
Compare commits


1 Commits

  1. fail2ban/README.md (+29)
  2. fail2ban/filter.d/xmpp-flooders.conf (+10)
  3. fail2ban/jail.d/chapril-xmpp.conf (+10)

fail2ban/README.md

@ -0,0 +1,29 @@
# fail2ban rules for XMPP
fail2ban rules created to mitigate spambots acting since April 2020.
Random accounts are created with different IPs (probably zombie machines)
and then always the same 3 XMPP accounts (on other XMPP servers) are targeted.
The new chapril account ask for presence subscription to those external JIDs
and immediately send them random messages without waiting for an answer.
ejabberd detects the suspicious fast presence subscriptions and logs something
easy to capture:
grep Flooder /var/log/ejabberd/ejabberd.log
So we use these log warnings to trigger IP ban.
## Quickstart guide
```
cd /etc/fail2ban/filter.d
ln -s /srv/xmpp.chapril.org/tools/fail2ban/filter.d/xmpp-flooders.conf
cd /etc/fail2ban/jail.d
ln -s /srv/xmpp.chapril.org/tools/fail2ban/jail.d/chapril-xmpp.conf
systemctl restart fail2ban
```
Check that the jail is active:
fail2ban-client status
fail2ban-client status xmpp-c2s
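Review bot: the `grep Flooder` line and the two `fail2ban-client status` commands are left as bare prose while the quickstart is fenced; putting them in the same ``` fences would keep the README consistent. Two things worth documenting alongside the quickstart: the filter only has something to match when ejabberd's mod_pres_counter is enabled (that module emits the "Flooder detected" warning the filter keys on), and a one-line sanity check such as `fail2ban-regex /var/log/ejabberd/ejabberd.log /etc/fail2ban/filter.d/xmpp-flooders.conf` would let an operator confirm the regex matches their log format before trusting the jail.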

fail2ban/filter.d/xmpp-flooders.conf

@ -0,0 +1,10 @@
[INCLUDES]
before = common.conf
[Definition]
failregex = ^%(__prefix_line)s \[warning\] <[0-9\.]+>@mod_pres_counter:update:[0-9]+ Flooder detected: [a-zA-Z0-9\.@/-]+, on IP: <HOST> ignoring sent presence subscriptions$
ignoreregex =
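Review bot: the JID character class `[a-zA-Z0-9\.@/-]+` in failregex is narrower than what a JID can contain (underscores, for instance, are common in localparts), so a flooder using such an account produces a warning the regex silently fails to match and no ban follows. Since the field is delimited by `, on IP:`, a class like `[^,]+` or simply `\S+` would match every JID ejabberd can log without loosening the rest of the line, which stays anchored by `^ ... $`.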

fail2ban/jail.d/chapril-xmpp.conf

@ -0,0 +1,10 @@
# :vi ft=dosini
[xmpp-c2s]
enabled = true
filter = xmpp-flooders
port = 5222,5223
logpath = /var/log/ejabberd/ejabberd.log
findtime = 1d
maxretry = 1
bantime = 2d
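Review bot: `findtime = 1d` and `bantime = 2d` use the day suffix, which fail2ban only accepts from 0.10 onward; on a 0.9 host the jail fails to load, so either state the minimum version in the README or write the values in seconds (`86400`, `172800`). The ban is also restricted to `port = 5222,5223`; if the server also exposes BOSH or WebSocket (typically on 5280/5443), a banned IP can still reach it that way, so list those ports too if they are open. `maxretry = 1` is reasonable here since mod_pres_counter already applies its own threshold before logging.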