Enable fail2ban to monitor openfire login logs

Is there a way enabling fail2ban to monitor openfire server for brute force attacks?


Is fail2ban a program that monitors access log files? If so, openfire does not generate those.

If you are on Linux and have iptables running, you can limit the number of connections per some time like so:

# Limit XMPP connections
# Limit number of new connections per IP to 20 per minute
-A INPUT -p tcp --dport 5222:5223 -m recent --rcheck --seconds 60 --hitcount 20 --name XMPP -j LOG --log-prefix "XMPP Rate Limiter "
-A INPUT -p tcp --dport 5222:5223 -m recent --update --seconds 60 --hitcount 20 --name XMPP -j DROP
-A INPUT -p tcp --dport 5222:5223 -m state --state NEW -m recent --set --name XMPP -j ACCEPT

The admin console has brute force protection, but that shouldn’t be exposed to the internet.



Since the question is not answered yet, I decided to contribute. It’s not perfect, but at least it works.

Openfire 3.7.1 is actually logging failed authorization requests to info.log, but we don’t get an IP by default.

I used this guide to import openfire sources into eclipse.

Then I’ve modified org.jivesoftware.openfire.net.SASLAuthentication,


 Line 288

  Log.info("User Login Failed. " + e.getMessage());


Log.info("User Login Failed. " + e.getMessage() + " " + session.getHostAddress());

//add try/catch around this line, because getHostAddress() might throw an exception

This will provide us with everything fail2ban needs - an IP address and the time

2012.04.13 15:40:44 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for: test@ IP:

Then just create a custom fail2ban definition, in my case I had to do the following:


Debian fail2ban doesn’t know the time format used by openfire log, so we need to define it

Definitions will start around line 44 and end around line 134, just paste this one before



2012.08.16 10:01:20

template = DateStrptime()

template.setName(“Year.Month.Day Hour:Minute:Second”)


template.setPattern("%Y.%m.%d %H:%M:%S")


/etc/fail2ban/jail.local (new file)


enabled = true

port = 5222,5223

protocol = tcp

filter = openfire

logpath = /var/log/openfire/info.log

bantime = 3600

maxretry = 7

/etc/fail2ban/filter.d/openfire.conf (new file)


failregex = org(.*)IP: $

ignoreregex =

1 Like

Cool, thanks for contributing this! One thing to note, is that BOSH failed logins are not logged to info.log or elsewhere IIRC

thank you very much @Konstantin.

Your solution worked perfectly on my debian box and now fail2ban is running properly.

It would be nice if the logging addition would be active in 3.7.2. Perhaps a short Thread.sleep() after failed authentication might make brute force attacks less easy.

Is it possible to compile only one module? May be it is easier than compile everything? I am not sure that I understant how to do it

I’ve downloaded Eclipse (as it read from this), but it did not want run - something with Java… Do I need Java JRE or JDK (link)?

Could someone add this to the next Version?