Hi,
I recently installed an ejabberd server.
I would like to be able to prevent brute-force attacks on this server : it should not be possible to try thousands different passwords without being kicked out.
There already exists a tool that does this kind of checks : fail2ban ( ).
This tool is able to monitor log files : if it finds too many authentication failures, the IP is temporarily banned (through iptables).
It works great on apache, ssh, etc. It also can be extended to other log formats (with regex matches).
I tried to make it work with ejabberd, but did not succeed because I faced 2 problems :
- fail2ban expects to have the IP of the client and the error message on the same line. But the ejabberd.log file creates two separate lines : an "Accepted connection", that gives the IP of the client, and a "Failed authentication", that is the monitored error message
- fail2ban expects to have a timestamp at the beginning of each line (see ). ejabberd.log has the timestamp on a separate line
Do you think it would be possible to make ejabberd generate a log file suitable for fail2ban?
mod_logsession ( http://www.ejabberd.im/node/2999 ) looks very close to that feature, but it does not seem to log the IP of the client (see ).
Another problem with mod_logsession is that it seems to require a recompile, which I would like to avoid, in order to benefit from the standard security upgrades of my distrib
Do you see another way to prevent brute force attacks? Maybe within ejabberd itself?
Thanks
I've modified mod_logsession
I've modified mod_logsession to log authentication failures, and report the IP address. The module can be compiled stand-alone.
However, I also had to modify ejabberd source code to run a new event, and that requires you to patch ejabberd and recompile one file.
If you use this module and you report it's useful, the patch could be proposed for inclusion in the next ejabberd versions. In that case, people would only need to compile mod_logsession, install and configure.