Fail2ban Scripts for RouterOS

Posted: Sat Aug 25, 2018 3:20 pm
by kurispo
# This is a System Scheduler script.
# Fail2ban for MikroTik RouterOS. By xiaoD 27705090@qq.com

# Define how many failed logins from the same address are allowed before it is banned.
:local maxtried 10

# Define the timeout of banned addresses [1d: one day, 30m: 30 minutes].
:local ban_time 3d

# Define the exception address that will never be banned.
:local ex_ip 1.2.3.4

# Begin script.
# Default rule check and build: drop input traffic from addresses on the "ban" list.
:if ([:len [/ip fi fi find comment=fail2ban]]=0) do={/ip fi fi add chain=input src-address-list=ban action=drop comment=fail2ban}
# Every run rescans the whole log buffer, so a failure line is counted again on each run while the 1-minute "login_failure" entry is alive.
/log
:foreach i in=[find message~"login failure" ] do={
:local msg [get $i message]
# Message format: "login failure for user X from 1.2.3.4 via ssh"; take the text between "from " and " via" and convert it to an IP.
:local theip [:toip [:pick $msg ([:find $msg "from "]+5) [:find $msg " via"]]]
:if ($theip != $ex_ip) do={
:local timesban [:len [/ip fi addr find list=ban address=$theip]]
:if ($timesban = 0) do={
:local times [:len [/ip fi addr find list=login_failure address=$theip]]
# The counter is kept in the entry comment; convert it with :tonum before adding 1 so the increment is arithmetic, not string concatenation.
:if ($times = 0) do={/ip fi addr add list=login_failure address=$theip timeout=1m comment=1} else={:local thecm ([:tonum [/ip fi addr get [find list=login_failure address=$theip] comment]] + 1);:if ($thecm > $maxtried) do={/ip fi addr add list=ban timeout=$ban_time address=$theip} else={/ip fi addr set [find list=login_failure address=$theip] comment=$thecm}}
}
}
}
# End script.

Re: Fail2ban Scripts for RouterOS

Posted: Fri Feb 14, 2020 10:24 am
by v00d00
Hello there,
Interested in your script.

Tried to test it but no results, no errors.

routeros version: 6.46.1.

Let me know if you can support.

Thank you.
Respectfully,
VD

Re: Fail2ban Scripts for RouterOS

Posted: Fri Apr 03, 2020 12:40 am
by ccp421
Remove all _ and it will work; tested on 6.46.4. Also move the firewall rule to the top.

Awesome Script Thanks

Re: Fail2ban Scripts for RouterOS

Posted: Mon Apr 06, 2020 12:46 pm
by Jotne
I have cleaned up the script, but do not trust this for outside access to your router. It is far from enough.

If you need to access your router from a public site, do use:

1. VPN (best solution)

2. If a VPN cannot be used:
Use an access list to limit access to only certain IPs
Do not use the default port
Open only the one port that is needed
Use port knocking
Log all access to your router (to an external site/disk)
Use a good password

# This is a System Scheduler script.
# Fail2ban for MikroTik RouterOS. By xiaoD 27705090@qq.com

# Define how many failed logins from the same address are allowed before it is banned.
:local maxtried 10

# Define the timeout of banned addresses [1d: one day, 30m: 30 minutes].
:local bantime 3d

# Define the exception address that will never be banned.
:local exip 1.2.3.4

# Begin script.
# Default rule check and build: drop input traffic from addresses on the "ban" list.
# Move this rule near the top of the input chain so it is hit before any accept rule.
:if ([:len [/ip firewall filter find comment=fail2ban]] = 0) do={
    /ip firewall filter add chain=input src-address-list=ban action=drop comment=fail2ban
}

# Every run rescans the whole log buffer, so a failure line is counted again on each run
# while the 1-minute "loginfailure" entry for that address is still alive.
/log
:foreach i in=[find message~"login failure"] do={
    :local msg [get $i message]
    # Message format: "login failure for user X from 1.2.3.4 via ssh";
    # take the text between "from " and " via" and convert it to an IP.
    :local theip [:toip [:pick $msg ([:find $msg "from "] + 5) [:find $msg " via"]]]
    :if ($theip != $exip) do={
        :local timesban [:len [/ip firewall address-list find list=ban address=$theip]]
        :if ($timesban = 0) do={
            :local times [:len [/ip firewall address-list find list=loginfailure address=$theip]]
            :if ($times = 0) do={
                /ip firewall address-list add list=loginfailure address=$theip timeout=1m comment=1
            } else={
                # The counter is kept in the entry comment; convert it with :tonum before
                # adding 1 so the increment is arithmetic, not string concatenation.
                :local thecm ([:tonum [/ip firewall address-list get [find list=loginfailure address=$theip] comment]] + 1)
                :if ($thecm > $maxtried) do={
                    /ip firewall address-list add list=ban timeout=$bantime address=$theip
                } else={
                    /ip firewall address-list set [find list=loginfailure address=$theip] comment=$thecm
                }
            }
        }
    }
}
# End script.
PS see my Splunk project for logging. viewtopic.php?t=137338

Re: Fail2ban Scripts for RouterOS

Posted: Sat May 02, 2020 8:17 pm
by carlosgsca
Hi

Very good script. Two questions:

- What changes would it need to make it work with pptp failed access, like the sample below?
- How often do you run it in the scheduler? 1 minute?

Thanks!
07:40:29 pptp,ppp,error <476>: user test1 authentication failed 
07:40:30 pptp,info TCP connection established from 92.63.194.41 
07:40:30 pptp,ppp,error <477>: user test authentication failed 
07:40:31 pptp,info TCP connection established from 92.63.194.42 
07:40:32 pptp,ppp,error <478>: user 111 authentication failed 
07:40:32 pptp,info TCP connection established from 92.63.194.58 
07:40:33 pptp,ppp,error <479>: user user1 authentication failed 
07:40:33 pptp,info TCP connection established from 92.63.194.26 
07:40:34 pptp,ppp,error <480>: user 1234 authentication failed 
07:40:34 pptp,info TCP connection established from 92.63.194.35 
07:40:35 pptp,ppp,error <481>: user admin authentication failed 
07:40:35 pptp,info TCP connection established from 92.63.194.40 
07:40:36 pptp,ppp,error <482>: user vpn authentication failed 
07:40:36 pptp,info TCP connection established from 92.63.194.41 
07:40:37 pptp,ppp,error <483>: user test authentication failed 
07:40:37 pptp,info TCP connection established from 92.63.194.42
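As an added example that is not part of this thread or of the forum script (and that runs in plain Python rather than on the router), the following applies the same counting rule the script uses, the maxtried threshold and the exempt address, to sample log lines, and extends it to the PPTP log shape asked about in the post above. The assumptions are mine, not the script's: a PPTP failure line carries a tunnel id but no address, so it is attributed to the most recent preceding "TCP connection established from" line (a heuristic that misattributes when several tunnels are set up at the same time); the prefix_len aggregation, which collapses a scan that rotates through one /24 into a single network entry, is an addition; the ssh/winbox sample lines are constructed, the PPTP lines are the ones pasted above.

```python
"""Fail2ban-style counting over RouterOS log lines (added example, plain Python).

Two message shapes are handled:
  1. "login failure for user <u> from <ip> via <service>"  - what the RouterOS script parses
  2. PPTP: "TCP connection established from <ip>" on one line and
     "<id>: user <u> authentication failed" on a later line that carries no address.
     The failure is attributed to the most recent preceding connection line. This is a
     heuristic (assumption) and is wrong when several tunnels are being set up concurrently.
"""
import ipaddress
import re
from collections import Counter
from typing import Iterable, Iterator, List, Tuple

LOGIN_FAILURE = re.compile(r"login failure for user \S+ from (?P<ip>\d+(?:\.\d+){3}) via \S+")
PPTP_CONNECT = re.compile(r"TCP connection established from (?P<ip>\d+(?:\.\d+){3})")
PPTP_FAILURE = re.compile(r"<\d+>: user \S+ authentication failed")


def failure_sources(lines: Iterable[str]) -> Iterator[str]:
    """Yield one source address per failed login found in the log lines."""
    last_pptp_peer = None
    for line in lines:
        m = LOGIN_FAILURE.search(line)
        if m:
            yield m.group("ip")
            continue
        m = PPTP_CONNECT.search(line)
        if m:
            last_pptp_peer = m.group("ip")
            continue
        if PPTP_FAILURE.search(line) and last_pptp_peer is not None:
            yield last_pptp_peer
            # One failure per established connection. A failure with no preceding
            # connection line (e.g. the buffer rolled over) cannot be attributed and is dropped.
            last_pptp_peer = None


def ban_candidates(lines: Iterable[str], maxtried: int = 10,
                   exceptions: Tuple[str, ...] = ("1.2.3.4",),
                   prefix_len: int = 32) -> List[Tuple[str, int]]:
    """Return [(network, failures)] for every source with more than maxtried failures.

    prefix_len=32 reproduces the script's per-address rule; a shorter prefix (e.g. 24)
    aggregates a scan that rotates through one /24 into a single entry. RouterOS address
    lists accept networks, so the result can be added as-is (hypothetical aggregation).
    """
    counts: Counter = Counter()
    for ip in failure_sources(lines):
        if ip in exceptions:  # the script's exception address, never banned
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return sorted((net, n) for net, n in counts.items() if n > maxtried)


# Constructed sample: ssh/winbox lines in the format the script parses, followed by the
# PPTP lines pasted in the post above.
SAMPLE_LOG = (
    ["login failure for user admin from 203.0.113.7 via ssh"] * 11
    + ["login failure for user admin from 1.2.3.4 via winbox",   # exception address
       "login failure for user root from 198.51.100.9 via ssh"]  # below threshold
    + """07:40:29 pptp,ppp,error <476>: user test1 authentication failed
07:40:30 pptp,info TCP connection established from 92.63.194.41
07:40:30 pptp,ppp,error <477>: user test authentication failed
07:40:31 pptp,info TCP connection established from 92.63.194.42
07:40:32 pptp,ppp,error <478>: user 111 authentication failed
07:40:32 pptp,info TCP connection established from 92.63.194.58
07:40:33 pptp,ppp,error <479>: user user1 authentication failed
07:40:33 pptp,info TCP connection established from 92.63.194.26
07:40:34 pptp,ppp,error <480>: user 1234 authentication failed
07:40:34 pptp,info TCP connection established from 92.63.194.35
07:40:35 pptp,ppp,error <481>: user admin authentication failed
07:40:35 pptp,info TCP connection established from 92.63.194.40
07:40:36 pptp,ppp,error <482>: user vpn authentication failed
07:40:36 pptp,info TCP connection established from 92.63.194.41
07:40:37 pptp,ppp,error <483>: user test authentication failed
07:40:37 pptp,info TCP connection established from 92.63.194.42""".splitlines()
)

if __name__ == "__main__":
    for net, n in ban_candidates(SAMPLE_LOG):
        print(f"ban {net} ({n} failures)")
    for net, n in ban_candidates(SAMPLE_LOG, maxtried=5, prefix_len=24):
        print(f"ban {net} ({n} failures, aggregated per /24)")
```

With the per-address rule only 203.0.113.7 crosses the threshold; the PPTP scan in the sample never exceeds two failures from any single address, which is why it only shows up once failures are aggregated per /24. The first PPTP failure line (<476>) has no preceding connection line in the paste and is not attributed to anyone.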