Sharing security information with XMPP

I run several systems spread across the Internet, and all are being probed by bad actors. They run services like fail2ban, which protect them, but looking at the logs they are often targeted by the same attacking host. It would be useful to be pro-active, have an attack on one counted as an attack on any, and be able to distribute this information more widely.

This describes the cobbled together system I have at present, with plenty of room for improvement.

The XMPP Group

This is a Chat Group, created from an administrator account using Gajim, on an XMPP server under my control. The group is called (for example) secinfo@example.net.

There is also an XMPP user for each participating host, called secinfo-hostname@example.net, created with

prosodyctl adduser secinfo-hostname@example.net

Having created the accounts for the hosts, the chat group owner should go into the account in Gajim, make the participating hosts members, and then go into Group chat Configuration and tick Persistent, make sure the room is not included in public lists, and tick Only allow members to join.

Client-server software

The software implementation uses slixmpp, so

apt install --no-install-recommends python3-slixmpp

Note that slixmpp recommends several packages not required for this purpose, though they may be useful in other contexts. I have only tested with version 1.10.

An initial version of the software can be found at https://gitlab.com/JohnLines/secinfo-xmpp.

Current state

At present the software reads from fail2ban, via a local action which invokes

actionban = /etc/fail2ban/action.d/secinfo-xmpp.sh "v=1,t=f2b-b,j=<name>,i=<ip>" || true
actionunban = /etc/fail2ban/action.d/secinfo-xmpp.sh "v=1,t=f2b-u,j=<name>,i=<ip>" || true

and sends the messages to the group. The ‘|| true’ prevents the action from failing if secinfo-xmpp is not running.

It also reads messages from the group, and if a message contains a ban action from another host it executes a ban action on the local host for the same jail and IP address, unless that IP address is already banned.
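As an added example (not code from the secinfo-xmpp project), the parse-and-decide step described above in Python: it validates an incoming group message against the v=1,t=...,j=...,i=... format, rejects malformed fields and non-routable addresses, ignores our own echoed reports and unban messages, and returns the fail2ban-client command to run unless the address is already banned in that jail. The function names, the `banned` map and the sample JIDs are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Message format taken from the page: "v=1,t=f2b-b,j=<jail>,i=<ip>"
# Jail names are used as a command argument, so restrict them tightly.
JAIL_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


@dataclass(frozen=True)
class SecInfo:
    version: int
    kind: str   # "f2b-b" (ban) or "f2b-u" (unban)
    jail: str
    ip: str


def parse_secinfo(text: str) -> Optional[SecInfo]:
    """Parse one group message; return None for anything malformed.
    Group messages are untrusted input, so every field is validated."""
    fields = {}
    for part in text.strip().split(","):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if set(fields) != {"v", "t", "j", "i"}:
        return None
    if fields["v"] != "1" or fields["t"] not in ("f2b-b", "f2b-u"):
        return None
    if not JAIL_RE.match(fields["j"]):
        return None
    try:
        ip = ipaddress.ip_address(fields["i"])
    except ValueError:
        return None
    # Never ban loopback, link-local, multicast or unspecified addresses,
    # whatever another host claims; add RFC1918 here if your hosts share a LAN.
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return None
    return SecInfo(1, fields["t"], fields["j"], str(ip))


def decide(sender: str, own_jid: str, text: str,
           banned: Dict[str, Set[str]]) -> Optional[Tuple[str, ...]]:
    """Return the fail2ban-client argv to run locally, or None if nothing to do.
    `banned` maps jail -> IPs already banned on this host (hypothetical)."""
    if sender == own_jid:           # echo of our own report: ignore
        return None
    info = parse_secinfo(text)
    if info is None or info.kind != "f2b-b":
        return None                 # only bans are mirrored, not unbans
    if info.ip in banned.get(info.jail, set()):
        return None                 # already banned here
    return ("fail2ban-client", "set", info.jail, "banip", info.ip)
```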
