Fail2Ban with RabbitMQ


Jamil Shamy

Jul 10, 2014, 11:25:34 PM
to rabbitm...@googlegroups.com
Hi,

I am currently hosting an instance of RabbitMQ on an on-line server. I would like to detect if someone is constantly trying to login to the UI Management plugin web interface, or if someone is constantly trying to connect as a regular AMQP client, thus detecting any brute force attack.

Usually for this kind of situation, I would use Fail2Ban, which reads the log files of a program (for example /var/log/auth.log in the case of ssh), parses the contents of the logfile to detect any possible attack, then adds a rule to IPTables to ban an IP for a certain amount of time.

Has anyone successfully implemented Fail2Ban with RabbitMQ? And does rabbit log the IP addresses of the clients that try to login to it? (This way Fail2Ban can read rabbit log files and act accordingly.)

Your feedback would be appreciated

Jamil

Michael Klishin

Jul 11, 2014, 4:43:42 AM
to rabbitm...@googlegroups.com, Jamil Shamy
On 11 July 2014 at 07:25:40, Jamil Shamy (jamil...@gmail.com) wrote:
> Has any one successfully implemented Fail2Ban with RabbitMQ,
> ? and does rabbit log the IP addresses of the clients that tries
> to login to it ? (this way Fail2Ban can read rabbit log files and
> act accordingly )

It does log connection strings, including client IP for AMQP, MQTT and STOMP
connections but not HTTP requests.

If your RabbitMQ node happens to be accessible via public Internet, it is
generally a good idea to limit access to just your intranet using iptables
or similar. 
--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Simon MacMullen

Jul 11, 2014, 5:28:40 AM
to Michael Klishin, rabbitm...@googlegroups.com, Jamil Shamy
On 11/07/2014 9:43AM, Michael Klishin wrote:
> It does log connection strings, including client IP for AMQP, MQTT and STOMP
> connections but not HTTP requests.

You can turn on HTTP logging:

http://www.rabbitmq.com/management.html#configuration

Cheers, Simon

Jamil Shamy

Jul 11, 2014, 10:13:48 PM
to rabbitm...@googlegroups.com
Thanks Michael.

Jamil Shamy

Jul 11, 2014, 10:14:04 PM
to rabbitm...@googlegroups.com, mkli...@gopivotal.com, jamil...@gmail.com
Thanks Simon

Nagaraj G

Jun 5, 2019, 10:06:39 AM
to rabbitmq-users
Hello Jamil,

My use case is also similar to yours. May I know what kind of implementation you have done to block the attacker's source IP?

Luke Bakken

Jun 5, 2019, 1:57:48 PM
to rabbitmq-users

Hello,

Please do not respond to old discussions. The chances of someone noticing your message are slight.

I can't find any information about configuring fail2ban with RabbitMQ, however you should be able to configure it by doing the following:

* Set up RabbitMQ
* Make an unauthorized connection to port 5672
* See what is logged

Using RabbitMQ 3.7.15, here is what is logged when a client connects with invalid credentials:

2019-06-05 10:53:23.899 [info] <0.532.0> accepting AMQP connection <0.532.0> (127.0.0.1:54820 -> 127.0.0.1:5672)
2019-06-05 10:53:23.901 [error] <0.532.0> Error on AMQP connection <0.532.0> (127.0.0.1:54820 -> 127.0.0.1:5672, state: starting):
PLAIN login refused: user 'foo' - invalid credentials
2019-06-05 10:53:23.902 [info] <0.532.0> closing AMQP connection <0.532.0> (127.0.0.1:54820 -> 127.0.0.1:5672)

Notice that the start and end of every connection attempt is logged. You can use this, along with the timestamp values, to come up with rules to exclude repeated connection attempts within a certain time window.

Here is what is logged if you connect to port 5672 but do not complete the AMQP handshake. If a malicious user is trying to find an open port, this would be logged:

2019-06-05 10:55:43.176 [info] <0.544.0> accepting AMQP connection <0.544.0> ([::1]:54841 -> [::1]:5672)
2019-06-05 10:55:43.177 [error] <0.544.0> closing AMQP connection <0.544.0> ([::1]:54841 -> [::1]:5672):
{handshake_timeout,handshake}


HAProxy is an alternative:

http://www.loadbalancer.org/blog/simple-denial-of-service-dos-attack-mitigation-using-haproxy-2/

Thanks -
Luke

Nagaraj G

Jun 6, 2019, 1:55:29 AM
to rabbitmq-users
Hi Luke,

Thanks for your suggestions.

In order to write a filter in fail2ban, the log line should contain the client host IP; the filter will then match the IP and give it to the IPtables rule as an input. In the below log, line one and line two are not on a single line:

2019-06-05 10:53:23.901 [error] <0.532.0> Error on AMQP connection <0.532.0> (127.0.0.1:54820 -> 127.0.0.1:5672, state: starting):
PLAIN login refused: user 'foo' - invalid credentials

I need to specify some delimiter first, then match the host IP using the <HOST> regex pattern.

For example, here is a MySQL log pattern and fail2ban filter.

By the way, I will try your HAProxy solution in the meantime.


Thanks in advance,
Nagaraj

MySQL log ---> 121227  8:44:21 [Warning] Access denied for user 'root'@'localhost' (using password: YES)

Fail2ban filter----> failregex = Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$.

Luke Bakken

Jun 6, 2019, 10:22:44 AM
to rabbitmq-users
Hi Nagaraj,

Most regex libraries allow multi-line matches. I did a quick search using "fail2ban multiline regex" and was directed to this issue, which has examples:

Luke
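As an added example (not code from this thread, from fail2ban or from RabbitMQ), the following Python script applies the multi-line idea from Luke's last reply to the 3.7.15 log lines he quoted: it pairs each [error] connection line with the reason on the following line, pulls the client host (dotted IPv4 or bracketed IPv6) out of the connection string, and applies a fail2ban-style maxretry/findtime window to decide which hosts a jail would ban. The sample log is constructed and the function names are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, shaped like the RabbitMQ 3.7.15 lines quoted in the thread.
SAMPLE_LOG = """\
2019-06-05 10:53:23.899 [info] <0.532.0> accepting AMQP connection <0.532.0> (127.0.0.1:54820 -> 127.0.0.1:5672)
2019-06-05 10:53:23.901 [error] <0.532.0> Error on AMQP connection <0.532.0> (127.0.0.1:54820 -> 127.0.0.1:5672, state: starting):
PLAIN login refused: user 'foo' - invalid credentials
2019-06-05 10:53:25.100 [error] <0.540.0> Error on AMQP connection <0.540.0> (127.0.0.1:54830 -> 127.0.0.1:5672, state: starting):
PLAIN login refused: user 'foo' - invalid credentials
2019-06-05 10:53:26.400 [error] <0.541.0> Error on AMQP connection <0.541.0> (127.0.0.1:54831 -> 127.0.0.1:5672, state: starting):
PLAIN login refused: user 'bar' - invalid credentials
2019-06-05 10:55:43.177 [error] <0.544.0> closing AMQP connection <0.544.0> ([::1]:54841 -> [::1]:5672):
{handshake_timeout,handshake}
"""

# First line of a two-line error: timestamp, then the client side of "(client:port -> server:port";
# the client host is either a dotted IPv4 or a bracketed IPv6 literal (the [::1] form above).
ERROR_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[error\] \S+ "
    r"(?:Error on|closing) AMQP connection \S+ "
    r"\((?:\[(?P<host6>[0-9a-fA-F:]+)\]|(?P<host4>\d+\.\d+\.\d+\.\d+)):\d+ ->"
)
# The reason lives on the NEXT line, which is why a single-line failregex cannot see it.
FAILURE_DETAIL = re.compile(r"login refused|handshake_timeout")

def failed_attempts(log_text):
    """Yield (timestamp, client_host) for each refused login or aborted handshake."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = ERROR_LINE.match(line)
        if not m or i + 1 >= len(lines) or not FAILURE_DETAIL.search(lines[i + 1]):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        yield ts, m.group("host6") or m.group("host4")

def hosts_to_ban(log_text, maxretry=3, findtime=timedelta(seconds=600)):
    """fail2ban-style sliding window: maxretry failures inside findtime => ban the host."""
    recent, banned = defaultdict(deque), set()
    for ts, host in failed_attempts(log_text):
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # drop attempts older than the window
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    print(sorted(hosts_to_ban(SAMPLE_LOG)))  # ['127.0.0.1']
```

The [info] accepting/closing lines are skipped because the pattern requires the [error] level, so a normal successful connection never counts toward a ban.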