First, you should create the new user in Workgroup Admin and either assign them access privileges for SSH via Server Admin or assign them to a group that has SSH access privileges. Further discussion is below.

From the Terminal, start off right.

sudo cp /etc/sshd_config /etc/sshd_config.bkup

sudo chown root /
sudo chmod 755 /
sudo mkdir -p /chroot/user/scratchpad
sudo chown -R root /chroot
sudo chown user /chroot/user/scratchpad
sudo chmod -R 755 /chroot

Every additional new user added will then be something along the lines of the following.

sudo mkdir -p /chroot/user2/scratchpad
sudo chown root /chroot/user2
sudo chown user2 /chroot/user2/scratchpad
sudo chmod -R 755 /chroot/user2

Every folder it the path to the chroot jail must be owned by root. I don’t think it matters what group the folder is in. What I did above was to

1. backup /etc/sshd_config
2. change ownership of the root directory to root
3. change permissions of the root directory to 755
4. create a chroot folder
5. create a user folder inside the chroot folder
6. create a folder inside the user folder that user can modify
7. set ownership and permissions

Now to edit /etc/sshd_config to the following.

#Subsystem  sftp    /usr/libexec/sftp-server
Subsystem   sftp    internal-sftp

Match User user
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ChrootDirectory /chroot/user

This creates a chroot jail that when the user logs in will drop them into the folder /chroot/user, in that folder is a folder they can add things to /chroot/user/scratchpad.

If you want to create a Group in Workgroup Admin for ‘Chroot Users’ then add the new users that you created in Workgroup Admin to the Group you won’t have to keep editing the /etc/sshd_config file. Instead of the above, add the following. Make sure you add the ‘Chroot Users’ group to the SSH access ACL in Server Admin.

Match Group chrootusers
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ChrootDirectory /chroot/%u

To test whether the above is working, issue the following from the terminal.

$ sftp user@domain.com
Password:
sftp>

Getting in is one thing. Now you have to mount the folder you want to use. Unfortunately you can’t use a symlink inside of a chroot jail. This is where MacPorts is your best friend. I don’t know why I’ve never seen fit to install this before. After installation just issue the following commands.

sudo port install fuse4x
sudo port install fuse4x bindfs

You might have to restart. Now with an empty folder created in /chroot/user you can mount --bind to a folder outside of the chroot jail. For example

sudo /opt/local/bin/bindfs -u user /Library/WebServer/Documents/mysite/yourfolder /chroot/user/scratchpad

So far this seems to work here.

Related posts:

1. Server-Side Email Filtering with Sieve Another post for the peripheral brain. When I first set...
2. WordPress Automatic Updates I think I finally have the automatic updates feature of...
3. Dovecot Permissions Well, I finally bit the bullet and installed OS X...

Related posts brought to you by Yet Another Related Posts Plugin.

I save all my added Squirrelmail plugins in /Users/Shared/squirrelmail_plugins/. Consequently if I need to reinstall any or all of them all I have to do is issue the following…

sudo cp -R /Users/Shared/squirrelmail_plugins/PLUGIN_FOLDER \
  /usr/share/squirrelmail/plugins
sudo /usr/share/squirrelmail/config/conf.pl

Activate the plugins, save, quit and you’re good to go.

Related posts:

1. Server-Side Email Filtering with Sieve Another post for the peripheral brain. When I first set...
2. Webmail Authentication OK, my problem with my webmail and my Thunderbird user...
3. False Positive Just a personal reminder to keep in the memory bank....

Related posts brought to you by Yet Another Related Posts Plugin.

Here’s what I did, YMMV.

1. From Server Admin, make new Web > Realm and set appropriate ACLs.
2. Create a folder in location/volume where data for Share is physically located.
3. Change permissions of folder to _www:admin (that’s what works for me)
4. Create a symlink to the share folder in the folder where your web server looks to for the domain’s data.

I know there probably a bit of information missing and if I showed images of the actual steps it might make things a bit clearer but I’m a little paranoid about my server and I don’t want to risk opening it up to further attack.

All this needs to be done before OS X will allow a "Connect to Server..." and mount your WebDAV share.

Related posts:

1. Setting up Snow Leopard iCal Server After scouring through the official documentation, and finding that lacking,...
2. chroot’d SFTP on Mac OS X server So here you are finding that you need to grant...
3. Fail2ban and OS X Server, part deux As some of you might know I run my own...

Related posts brought to you by Yet Another Related Posts Plugin.

sudo curl ftp://ftp.internic.net/domain/named.root -o /var/named/named.ca

Not sure how often this should be done.

I also added the following to /etc/named.conf to reduced the error logging. I got that tidbit from google groups

logging {
category lame-servers { null; };
category edns-disabled { null; };
};

Related posts:

1. Amavisd settings I run my own mail server on OS X Server....

Related posts brought to you by Yet Another Related Posts Plugin.

I was looking for an elegant solution to this and finally figured out how to do it myself. What I’ve done is in the ipfw.conf file I’ve added a variable that will create a random number between 10000 and 12000 to use as the rule number.

The code is pretty simple.

echo $((RANDOM%2000+10000))

There needs to be an extra % in there for it to work. I think it has something to do with python. So far it seems to be working pretty good here. While it is possible that I could get a duplicate rule number, it’s unlikely.

I’ve modified my installation of Fail2ban significantly; but only by adding filters, jails, etc. Here’s a bundled version of all of my modifications. Here are instructions for using my modifications. So far everything seems to be working great. I’ve had to add a few items to ignoreregex so I don’t ban people using their iPhones on 3G or at home from certain dynamic IP cable providers.

What I’ve done is a host lookup on the IP that’s banned and if I find it’s a local ISP, like Verizon or Time Warner Cable, I add part of their host lookup to the ignoreregex list. So far it seems to be doing the trick.

