[FAIL2BAN] add banned IP's to addr list on remote RouterOS

pakjebakmeel · Wed Aug 24, 2011 12:02 pm

Hi all,

I've found how to run remote commands on the MikroTik board using SSH and a keyfile. I'm running fail2ban on my server in the DMZ, if someone tries to logon several time he/she is added the the server's iptable and all connections are blocked from the offending IP.

Rather then blocking the hosts in the server's IP Table I would like to use password-less SSH to have fail2ban add the offending IP to an address list on the MikroTik box. This shouldn't be too hard.. However:

Those IP's should not be permanent, is there any method to use the shell to add IP addresses to an address list with a time? I can do this:

/ip firewall address-list add address=x.x.x.x list=remote_evilhosts

What I would like too see:

/ip firewall address-list add address=x.x.x.x list=remote_evilhosts timeout=24h

or:

/ip firewall address-list add address=x.x.x.x list=remote_evilhosts dynamic=24h

Something like that, can it be done?

Wed Aug 24, 2011 12:17 pm

/ip firewall filter gives you action=

add-dst-to-address-list - adds destination address to address-list
add-src-to-address-list - adds source address to address-list
address-list-timeout - specifies timeout address is added to the list.

pakjebakmeel · Wed Aug 24, 2011 12:22 pm

But then I can only add the source/destination IP based on a firewall rule? I need to add offending IP's from my Gentoo server's fail2ban, but would prefer them to be dynamic. Would there be a solution around this? Would it not make sense to have the ability to add IP's to address-lists with a timeout?

For this fail2ban purpose but also for "setting and forgetting", in case you need to provide access for a period of time and not wanting to forget to remove the entry so you can leave it and it will delete itself >?

fewi · Wed Aug 24, 2011 12:57 pm

Would there be a solution around this? Would it not make sense to have the ability to add IP's to address-lists with a timeout?

That is not a current feature. You'll either have to write your code around it and manually delete items, or wait for it to get implemented (which may not happen).

CCDKP · Thu Aug 25, 2011 7:31 pm

Another option would be to use a custom rule on the firewall to trigger an event and add it to the address list.

Use something like Hping3 or scapy to send a custom packet through the router with options you should never see in real traffic (ie, a bogon address, or an invalid ICMP type, obscure or invalid TCP ports/options).
For this example, I am using ICMP 3:9 (DOD Host Prohibited), with a source IP of the attacker and a destination IP of a non-routable address (203.0.113.111 from the IANA example range).

 hping3 -c 1-C 3 -K 9 -a <Attackers IP> 203.0.113.111

Then your write a custom rule in forward to pick up this packet and take some action

add chain=forward dst-address=203.0.113.111 protocol=icmp icmp-options=3:9 action=add-src-to-address-list address-list-timeout=24h address-list=remote_evilhosts comment="Secret message from server, block for 24h"
add chain=forward dst-address=203.0.113.111 protocol=icmp icmp-options=3:9 action=drop comment="Keep secrets secret"

The only word of warning is this is for the most part a wide open way to cause the router to block things without authentication. By using a bogon IP as the destination, it prevents anyone from abusing this externally, but it doesn't prevent anyone inside the LAN from spoofing a packet and adding anything they want to the evilhosts list. I would consider implementing some sort of whitelist or safeguard with the use of the remote_evilhosts to prevent known good sources from getting added (and inadvertently getting yourself locked out of the server for 24 hours).

This isn't a perfect solution, but it gets the job done. It's security through obscurity, so be careful with what you use it for. By changing around what options and payloads you are listening for, it can also be turned around and used as a portknocking implementation to grant remote access.

--CC_DKP

Edit: Cleaning up typos.

elgo · Fri Aug 26, 2011 12:42 pm

I'm also interested in making a (gentoo, what a coincidence

) fail2ban server interact with a mikrotik router/firewall.
I see how to add an address to a list, but not how to remove an address from a list. I only see how to remove a whole list.

