Use fail2ban with unrealircd

If you have trouble on your server with spam, drones/zombies/bots or proxies

Moderator: Supporters

Locked
CrazyCat
Posts: 214
Joined: Thu Apr 28, 2005 1:05 pm
Location: France
Contact:

Use fail2ban with unrealircd

Post by CrazyCat »

Hi there,

The "freenodegate" attack is back, and I'm really fed up with it. I use spamfilter and dnsbl to block them, but even if they can't connect to my IRC after being zlined, they came to my server.
So I decide to create iptables rules each time a zline is added, with fail2ban.

filter.d/unrealircd.conf

Code: Select all

# Fail2Ban filter for unrealircd zline
#

[Definition]
failregex = ^.+Z:line added for \*@<HOST>.+$
ignoreregex =
# Author: CrazyCat
Note that any Zline will activate it, you can choose to be more precise

jail.local

Code: Select all

[unrealircd]
enabled = true
port = 6667
filter = unrealircd
banaction = iptables-allports
bantime = 604800
findtime = 86400
logpath   = /home/server/unrealircd/logs/ircd.log
maxretry  = 1
action = %(action_mwl)s
Some examples of the mail I received (proof the iptables rules is added):
after dronebl detection

Code: Select all

Hi,

The IP 88.230.42.120 has just been banned by Fail2Ban after
1 attempts against unrealircd.

Lines containing IP:88.230.42.120 in /home/server/unrealircd/logs/ircd.log

[Sun Mar  3 21:50:56 2019] - [Blacklist] IP 88.230.42.120 matches blacklist DroneBL (dnsbl.dronebl.org/reply=3)
[Sun Mar  3 21:50:56 2019] - Global Z:line added for *@88.230.42.120 on Sun Mar  3 20:50:56 2019 GMT (from my.server.net to expire at Sun Mar 10 20:50:56 2019 GMT: You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=88.230.42.120&network=network)
After spamfilter action

Code: Select all

Hi,

The IP 181.114.139.27 has just been banned by Fail2Ban after
1 attempts against unrealircd.

Lines containing IP:181.114.139.27 in /home/server/unrealircd/logs/ircd.log

[Sun Mar  3 16:14:51 2019] - Global Z:line added for *@181.114.139.27 on Sun Mar  3 15:14:51 2019 GMT (from my.server.net to expire at Sun Mar 10 15:14:51 2019 GMT: No spamming here)
Hope it'll help you :)
Locked