• Updating DNS settings

    Just to document. I’ve updated the settings in /etc/named/named.ca by using the following command and then restarting DNS.

    sudo curl ftp://ftp.internic.net/domain/named.root -o /var/named/named.ca

    Not sure how often this should be done.
    I also added the following to /etc/named.conf to reduced the error logging. I got that tidbit from google groups

    logging {
    category lame-servers { null; };
    category edns-disabled { null; };

  • Fail2ban Problems and Solutions

    If you use Fail2ban then you are probably aware of the fact that you must add a rule number to the ipfw deny rule for actionban in ipfw.conf. If you don’t add a rule number then there is no way for fail2ban to delete the rule after it expires. The problem lies in that you can easily set a different rule number for each filter but if the filter adds many rules within it’s ban time then when that first actionunban gets triggered all rules with the same number are removed, even if there full ban time has not transpired.
    I was looking for an elegant solution to this and finally figured out how to do it myself. What I’ve done is in the ipfw.conf file I’ve added a variable that will create a random number between 10000 and 12000 to use as the rule number.
    The code is pretty simple.

    echo $((RANDOM%2000+10000))

    There needs to be an extra % in there for it to work. I think it has something to do with python. So far it seems to be working pretty good here. While it is possible that I could get a duplicate rule number, it’s unlikely.
    I’ve modified my installation of Fail2ban significantly; but only by adding filters, jails, etc. Here’s a bundled version of all of my modifications. Here are instructions for using my modifications. So far everything seems to be working great. I’ve had to add a few items to ignoreregex so I don’t ban people using their iPhones on 3G or at home from certain dynamic IP cable providers.
    What I’ve done is a host lookup on the IP that’s banned and if I find it’s a local ISP, like Verizon or Time Warner Cable, I add part of their host lookup to the ignoreregex list. So far it seems to be doing the trick.

  • Checking Fail2ban regex

    I’ve just stumbled across a great command in Fail2ban to check whether or not your filter will actually score a hit from your log file.
    From the command line.
    [code lang=bash]
    $ fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/myfilter.conf regex_to_ignore
    As an example.
    [code lang=bash]
    $ fail2ban-regex /var/log/secure.log /etc/fail2ban/filter.d/sshd.conf (myusername|myIPaddress)
    This seems like a great way to test whether changes to your filters are correct, rather than just waiting to see if anything shows up in fail2ban.log.

  • Printopia

    AirPrint is one of the most welcome additions of late to iOS 4.2. Unfortunately Apple removed the ability to print to shared printers. Fortunately, creative software developers such as Ecamm have created Printopia as a solution for those of us with networked or shared printers.
    The simplicity of this Preference Pane is amazing. It takes less than a minute to setup and use.
    The only problem I found was when installed on my server I had to open port 49195 in my firewall for it to work. Now all is well again. I can’t recommend this $10 piece of software enough.

  • Fail2ban and OS X Server, Part Deux

    As some of you might know I run my own installation of OS X Server. I’ve since updated it to Snow Leopard Server and I think I’ve got most of it running well. As I check my server logs frequently I find that there are all sorts of script kiddies attempting to log in to my server in various ways.
    The traditional method was to simply try an ssh session with a username and password combination. Unfortunately now I see more attempts to log in via VNC or in attempts to check or send email. It’s amazing to see 10 – 15 login attempts in a second. There’s a real motivating force to stop that kind of attention my poor little server is getting.
    As I’ve written before, I’ve found the Fail2ban scripts to to be a perfect solution. I have had to make a number of additions and improvements along the way and now I thought I’d share.
    I’ve created a couple of new jails and improved upon a couple of the distribution jails so they work better with Snow Leopard. I’ve packaged up all my modifications. Here’s how to install them for yourself.
    Download the modifications tarbell.
    Then you’ll need to issue the following commands from Terminal.

    sudo tar xzf install_fail2ban_mods.tar.gz

    This will create a folder containing all the modifications. At this point you can manually put all the files in the proper folders or you can use my installation script. The installation script, install_fail2ban_mod.sh shouldn’t delete anything. I only use the cp command. If you already have a jail.local file that is backed up. You may also need to modify the jail.local file that I have.
    Additionally, I’ve found that sometimes the fail2ban server might have hung or its process has stopped. I’ve also written a script and a couple of plists for /Library/LaunchDaemons/ that periodically check to make sure fail2ban continues to hum along. You’ll have to load these plists manually or simply restart.
    The jails that I’ve added check for SMTP, POP, IMAP, VNC and non-existant web pages. These, in addition to monitoring SSH, seem to cover most of it. Please remember that some of these filters are somewhat specific to Snow Leopard so they check against a Dovecot mail server.
    So far my only problem has been when a user has changed their password but not correctly transferred these changes to Mail.app. What happens is fail2ban sees them as a break-in attempt and bans their IP for 10 minutes or so. I’m sure it can be frustrating. Sorry, I’m doing my best to fix it for you.
    By all means, let me know how you’ve improved Fail2ban for your server.

  • Setting up Snow Leopard iCal Server

    After scouring through the official documentation, and finding that lacking, Google has found the answers.
    Make sure Wiki Server is set to and that Use SSL is checked.
    Here’s how I was finally able to get my groups into iCal SL/Lion client (no SSL)

    server.com/principals/__uids__/wiki-groupName/ (no http://)

    To get this group calendar into iOS add the following as a CalDAV calendar.

    server.com/principals/wikis/groupname/ (no http://)