fail2mtblock - Linux 0 tolerance blocking script for MikroTik

Hello there!

I’ve created a little Linux script that blocks, at MikroTik’s firewall, failed login attempts made on Linux servers

This script will parse secure/auth logs from the local (or a remote) system and, based on failed login attempts, will:

  • create an unwanted IP list,
  • download the already blocked list from MikroTik,
  • compare both lists,
  • add new unwanted IPs to the MikroTik block list.

Naturally the initial run of this script will require some time and resources to parse (which can be avoided, see below); each next run requires a minimum amount of effort to finish. For best performance, using logrotate is advised.

Additionally, because blocking is maintained by the MikroTik router, all servers are protected.


I want to avoid copying too much text so please check my GitHub :slight_smile:

https://github.com/urbinek/fail2mtblock



Also, some suggestions for improvement would be nice.
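The parse / download / compare / add loop described above, as an added Python sketch that is not the fail2mtblock code itself: it assumes sshd-style lines from secure/auth.log, the output of RouterOS `/ip firewall address-list print terse` fetched beforehand (e.g. over SSH), and an address-list name of `fail2mtblock`; the log lines and router output below are constructed samples.

```python
import re
from typing import Iterable, List, Set

# Matches sshd failed-login lines from /var/log/secure or /var/log/auth.log
# and captures the source IPv4 address (IPv6 is out of scope here).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?"
    r"from (\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample lines standing in for the local auth log.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2231]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:07 web1 sshd[2240]: Invalid user admin from 198.51.100.7 port 51240
Mar  3 10:15:09 web1 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  3 10:16:00 web1 sshd[2250]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
"""

# Constructed sample of what '/ip firewall address-list print terse' returns
# for the list already on the router (the list name is an assumption).
SAMPLE_ADDRESS_LIST = " 0   list=fail2mtblock address=203.0.113.5 comment=fail2mtblock\n"

def unwanted_ips(log_lines: Iterable[str]) -> Set[str]:
    """Zero tolerance: one failed attempt is enough to list the source."""
    found = set()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            found.add(m.group(1))
    return found

def blocked_ips(address_list_output: str) -> Set[str]:
    """Addresses already present in the router's address-list output."""
    return set(re.findall(r"address=(\d{1,3}(?:\.\d{1,3}){3})", address_list_output))

def new_block_commands(log_lines: Iterable[str], address_list_output: str,
                       list_name: str = "fail2mtblock") -> List[str]:
    """Diff both sets and emit one RouterOS command per address not yet blocked."""
    new_ips = sorted(unwanted_ips(log_lines) - blocked_ips(address_list_output))
    return [f"/ip firewall address-list add list={list_name} address={ip} "
            f"comment=fail2mtblock" for ip in new_ips]

if __name__ == "__main__":
    for cmd in new_block_commands(SAMPLE_LOG.splitlines(), SAMPLE_ADDRESS_LIST):
        print(cmd)
```

The emitted commands are what the server would send to the router over SSH; the address list only drops traffic once a firewall filter (or raw) rule references it, so that rule has to exist on the MikroTik side.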

You could consider putting the blocklist in a DNS name and loading it from there.
This means you don’t need scripts on the MikroTik, only on the server that pinpoints the attackers.
When there already is a DNS server on that system it may be easier to put the addresses in a zone
like blocklist.yourdomain.local and put that in the MikroTik.
(of course assuming that the DNS resolving will be done by that server)

Well, the script is on the server and it is only downloading/sending IPs to MikroTik

It seems to be easier than using DNS zones