Setting up Fail2ban on Mac OS X 10.7+

Josh Billions

By Lucian Bontumasi

This procedure was tested on an iMac (24-inch Mid 2007) running Mac OS X 10.8.4. In this tutorial, all plaintext starting with a '$' should be run as a command in Terminal (do not type the '$'). All other plaintext refers to file contents, not commands.

Automated Installer

Robot Cloud has created an installer that automates the steps below. This is ideal if you are looking for the default setup of Fail2ban, or if you are still working on your command line skills. The installer is provided as-is with no additional support.

Download Fail2ban courtesy of Robot Cloud.

Manual Installation and Setup

1. Download the latest version of fail2ban (originally from SourceForge):

$ curl -o fail2ban-0.8.10.tar.gz 'https://forgetcomputers.zendesk.com/attachments/token/xtikinzxkfjbkl7/?name=fail2ban-0.8.10.tar.gz'

2. Unpack the tar package:

$ tar xf fail2ban-0.8.10.tar.gz

3. Install the software:

$ (cd fail2ban-0.8.10 && sudo python setup.py install)

4. Make a file for the log:

$ sudo touch /var/log/fail2ban.log

5. Download the modifications package (originally from Andy Fragen's blog):

$ curl -o install_fail2ban_mods.tar.gz 'https://forgetcomputers.zendesk.com/attachments/token/ryslxdb2nwwig8u/?name=install_fail2ban_mods.tar.gz'

6. Unpack this package:

$ tar xzf install_fail2ban_mods.tar.gz

7. Run the install script from the modifications package:

$ ./fail2ban_mods/install_fail2ban_mod.sh

8. Add the following two lines to /etc/pf.conf:

table <fail2ban> persist
block drop log quick from <fail2ban> to any

9. In /etc/fail2ban/jail.conf, modify the [ssh-ipfw] section as follows (be sure to change its title as shown):

[ssh-pf]

enabled	= true
filter	= sshd
action	= pf
logpath	= /var/log/system.log

10. In /etc/fail2ban/action.d/pf.conf, ensure that the following values are set:

actionban = /sbin/pfctl -t fail2ban -T add <ip>
actionunban = /sbin/pfctl -t fail2ban -T delete <ip>
[Init]
port = ssh
localhost = 127.0.0.1

11. Create a file, /etc/fail2ban/action.d/pf-drop-all.conf:

[Definition]
actionstart = /sbin/pfctl -a fail2ban -t fail2ban -Ts || /sbin/pfctl -a fail2ban -f /etc/fail2ban/pf-anchor.conf
actionstop = /sbin/pfctl -a fail2ban -F rules
actioncheck = /sbin/pfctl -s info | grep Enabled
actionban = /sbin/pfctl -a fail2ban -t fail2ban -T add <ip> && /sbin/pfctl -k <ip>
actionunban = /sbin/pfctl -a fail2ban -t fail2ban -T delete <ip>
[Init]

12. Create a file called /etc/fail2ban/pf-anchor.conf:

table <fail2ban> counters
block drop log quick from <fail2ban> to any

13. Shut down pf, tell it to reload its configuration, and start it again (pfctl must run as root):

$ sudo pfctl -d
$ sudo pfctl -f /etc/pf.conf
$ sudo pfctl -e

14. Stop the fail2ban daemon if it is already running, then start it (as root):

$ sudo fail2ban-client stop
$ sudo fail2ban-client start

You should be good to go.

Testing the System

1. Open a terminal window and watch fail2ban's log (live-update):

$ tail -f /var/log/fail2ban.log

2. While keeping this terminal active on the server, SSH into the server from a client and watch the server's terminal output (username is arbitrary, since we are testing what will happen when an incorrect login is attempted; replace server_ip with the IP address or hostname of the server):

$ ssh username@server_ip

3. On the client machine, type the wrong password several times until you see a message in fail2ban's log that indicates that the client has been banned. This message will look something like this:

2013-08-01 13:26:35,834 fail2ban.actions: WARNING [ssh-pf] Ban 192.168.1.15

When you see this message, the client machine's IP has been banned. From this point, any further SSH attempts from that IP (within fail2ban's bantime period) should time out and fail, because pf silently drops the packets rather than rejecting them.

Further Configuration

In the /etc/fail2ban/jail.conf file, there are several options that you may want to customize to suit your needs:

  • ignoreip: a list of IP addresses that fail2ban will not ban
  • bantime: the amount of time, in seconds, that a particular IP address will be banned for
  • maxretry: the number of login failures that can occur within findtime seconds before a host is banned

6 Comments

  • Dan Eveland

    Who is "Robot Cloud" that made this installer? Where is their web site?

  • Josh Billions

    Hi Dan, you're on it! Robot Cloud is a product of Forget Computers : www.robotcloud.net

  • Michael J Kormendy

    I used homebrew to install fail2ban on OS X Lion, but when I attempt to install the modifications package, fail2ban in /etc/ was not a directory but an actual file.

    Homebrew installs fail2ban settings in a directory at an alternate location:

    /usr/local/etc/fail2ban/

    I modified Andy Fragen's .sh install file as well as the two plists (org.fail2ban.redo.plist, org.fail2ban.reset.plist) inside the lib-launchdaemons folder to reflect the fail2ban path.

    I also renamed the ipfw.conf file to pf.conf in the action.d folder. Then I installed the shell script.

  • Tim

    Does the automated installer complete ALL of the steps above, or do I need to pick up with the instructions at some point before the "testing" section? E.g. the /var/log/fail2ban.log file is present, but there is no activity when testing.

    Thanks!

  • Tim

    Using OSX 10.9.4 with latest OSX Server version

  • Tarald Holm Røste

    I had troubles with this, as the script installs a jail.local file which overrides the settings in jail.conf (and of course, the defaults are wrong for OS X). Took me a while to figure out :)
