First, you should create the new user in Workgroup Admin and either assign them access privileges for SSH via Server Admin or assign them to a group that has SSH access privileges. Further discussion is below.

From the Terminal, start off right.

sudo cp /etc/sshd_config /etc/sshd_config.bkup

sudo chown root /
sudo chmod 755 /
sudo mkdir -p /chroot/user/scratchpad
sudo chown -R root /chroot
sudo chown user /chroot/user/scratchpad
sudo chmod -R 755 /chroot

Every additional new user added will then be something along the lines of the following.

sudo mkdir -p /chroot/user2/scratchpad
sudo chown root /chroot/user2
sudo chown user2 /chroot/user2/scratchpad
sudo chmod -R 755 /chroot/user2

Every folder it the path to the chroot jail must be owned by root. I don’t think it matters what group the folder is in. What I did above was to

1. backup /etc/sshd_config
2. change ownership of the root directory to root
3. change permissions of the root directory to 755
4. create a chroot folder
5. create a user folder inside the chroot folder
6. create a folder inside the user folder that user can modify
7. set ownership and permissions

Now to edit /etc/sshd_config to the following.

#Subsystem  sftp    /usr/libexec/sftp-server
Subsystem   sftp    internal-sftp

Match User user
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ChrootDirectory /chroot/user

This creates a chroot jail that when the user logs in will drop them into the folder /chroot/user, in that folder is a folder they can add things to /chroot/user/scratchpad.

If you want to create a Group in Workgroup Admin for ‘Chroot Users’ then add the new users that you created in Workgroup Admin to the Group you won’t have to keep editing the /etc/sshd_config file. Instead of the above, add the following. Make sure you add the ‘Chroot Users’ group to the SSH access ACL in Server Admin.

Match Group chrootusers
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ChrootDirectory /chroot/%u

To test whether the above is working, issue the following from the terminal.

$ sftp user@domain.com
Password:
sftp>

Getting in is one thing. Now you have to mount the folder you want to use. Unfortunately you can’t use a symlink inside of a chroot jail. This is where MacPorts is your best friend. I don’t know why I’ve never seen fit to install this before. After installation just issue the following commands.

sudo port install fuse4x
sudo port install fuse4x bindfs

You might have to restart. Now with an empty folder created in /chroot/user you can mount --bind to a folder outside of the chroot jail. For example

sudo /opt/local/bin/bindfs -u user /Library/WebServer/Documents/mysite/yourfolder /chroot/user/scratchpad

So far this seems to work here.

Related posts:

1. Server-Side Email Filtering with Sieve Another post for the peripheral brain. When I first set...
2. WordPress Automatic Updates I think I finally have the automatic updates feature of...
3. Dovecot Permissions Well, I finally bit the bullet and installed OS X...

Related posts brought to you by Yet Another Related Posts Plugin.

I was looking for an elegant solution to this and finally figured out how to do it myself. What I’ve done is in the ipfw.conf file I’ve added a variable that will create a random number between 10000 and 12000 to use as the rule number.

The code is pretty simple.

echo $((RANDOM%2000+10000))

There needs to be an extra % in there for it to work. I think it has something to do with python. So far it seems to be working pretty good here. While it is possible that I could get a duplicate rule number, it’s unlikely.

I’ve modified my installation of Fail2ban significantly; but only by adding filters, jails, etc. Here’s a bundled version of all of my modifications. Here are instructions for using my modifications. So far everything seems to be working great. I’ve had to add a few items to ignoreregex so I don’t ban people using their iPhones on 3G or at home from certain dynamic IP cable providers.

What I’ve done is a host lookup on the IP that’s banned and if I find it’s a local ISP, like Verizon or Time Warner Cable, I add part of their host lookup to the ignoreregex list. So far it seems to be doing the trick.

Related posts:

1. Fail2ban on Leopard Server So here I am running my own server — for...
2. Checking Fail2ban regex I’ve just stumbled across a great command in Fail2ban to...

Related posts brought to you by Yet Another Related Posts Plugin.

From the command line.

fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/myfilter.conf regex_to_ignore

As an example.

fail2ban-regex /var/log/secure.log /etc/fail2ban/filter.d/sshd.conf (myusername|myIPaddress)

This seems like a great way to test whether changes to your filters are correct, rather than just waiting to see if anything shows up in fail2ban.log.

Related posts:

1. Fail2ban Problems and Solutions If you use Fail2ban then you are probably aware of...
2. Fail2ban on Leopard Server So here I am running my own server — for...
3. Fail2ban and OS X Server, part deux As some of you might know I run my own...

Related posts brought to you by Yet Another Related Posts Plugin.

