fail2ban rules for XMPP

fail2ban rules created to mitigate spambots active since April 2020. Random accounts are created from different IPs (probably zombie machines), and then always the same 3 XMPP accounts (on other XMPP servers) are targeted. The new chapril account asks for a presence subscription to those external JIDs and immediately sends them random messages without waiting for an answer.

ejabberd detects the suspicious fast presence subscriptions and logs something easy to capture:

grep Flooder /var/log/ejabberd/ejabberd.log

So we use these log warnings to trigger IP bans.
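As an added illustration (not part of the chapril tools and not the contents of xmpp-flooders.conf), the Python script below mimics what a fail2ban jail does with such a filter: it applies a failregex written with fail2ban's <HOST> placeholder to a few constructed "Flooder" log lines, counts matches per IP inside a findtime window and reports the IPs that reach maxretry. The exact log wording, the regex and the sample lines are assumptions, not ejabberd's actual output.

```python
import re
from datetime import datetime, timedelta

# Assumed filter in the spirit of a fail2ban filter.d entry. fail2ban expands
# <HOST> to match IPv4/IPv6 addresses or hostnames; here a simplified
# IPv4-only expansion is used. The log wording is a constructed assumption.
FAILREGEX = r"\[warning\].*Flooder detected: .*on IP: <HOST>"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Timestamp prefix at the start of each line, e.g. "2020-04-21 10:42:01.123"
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_line(line):
    """Return (timestamp, host) if the line matches the filter, else None."""
    m = PATTERN.search(line)
    ts = TS_RE.match(line)
    if not m or not ts:
        return None
    return datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")


def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Mimic a jail: ban a host once it has maxretry matches within findtime seconds."""
    window = timedelta(seconds=findtime)
    hits = {}      # host -> timestamps of matches still inside the window
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        recent = [t for t in hits.get(host, []) if ts - t <= window]
        recent.append(ts)
        hits[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned


# Constructed sample log excerpt (not real traffic): 203.0.113.7 is flagged
# three times within two minutes, 198.51.100.9 only once.
SAMPLE_LOG = """\
2020-04-21 10:42:01.123 [warning] Flooder detected: spam1@xmpp.example, on IP: 203.0.113.7 ignoring presence subscription
2020-04-21 10:42:05.900 [info] Accepted c2s authentication for bob@xmpp.example
2020-04-21 10:42:30.002 [warning] Flooder detected: spam1@xmpp.example, on IP: 203.0.113.7 ignoring presence subscription
2020-04-21 10:43:10.450 [warning] Flooder detected: spam2@xmpp.example, on IP: 198.51.100.9 ignoring presence subscription
2020-04-21 10:43:55.777 [warning] Flooder detected: spam1@xmpp.example, on IP: 203.0.113.7 ignoring presence subscription
"""

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG.splitlines()))  # ['203.0.113.7']
```

The real jail reads maxretry and findtime from chapril-xmpp.conf; lowering findtime here to 60 seconds shows why a too-short window lets a slow flooder through.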

Quickstart guide

cd /etc/fail2ban/filter.d
ln -s /srv/xmpp.chapril.org/tools/fail2ban/filter.d/xmpp-flooders.conf
cd /etc/fail2ban/jail.d
ln -s /srv/xmpp.chapril.org/tools/fail2ban/jail.d/chapril-xmpp.conf
systemctl restart fail2ban

Check that the jail is active:

fail2ban-client status
fail2ban-client status xmpp-c2s