30 lines
936 B
Markdown
30 lines
936 B
Markdown
|
# fail2ban rules for XMPP
|
||
|
|
|
||
|
|
fail2ban rules created to mitigate spambots acting since April 2020.
|
||
|
|
Random accounts are created with different IPs (probably zombie machines)
|
||
|
|
and then always the same 3 XMPP accounts (on other XMPP servers) are targeted.
|
||
|
|
The new chapril account ask for presence subscription to those external JIDs
|
||
|
|
and immediately send them random messages without waiting for an answer.
|
||
|
|
|
||
|
|
ejabberd detects the suspicious fast presence subscriptions and logs something
|
||
|
|
easy to capture:
|
||
|
|
|
||
|
|
grep Flooder /var/log/ejabberd/ejabberd.log
|
||
|
|
|
||
|
|
So we use these log warnings to trigger IP ban.
|
||
|
|
|
||
|
|
## Quickstart guide
|
||
|
|
|
||
|
|
```
|
||
|
|
cd /etc/fail2ban/filter.d
|
||
|
|
ln -s /srv/xmpp.chapril.org/tools/fail2ban/filter.d/xmpp-flooders.conf
|
||
|
|
cd /etc/fail2ban/jail.d
|
||
|
|
ln -s /srv/xmpp.chapril.org/tools/fail2ban/jail.d/chapril-xmpp.conf
|
||
|
|
systemctl restart fail2ban
|
||
|
|
```
|
||
|
|
|
||
|
|
Check that the jail is active:
|
||
|
|
|
||
|
|
fail2ban-client status
|
||
|
|
fail2ban-client status xmpp-c2s
|