From 106c3eab9ab62828e6562ee1f0aa421e5af0312f Mon Sep 17 00:00:00 2001
From: Ross Brown
Date: Sun, 29 Nov 2015 15:56:56 +0000
Subject: [PATCH 1/6] Added filter and jail for murmur/mumble-server.
---
 config/filter.d/murmur.conf | 21 +++++++++++++++++++++
 config/jail.conf | 9 +++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 config/filter.d/murmur.conf
diff --git a/config/filter.d/murmur.conf b/config/filter.d/murmur.conf
new file mode 100644
index 00000000..cc47f022
--- /dev/null
+++ b/config/filter.d/murmur.conf
@@ -0,0 +1,21 @@
+# Fail2Ban filter for murmur/mumble-server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+
+[Definition]
+
+_daemon = murmurd
+
+failregex = Rejected connection from :\d+: Invalid server password$
+ Rejected connection from :\d+: Wrong certificate or password for existing user$
+
+ignoreregex =
+
+
+# DEV Notes:
+#
+# Author: Ross Brown
diff --git a/config/jail.conf b/config/jail.conf
index c98392ba..c8dc6d9c 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -821,3 +821,12 @@ returntype = DROP
 bantime = 3600
 maxretry = 1
 findtime = 1
+
+
+[murmur]
+# AKA mumble-server
+port = 64738
+filter = murmur
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
+logpath = /var/log/mumble-server/mumble-server.log
From 4c837f033323fbbfd8bccd98a462e2139b3183e6 Mon Sep 17 00:00:00 2001
From: Ross Brown
Date: Sun, 29 Nov 2015 16:28:47 +0000
Subject: [PATCH 2/6] Added sample log file for 'murmur' filter.
---
 fail2ban/tests/files/logs/murmur | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 fail2ban/tests/files/logs/murmur
diff --git a/fail2ban/tests/files/logs/murmur b/fail2ban/tests/files/logs/murmur
new file mode 100644
index 00000000..0b738853
--- /dev/null
+++ b/fail2ban/tests/files/logs/murmur
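Review bot: In config/filter.d/murmur.conf, `_daemon = murmurd` and the `before = common.conf` include are never used, because neither failregex line references `%(__prefix_line)s` or `%(_daemon)s`. Either drop both settings or say why they stay, for example `# _daemon is unused: murmur writes its own log format, not syslog` (to be confirmed against a real log). The same holds after PATCH 5/6, where the new `_prefix` does not use them either. As shown on this page, both failregex lines here and `_prefix` in PATCH 5/6 have no host group between `from ` and `:\d+:`; if that is not a rendering loss, the filter has no address to report.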
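Review bot: The `[murmur]` jail in config/jail.conf replaces `action` outright with two `%(banaction)s[...]` calls, so a notification action that a site sets in `[DEFAULT]` would not apply to this jail. Banning both protocols needs the two calls, but the override deserves a comment above `action`, for example `# overrides the default action: murmur uses TCP and UDP on the same port, both are banned`. `logpath` is a literal path that varies between installations, so a short comment telling operators to adjust it would help. `filter = murmur` looks redundant if the filter name defaults to the jail name, which this hunk does not show.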
@@ -0,0 +1,5 @@
+# failJSON: { "time": "2015-11-29T16:38:01", "match": true , "host": "192.168.0.1" }
+2015-11-29 16:38:01.818 1 => <4:test(-1)> Rejected connection from 192.168.0.1:29530: Invalid server password
+
+# failJSON: { "time": "2015-11-29T17:18:20", "match": true , "host": "192.168.1.2" }
+2015-11-29 17:18:20.962 1 => <8:test(-1)> Rejected connection from 192.168.1.2:29761: Wrong certificate or password for existing user
From ba535826a83136032c9e6f993804356f2890068e Mon Sep 17 00:00:00 2001
From: Ross Brown
Date: Tue, 15 Dec 2015 21:46:35 +0000
Subject: [PATCH 3/6] Updated ChangeLog to include new murmur filter.
---
 ChangeLog | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 20b708a8..03bed0cd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,8 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released
 rest api and web interface (gh-1223)
 - nginx-limit-req - ban hosts, that were failed through nginx by limit
 request processing rate (ngx_http_limit_req_module)
+ - murmur - ban hosts that repeatedly attempt to connect to
+ murmur/mumble-server with an invalid server password or certificate.
 
 - Enhancements:
 * Do not rotate empty log files
From fd36b058cee39dac4524cef32a66931de017c6dd Mon Sep 17 00:00:00 2001
From: Ross Brown
Date: Tue, 15 Dec 2015 21:54:41 +0000
Subject: [PATCH 4/6] Changed usernames in sample log file for 'murmur' filter.
---
 fail2ban/tests/files/logs/murmur | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fail2ban/tests/files/logs/murmur b/fail2ban/tests/files/logs/murmur
index 0b738853..bc18b7ea 100644
--- a/fail2ban/tests/files/logs/murmur
+++ b/fail2ban/tests/files/logs/murmur
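Review bot: The sample log in fail2ban/tests/files/logs/murmur holds only two matching lines and no `"match": false` case. The user name between `<N:` and `(-1)>` is chosen by the connecting client, so the fixture should include a line whose user name itself contains the words `Rejected connection from` followed by a different address. The expected `host` for that line stays the real peer, which keeps later regex edits from silently weakening the anchoring. A line without the `.818`-style fraction would also cover the optional `(\.\d{3})?` group that PATCH 5/6 introduces.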
@@ -1,5 +1,5 @@
 # failJSON: { "time": "2015-11-29T16:38:01", "match": true , "host": "192.168.0.1" }
-2015-11-29 16:38:01.818 1 => <4:test(-1)> Rejected connection from 192.168.0.1:29530: Invalid server password
+2015-11-29 16:38:01.818 1 => <4:testUsernameOne(-1)> Rejected connection from 192.168.0.1:29530: Invalid server password
 
 # failJSON: { "time": "2015-11-29T17:18:20", "match": true , "host": "192.168.1.2" }
-2015-11-29 17:18:20.962 1 => <8:test(-1)> Rejected connection from 192.168.1.2:29761: Wrong certificate or password for existing user
+2015-11-29 17:18:20.962 1 => <8:testUsernameTwo(-1)> Rejected connection from 192.168.1.2:29761: Wrong certificate or password for existing user
From ead2d509dc0101807f0cad53e896963a5498e47b Mon Sep 17 00:00:00 2001
From: Ross Brown
Date: Thu, 17 Dec 2015 17:45:24 +0000
Subject: [PATCH 5/6] Updated 'murmur' filter to use new double-anchored regex based on @yarikoptic's suggestions.
---
 config/filter.d/murmur.conf | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/config/filter.d/murmur.conf b/config/filter.d/murmur.conf
index cc47f022..3775a9d2 100644
--- a/config/filter.d/murmur.conf
+++ b/config/filter.d/murmur.conf
@@ -10,8 +10,15 @@ before = common.conf
 
 _daemon = murmurd
 
-failregex = Rejected connection from :\d+: Invalid server password$
- Rejected connection from :\d+: Wrong certificate or password for existing user$
+# N.B. If you allow users to have usernames that include the '>' character you
+# should change this to match the regex assigned to the 'username'
+# variable in your server config file (murmur.ini / mumble-server.ini).
+_usernameregex = [^>]+
+
+_prefix = [\n\s]*(\.\d{3})?\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from :\d+:
+
+failregex = ^%(_prefix)s Invalid server password$
+ ^%(_prefix)s Wrong certificate or password for existing user$
 
 ignoreregex =
 
From 16aa2fa13e387b8eb539349192879fb9af9170b3 Mon Sep 17 00:00:00 2001
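Review bot: `_prefix` in config/filter.d/murmur.conf (PATCH 5/6) needs a comment, because nothing explains why it starts with `[\n\s]*(\.\d{3})?` instead of a timestamp. Presumably the date is consumed before failregex is applied, leaving only the fractional seconds seen in the sample lines (`16:38:01.818`). Once confirmed, a line such as `# the timestamp is matched separately; the remainder starts with the optional .mmm fraction` would record that. `[\n\s]*` can be written `\s*`, since `\s` already covers newline. The N.B. above `_usernameregex` should also tell operators who widen it to keep the `^` and `$` anchors, because the user name is client-supplied text inside the matched line.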
From: Ross Brown
Date: Thu, 17 Dec 2015 17:57:45 +0000
Subject: [PATCH 6/6] Updated ChangeLog to include new murmur jail.
---
 ChangeLog | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 03bed0cd..20ca6def 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -43,6 +43,8 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released
 request processing rate (ngx_http_limit_req_module)
 - murmur - ban hosts that repeatedly attempt to connect to
 murmur/mumble-server with an invalid server password or certificate.
+ * New jails:
+ - murmur - bans TCP and UDP from the bad host on the default murmur port.
 
 - Enhancements:
 * Do not rotate empty log files