Use Mikrotik as Fail2ban firewall

From MikroTik Wiki
Jump to: navigation, search

The Explanation

This tutorial is about how to configure Fail2ban to use Mikrotik as Firewall. Fail2ban is very halpfull application Its allows system administrators easily detect and prevent attack attempts. It's scaning log files (e.g. /var/log/auth.log) and bans IPs that show the malicious signs (too many password failures, seeking for exploits, etc..). By default Fail2ban using IPTables as firewall software but today I will show you how to configure system to put all firewall rules in one place.

P.S Fail2Ban comes with filters for various services (apache, curier, ssh, postfix, asterisk, etc).

OK lets start :-)

Preparing

Our first point must be generation SSH key for secure remote login

Note that RouterOS 2.9.13 and upper versions supporting SSH logins.

Icon-note.png

Note: New RouterOS versions v6 and up requires RSA keys


Use this command to generate keys.

admin@linux:/$ ssh-keygen -t dsa

Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
b8:ea:79:ad:61:c4:e0:1a:66:46:5b:0e:70:b6:aa:38 user@example.org
The key's randomart image is:
+--[ DSA 1024]----+
|. o        |
| + .        |
|  + o        |
| o * o .         |
|. * o + S    |
|o+ o . .         |
|E .   +.      |
| .   +...         |
|   .+...       |
+---------+

DO NOT WRITE ANY PASSPHRASE. Now we need to upload and import id_dsa.pub key to mikrotik. File is located at /home/user/.ssh/id_dsa.pub if you are using root account then /root/.ssh/id_dsa.pub

Configuration on Mikrotik side

[admin@mikrotik] > user add name=linux address=LINUX-SERVER-IP-ADDRESS group=full

This command will add a user without password with full permissions login allowed from only your linux machine.

[admin@mikrotik]> user ssh-keys import public-key-file=id_dsa.pub user=linux

This command will import your uploaded id_dsa public key to key mikrotik store.

Configuration on Linux side

On Linux side we must create a file named mikrotik to /usr/bin/ dir.

touch /usr/bin/mikrotik

and put this bash script into this file.

#!/bin/bash
ssh -l linux -p22 -i /root/.ssh/id_dsa MIKROTIK-IP-ADDRESS "$1"

OK.

now create a new file in /etc/fail2ban/action.d/ directory with name mikrotik.conf

nano /etc/fail2ban/action.d/mikrotik.conf 

and put this text to that file.

# Fail2Ban configuration file
#
# Author: Ludwig Markosyan
# Release 09/02/2013
#
# $Version: 1.0 BETA $
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =


# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =


# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =


# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = mikrotik ":ip firewall filter add action=drop chain=forward dst-address=<ip> comment=AutoFail2ban-<ip>"


# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#

actionunban =  mikrotik ":ip firewall filter remove [:ip firewall filter find comment=AutoFail2ban-<ip>]"
Icon-note.png

Note: Instead of adding drop rule for each IP, you could use single drop rule and address list to save CPU resources


OK now we configured ban and unban actions

Then we must edit jail.conf file to tell Fail2ban to use mikrotik as ban action.

 nano /etc/fail2ban/jail.conf


I will show you example for ASTERISK jail you can use any other as you want.

[ASTERISK]
enabled  = true
filter   = asterisk
action = mikrotik
          sendmail-whois[name=ASTERISK, dest=me@ludnix.info, sender=fail2ban@ludnix.info]
logpath  = /var/log/asterisk/full
maxretry = 10
bantime = 3600

OK It's all. I'm opened to listen any questions and remarks about this script. you can write me at "ludwig@markosyan.info'


Thanks for your interest.