I’ve found how to run remote commands on the MikroTik board using SSH and a keyfile. I’m running fail2ban on my server in the DMZ; if someone tries to log on several times, he/she is added to the server’s iptables and all connections are blocked from the offending IP.
Rather than blocking the hosts in the server’s IP table I would like to use password-less SSH to have fail2ban add the offending IP to an address list on the MikroTik box. This shouldn’t be too hard... However:
Those IPs should not be permanent. Is there any method to use the shell to add IP addresses to an address list with a time? I can do this:
add-dst-to-address-list - adds destination address to address-list
add-src-to-address-list - adds source address to address-list
address-list-timeout - specifies timeout address is added to the list.
But then I can only add the source/destination IP based on a firewall rule? I need to add offending IPs from my Gentoo server’s fail2ban, but would prefer them to be dynamic. Would there be a solution around this? Would it not make sense to have the ability to add IPs to address-lists with a timeout?
For this fail2ban purpose, but also for “setting and forgetting”: in case you need to provide access for a period of time and don’t want to forget to remove the entry, you could leave it and it would delete itself.
That is not a current feature. You’ll either have to write your code around it and manually delete items, or wait for it to get implemented (which may not happen).
Another option would be to use a custom rule on the firewall to trigger an event and add it to the address list.
Use something like hping3 or scapy to send a custom packet through the router with options you should never see in real traffic (i.e., a bogon address, an invalid ICMP type, or obscure or invalid TCP ports/options).
For this example, I am using ICMP 3:9 (DOD Host Prohibited), with a source IP of the attacker and a destination IP of a non-routable address (203.0.113.111 from the IANA example range).
hping3 -c 1 -C 3 -K 9 -a <Attackers IP> 203.0.113.111
Then you write a custom rule in forward to pick up this packet and take some action.
The only word of warning is this is for the most part a wide open way to cause the router to block things without authentication. By using a bogon IP as the destination, it prevents anyone from abusing this externally, but it doesn’t prevent anyone inside the LAN from spoofing a packet and adding anything they want to the evilhosts list. I would consider implementing some sort of whitelist or safeguard with the use of the remote_evilhosts to prevent known good sources from getting added (and inadvertently getting yourself locked out of the server for 24 hours).
This isn’t a perfect solution, but it gets the job done. It’s security through obscurity, so be careful with what you use it for. By changing around what options and payloads you are listening for, it can also be turned around and used as a portknocking implementation to grant remote access.
I’m also interested in making a (Gentoo, what a coincidence) fail2ban server interact with a MikroTik router/firewall.
I see how to add an address to a list, but not how to remove an address from a list. I only see how to remove a whole list.
The basic idea would be not to use any timeout on the MikroTik device (not really a standard feature and really unlikely to be implemented) but to rely on fail2ban itself (which handles “ban” and “unban” events: so basically, on each event, triggering an ssh address-list management command on the MikroTik firewall). All would be done by a fine fail2ban setup.
BTW, can you rename this thread title please? Like including fail2ban into it please?
If you are relying on the server to send the unban events, you may want to add the time/date stamp as a comment when you add the host to the list, so you can identify entries which didn’t get purged correctly. Optionally, consider having it purge the list every time the server reboots, or have the mikrotik purge the list once a week or so (same command as above, but without the address=x.x.x.x in the find). This way you don’t have to worry about hosts that get stuck in fail2ban due to a dropped ssh tunnel, or the server rebooting and forgetting to send the unban command.
I would go the API path and create something along these lines:
router config:
in ip firewall filter there is a rule that drops everything from the address-list named “ban”
then on your server you create a small tool that is capable of the RouterOS API and something like sqlite. When you have an IP to add to the ban list, then through the API you can add the address; in return you get the .id value of the entry you just added. Store that in SQL with the time when this has to be removed, and then just periodically check for the timeouts in the table; when one is reached you already have the .id value to remove.
a little hackish solution would be:
router config:
you have 2 firewall rules: one that checks the list to-ban and the other, as previously, ban. The rule that looks into to-ban looks for the destination address to be in the to-ban list and adds an entry in the ban list with add-dst-to-address-list, where you can set a time.
now your API tool creates an entry on the router in the to-ban list and sends an ICMP packet with the required DST address. Your firewall will catch it and add it to the ban list. You can check from the tool if the address is added into the ban list by the firewall, and then remove the address from the to-ban list.
Well, I’m not the OP, I just joined the conversation
Owww, thank you very much, I was looking in /ip firewall filter section…
@janisk: luckily fail2ban already manages all this stuff internally (host storage, timers expiring, etc). Heavy artillery shouldn’t be necessary in this case.
Right. FYI, fail2ban allows “easy” implementation of new service monitoring (well, not new in our case (ssh)) and new “actions” (commands to run on events).
The following events are defined: actionstart, actionstop, actioncheck, actionban, actionunban.
If flushing when starting/stopping, this should be quite easy, doing a proper fail2ban/RouterOS integration provided I can pass commands to the routerboard via ssh (key auth) without a problem.
Having a global behaviour just like the already written iptables events’ actions should be a good start (playing with a single address list instead of a single chain).
Restart Fail2Ban to load the new config. You can test the command line commands from bash first and check the address list in MikroTik to confirm that the list is actually updated.
When I start or stop the service all IPs on the Fail2Ban address list are purged. When someone fails authentication too many times they are added to the address list and banned. When the unban command runs after the amount of time that you have configured, only that IP is removed from the address list.
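As an added example (not code from the thread, fail2ban or MikroTik), here is a small POSIX shell helper that generates the RouterOS address-list commands for the fail2ban events listed earlier (actionstart/actionstop flush the list, actionban adds, actionunban removes only that IP) and sends them over key-based ssh, with the timestamped comment suggested above so stale entries can be spotted. The list name `fail2ban`, the router address `admin@192.0.2.1`, the key path and the script name are assumptions; it also rejects anything that is not a plain IPv4 address before building a command, so an unexpected value can never become extra RouterOS commands.

```shell
#!/bin/sh
# Added example (not from the thread): build the RouterOS commands a fail2ban
# action would send over key-based ssh for its ban, unban and start/stop events.
# LIST, ROUTER_HOST and KEYFILE are assumed names, not values from the thread.
LIST="${LIST:-fail2ban}"
ROUTER_HOST="${ROUTER_HOST:-admin@192.0.2.1}"
KEYFILE="${KEYFILE:-/etc/fail2ban/mikrotik_key}"
# Accept only a plain dotted-quad IPv4 address, so whatever is passed in
# (normally fail2ban's <ip>) cannot smuggle extra RouterOS commands.
valid_ipv4() (
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
)

# actionban: add the address with a timestamped comment, so entries that never
# got their unban (dropped ssh session, server reboot) can be spotted later.
ros_ban_cmd() {
    valid_ipv4 "$1" || return 1
    printf '/ip firewall address-list add list=%s address=%s comment="fail2ban %s"\n' \
        "$LIST" "$1" "${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
}

# actionunban: remove only the matching entry, not the whole list.
ros_unban_cmd() {
    valid_ipv4 "$1" || return 1
    printf '/ip firewall address-list remove [find list=%s address=%s]\n' "$LIST" "$1"
}

# actionstart / actionstop: purge everything fail2ban put on the list.
ros_flush_cmd() {
    printf '/ip firewall address-list remove [find list=%s]\n' "$LIST"
}

# Ship one generated command to the router over key-based ssh.
send_ros() {
    ssh -i "$KEYFILE" -o BatchMode=yes "$ROUTER_HOST" "$1"
}
# Usage: mikrotik-fail2ban.sh ban|unban <ip>   or   mikrotik-fail2ban.sh flush
case "${1:-}" in
    ban)   cmd=$(ros_ban_cmd "$2") && send_ros "$cmd" ;;
    unban) cmd=$(ros_unban_cmd "$2") && send_ros "$cmd" ;;
    flush) send_ros "$(ros_flush_cmd)" ;;
esac
```

In fail2ban's action file the three entries then become `actionban = /path/mikrotik-fail2ban.sh ban <ip>`, `actionunban = /path/mikrotik-fail2ban.sh unban <ip>` and `actionstart`/`actionstop` both call `flush`.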