diff --git a/ChangeLog b/ChangeLog
index 90cdae59..90bcfcb3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,10 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released
 rest api and web interface (gh-1223)
 - nginx-limit-req - ban hosts, that were failed through nginx by limit request processing rate (ngx_http_limit_req_module)
+ - murmur - ban hosts that repeatedly attempt to connect to
+ murmur/mumble-server with an invalid server password or certificate.
+ * New jails:
+ - murmur - bans TCP and UDP from the bad host on the default murmur port.
 * sshd filter got new failregex to match "maximum authentication attempts exceeded" (introduced in openssh 6.8)
diff --git a/config/filter.d/murmur.conf b/config/filter.d/murmur.conf
new file mode 100644
index 00000000..3775a9d2
--- /dev/null
+++ b/config/filter.d/murmur.conf
@@ -0,0 +1,28 @@
+# Fail2Ban filter for murmur/mumble-server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+
+[Definition]
+
+_daemon = murmurd
+
+# N.B. If you allow users to have usernames that include the '>' character you
+# should change this to match the regex assigned to the 'username'
+# variable in your server config file (murmur.ini / mumble-server.ini).
+_usernameregex = [^>]+
+_prefix = [\n\s]*(\.\d{3})?\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from :\d+:
+failregex = ^%(_prefix)s Invalid server password$ ^%(_prefix)s Wrong certificate or password for existing user$
+ignoreregex =
+
+
+# DEV Notes:
+#
+# Author: Ross Brown
diff --git a/config/jail.conf b/config/jail.conf
index c98392ba..c8dc6d9c 100644
--- a/config/jail.conf
+++ b/config/jail.conf
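Review bot: The log-injection resistance of the `_prefix` line in filter.d/murmur.conf rests entirely on `_usernameregex = [^>]+` being unable to match the `(-1)>` that closes the name field, and the N.B. comment above it only tells admins to keep it in sync with murmur's `username` setting without saying what is at stake. The username is chosen by the remote client, so if the regex is widened carelessly (a class that admits `>`, or a non-greedy form that prefers the first `(-1)>`) a client can register a name such as `x(-1)> Rejected connection from 203.0.113.7:1: Invalid server password` and influence which address lands in `<HOST>`, i.e. get a third party banned. I would replace the N.B. with: `# SECURITY: the username is attacker-controlled; it must never be able to match '>' (the close of the <id:name(-1)> field),` / `# otherwise a crafted name can forge the "Rejected connection from <HOST>" text and get arbitrary addresses banned.` / `# Keep this in sync with the 'username' setting in murmur.ini / mumble-server.ini.` Separately, as rendered here `_prefix` ends in `Rejected connection from :\d+:` with no `<HOST>` token — presumably this page stripped the angle-bracket tag, but if the committed line really lacks it the filter can extract no address at all and needs fixing. `before = common.conf` and `_daemon = murmurd` are also unused, since `_prefix` never references `%(__prefix_line)s`, so a syslog-prefixed murmur log will not match this filter.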
@@ -821,3 +821,12 @@ returntype = DROP
 bantime = 3600
 maxretry = 1
 findtime = 1
+
+
+[murmur]
+# AKA mumble-server
+port = 64738
+filter = murmur
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
+logpath = /var/log/mumble-server/mumble-server.log
diff --git a/fail2ban/tests/files/logs/murmur b/fail2ban/tests/files/logs/murmur
new file mode 100644
index 00000000..bc18b7ea
--- /dev/null
+++ b/fail2ban/tests/files/logs/murmur
@@ -0,0 +1,5 @@
+# failJSON: { "time": "2015-11-29T16:38:01", "match": true , "host": "192.168.0.1" }
+2015-11-29 16:38:01.818 1 => <4:testUsernameOne(-1)> Rejected connection from 192.168.0.1:29530: Invalid server password
+
+# failJSON: { "time": "2015-11-29T17:18:20", "match": true , "host": "192.168.1.2" }
+2015-11-29 17:18:20.962 1 => <8:testUsernameTwo(-1)> Rejected connection from 192.168.1.2:29761: Wrong certificate or password for existing user
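Review bot: The `logpath = /var/log/mumble-server/mumble-server.log` line in the new [murmur] jail hard-codes the Debian package location and gives no hint where it comes from; on a host where murmur's `logfile` option points elsewhere, or where murmur logs through syslog, fail2ban finds no log file and does not start the jail. A comment such as `# Path of the 'logfile' setting in murmur.ini / mumble-server.ini; a murmur that logs via syslog is not matched by this filter` would save that debugging, the last clause because the accompanying filter's `_prefix` has no syslog prefix handling. The jail also inherits `maxretry` from [DEFAULT] while the filter bans on "Wrong certificate or password for existing user", so a legitimate user with a stale client certificate can lock themselves out of both the TCP and UDP actions within one `findtime`; a one-line comment advising admins to raise `maxretry` for that case is worth adding.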
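Review bot: The new fixture fail2ban/tests/files/logs/murmur holds only two lines that are expected to match and no negative sample, so a failregex that is accidentally too broad (one that lost the `$` anchor or the `\(-1\)` marker, say) would still pass the filter test. Adding a line from the same daemon that must not match, tagged `# failJSON: { "match": false }` as other fixtures in that directory do, for example a successful connection or a rejection for a reason the filter is not meant to ban, would pin the filter's precision; I believe the harness honours `"match": false` but have not checked here. A sample whose username contains characters such as `(`, `)`, `@` or `|` would also exercise `_usernameregex` beyond plain alphanumerics.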