Enable fail2ban to monitor openfire login logs

Is there a way to enable fail2ban to monitor an Openfire server for brute-force attacks?

Hi,

Is fail2ban a program that monitors access log files? If so, openfire does not generate those.

If you are on Linux and have iptables running, you can limit the number of new connections per IP in a given time window like so:

# IPTABLES
# Limit XMPP connections
# Limit number of new connections per IP to 20 per minute.
# "-m state --state NEW" is on every rule so that only connection attempts are
# counted; without it, established sessions from a listed IP would also be
# logged and dropped once the threshold is reached.
-A INPUT -p tcp --dport 5222:5223 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 20 --name XMPP -j LOG --log-prefix "XMPP Rate Limiter "
-A INPUT -p tcp --dport 5222:5223 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name XMPP -j DROP
-A INPUT -p tcp --dport 5222:5223 -m state --state NEW -m recent --set --name XMPP -j ACCEPT

The admin console has brute force protection, but that shouldn’t be exposed to the internet.

daryl

Hello,

Since the question is not answered yet, I decided to contribute. It’s not perfect, but at least it works.

Openfire 3.7.1 is actually logging failed authorization requests to info.log, but we don’t get an IP by default.

I used this guide to import openfire sources into eclipse.

Then I've modified org.jivesoftware.openfire.net.SASLAuthentication.

before (around line 288):

    Log.info("User Login Failed. " + e.getMessage());

after:

    // getHostAddress() declares UnknownHostException, so guard it rather than
    // letting a failed lookup abort the error path
    String remote = "unknown";
    try { remote = session.getHostAddress(); } catch (java.net.UnknownHostException uhe) { /* keep "unknown" */ }
    Log.info("User Login Failed. " + e.getMessage() + " IP: " + remote);

This will provide us with everything fail2ban needs: an IP address and the time.

2012.04.13 15:40:44 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for: test@192.168.253.5 IP: 192.168.253.10

Then just create a custom fail2ban definition, in my case I had to do the following:

/usr/share/fail2ban/server/datedetector.py

Debian's fail2ban doesn't know the time format used by the openfire log, so we need to define it.

Definitions will start around line 44 and end around line 134; paste this one just before the

    finally:
        self.__lock.release()

that closes that block (keep the indentation of the surrounding templates):

    # 2012.08.16 10:01:20
    template = DateStrptime()
    template.setName("Year.Month.Day Hour:Minute:Second")
    template.setRegex(r"^\d{4}\.\d{2}\.\d{2}\s\d{2}:\d{2}:\d{2}")
    template.setPattern("%Y.%m.%d %H:%M:%S")
    self.__templates.append(template)

/etc/fail2ban/jail.local (new file)

    [openfire]
    enabled  = true
    port     = 5222,5223
    protocol = tcp
    filter   = openfire
    logpath  = /var/log/openfire/info.log
    bantime  = 3600
    maxretry = 7

/etc/fail2ban/filter.d/openfire.conf (new file)

    [Definition]
    failregex = org(.*)IP: <HOST>$
    ignoreregex =

(The `<HOST>` tag is mandatory: fail2ban substitutes its own address pattern for it and refuses a failregex with no host group.)

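To check that the three pieces above (the date template, the failregex and the jail's maxretry) actually fit together before touching a live server, here is a small Python re-implementation of what fail2ban does with them, run over a few constructed info.log lines. This is an added example, not code from the original post and not fail2ban's own code; the `(?:::f{4,6}:)?(?P<host>\S+)` pattern is what fail2ban 0.8 substitutes for `<HOST>`, and the sample lines are made up in the format shown above, including one default 3.7.1 line without an IP to confirm it is ignored.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Date template from the datedetector.py addition (dots escaped).
DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}\s\d{2}:\d{2}:\d{2}")
DATE_FMT = "%Y.%m.%d %H:%M:%S"

# failregex from filter.d/openfire.conf, with <HOST> expanded to the
# pattern fail2ban 0.8 substitutes for it.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAIL_RE = re.compile(r"org(.*)IP: " + HOST + r"$")

# Constructed sample log lines (not real server output).
_MSG = ("org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. "
        "PLAIN authentication failed for: %s@192.168.253.5")
SAMPLE_LOG = [
    # stock 3.7.1 line: no " IP: ..." suffix, must not match
    "2012.04.13 15:40:40 " + _MSG % "test",
] + [
    # seven failures from one address within seven seconds
    "2012.04.13 15:40:%02d " % s + _MSG % "test" + " IP: 192.168.253.10"
    for s in range(41, 48)
] + [
    # two failures from another address, well under maxretry
    "2012.04.13 15:41:00 " + _MSG % "bob" + " IP: 192.168.253.20",
    "2012.04.13 15:45:00 " + _MSG % "bob" + " IP: 192.168.253.20",
]


def parse_line(line):
    """Return (timestamp, host) for a failed-login line, else None.

    Mirrors fail2ban 0.8: the date template is matched and stripped first,
    then failregex is searched in what remains.
    """
    m = DATE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(0), DATE_FMT)
    f = FAIL_RE.search(line[m.end():])
    if not f:
        return None
    return ts, f.group("host")


def find_bans(lines, maxretry=7, findtime=600):
    """Sliding-window failure count per host; returns {host: time_of_ban}.

    A host is banned the first time it accumulates maxretry failures within
    findtime seconds (fail2ban's default findtime is 600).
    """
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        q = hits[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG).items():
        print("ban %s (threshold reached at %s)" % (host, when.strftime(DATE_FMT)))
```

On a box with fail2ban installed the same check can be done against the real log with `fail2ban-regex /var/log/openfire/info.log /etc/fail2ban/filter.d/openfire.conf`, which reports how many lines the date template and the failregex matched.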

Cool, thanks for contributing this! One thing to note is that BOSH failed logins are not logged to info.log or elsewhere, IIRC.

Thank you very much @Konstantin.

Your solution worked perfectly on my Debian box and now fail2ban is running properly.

It would be nice if the logging addition were included in 3.7.2. Perhaps a short Thread.sleep() after a failed authentication might make brute-force attacks less easy.

Is it possible to compile only one module? Maybe that is easier than compiling everything? I am not sure that I understand how to do it.

I've downloaded Eclipse (as it says to do here), but it would not run - something with Java… Do I need the Java JRE or the JDK (link)?

Could someone add this to the next Version?