Simple fail2ban jail for Mosquitto authentication
Following is a simple fail2ban jail for Mosquitto authentication.
When an authentication attempt fails, Mosquitto writes three lines like these to its log file:
---
<TIMESTAMP>: New connection from <HOST> on port <PORT>.
<TIMESTAMP>: Sending CONNACK to <HOST>
<TIMESTAMP>: Socket error on client <unknown>, disconnecting.
---
The filter matches these three lines to extract the host so that fail2ban can ban it.
Instructions:
1. Paste the jail.local content at the bottom of your /etc/fail2ban/jail.local file
2. Save the mosquitto-auth.conf file to the /etc/fail2ban/filter.d folder
3. Restart the fail2ban server and check that it works. Adjust it to your needs.
jail.local:
[mosquitto-auth]
port = 1883,8883
enabled = true
filter = mosquitto-auth
logpath = /var/log/mosquitto/mosquitto.log
mosquitto-auth.conf:
# Fail2Ban filter for unsuccessful Mosquitto authentication attempts
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Init]
maxlines = 3
[Definition]
failregex = .+ New connection from <HOST> on port \d+\.\n.+\n.+ Socket error on client <unknown>, disconnecting\.
ignoreregex =
# Author: Francesco Rega
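
The following sketch is an added example, not part of the original gist or of fail2ban itself: it approximates how the three-line failregex is applied over a maxlines = 3 buffer and shows that the filter only matches when the three log lines are consecutive. The `<HOST>` stand-in, the function name and the log lines are assumptions constructed for illustration.

```python
import re
from collections import deque

# failregex and maxlines from the filter on this page (final dot escaped).
FAILREGEX = (r".+ New connection from <HOST> on port \d+\.\n"
             r".+\n"
             r".+ Socket error on client <unknown>, disconnecting\.")
MAXLINES = 3

# Simplified stand-in for fail2ban's <HOST> tag (assumption, not fail2ban's own regex).
HOST = r"(?P<host>[\w.:-]+)"

def matched_hosts(lines, failregex=FAILREGEX, maxlines=MAXLINES):
    """Slide a maxlines-sized buffer over the log and return each matched host."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    window, hits = deque(maxlen=maxlines), []
    for line in lines:
        window.append(line)
        m = pattern.search("\n".join(window))
        if m:
            hits.append(m.group("host"))
            window.clear()  # simplification: forget lines that already matched
    return hits

# Constructed log excerpts (documentation addresses, made-up timestamps).
CONSECUTIVE = [
    "1700000000: New connection from 203.0.113.7 on port 1883.",
    "1700000000: Sending CONNACK to 203.0.113.7",
    "1700000000: Socket error on client <unknown>, disconnecting.",
]
INTERLEAVED = [
    "1700000010: New connection from 198.51.100.9 on port 1883.",
    "1700000010: Sending CONNACK to 198.51.100.9",
    "1700000010: Received PINGREQ from sensor-1",  # another client's line
    "1700000010: Socket error on client <unknown>, disconnecting.",
]

if __name__ == "__main__":
    print("consecutive:", matched_hosts(CONSECUTIVE))
    print("interleaved:", matched_hosts(INTERLEAVED))
    # A larger buffer alone does not help: the regex allows exactly one line in between.
    print("interleaved, maxlines=4:", matched_hosts(INTERLEAVED, maxlines=4))
```

On a busy broker, lines from other clients can land between the connection and the socket error, so some failures go uncounted. Running `fail2ban-regex` against the real log file and the installed filter shows what fail2ban itself matches.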