Basic Idea would not be to use any timeout on mikrotik device (not really standard feature and really unlikely to be implemented) but to rely on fail2ban itself (which handle "ban" and "unban" events: so basically, on each event, triggering a ssh address-list management command on mikrotik firewall). All would be done by a fine fail2ban setup.

BTW, can you rename this thread title please? Like including fail2ban into it please?

CCDKP · Fri Aug 26, 2011 4:37 pm

I see how to add an address to a list, but not how to remove an address from a list. I only see how to remove a whole list.

Basic Idea would not be to use any timeout on mikrotik device (not really standard feature and really unlikely to be implemented) but to rely on fail2ban itself (which handle "ban" and "unban" events: so basically, on each event, triggering a ssh address-list management command on mikrotik firewall). All would be done by a fine fail2ban setup.

Well why didn't you say you could have fail2ban run an "unban" event.

/ip firewall address-list remove [find address=X.X.X.X list=remote_evilhosts]

If you are relying on the server to send the unban events, you may want to add the time/date stamp as a comment when you add the host to the list, so you can identify entries which didn't get purged correctly. Optionally, consider having it purge the list every time the server reboots, or have the mikrotik purge the list once a week or so (same command as above, but without the address=x.x.x.x in the find). This way you don't have to worry about hosts that get stuck in fail2ban due to a dropped ssh tunnel, or the server rebooting and forgetting to send the unban command.

--@CC_DKP

janisk · Mon Aug 29, 2011 10:01 am

i would go API path and create something along these lines:

router config:

in ip firewall filter there is rule that drops everything from address-list named "ban"

then on your server you create small tool that is capable of RouterOS API and something like sqlite. When you have IP to add to ban list, then through API you can add the address, as return you get .id value of the entry you just added, store that in sql with time when this has to be removed. And then just periodically check for the time outs in the table, when it is reached you already have .id value to remove.

a little hackish solution would be:
router config:
you have 2 firewall rules one that check list - to-ban and other as previously ban. rule that looks in to-ban looks for destination address to be in to-ban list and adds entry in ban list with add-dst-to-address-list where you can set time.

now your API tool creates entry on the router in to-ban list, and sends ICMP packet with required DST address. your firewall will catch it and add it to ban list. You can check from the tool if address is added into ban list by firewall, and then remove address from to-ban list

elgo · Tue Aug 30, 2011 12:17 pm

Well why didn't you say you could have fail2ban run an "unban" event.

Well, I'm not the OP, I just joined the conversation

/ip firewall address-list remove [find address=X.X.X.X list=remote_evilhosts]

Owww, thank you very much, I was looking in /ip firewall filter section...

@janisk: luckily fail2ban already manage all these stuff internally (hosts storage, timers expiring, etc). Heavy artillery shouldn't be necessary in this case

Optionally, consider having it purge the list every time the server reboots

Right. FYI, fail2ban allows "easy" implementation of new service monitorings (well, not new in our case (ssh)) and new "actions" (command to run on events).
Are defined following events: actionstart, actionstop, actioncheck, actionban, actionunban.
If flushing when starting/stoping, this should be quite easy doying a proper fail2ban/rOS integration provided I can pass commands to routerboard via ssh (keys auth) without a problem.
Having a global behaviour juste like already written iptables events' actions should be a good start (playing with a single address list instead of a single chain).

I'll look into it when I've some time.

Thanks for your help guys.

pakjebakmeel · Tue Aug 30, 2011 2:55 pm

That all sounds hopeful. Thanks for the help so far. I hope I can find the time to do some testing with the provided options this weekend.

pakjebakmeel · Wed Aug 31, 2011 4:43 pm

WHOOHOO!

