Craft fail2ban rules to mitigate spambots attacks (#4461)
parent
b58bc5dd94
commit
0cc71a7ebe
|
@ -0,0 +1,29 @@
|
|||
# fail2ban rules for XMPP
|
||||
|
||||
fail2ban rules created to mitigate spambots acting since April 2020.
|
||||
Random accounts are created with different IPs (probably zombie machines)
|
||||
and then always the same 3 XMPP accounts (on other XMPP servers) are targeted.
|
||||
The new chapril account ask for presence subscription to those external JIDs
|
||||
and immediately send them random messages without waiting for an answer.
|
||||
|
||||
ejabberd detects the suspicious fast presence subscriptions and logs something
|
||||
easy to capture:
|
||||
|
||||
grep Flooder /var/log/ejabberd/ejabberd.log
|
||||
|
||||
So we use these log warnings to trigger IP ban.
|
||||
|
||||
## Quickstart guide
|
||||
|
||||
```
|
||||
cd /etc/fail2ban/filter.d
|
||||
ln -s /srv/xmpp.chapril.org/tools/fail2ban/filter.d/xmpp-flooders.conf
|
||||
cd /etc/fail2ban/jail.d
|
||||
ln -s /srv/xmpp.chapril.org/tools/fail2ban/jail.d/chapril-xmpp.conf
|
||||
systemctl restart fail2ban
|
||||
```
|
||||
|
||||
Check that the jail is active:
|
||||
|
||||
fail2ban-client status
|
||||
fail2ban-client status xmpp-c2s
|
|
@ -0,0 +1,10 @@
|
|||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
failregex = ^%(__prefix_line)s \[warning\] <[0-9\.]+>@mod_pres_counter:update:[0-9]+ Flooder detected: [a-zA-Z0-9\.@/-]+, on IP: <HOST> ignoring sent presence subscriptions$
|
||||
|
||||
ignoreregex =
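Review bot: The JID class `[a-zA-Z0-9\.@/-]+` in `failregex` leaves out characters that are legal in an XMPP localpart or resource (for example `_`), so a flooder whose account name contains one would be logged by ejabberd but never matched, and no ban would follow. Keeping whitespace and `,` out of the class is worth preserving: the JID is chosen by the remote client, and that exclusion, together with the `^`/`$` anchors, is what stops a crafted name from supplying its own `on IP:` text for `<HOST>`. I would widen it to `[^\s,]+` and add a comment above the line saying the JID is untrusted and must not be able to span the `, on IP: ` separator. Please also paste one real log line as a comment and confirm the match with `fail2ban-regex`, since `%(__prefix_line)s` comes from `common.conf` and the ejabberd log format is not visible in this commit.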
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
# :vi ft=dosini
|
||||
[xmpp-c2s]
|
||||
enabled = true
|
||||
filter = xmpp-flooders
|
||||
port = 5222,5223
|
||||
logpath = /var/log/ejabberd/ejabberd.log
|
||||
findtime = 1d
|
||||
maxretry = 1
|
||||
bantime = 2d
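Review bot: `maxretry = 1` with `bantime = 2d` means a single matching log line blocks an address from ports 5222 and 5223 for two days, and the section has no `ignoreip`, so legitimate users who share an address with a flooder (NAT, VPN exit) are locked out too. A comment above `maxretry` stating why one hit is enough, plus an `ignoreip = <trusted-addresses-placeholder>` line for the server's own and monitoring addresses, would make that trade-off explicit. `port = 5222,5223` covers client connections only; if account registration is also reachable another way (web form, BOSH/WebSocket), a banned address could probably still create accounts, which deserves a comment. The first line looks like a mistyped modeline; `# vim: ft=dosini` is the usual form.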
|
||||
|