Fail2Ban

Hello
I have a router with a public IP and L2TP and PPTP VPN on it (I know it is not secure, etc. - will be upgrading soon).
I am facing a lot of failed authentications from unknown IPs, so I was thinking about fail2ban.
Would anyone direct me? Is this a script? Is there any setting in the router for it? Because I am not seeing it.
Thank you

There are just tons of topics about this, use search…

I searched and couldn't find anything that suits my case - they are mainly talking about SSH.
Thank you for your "valuable" contribution.

SSH, winbox, anything, all failed attempts are in the same log section, unless you remove or modify this.

And about “valuable”, I have already provided the script, modify it for your case…
There are also some “valuable” instructions present on what must be modified…
http://forum.mikrotik.com/t/script-to-add-ip-to-list-based-on-log-help-needed/156344/1

Make all services available only from the LAN and VPN subnet and you don't need to make any fail2ban.
This is an example of classic 3rd floor defense.

16 ;;; SSH blacklist
chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22

17 ;;; SSH 3rd stage
chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22

18 ;;; SSH 2nd stage
chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22

19 ;;; SSH 1st stage
chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22

It is better to drop all and use a strong VPN instead of a bunch of firewall rules and address lists…

The router internet interface has only the VPN, and all other services are LAN locked.

You see!!! I told you it's valuable :laughing:
But this is a bit much for me, I guess I am slow this morning.. Can I contact you privately?

100% right, but not in my budget.. I have a Sophos XG though, maybe I can use it instead.

No, sorry, I only help for free in my spare time, and the rest of the time I must help myself… :laughing:
BUT
if you post on the forum the results of /log print on the terminal (removing useless lines) with the wanted fail2ban log fail lines, I can modify the script for you.

What do you mean? I just post the lines where "authentication failed" appears?

Well… the sense is that… for making personalized rules…



06:01:07 pptp,info TCP connection established from 78.128.113.66 
06:01:08 pptp,ppp,error <2856>: user mm authentication failed 
06:10:24 pptp,info TCP connection established from 91.191.209.235 
06:10:25 pptp,ppp,error <2857>: user guest authentication failed 
06:20:43 pptp,info TCP connection established from 78.128.113.68 
06:20:44 pptp,ppp,error <2858>: user test authentication failed 
06:59:35 pptp,info TCP connection established from 91.191.209.236 
06:59:36 pptp,ppp,error <2859>: user sd authentication failed 
07:20:52 pptp,info TCP connection established from 91.191.209.235 
07:20:53 pptp,ppp,error <2860>: user vpn authentication failed 
07:20:59 pptp,info TCP connection established from 78.128.113.70 
07:21:00 pptp,ppp,error <2861>: user admin authentication failed 
08:01:08 pptp,info TCP connection established from 78.128.113.67 
08:01:09 pptp,ppp,error <2862>: user zz authentication failed 
08:11:23 pptp,info TCP connection established from 78.128.113.66 
08:11:24 pptp,ppp,error <2863>: user asd authentication failed 
08:50:00 pptp,info TCP connection established from 78.128.113.68 
08:50:01 pptp,ppp,error <2864>: user qq authentication failed 
09:13:21 pptp,info TCP connection established from 91.191.209.236 
09:13:22 pptp,ppp,error <2865>: user 001 authentication failed 
09:49:49 pptp,info TCP connection established from 78.128.113.70 
09:49:49 pptp,ppp,error <2866>: user 8888 authentication failed 
09:52:26 pptp,info TCP connection established from 91.191.209.234 
09:52:27 pptp,ppp,error <2867>: user 333 authentication failed 
09:53:14 pptp,info TCP connection established from 78.128.113.66 
09:53:15 pptp,ppp,error <2868>: user 111 authentication failed 
10:28:05 pptp,info TCP connection established from 91.191.209.235 
10:28:05 pptp,ppp,error <2869>: user home authentication failed 
10:31:21 pptp,info TCP connection established from 78.128.113.67 
10:31:22 pptp,ppp,error <2870>: user aaa authentication failed 
10:44:21 pptp,info TCP connection established from 185.76.176.192 
11:31:40 pptp,info TCP connection established from 91.191.209.236 
11:31:41 pptp,ppp,error <2877>: user vpn01 authentication failed 
11:32:56 pptp,info TCP connection established from 78.128.113.66 
11:32:57 pptp,ppp,error <2878>: user 123456 authentication failed 
11:55:20 pptp,info TCP connection established from 91.191.209.235 
11:55:21 pptp,ppp,error <2879>: user vpntest authentication failed 
12:07:52 pptp,info TCP connection established from 78.128.113.67 
12:07:53 pptp,ppp,error <2880>: user user1 authentication failed 
12:37:35 pptp,info TCP connection established from 91.191.209.234 
12:37:36 pptp,ppp,error <2881>: user 888 authentication failed

mmm…

It is inadequate because the log I used for the script reports on the same line the IP and whether it failed or succeeded.
Examples:
SYSTEM: user admin logged in from 100.64.0.33 via winbox
login failure for user admin from 100.64.0.33 via winbox

In your log, it is not on the same line, and debug logging must probably be enabled to see, for example, for
pptp,ppp,error <2867>: user 333 authentication failed
what IP is used to establish the pptp connection with session id <2867>.

The first step is to move SSH to another port. You wouldn’t believe how many of these bogus attempts this simple step will cut off, all by itself. Script kiddies and attack bots are lazy and stupid, respectively. They don’t try all possible ports for SSH; unless your threat model is “Mossad”, your attackers will only be trying port 22.


I was thinking about fail2ban

While it is possible to use fail2ban with RouterOS, it is far from trivial. You must first redirect your router logs to a host capable of running fail2ban, then script it to make calls back to the affected router to issue the block/unblock commands it’s based on.

I don’t know of anyone that has done that and packaged the solution for others to use in cookie-cutter fashion.

Therefore, the first question you should ask is, “Am I capable of being the one to do that work?”

As for your multi-line matching problem, it is possible to get around that with fail2ban, but it’ll require custom scripting.

And no, before you ask, I won’t write the fail2ban code for you. :slight_smile:

The first line is the source IP of the attack.

09:52:26 pptp,info TCP connection established from 91.191.209.234
09:52:27 pptp,ppp,error <2867>: user 333 authentication failed

:frowning:

Yes, but it is hard if in between another log line is present, something like (not a real line):

09:52:26 pptp,info TCP connection established from 91.191.209.234
09:52:26 error winbox access denied
09:52:27 pptp,ppp,error <2867>: user 333 authentication failed

or like

09:52:26 pptp,info TCP connection established from 91.191.209.234
09:52:26 pptp,info TCP connection established from 77.191.92.24
09:52:27 pptp,ppp,error <2837>: user 333 authentication failed
09:52:27 pptp,ppp,error <2844>: user 666 authentication failed

or worse, like

09:52:26 pptp,info TCP connection established from 91.191.209.234
09:52:26 pptp,info TCP connection established from 77.191.92.24
09:52:27 pptp,ppp,error <2812>: user rex successful authentication
09:52:27 pptp,ppp,error <2844>: user 666 authentication failed
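The three cases above (an unrelated line in between, two connections interleaved, a success mixed with a failure) are exactly what a fail2ban-style matcher has to survive. Below is an added Python example, not code from this thread or from the linked script, that correlates the two-line PPTP log format quoted here: a "TCP connection established from" line is attributed to the next "authentication failed" line only when it is the sole connection waiting, otherwise the failure is recorded as ambiguous with all candidate IPs, and a connection that never logs a result (like the 10:44:21 line in the posted log) is expired after a window. The sample log, the 30-second window, the "authenticated" success line, and the 203.0.113.9 address are all constructed for the example. Only unambiguous attributions are counted towards the block threshold; ambiguous ones are reported, not acted on.

```python
import re
from collections import Counter

# Constructed sample, modelled on the RouterOS /log print lines quoted in the thread.
# The "authenticated" line and the orphan 203.0.113.9 connection are made up for the example.
SAMPLE_LOG = """\
09:52:26 pptp,info TCP connection established from 91.191.209.234
09:52:27 pptp,ppp,error <2867>: user 333 authentication failed
09:53:14 pptp,info TCP connection established from 78.128.113.66
09:53:14 error winbox access denied
09:53:15 pptp,ppp,error <2868>: user 111 authentication failed
09:55:01 pptp,info TCP connection established from 91.191.209.234
09:55:02 pptp,ppp,error <2869>: user admin authentication failed
09:58:40 pptp,info TCP connection established from 91.191.209.234
09:58:41 pptp,ppp,error <2870>: user vpn authentication failed
10:28:05 pptp,info TCP connection established from 91.191.209.235
10:28:05 pptp,info TCP connection established from 77.191.92.24
10:28:06 pptp,ppp,error <2871>: user home authentication failed
10:28:06 pptp,ppp,error <2872>: user 666 authentication failed
10:44:21 pptp,info TCP connection established from 185.76.176.192
10:44:22 pptp,ppp,info <2873>: user rex authenticated
10:45:00 pptp,info TCP connection established from 203.0.113.9
10:50:00 pptp,ppp,error <2874>: user test authentication failed
"""

TS_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) ")
CONN_RE = re.compile(r"^\d\d:\d\d:\d\d pptp,info TCP connection established from (\d{1,3}(?:\.\d{1,3}){3})\s*$")
SESSION_RE = re.compile(r"^\d\d:\d\d:\d\d pptp,ppp,\w+ <(\d+)>: user (\S+) (.+?)\s*$")

WINDOW = 30  # assumed: seconds a "connection established" line may wait for its auth result


def correlate(log_text, window=WINDOW):
    """Return (attributed, ambiguous).

    attributed: (ip, user, session) where the source IP is unambiguous
    ambiguous:  (candidate ips or None, user, session) where it is not
    """
    pending = []     # (seconds, ip) of connections whose auth result has not been logged yet
    group = []       # every ip seen since pending last became empty: the candidate set
    attributed = []
    ambiguous = []
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        if not ts:
            continue
        h, m, s = (int(x) for x in ts.groups())
        now = h * 3600 + m * 60 + s  # same-day timestamps only, as /log print shows them
        # Expire connections that never reported a result, so they cannot poison later matches.
        pending = [(t, ip) for t, ip in pending if now - t <= window]
        if not pending:
            group = []
        conn = CONN_RE.match(line)
        if conn:
            pending.append((now, conn.group(1)))
            group.append(conn.group(1))
            continue
        sess = SESSION_RE.match(line)
        if not sess:
            continue  # unrelated log line (winbox, dhcp, ...) sitting in between
        session, user, outcome = sess.groups()
        if outcome == "authentication failed":
            if not pending:
                ambiguous.append((None, user, session))
            elif len(group) == 1:
                attributed.append((group[0], user, session))
            else:
                # several connections overlapped: we cannot tell which one this session is
                ambiguous.append((tuple(group), user, session))
        # Success or failure, the oldest pending connection has now reported.
        if pending:
            pending.pop(0)
        if not pending:
            group = []
    return attributed, ambiguous


def offenders(attributed, threshold):
    """IPs with at least `threshold` unambiguous failures: candidates for an address-list."""
    counts = Counter(ip for ip, _, _ in attributed)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    good, unsure = correlate(SAMPLE_LOG)
    print("attributed:", good)
    print("ambiguous:", unsure)
    print("block candidates (>=3 failures):", offenders(good, 3))
```

The design choice is to refuse to guess when two connections are in flight at once, because a wrong guess here means blocking a legitimate client; the ambiguous list is what you would review by hand or, as suggested later in the thread, resolve by restricting PPTP to a known source pool.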

Is there anything that can be done in my case?

Yes, but only if the remote connection comes every time from the same pool:
drop all incoming pptp except from that pool / address list.

Other users on this topic have good hints, but all are doable if you have some knowledge and time…