Success! A quick guide:

1. Get DSA authentication on the MikroTik box: http://wiki.mikrotik.com/wiki/Use_SSH_t ... y_login%29
2. Install Fail2Ban on an internal or DMZ server and configure some jails in jail.conf. Mine looks like this for SSH and FTPS (relevant portion only):

[ssh-MikroTik]

enabled  = true
filter   = sshd
action   = MikroTik
logpath  = /var/log/messages
maxretry = 5

[proftpd-MikroTik]

enabled  = true
filter   = proftpd
action   = MikroTik
logpath  = /var/log/messages
maxretry = 5

Note that the action is "MikroTik".

3. Create the action file MikroTik.conf:

[Definition]

actionstart = ssh -i PATHTOSSHKEYFILE USER@MIKROTIKBOX "/ip firewall address-list remove [find list=Fail2Ban]"
actionstop = ssh -i PATHTOSSHKEYFILE USER@MIKROTIKBOX "/ip firewall address-list remove [find list=Fail2Ban]"

actioncheck = ""
actionban = ssh -i PATHTOSSHKEYFILE USER@MIKROTIKBOX "/ip firewall address-list add list=Fail2Ban address=<ip> comment=<time>"
actionunban = ssh -i PATHTOSSHKEYFILE USER@MIKROTIKBOX "/ip firewall address-list remove [find address=<ip> list=Fail2Ban]"

4. Restart Fail2Ban to load the new config. You can test the command line commands from bash first and check the address list in MikroTik to confirm that the list is actually updated.

When I start or stop the service all IP's on the Fail2Ban address list are purged. When someone fails authentication too much times they are added to the address list and banned. When the unban command runs after an amount of time that you have configured only that IP is removed from the address list.

SWEET!

janisk · Thu Sep 01, 2011 8:20 am

@janisk: luckily fail2ban already manage all these stuff internally (hosts storage, timers expiring, etc). Heavy artillery shouldn't be necessary in this case

When all you have is a hammer, everything looks like a nail.

pakjebakmeel · Wed Sep 28, 2011 9:43 am

This is still working like a charm and I haven't had any issues with it yet. All the records are properly purged over a reboot or deamon restart.

Just FYI.

pincio · Wed Sep 14, 2016 12:16 pm

Hi guys,

if you want to implement a fail2ban interaction with Router OS by API, i have write an action script.

https://github.com/pincioc/fail2ban_mikrotik

It's also include a nagios plugin for monitoring the elements in address-list.

pincio

Sanalturkey · Wed Dec 04, 2019 1:19 pm

Bump

I couldn't solve this problem. Where am I making a mistake.

2019-12-04 14:07:59,331 fail2ban.actions        [14467]: NOTICE  [ssh] Ban 128.199.154.237
2019-12-04 14:07:59,342 fail2ban.utils          [14467]: Level 39 7efe001068b0 -- exec: mikrotik "/ip firewall address-list add list=Fail2Ban address=128.199.154.237 comment=1575457678.0"
2019-12-04 14:07:59,342 fail2ban.utils          [14467]: ERROR   7efe001068b0 -- stderr: '/usr/bin/mikrotik: line 2: /usr/bin/ssh: Permission denied'
2019-12-04 14:07:59,342 fail2ban.utils          [14467]: ERROR   7efe001068b0 -- returned 126

Thanks.

[FAIL2BAN] add banned IP's to addr list on remote RouterOS

[FAIL2BAN] add banned IP's to addr list on remote RouterOS

Re: Remote SSH commands

Re: Remote SSH commands

Re: Remote SSH commands

Re: Remote SSH commands

Re: Remote SSH commands

Re: Remote SSH commands

Re: Remote SSH commands

Re: Remote SSH commands

Re: [FAIL2BAN] add banned IP's to addr list on remote Router

Re: [FAIL2BAN] add banned IP's to addr list on remote Router

Re: Remote SSH commands

Re: [FAIL2BAN] add banned IP's to addr list on remote Router

Re: [FAIL2BAN] add banned IP's to addr list on remote RouterOS

Re: [FAIL2BAN] add banned IP's to addr list on remote RouterOS

Who is online