When I first set up my own server lo these years ago, I never really thought about email message filtering. After all, I had rules in Mail.app that would send my incoming message to wherever I wanted them. Besides, I was much more concerned with eliminating spam.

Well, that was then and spam seems under control. I was prompted to look at server-side message filtering mostly to help out my mother, who seems determined to have every single store, travel and other consumer site that will happily take your email address and send you messages daily — or more often, have a more controllable experience on her iPhone. When we originally set up her iPhone she told me she didn’t want to use it for email. Silly me, I listened and set her up with a POP account. Well now she wants email. What’s a good son to do.

I changed her POP account to IMAP, copied over all her messages to her new IMAP folders and thought I’d need to solve her impending problem of 100 or so messages every other day choking her inbox.

After a bit of Googling I found Sieve. I’d actually heard of it before but never really thought about it. The Apple Discussion Forum had a nice start and pointed me on to sources I used to set it up.

Here are the salient points. From the terminal…

1. Add the following lines to /etc/services

   sudo pico /etc/services
   

   Insert the following lines.

   callbook 2000/udp # callbook
   callbook 2000/tcp # callbook
   + sieve 2000/udp # sieve mail filtering
   + sieve 2000/tcp # sieve mail filtering
   

   You can check to see if it’s running by running

   netstat -an | grep 2000
   

   with results

   tcp4 0 0 *.2000 *.* LISTEN
   tcp6 0 0 *.2000 *.* LISTEN
   

2. Create /usr/sieve

   sudo mkdir /usr/sieve
   sudo chown _cyrus:mail /usr/sieve
   

3. Restart mail services

   sudo serveradmin stop mail
   [ some stuff ]
   sudo serveradmin start mail
   [ some stuff ]
   

4. Since I’m using OS X Server and SquirrelMail is already running, next was installing and configuring avelsieve.

I really did try installing the latest development version — 1.9.9 alpha. That should have been a clue. After spending way too much time with it I installed the stable version - avelsieve 1.0.1. Once copied into /usr/share/squirrelmail/plugins run sudo perl /etc/squirrelmail/config/conf.pl and activate the plugin.

Then it’s back to the terminal. These instructions are from AFP548.

    cd /usr/share/squirrelmail/plugins/avelsieve
    sudo cp config-sample.php config.php

Now set the correct authentication matching SquirrelMail.
Edit /etc/squirrelmail/plugins/avelsieve/config.php and change:

$preferred_mech = "PLAIN";

to

$preferred_mech = "CRAM-MD5";

You should be running SquirrelMail with CRAM-MD5 authentication anyway.

Finally, edit the /etc/squirrelmail/plugins/avelsieve/lib/sieve-php.lib.php file.

Find the line:

fputs($this->fp, "PUTSCRIPT \"$scriptname\" \{$len+}\r\n"); 

and change it to :

fputs($this->fp, "PUTSCRIPT \"$scriptname\"".' {'."$len+".'}'."\r\n");

This fixes an error in the script allowing you to save your changes to the filters. Now go login to webmail and click on the Filter link to start creating your Sieve filters.

Related posts:

1. Squirrelmail Plugins Just an FYI post. I save all my added Squirrelmail...
2. Snow Leopard Sieve Rules How to edit sieve rules in Snow Leopard by hand....
3. Forwarding Email in Leopard Server OK, to put it mildly the Workgroup Manager and Email...

Related posts brought to you by Yet Another Related Posts Plugin.

To make a file or folder invisible issue the following from the CLI.

SetFile -a V path/to/fileOrFolder

To make it visible again…

SetFile -a v path/to/fileOrFolder

That’s it. This can be especially useful on shared drives to keep others out of specific folders, etc. BTW, the file or folder still shows up in ls, it’s just not visible in Finder.

Related posts:

1. VoodooPad Pro Blogging Please note that VoodooPad Pro has been renamed to VoodooPad....

Related posts brought to you by Yet Another Related Posts Plugin.

I wrote up a modified script like in the example and bundled it with a shell script, to install and uninstall the modification. You have to run this shell script using sudo from the CLI (Command Line Interface aka Terminal.app).

The zip file contains the shell script, the modified Mail.scpt AppleScript, and the original Mail.scpt AppleScript.

To install run “sudo /path/to/iCal_Reply_Send.sh install”
To uninstall run “sudo /path/to/iCal_Reply_Send.sh revert”
To check usage and status, run “/path/to/iCal_Reply_Send.sh”

If you don’t like messing with the CLI then there’s a great little shareware app, iCal Reply Checker that does it all, and more.

It seems that neither method interferes with the code signing of iCal as the script in question is not code signed.

