From 0cc71a7ebe95bec08960fbbd857bcd8385b4a903 Mon Sep 17 00:00:00 2001
From: pitchum <pitchum@users.noreply.chapril.org>
Date: Sat, 16 May 2020 15:22:35 +0200
Subject: [PATCH] Craft fail2ban rules to mitigate spambots attacks (#4461)

---
 fail2ban/README.md                   | 29 ++++++++++++++++++++++++++++
 fail2ban/filter.d/xmpp-flooders.conf | 10 ++++++++++
 fail2ban/jail.d/chapril-xmpp.conf    | 10 ++++++++++
 3 files changed, 49 insertions(+)
 create mode 100644 fail2ban/README.md
 create mode 100644 fail2ban/filter.d/xmpp-flooders.conf
 create mode 100644 fail2ban/jail.d/chapril-xmpp.conf

diff --git a/fail2ban/README.md b/fail2ban/README.md
new file mode 100644
index 0000000..fbdf24f
--- /dev/null
+++ b/fail2ban/README.md
@@ -0,0 +1,29 @@
+# fail2ban rules for XMPP
+
+fail2ban rules created to mitigate spambots acting since April 2020.
+Random accounts are created with different IPs (probably zombie machines)
+and then always the same 3 XMPP accounts (on other XMPP servers) are targeted.
+The new chapril account ask for presence subscription to those external JIDs
+and immediately send them random messages without waiting for an answer.
+
+ejabberd detects the suspicious fast presence subscriptions and logs something
+easy to capture:
+
+    grep Flooder /var/log/ejabberd/ejabberd.log
+
+So we use these log warnings to trigger IP ban.
+
+## Quickstart guide
+
+```
+cd /etc/fail2ban/filter.d
+ln -s /srv/xmpp.chapril.org/tools/fail2ban/filter.d/xmpp-flooders.conf
+cd /etc/fail2ban/jail.d
+ln -s /srv/xmpp.chapril.org/tools/fail2ban/jail.d/chapril-xmpp.conf
+systemctl restart fail2ban
+```
+
+Check that the jail is active:
+
+    fail2ban-client status
+    fail2ban-client status xmpp-c2s
diff --git a/fail2ban/filter.d/xmpp-flooders.conf b/fail2ban/filter.d/xmpp-flooders.conf
new file mode 100644
index 0000000..52abe34
--- /dev/null
+++ b/fail2ban/filter.d/xmpp-flooders.conf
@@ -0,0 +1,10 @@
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^%(__prefix_line)s \[warning\] <[0-9\.]+>@mod_pres_counter:update:[0-9]+ Flooder detected: [a-zA-Z0-9\.@/-]+, on IP: <HOST> ignoring sent presence subscriptions$
+
+ignoreregex =
+
diff --git a/fail2ban/jail.d/chapril-xmpp.conf b/fail2ban/jail.d/chapril-xmpp.conf
new file mode 100644
index 0000000..da9dba9
--- /dev/null
+++ b/fail2ban/jail.d/chapril-xmpp.conf
@@ -0,0 +1,10 @@
+# :vi ft=dosini
+[xmpp-c2s]
+enabled = true
+filter  = xmpp-flooders
+port    = 5222,5223
+logpath = /var/log/ejabberd/ejabberd.log
+findtime = 1d
+maxretry = 1
+bantime = 2d
+