backblaze online backup service for OS X. Price is $5 a month per machine for unlimited data. Attached disks are recognized, but not yet network attached storage. My opinion is once they allow for NAS backup it’ll be great.

Leave a comment if you want a link to the beta.

Posted in computer, mac-osx | Tagged computer, mac-osx | Leave a comment

Nationalized Healthcare and the Free Market

Posted on March 5, 2009 by Andy Fragen

Nationalized/Universal healthcare will happen. Obama ran on it and he intends to deliver. What’s more, I can see a manner in which the country will flock to it under the current free market insurance system.

First, the federal government will expand Medicaid to cover the unemployed and uninsured. Second, the Congress will pass some law that mandates employers to provide health insurance for not only full-time employees, but part-time employees too.

Oh, by the way, the federal government will also make available a government-sponsored insurance plan to compete with the other available HMO and PPO choices. Of course the government plan will cost you (the employer) 40-50% less than the next most expensive plan.

You (the employer) will offer your employees the government plan as per the terms of the new law and they (the employees) will have the option of spending almost twice as much for a different commercial plan. I don’t really expect many employees to avail themselves of the opportunity to spend more money for little perceived increase in services.

Soon 80-90% of the country will be on the government plan and physicians and hospitals will effectively have a single payor.

Welcome to nationalized/universal healthcare.

Posted in medicine | Tagged medicine, politics | 2 Comments

iPhone Stand

Posted on March 4, 2009 by Andy Fragen

While looking for an iPhone stand I came across the simplest solution. A binder clip.

Tagged iPhone | 2 Comments

Appendiceal Duplication

Posted on February 13, 2009 by Andy Fragen

I had a very interesting case the other evening. First, for the uninitiated, it’s usually a bad sign when the surgeon says it was a very interesting case. Generally routine is best.

Anyway, nice 50ish year old female with few days of diffuse abdominal pain now localizing to RLQ. Nausea and vomiting. Anorexia. Acute peritoneal finding in RLQ with percussion. Outside CT reportedly showing acute appendicitis.

I look at the patient. Story is great. Almost sounds like she’s read Cope. I take her to the OR. I feel a mass on exam after induction. Sorry guys I do open appys. 3 cm McBurney incison and mobile the cecum. There’s a 5cm mass but seems to be mobilizing from the superior aspect of ascending colon not inferiorly. Anyway, I deliver what appears to be an appendiceal phlegmon into the wound and fire a GIA-55 across its base. The base is along a tinea adjacent to the ileocecal valve. Doesn’t look like there’s any free perforation so I irrigate and start to close.

I’ve got a couple of clamps on the peritoneum and then I see a relatively normal looking appendix starting at me. Naturally it comes out.

Patient home in less than 24 hours.

Path report shows:

appendix - acute appendicitis
pericecal diverticulum and phlegmon - appendiceal duplication with acute perforating and gangrenous appendicitis

Comment on path report is duplication based upon the presence of circular muscle around the diverticulum, its location and gross appearance.

I’ve never seen that one before. All I can say is I’m glad I saw what I considered to be a relatively normal appearing appendix prior to closure.

Posted in medicine | Tagged medicine | Leave a comment

iCal - Exchange Time Zone Fix - Chapter 3

Posted on December 28, 2008 by Andy Fragen

I’ve updated the iCal-Invite-Fix script again. This time to allow for adding multiple Exchange servers to the script so that you should only need a single script. The set-up is slightly more complex.

As the image above shows there are now only 2 properties, both of which are lists. These lists work together as an array; which means the order of the list items is crucial.

exchange_fragment contains unique fragments of the TZID that the Exchange server sends.
ical_tzid contains the tzid info that iCal expects to see.

If you have any problems setting it up let me know. This post has all the info for the script.

Download the iCal-Invite-Fix script.

Posted in AppleScript, code, mac-osx | Tagged AppleScript, code, mac-osx | 6 Comments

Subscribing to Delegated Calendars

Posted on December 19, 2008 by Andy Fragen

OK, I’m fortunate or crazy enough to run my own server using Apple’s OS X Leopard Server software. It has been, at times, very simple and very complex to set everything up. One of the options that I use is the iCal Server so that I can have shared calendars. Once I got it up and running with all the permissions worked out it’s been terrific. By terrific I mean that I haven’t had to do a single thing to keep it up and running.

Here’s the problem. My wife and I both have iPhone’s. I’d like to see one of her calendar’s on my iPhone and I want here to see one of mine on her iPhone. On our respective computers these calendars show up in iCal as Delegates. That’s how there’re suppose to show up. The problem is that only local calendars and subscribed calendars are listed in iTunes for syncing to the iPhone.

After a bit of googling, the answer appeared in the Apple Discussions Board. If I do a get info on the Delegate calendar and copy the CalDAV URL I can then subscribe to this URL, the calendar will show up in my Subscriptions list. I can then sync it to the iPhone. It is perhaps the simplest workaround that I’ve found. Your user must log out and log back in for iTunes to see the newly subscribed calendar.

However, it’s still a kludge and I await the day Apple fixes iTunes to allow for syncing any viewable calendar iCal to your iPhone.

Posted in mac-osx, osx-server | Tagged Apple, iPhone, mac-osx, osx-server | Leave a comment

Tags

Recent Comments