Community discussions

MikroTik App
 
kurispo
just joined
Topic Author
Posts: 1
Joined: Thu Aug 07, 2014 2:29 pm

Fail2ban Scripts for RouterOS

Sat Aug 25, 2018 3:20 pm

#This's a System Scheduler Script.
#Fail2ban for Mik RouterOs . By xiaoD 27705090@qq.com

#define How many times login failed from same address will be ban.
:local maxtried 10

#define The baned addresses timeout.[1d: one day,30m: 30 minutes]
:local ban_time 3d

#define The exception address will not be ban.
:local ex_ip 1.2.3.4

#Begin Script.
#default Rules check and build
:if ([:len [/ip fi fi find comment=fail2ban]]=0) do={/ip fi fi add chain=input src-address-list=ban action=drop comment=fail2ban}
/log
:foreach i in=[find message~"login failure" ] do={
:local msg [get $i message]
:local theip [:pick $msg ([:find $msg "from "]+5) [:find $msg " via"]]
:if ($theip != $ex_ip) do={
:local timesban [:len [/ip fi addr find list=ban address=$theip]]
:if ($timesban = 0) do={
:local times [:len [/ip fi addr find list=login_failure address=$theip]]
:if ($times = 0) do={/ip fi addr add list=login_failure address=$theip timeout=1m comment=1} else={:local thecm [:tonum ([/ip fi addr get [find list=login_failure address=$theip] comment] + 1)];:if ($thecm > $maxtried ) do={[/ip fi addr add list=ban timeout=$ban_time address=$theip]} else={/ip fi addr set [find list=login_failure address=$theip] comment=$thecm}}
}
}
}
#End Script.
 
User avatar
v00d00
newbie
Posts: 35
Joined: Wed Nov 16, 2005 11:56 am
Location: Romania

Re: Fail2ban Scripts for RouterOS

Fri Feb 14, 2020 10:24 am

Hello there,
Interested in your script.

Tried to test it but no results, no errors.

routeros version: 6.46.1.

Let me know if you can support.

Thank you.
Respectfully,
VD
 
ccp421
just joined
Posts: 2
Joined: Sat Mar 25, 2017 6:16 am

Re: Fail2ban Scripts for RouterOS

Fri Apr 03, 2020 12:40 am

Remove all _ and it will work tested on 6.46.4 Also move the firewall rule to the top.

Awesome Script Thanks
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1805
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Fail2ban Scripts for RouterOS

Mon Apr 06, 2020 12:46 pm

I have cleaned up the script, but do not trust on this for outside access to your router. This is far from enough.

If you need to access tour router from a public site, do use:

1. VPN (best solution)

2. If VPN can not be used.
Use access list to limit to only certain IP
Do not use default port
Open only one needed port.
Use port knocking
Log all access to your router (to an external site/disk)
Use a good password

# This's a System Scheduler Script.
# Fail2ban for MikroTik RouterOs . By xiaoD 27705090@qq.com

# Define how many times login failed from same address will be ban.
:local maxtried 10

# Define the baned addresses timeout.[1d: one day,30m: 30 minutes]
:local bantime 3d

# Define the exception address will not be ban.
:local exip 1.2.3.4

# Begin Script.
# Default rules check and build
:if ([:len [/ip fi fi find comment=fail2ban]]=0) do={
	/ip fi fi add chain=input src-address-list=ban action=drop comment=fail2ban
}

/log
:foreach i in=[find message~"login failure" ] do={
	:local msg [get $i message]
	:local theip [:pick $msg ([:find $msg "from "]+5) [:find $msg " via"]]
	:if ($theip != $exip) do={
		:local timesban [:len [/ip fi addr find list=ban address=$theip]]
		:if ($timesban = 0) do={
			:local times [:len [/ip fi addr find list=loginfailure address=$theip]]
			:if ($times = 0) do={
				/ip fi addr add list=loginfailure address=$theip timeout=1m comment=1
			} else={
				:local thecm [:tonum ([/ip fi addr get [find list=loginfailure address=$theip] comment] + 1)]
				:if ($thecm > $maxtried ) do={
					[/ip fi addr add list=ban timeout=$bantime address=$theip]
				} else={/ip fi addr set [find list=loginfailure address=$theip] comment=$thecm
				}
			}
		}
	}
}
# End Script.
PS see my Splunk project for logging. viewtopic.php?t=137338
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
carlosgsca
just joined
Posts: 1
Joined: Sat May 02, 2020 8:12 pm

Re: Fail2ban Scripts for RouterOS

Sat May 02, 2020 8:17 pm

Hi

Very good script. Two questions:

- What changes would it need to make it work with pptp failed access, like the sample bellow.
- How often do you run it in the scheduler? 1 minute?

Thanks!
07:40:29 pptp,ppp,error <476>: user test1 authentication failed 
07:40:30 pptp,info TCP connection established from 92.63.194.41 
07:40:30 pptp,ppp,error <477>: user test authentication failed 
07:40:31 pptp,info TCP connection established from 92.63.194.42 
07:40:32 pptp,ppp,error <478>: user 111 authentication failed 
07:40:32 pptp,info TCP connection established from 92.63.194.58 
07:40:33 pptp,ppp,error <479>: user user1 authentication failed 
07:40:33 pptp,info TCP connection established from 92.63.194.26 
07:40:34 pptp,ppp,error <480>: user 1234 authentication failed 
07:40:34 pptp,info TCP connection established from 92.63.194.35 
07:40:35 pptp,ppp,error <481>: user admin authentication failed 
07:40:35 pptp,info TCP connection established from 92.63.194.40 
07:40:36 pptp,ppp,error <482>: user vpn authentication failed 
07:40:36 pptp,info TCP connection established from 92.63.194.41 
07:40:37 pptp,ppp,error <483>: user test authentication failed 
07:40:37 pptp,info TCP connection established from 92.63.194.42

Who is online

Users browsing this forum: No registered users and 25 guests