I run several systems spread across the Internet, and all of them are being probed by bad actors. They run services like fail2ban, which protect them, but looking at the logs, they are often targeted by the same attacking host. It would be useful to be proactive: to have an attack on one host counted as an attack on any of them, and to be able to distribute this information more widely.
This describes the cobbled-together system I have at present, with plenty of room for improvement.
The XMPP Group.
This is a chat group, created from an administrator account using Gajim, on an XMPP server under my control; call it (for example) secinfo@example.net
There are also XMPP users for each target host, called secinfo-hostname@example.net, created (the server here is Prosody, hence prosodyctl) with
prosodyctl adduser secinfo-hostname@example.net
Client-server software
The software is implemented with slixmpp, so on a Debian-based system:
apt install --no-install-recommends python3-slixmpp
Note that slixmpp recommends several packages that are not required for this purpose, though they may be useful in other contexts. I have only tested with version 1.10.
An initial version of the software can be found at https://gitlab.com/JohnLines/secinfo-xmpp
Current state
At present the software reads from fail2ban, via a local action whose ban and unban commands are
actionban = printf %%b "v=1,t=f2b-b,s=,i=" | nc localhost 28222
actionunban = printf %%b "v=1,t=f2b-u,s=,i=" | nc localhost 28222
and forwards each message it receives on port 28222 to the group.
It reads messages from the group, but does not yet act on them.
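As an added example (not the code in the GitLab repository above), this is how the receiving side of the v=1,t=...,s=...,i= messages could parse and validate what arrives from the group before acting on it. The field meanings (t=f2b-b for ban, t=f2b-u for unban, s= for the reporting source, i= for the address) follow the actions shown; the sample lines are constructed, and the rejection of empty or malformed addresses and unknown versions is my own choice, not something the page specifies.

```python
import ipaddress
from dataclasses import dataclass

# Message types taken from the fail2ban actions: f2b-b = ban, f2b-u = unban.
MESSAGE_TYPES = {"f2b-b": "ban", "f2b-u": "unban"}
SUPPORTED_VERSION = "1"


@dataclass(frozen=True)
class BanEvent:
    action: str   # "ban" or "unban"
    source: str   # the s= field (reporting host / jail); may be empty
    ip: str       # normalised address as a /32 or /128 network


def parse_event(line: str) -> BanEvent:
    """Parse one 'v=1,t=f2b-b,s=...,i=...' line; raise ValueError if unusable."""
    fields = {}
    for item in line.strip().split(","):
        if "=" not in item:
            raise ValueError(f"malformed field: {item!r}")
        key, value = item.split("=", 1)
        if key in fields:
            raise ValueError(f"duplicate field: {key}")
        fields[key] = value
    if fields.get("v") != SUPPORTED_VERSION:
        raise ValueError(f"unsupported version: {fields.get('v')!r}")
    action = MESSAGE_TYPES.get(fields.get("t", ""))
    if action is None:
        raise ValueError(f"unknown message type: {fields.get('t')!r}")
    # i= must be a real address; an empty or garbage value raises ValueError here,
    # so a peer cannot make us ban something that is not an address at all.
    net = ipaddress.ip_network(fields.get("i", ""), strict=False)
    return BanEvent(action, fields.get("s", ""), str(net))


def apply_events(lines, banned=None):
    """Fold a stream of event lines into the set of currently banned networks.
    Lines that fail to parse are collected, not fatal, so one bad peer message
    cannot stop the rest from being processed."""
    banned = set() if banned is None else set(banned)
    rejected = []
    for line in lines:
        try:
            ev = parse_event(line)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        if ev.action == "ban":
            banned.add(ev.ip)
        else:
            banned.discard(ev.ip)
    return banned, rejected
```

A real receiver would hand each entry of the returned set to a local firewall or to fail2ban itself; that step is deliberately left out here.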