Update
It appears that if you’re using an Exchange account in Mail.app that this script is being bypassed and this hint won’t work for you.

Related posts:

1. iCal - Exchange Time Zone Fix As any Mac user who deals with Microsoft Exchange invites...
2. iCal - Exchange Time Zone Fix - Chapter 3 I’ve updated the iCal-Invite-Fix script again. This time to allow...
3. iCal - Exchange Time Zone Fix - part 2 I’ve come across a problem with the original MailExchange2iCal-TZ-fix script....

Related posts brought to you by Yet Another Related Posts Plugin.

After a bit of googling, I found fail2ban. It’s a collection of python scripts.

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

There are a few tricks I’ve discovered along the way to make it work on my installation and likely on Mac OS X Server in general.

First is that fail2ban creates a PID and socket file in a directory that it fails to create. Yeah, that’s a bug. Since I didn’t want to mess around with the actual scripts in the program, I created a plist that issues the mkdir /var/run/fail2ban command. I placed this in /System/Library/LaunchDaemons and set it to Run at Load. Lingon is your friend, but’s now inactive.

After creating the file you have to use the command line to move it to the /System/Library/LaunchDaemons directory. I also created another launchd plist to reload fail2ban every day. I did this because I run multiple virtual websites and the error logs for those sites get rotated and the names have some time code or something tacked on the end of the filename.

OK, problem 1 solved. Next I discovered that since fail2ban is really running on a multitude of linux boxes all the different methods of IP tracking, sorting etc. were really useless on my OS X Server. I run ipfw firewall and fortunately there’s a module for that in fail2ban. Unfortunately it’s not quite set up correctly, at least it wasn’t for me. I had to tweak it a bit.

What this means is that your action is always going to be ipfw. I tweaked the ipfw.conf file a bit. Now it does the following.

1. Logs it’s action to ipfw.log
2. Adds a rulenum to the ipfw command. I did this because some other rule in my setup was allowing the IP before my deny could take effect. By lowering the rulenum my deny now fires off first.
3. Abstracted the protocol (tcp, udp) to pass as a variable. Just in case something you want to block isn’t tcp.

I also created another filter as I found many times some machine would excessively hit my Apache server looking for nonexistent files. Since it sounds like something a bot would do I decided to ban it. This was the simple creation of a new filter.

I created a jail.local file to hold all my prefs and through trial and error discovered that the examples of how to call for a jail weren’t working for me. Perhaps I just didn’t understand the examples. I soon discovered that parameters for the jail action needed to be passed inside of square brackets in the prefs.

I’m sure, if you’ve gotten this far that you’re either very confused by this whole post or that you’ve had an epiphany. To further the epiphany along I’ve uploaded my file changes.

You should be able to figure out what file goes where from the folder structure of the upload.

A couple of things in summary to remember. First, turn on your server’s firewall. Then make sure you change your server’s local IP address in the files to match your own. That’s the setting for localhost.

Good luck. If you have any questions leave a comment.

Related posts:

1. Fail2ban Problems and Solutions If you use Fail2ban then you are probably aware of...
2. Fail2ban and OS X Server, part deux As some of you might know I run my own...
3. Checking Fail2ban regex I’ve just stumbled across a great command in Fail2ban to...

Related posts brought to you by Yet Another Related Posts Plugin.

It’s time to package up all my VoodooPad blogging scripts and assorted web export plugins so that I can

1. Remember what the heck I was thinking.
2. Remember what all these pieces were supposed to accomplish as a whole.
3. Provide some sort of reference to others interested in this stuff.

Concept: To use VoodooPad as a CMS for a web site, allowing for static sites and inclusion of blog-style concatenated page. The blog-style page was originally intended as a “News” page of a static business site. SEO optimization necessitating the addition of a page with re-newing content. Google likes it more.

Disclaimer: I like Markdown and built these scripts around the fact that the VP document is essentially always formatted in plain text. Images need to be added using links.

I will include a sample package that contains a VP document, a web export plugin and several script plugins. The site the sample is based upon is at.

VoodooPad is a requirement as the meta data and triggers are necessary in the creation of the files. My workflow is as follows.

1. Create new page/post.
2. Run script plugin Blog > Meta Markup - HomepageMeta on new page.
3. Run script plugin Blog > Make Homepage and Feed
4. Run web export.
5. FTP files up to site. I use Transmit. It’s also a great app.

The script will move all the created files into a folder structure so that the file structure on the computer will match the web site structure.

VoodooPad document Item meta data is contained in the HomepageMeta page of the document. This is where most of the personalized info on the site is contained.

