Use Mikrotik as Fail2ban firewall
The Explanation
This tutorial explains how to configure Fail2ban to use a MikroTik router as its firewall. Fail2ban is a very helpful application: it allows system administrators to easily detect and prevent attack attempts. It scans log files (e.g. /var/log/auth.log) and bans IPs that show malicious signs (too many password failures, probing for exploits, etc.). By default Fail2ban uses iptables as its firewall software, but today I will show you how to configure the system so that all firewall rules are kept in one place.
P.S. Fail2ban comes with filters for various services (apache, courier, ssh, postfix, asterisk, etc.).
OK, let's start :-)
Preparing
Our first step is to generate an SSH key for secure remote login.
Note that RouterOS 2.9.13 and later versions support SSH logins.
Note: new RouterOS versions (v6 and up) require RSA keys.
Use this command to generate the keys.
admin@linux:/$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
b8:ea:79:ad:61:c4:e0:1a:66:46:5b:0e:70:b6:aa:38 user@example.org
The key's randomart image is:
+--[ DSA 1024]----+
|. o              |
| + .             |
| + o             |
| o * o .         |
|. * o + S        |
|o+ o . . .       |
|E . +.           |
| . +...          |
| .+...           |
+-----------------+
DO NOT ENTER ANY PASSPHRASE. Now we need to upload the id_dsa.pub key to the MikroTik and import it. The file is located at /home/user/.ssh/id_dsa.pub, or at /root/.ssh/id_dsa.pub if you are using the root account.
Configuration on Mikrotik side
[admin@mikrotik] > user add name=linux address=LINUX-SERVER-IP-ADDRESS group=full
This command adds a user without a password, with full permissions, who is allowed to log in only from your Linux machine.
[admin@mikrotik]> user ssh-keys import public-key-file=id_dsa.pub user=linux
This command imports your uploaded id_dsa public key into the MikroTik key store.
Configuration on Linux side
On the Linux side we must create a file named mikrotik in the /usr/bin/ directory.
touch /usr/bin/mikrotik
and put this bash script into that file.
#!/bin/bash
# Usage: mikrotik "<RouterOS command>"
# Runs the given command on the router over SSH as user "linux", authenticating
# with the key generated above. Make the file executable: chmod +x /usr/bin/mikrotik
ssh -l linux -p22 -i /root/.ssh/id_dsa MIKROTIK-IP-ADDRESS "$1"
OK.
Now create a new file named mikrotik.conf in the /etc/fail2ban/action.d/ directory:
nano /etc/fail2ban/action.d/mikrotik.conf
and put this text into that file.
# Fail2Ban configuration file
#
# Author: Ludwig Markosyan
# Release 09/02/2013
#
# $Version: 1.0 BETA $
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip>        IP address
#         <failures>  number of failures
#         <time>      unix timestamp of the ban time
# Values: CMD
#
actionban = mikrotik ":ip firewall filter add action=drop chain=forward dst-address=<ip> comment=AutoFail2ban-<ip>"

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip>        IP address
#         <failures>  number of failures
#         <time>      unix timestamp of the ban time
# Values: CMD
#
actionunban = mikrotik ":ip firewall filter remove [:ip firewall filter find comment=AutoFail2ban-<ip>]"
Note: instead of adding a drop rule for each IP, you could use a single drop rule and an address list to save CPU resources.
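The wrapper script from the Linux side and the address-list note above come together in the following helper. It is an added example, not the page's script and not MikroTik's or Fail2ban's own code. It assumes an installed path of /usr/bin/mikrotik-f2b, the RouterOS user linux and the key path /root/.ssh/id_dsa from this page (an RSA key on RouterOS v6 and up), the environment variable names F2B_ROUTER, F2B_ROUTER_USER, F2B_ROUTER_PORT, F2B_ROUTER_KEY and F2B_LIST, and the list name fail2ban; all of these names are my choices. Bans become address-list entries behind one drop rule that is created only once (so a Fail2ban restart does not stack duplicates), and the banned host is matched as src-address, because a dst-address rule in the forward chain only drops the server's replies while the attacker's packets still reach the server. Every address is checked to be a plain dotted-quad before it becomes part of a RouterOS command.

```shell
#!/bin/sh
# Added example, not the page's script: Fail2ban -> MikroTik helper that keeps one
# drop rule on the router and bans by adding the attacker to an address list.
# Assumed deployment: installed as /usr/bin/mikrotik-f2b, RouterOS user "linux"
# (as on the page) with its key in /root/.ssh/id_dsa; the environment variable
# names below are this example's own.
ROUTER=${F2B_ROUTER:-MIKROTIK-IP-ADDRESS}   # placeholder: set to the router's IP
ROUTER_USER=${F2B_ROUTER_USER:-linux}
ROUTER_PORT=${F2B_ROUTER_PORT:-22}
KEY=${F2B_ROUTER_KEY:-/root/.ssh/id_dsa}    # RSA key on RouterOS v6 and up
LIST=${F2B_LIST:-fail2ban}                  # address list the drop rule refers to

valid_ip() {
    # Accept only a dotted-quad IPv4 address with octets 0-255. Fail2ban
    # substitutes <ip> before the shell sees it; this check guarantees that
    # nothing but an address ever becomes part of a router command.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

ban_cmd() {
    # RouterOS command that bans one address. The attacker is matched as the
    # source of the traffic, so its packets are dropped on the way in.
    valid_ip "$1" || return 1
    printf '/ip firewall address-list add list=%s address=%s comment=AutoFail2ban-%s\n' "$LIST" "$1" "$1"
}

unban_cmd() {
    valid_ip "$1" || return 1
    printf '/ip firewall address-list remove [find list=%s address=%s]\n' "$LIST" "$1"
}

start_cmd() {
    # Create the single drop rule only if it is not there yet. chain=forward
    # matches the page's setup (server behind the router); use chain=input when
    # the protected service runs on the router itself. The rule must sit above
    # any rule that accepts the traffic.
    printf ':if ([:len [/ip firewall filter find comment=AutoFail2ban-list]] = 0) do={ /ip firewall filter add chain=forward src-address-list=%s action=drop comment=AutoFail2ban-list }\n' "$LIST"
}

stop_cmd() {
    # Clear the list on shutdown; the drop rule stays but then matches nothing.
    printf '/ip firewall address-list remove [find list=%s]\n' "$LIST"
}

run_cmd() {
    # BatchMode makes ssh fail instead of waiting for a password, and an unknown
    # router host key is an error rather than a prompt, so Fail2ban never hangs.
    ssh -o BatchMode=yes -o ConnectTimeout=5 -l "$ROUTER_USER" -p "$ROUTER_PORT" \
        -i "$KEY" "$ROUTER" "$1"
}

main() {
    case $1 in
        start) run_cmd "$(start_cmd)" ;;
        stop)  run_cmd "$(stop_cmd)" ;;
        ban)   cmd=$(ban_cmd "$2") || { echo "mikrotik-f2b: refusing '$2'" >&2; exit 2; }
               run_cmd "$cmd" ;;
        unban) cmd=$(unban_cmd "$2") || { echo "mikrotik-f2b: refusing '$2'" >&2; exit 2; }
               run_cmd "$cmd" ;;
        *)     echo "usage: $0 start|stop|ban IP|unban IP" >&2; exit 2 ;;
    esac
}

# Dispatch only when invoked with arguments (Fail2ban always passes them), so the
# functions can also be sourced and exercised without touching a router.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

With this helper in place, the action file from above would point at it: actionstart = mikrotik-f2b start, actionstop = mikrotik-f2b stop, actionban = mikrotik-f2b ban <ip>, actionunban = mikrotik-f2b unban <ip>. The router's host key must already be in root's known_hosts, because BatchMode refuses to prompt, and a RouterOS user with only the ssh, read and write policies is enough for these commands, so group=full is not required.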
OK, now we have configured the ban and unban actions.
Next we must edit the jail.conf file to tell Fail2ban to use mikrotik as the ban action.
nano /etc/fail2ban/jail.conf
I will show an example for the ASTERISK jail; you can use any other jail as you want.
[ASTERISK]
enabled  = true
filter   = asterisk
action   = mikrotik
           sendmail-whois[name=ASTERISK, dest=me@ludnix.info, sender=fail2ban@ludnix.info]
logpath  = /var/log/asterisk/full
maxretry = 10
bantime  = 3600
OK, that's all. I'm open to any questions and remarks about this script. You can write to me at "ludwig@markosyan.info".
Thanks for your interest.