Craft fail2ban rules to mitigate spambots attacks (#4461)

This commit is contained in:
pitchum 2020-05-16 15:22:35 +02:00 committed by root
parent b58bc5dd94
commit 0cc71a7ebe
3 changed files with 49 additions and 0 deletions

29
fail2ban/README.md Normal file
View File

@ -0,0 +1,29 @@
# fail2ban rules for XMPP
fail2ban rules created to mitigate spambots acting since April 2020.
Random accounts are created with different IPs (probably zombie machines)
and then always the same 3 XMPP accounts (on other XMPP servers) are targeted.
The new chapril account ask for presence subscription to those external JIDs
and immediately send them random messages without waiting for an answer.
ejabberd detects the suspicious fast presence subscriptions and logs something
easy to capture:
grep Flooder /var/log/ejabberd/ejabberd.log
So we use these log warnings to trigger IP ban.
## Quickstart guide
```
cd /etc/fail2ban/filter.d
ln -s /srv/xmpp.chapril.org/tools/fail2ban/filter.d/xmpp-flooders.conf
cd /etc/fail2ban/jail.d
ln -s /srv/xmpp.chapril.org/tools/fail2ban/jail.d/chapril-xmpp.conf
systemctl restart fail2ban
```
Check that the jail is active:
fail2ban-client status
fail2ban-client status xmpp-c2s

View File

@ -0,0 +1,10 @@
[INCLUDES]
before = common.conf
[Definition]
failregex = ^%(__prefix_line)s \[warning\] <[0-9\.]+>@mod_pres_counter:update:[0-9]+ Flooder detected: [a-zA-Z0-9\.@/-]+, on IP: <HOST> ignoring sent presence subscriptions$
ignoreregex =

View File

@ -0,0 +1,10 @@
# :vi ft=dosini
[xmpp-c2s]
enabled = true
filter = xmpp-flooders
port = 5222,5223
logpath = /var/log/ejabberd/ejabberd.log
findtime = 1d
maxretry = 1
bantime = 2d