Related posts:

1. Fail2ban on Leopard Server So here I am running my own server — for...
2. Checking Fail2ban regex I’ve just stumbled across a great command in Fail2ban to...

Related posts brought to you by Yet Another Related Posts Plugin.

From the command line.

fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/myfilter.conf regex_to_ignore

As an example.

fail2ban-regex /var/log/secure.log /etc/fail2ban/filter.d/sshd.conf (myusername|myIPaddress)

This seems like a great way to test whether changes to your filters are correct, rather than just waiting to see if anything shows up in fail2ban.log.

Related posts:

1. Fail2ban Problems and Solutions If you use Fail2ban then you are probably aware of...
2. Fail2ban on Leopard Server So here I am running my own server — for...
3. Fail2ban and OS X Server, part deux As some of you might know I run my own...

Related posts brought to you by Yet Another Related Posts Plugin.

The simplicity of this Preference Pane is amazing. It takes less than a minute to setup and use.

The only problem I found was when installed on my server I had to open port 49195 in my firewall for it to work. Now all is well again. I can’t recommend this $10 piece of software enough.

Related posts:

1. Subscribing to Delegated Calendars OK, I’m fortunate or crazy enough to run my own...
2. False Positive Just a personal reminder to keep in the memory bank....

Related posts brought to you by Yet Another Related Posts Plugin.

The traditional method was to simply try an ssh session with a username and password combination. Unfortunately now I see more attempts to log in via VNC or in attempts to check or send email. It’s amazing to see 10 - 15 login attempts in a second. There’s a real motivating force to stop that kind of attention my poor little server is getting.

As I’ve written before, I’ve found the Fail2ban scripts to to be a perfect solution. I have had to make a number of additions and improvements along the way and now I thought I’d share.

I’ve created a couple of new jails and improved upon a couple of the distribution jails so they work better with Snow Leopard. I’ve packaged up all my modifications. Here’s how to install them for yourself.

Download the modifications tarbell.

Then you’ll need to issue the following commands from Terminal.

sudo tar xzf install_fail2ban_mods.tar.gz

This will create a folder containing all the modifications. At this point you can manually put all the files in the proper folders or you can use my installation script. The installation script, install_fail2ban_mod.sh shouldn’t delete anything. I only use the cp command. If you already have a jail.local file that is backed up. You may also need to modify the jail.local file that I have.

Additionally, I’ve found that sometimes the fail2ban server might have hung or its process has stopped. I’ve also written a script and a couple of plists for /Library/LaunchDaemons/ that periodically check to make sure fail2ban continues to hum along. You’ll have to load these plists manually or simply restart.

The jails that I’ve added check for SMTP, POP, IMAP, VNC and non-existant web pages. These, in addition to monitoring SSH, seem to cover most of it. Please remember that some of these filters are somewhat specific to Snow Leopard so they check against a Dovecot mail server.

So far my only problem has been when a user has changed their password but not correctly transferred these changes to Mail.app. What happens is fail2ban sees them as a break-in attempt and bans their IP for 10 minutes or so. I’m sure it can be frustrating. Sorry, I’m doing my best to fix it for you.

By all means, let me know how you’ve improved Fail2ban for your server.

Related posts:

1. Checking Fail2ban regex I’ve just stumbled across a great command in Fail2ban to...
2. Fail2ban on Leopard Server So here I am running my own server — for...
3. Fail2ban Problems and Solutions If you use Fail2ban then you are probably aware of...

Related posts brought to you by Yet Another Related Posts Plugin.

Make sure Wiki Server is set to 127.0.0.1 and that Use SSL is checked.

Here’s how I was finally able to get my groups into iCal SL/Lion client (no SSL)

userName
password
server.com/principals/__uids__/wiki-groupName/ (no http://)

To get this group calendar into iOS add the following as a CalDAV calendar.

username
password
server.com/principals/wikis/groupname/ (no http://)

Related posts:

1. Snow Leopard Sieve Rules How to edit sieve rules in Snow Leopard by hand....
2. Subscribing to Delegated Calendars OK, I’m fortunate or crazy enough to run my own...
3. iCal - Exchange Time Zone Fix - part 2 I’ve come across a problem with the original MailExchange2iCal-TZ-fix script....

Related posts brought to you by Yet Another Related Posts Plugin.

Anyway, I found that a couple of my files didn’t have the correct permissions and I found out by trying to open in webmail. It gave me errors I’d never seen before. Where I found better errors was in mailaccess.log where I saw a dovecot service with a failed: Permission denied error.

I managed to find where the files lived and as I have quite a few mail users I didn’t want to go through individually so I figured out a script to do it.

sudo ls -lA /var/spool/imap/dovecot/mail | grep -v total | awk {'printf $3": /var/spool/imap/dovecot/mail/"$9"\n"'} | xargs -n2 -p sudo chown -R

The script will ask if you want to proceed with the chown command for each user.

If you find your logs reporting permissions issues with a specific account or your webmail users have errors opening mailboxes, then the following script when provided with the offending GeneratedUID will reset the permissions similar to the above. Simply replace the GUID in the script with the one listed in your logs.

dscl /LDAPv3/127.0.0.1 -list /Users GeneratedUID | grep GUID | awk {'printf $1": /var/spool/imap/dovecot/mail/"$2"\n"'} | xargs -n2 -p sudo chown -R

Related posts:

1. Fail2ban and OS X Server, part deux As some of you might know I run my own...
2. Server-Side Email Filtering with Sieve Another post for the peripheral brain. When I first set...
3. Fixing cyrus Yeah, I did something stupid and had to reinstall my...

Related posts brought to you by Yet Another Related Posts Plugin.