Craft fail2ban rules to mitigate spambots attacks (#4461)

fail2ban/README.md

@@ -0,0 +1,29 @@
+# fail2ban rules for XMPP
+
+fail2ban rules created to mitigate spambots acting since April 2020.
+Random accounts are created with different IPs (probably zombie machines)
+and then always the same 3 XMPP accounts (on other XMPP servers) are targeted.
+The new chapril account ask for presence subscription to those external JIDs
+and immediately send them random messages without waiting for an answer.
+
+ejabberd detects the suspicious fast presence subscriptions and logs something
+easy to capture:
+
+    grep Flooder /var/log/ejabberd/ejabberd.log
+
+So we use these log warnings to trigger IP ban.
+
+## Quickstart guide
+
+```
+cd /etc/fail2ban/filter.d
+ln -s /srv/xmpp.chapril.org/tools/fail2ban/filter.d/xmpp-flooders.conf
+cd /etc/fail2ban/jail.d
+ln -s /srv/xmpp.chapril.org/tools/fail2ban/jail.d/chapril-xmpp.conf
+systemctl restart fail2ban
+```
+
+Check that the jail is active:
+
+    fail2ban-client status
+    fail2ban-client status xmpp-c2s

fail2ban/filter.d/xmpp-flooders.conf

@@ -0,0 +1,10 @@
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^%(__prefix_line)s \[warning\] <[0-9\.]+>@mod_pres_counter:update:[0-9]+ Flooder detected: [a-zA-Z0-9\.@/-]+, on IP: <HOST> ignoring sent presence subscriptions$
+
+ignoreregex =
+

fail2ban/jail.d/chapril-xmpp.conf

@@ -0,0 +1,10 @@
+# :vi ft=dosini
+[xmpp-c2s]
+enabled = true
+filter  = xmpp-flooders
+port    = 5222,5223
+logpath = /var/log/ejabberd/ejabberd.log
+findtime = 1d
+maxretry = 1
+bantime = 2d
+