Merge pull request #1264 from rbrownwsws/master

Added filter and jail for murmur/mumble-server.
2015-12-18 09:20:45 -05:00 · 2015-12-18 09:20:45 -05:00 · edcbdf6eab
parent 39d202b623 8d12dba245
commit edcbdf6eab
4 changed files with 46 additions and 0 deletions
--- a/4
+++ b/4
@ -41,6 +41,10 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released
       rest api and web interface (gh-1223)
     - nginx-limit-req - ban hosts, that were failed through nginx by limit
       request processing rate (ngx_http_limit_req_module)
+     - murmur - ban hosts that repeatedly attempt to connect to
+       murmur/mumble-server with an invalid server password or certificate.
+   * New jails:
+     - murmur - bans TCP and UDP from the bad host on the default murmur port.
   * sshd filter got new failregex to match "maximum authentication
     attempts exceeded" (introduced in openssh 6.8)

--- a/config/filter.d/murmur.conf
+++ b/config/filter.d/murmur.conf
@ -0,0 +1,28 @@
+# Fail2Ban filter for murmur/mumble-server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+
+[Definition]
+
+_daemon = murmurd
+
+# N.B. If you allow users to have usernames that include the '>' character you
+#      should change this to match the regex assigned to the 'username'
+#      variable in your server config file (murmur.ini / mumble-server.ini).
+_usernameregex = [^>]+
+
+_prefix = <W>[\n\s]*(\.\d{3})?\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from <HOST>:\d+:
+
+failregex = ^%(_prefix)s Invalid server password$
+            ^%(_prefix)s Wrong certificate or password for existing user$
+
+ignoreregex =
+
+
+# DEV Notes:
+#
+# Author: Ross Brown
--- a/config/jail.conf
+++ b/config/jail.conf
@ -821,3 +821,12 @@ returntype   = DROP
 bantime      = 3600
 maxretry     = 1
 findtime     = 1
+
+
+[murmur]
+# AKA mumble-server
+port     = 64738
+filter   = murmur
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
+logpath  = /var/log/mumble-server/mumble-server.log
--- a/fail2ban/tests/files/logs/murmur
+++ b/fail2ban/tests/files/logs/murmur
@ -0,0 +1,5 @@
+# failJSON: { "time": "2015-11-29T16:38:01", "match": true , "host": "192.168.0.1" }
+<W>2015-11-29 16:38:01.818 1 => <4:testUsernameOne(-1)> Rejected connection from 192.168.0.1:29530: Invalid server password
+
+# failJSON: { "time": "2015-11-29T17:18:20", "match": true , "host": "192.168.1.2" }
+<W>2015-11-29 17:18:20.962 1 => <8:testUsernameTwo(-1)> Rejected connection from 192.168.1.2:29761: Wrong certificate or password for existing user