ejabberd and fail2ban · uwot.eu

ejabberd and fail2ban

by fabio · Read in about 1 min · (184 Words)
Tags: CentOS, CentOS 6.5, ejabberd, fail2ban, iptables

Fail2ban is a useful tool for mitigating brute-force attacks against a multitude of services (ejabberd in our case): it watches a log file for failed logins, counts them per source address and bans the address with an iptables rule once a threshold is reached.
Configuration is split between several files: jail.conf defines which jails are enabled, which log they watch and which action bans the offender, while the filter definitions (the regular expressions that recognise a failed login) live in the filter.d directory.

[root@CentOS ~]# vi /etc/fail2ban/jail.conf
---
# the next three values belong to the existing [DEFAULT] section of jail.conf
[DEFAULT]
# ban an address for 20 minutes once it has failed maxretry times within findtime seconds
bantime  = 1200
findtime = 1200
maxretry = 10

backend = auto

[ejabberd-auth]
enabled = true
port    = 5222,5280,7777
# the port list passed to the action is the one that actually gets blocked;
# 7777 (the original had a typo, 777) is the mod_proxy65 file transfer port,
# 5269 is server-to-server, so a banned address also loses federation access
action = iptables-multiport[name=ejabberd, port="5222,5269,5280,7777", protocol=tcp]
logpath = /var/log/ejabberd/ejabberd.log
---

[root@CentOS ~]# vi /etc/fail2ban/filter.d/ejabberd-auth.conf
---
[Definition]

failregex = ^=INFO REPORT====  ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP <HOST> \({{(?:\d+,){3}\d+},\d+}\)$
            ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP <HOST>$
            ^.* Failed authentication for \S+ from <HOST>$
            ^.* from <<"<HOST>">> failed with error: <<"inexistent-account">>$
            ^.* from <<"<HOST>">> failed with error: <<"bad-password">>$
            ^.* from <<"<HOST>">> failed with error: <<"badformed-jid">>$

ignoreregex =

[Init]

# the first failregex spans two log lines (note the \n), so fail2ban must
# buffer two lines at a time for it to ever match
maxlines = 2

journalmatch =
---

The first two regular expressions match failed user (c2s) authentication in the ejabberd 2.x and 13.x log formats respectively, while the others are for the administration panel login. Note that fail2ban cuts the timestamp out of each line before applying failregex, which is why the first pattern expects "====  ===" with two spaces where the date used to be.
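The patterns above are easiest to trust once they have been run over real and near-miss log lines. The script below is an added example, not part of the original post or of fail2ban: it reproduces the relevant part of fail2ban's matching (the `<HOST>` tag expanded to fail2ban's own named group, `re.MULTILINE` compilation, timestamp removal before matching, two-line buffering for the pattern containing `\n`, first matching regex wins) and runs the six failregex lines over constructed sample lines, including a successful login that must not match. The sample log lines, the `get_auth_admin:99` web-admin location and the simplified `strip_date` (fail2ban's datepattern handling is more general) are assumptions made for the example.

```python
import re
from typing import List, Tuple

# fail2ban expands the <HOST> tag to this named group before compiling a
# failregex (the expression from fail2ban's own filter code); it accepts an
# IPv4/IPv6 address or a hostname, with an optional IPv4-mapped prefix.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The six failregex lines from filter.d/ejabberd-auth.conf above, unchanged.
FAILREGEX = [
    r"^=INFO REPORT====  ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP <HOST> \({{(?:\d+,){3}\d+},\d+}\)$",
    r"^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP <HOST>$",
    r"^.* Failed authentication for \S+ from <HOST>$",
    r'^.* from <<"<HOST>">> failed with error: <<"inexistent-account">>$',
    r'^.* from <<"<HOST>">> failed with error: <<"bad-password">>$',
    r'^.* from <<"<HOST>">> failed with error: <<"badformed-jid">>$',
]

# fail2ban compiles every failregex with re.MULTILINE, so ^ and $ anchor at
# line boundaries inside a multi-line buffer.
COMPILED = [re.compile(p.replace("<HOST>", HOST_TAG), re.MULTILINE) for p in FAILREGEX]

# Simplified stand-in (assumption) for fail2ban's datepattern handling: the
# timestamp is cut out of the line wherever it sits before failregex runs,
# which is why the first regex expects "====  ===" with two spaces.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def strip_date(line: str) -> str:
    """Remove the first timestamp from a log line, as fail2ban does."""
    return DATE_RE.sub("", line, count=1)


def find_failures(lines: List[str]) -> List[Tuple[str, int]]:
    """Return (host, failregex index) for every failed login found in lines.

    A pattern containing a literal \\n is tried against the previous and the
    current line joined with a newline (a simplified maxlines = 2 buffer);
    every other pattern sees one line at a time. Like fail2ban, the first
    failregex that matches a line wins.
    """
    hits = []
    prev = ""
    for raw in lines:
        cur = strip_date(raw)
        for idx, (pattern, rx) in enumerate(zip(FAILREGEX, COMPILED)):
            candidate = prev + "\n" + cur if "\\n" in pattern else cur
            m = rx.search(candidate)
            if m:
                hits.append((m.group("host"), idx))
                break
        prev = cur
    return hits


# Constructed sample lines (not from a real server):
SAMPLE_LOG = [
    # ejabberd 2.1.x format: one event spans two physical lines
    "=INFO REPORT==== 2014-03-01 12:00:00 ===",
    "I(<0.451.0>:ejabberd_c2s:1001) : ({socket_state,gen_tcp,#Port<0.1234>,<0.450.0>}) "
    "Failed authentication for alice from IP 203.0.113.5 ({{203,0,113,5},54321})",
    # ejabberd 13.x format: one line per event
    "2014-03-01 12:00:05.123 [info] <0.452.0>@ejabberd_c2s:wait_for_feature_request:1001 "
    "({socket_state,gen_tcp,#Port<0.1235>,<0.451.0>}) Failed authentication for bob from IP 198.51.100.7",
    # web admin login failure (format assumed for the example)
    '2014-03-01 12:00:09.001 [info] <0.460.0>@ejabberd_web_admin:get_auth_admin:99 '
    'Login attempt for admin@example.com from <<"192.0.2.9">> failed with error: <<"bad-password">>',
    # a successful login: must not produce a hit
    "2014-03-01 12:00:12.500 [info] <0.453.0>@ejabberd_c2s:wait_for_feature_request:1001 "
    "({socket_state,gen_tcp,#Port<0.1236>,<0.452.0>}) Accepted authentication for carol from IP 203.0.113.77",
]

if __name__ == "__main__":
    for host, idx in find_failures(SAMPLE_LOG):
        print("failregex %d matched, offending host: %s" % (idx + 1, host))
```

On the server itself the equivalent check is `fail2ban-regex /var/log/ejabberd/ejabberd.log /etc/fail2ban/filter.d/ejabberd-auth.conf`, which reports how many lines each failregex matched and which lines were missed; if a line you expect to be caught is not, the timestamp handling or the two-line buffering is the first thing to check.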
Other useful commands are:

### list all iptables rules, including the f2b-ejabberd chain created by the action
### (fail2ban 0.8.x names it fail2ban-ejabberd instead)
iptables -L -n
### delete the selected rule, replacing banned_ip with the address to unban
iptables -D f2b-ejabberd -s banned_ip -j REJECT

Removing the rule by hand leaves fail2ban's own record of the ban in place, so it is cleaner to let fail2ban lift it: fail2ban-client set ejabberd-auth unbanip banned_ip removes both the rule and the internal entry.