In the VP document, tags are used to create a pseudo-folder structure. This means that a page may only have one tag. Some pages are not exported but are used as reference, ie. links in the sidebar or the HomepageMeta page. Pages that are to be rendered at the root level of the site are tagged main.

Triggers can be used to include certain information into specific pages or info on every page. I use this for things like Google Analytics which needs to be on every page or the analytics confirmation that is only on the index.html page.

The Web Export Plugin Some customization of these files will be necessary for your specific site.

> Images are kept in the web export plugin. Files like robots.txt that need to be at the root level are kept in a root folder inside the web export plugin.

• preflight.sh - creates the actual folder hierarchy, the folders are created in the preflight.sh script. The preflight.sh script also copies files like images to the export folder.

• postflight.sh - can be used to rename pages that may be PHP based from .html to .php

• deleteVPExtra.sh - deletes the extra pages that VoodooPad creates during a web export. No changes to this file are needed.

• fixRelativePaths.sh - fixes the relative URLs that occur inside of nested pages. No changes to this file are needed.

• parseMetaXml.rb - Parses the meta.xml file that VoodooPad creates and uses that infomation to move files into their correct folder structure on the disk and to create a valid sitemap.xml file for use with Google Sitemaps. It also creates and parses the vpDocMeta.xml file for variables.

• Info.plist - This file was edited to call these scripts during the web export process.

• vpDocMeta.xml - This file resides inside the root folder of the Web Export Plugin. It is created by the parseMetaXml.rb script. It contains the following data points.

• root - default value is main. This is the name of the tag of rendered pages that belong at the root level of the folder structure.
• baseUrl - This is the base URL for the site for creation of the sitemap.xml file.
• isHomeIndex - default value is false. This is only used if the the page name in VP for the index page of the site is home. This is true if the main page is a blog-style homepage.
• noIndex - default value is private. This is the name of a directory whose files you don’t want included in sitemap.xml.

Script Plugins These are placed in the ~/Library/Application Support/VoodooPad/Script PlugIns/ folder. No changes should be required in these scripts. They will be viewable from the Plugin > Blog menu in VoodooPad.

• meta_markup_HomepageMeta.lua - Takes the data from the page HomepageMeta in the VP doc and adds specific item meta data to the frontmost page.

• meta_markup_update.lua - Propagates changes made to the HomepageMeta page to all the item meta data of all pages that require them. This is only just the pages used for the blog-style page.

• blog_home_atom.lua - Creates the blog-style page now called home in the VP document and also creates a valid atom.xml feed in the output directory.

Comments and questions are welcome. If some enterprising person wants to wrap this all up in the new plugin architecture that would be cool. I’m happy to help if I can.

Related posts:

1. VoodooPad Automation I’ve finally gotten it working. I’ve now got a Ruby...
2. VoodooPad Web Export Goodness As laziness is the mother of invention, or something like...
3. VoodooPad Blogging Well, it’s not really VoodooPad blogging but it’s pretty close....

Related posts brought to you by Yet Another Related Posts Plugin.

As the image above shows there are now only 2 properties, both of which are lists. These lists work together as an array; which means the order of the list items is crucial.

• exchange_fragment contains unique fragments of the TZID that the Exchange server sends.
• ical_tzid contains the tzid info that iCal expects to see.

If you have any problems setting it up let me know. This post has all the info for the script.

Download the iCal-Invite-Fix script.

Related posts:

1. iCal - Exchange Time Zone Fix - Chapter 2 It was a few months ago that I originally wrote...
2. iCal - Exchange Time Zone Fix - part 2 I’ve come across a problem with the original MailExchange2iCal-TZ-fix script....
3. iCal - Exchange Time Zone Fix As any Mac user who deals with Microsoft Exchange invites...

Related posts brought to you by Yet Another Related Posts Plugin.

Version 1.0 of SaveAttachments2Aperture is now available. It’s currently very simple with little error checking. It works multiple attachments per message and imports all attachments of a selected message into a new Aperture project.

It could be used in a Mail rule though I prefer to select it manually from the Script menu. I have it saved in ~/Library/Scripts/Applications/Mail/.

A thanks goes out to Automating Aperture where I got some of the Aperture scripting.

Comments welcome.

Update Now at version 1.1. I added some simple logic to only import certain file types. You might need to add to this list. If I’m missing some let me know, especially with Raw images.

v1.2 - add a bunch of the usual camera raw file types

Related posts:

1. Switching to Mail.app I’ve recently switched to Mail.app. I never really used it...
2. iCal - Exchange Time Zone Fix - Chapter 2 It was a few months ago that I originally wrote...
3. Server-Side Email Filtering with Sieve Another post for the peripheral brain. When I first set...

Related posts brought to you by Yet Another Related Posts Plugin.