- mikrotik-fwban acts as a syslog receiver and tries to extract an IP address out of the messages received. It then adds the IPs to the banlist on the configured Mikrotiks. In essence it is a Fail2Ban done the lazy way. Since it leverages the filtering mechanisms of rsyslog to do the pre-filtering, it should be able to handle large sets of publicly accessable machines (famous last words, I know).
- It handles both IPv4 and IPv6 addresses and banlists.
- It can handle multiple Mikrotiks, keeping the banned IPs in their respective banlists in sync.
Seems kind of self explanatory so I'm not going to explain every item in it.
Remember you can use the same configurations in the central settings as on the Command Line.
It is possible to administer more than one Mikrotik by using separate sections for each one. Perfect if you want to manage all Mikrotiks for your family, remote office locations or customers. You can still use different permanent whitelists and blacklists for each Mikrotik.
The section called "regexps" needs a little bit more explaining, you
can define your own regular expressions, which will be used to match
log lines and extract the user and ip address from it. For these
extractions, we use named capturing groups. (?P<IP>...)
.
--blocktime
: Set the life time for dynamically managed entries. The MikroTik will be told to remove the entry from the blacklist after this many hours. If autodelete is true mikrotik-fwban will take care of the deletion. Default is 1 week.--configchange
: Exit process when config file changes.--filename
: Path of the configuration file to read. Default is /etc/mikrotik-fwban.cfg.--port
: UDP port we listen on for syslog formatted messages. Default is 10514.--autodelete
: Autodelete entries when they expire. Aka, don't trust Mikrotik to do it for us. Default is true.--verbose
: Be more verbose in our logging. Default is false.--debug
: Be absolutely staggering in our logging. Default is false.
I presume you have a working experiance with go, a system with systemd and rsyslogd and in general some sys admin knowledge as I am not able to support you with questions on every conveivable way to build, install and start this daemon at startup.
- Clone, download, copy/paste the source files onto your local disk.
- Execute
go build .
to create the mikrotik-fwban binary. - Copy the binary to /usr/local/sbin.
- Create a group (
apis
) on your mikrotik (system > users; groups) and give it at least theread
,write
andapi
policies. - Create a user on your mikrotik (system > users; users) and have it belong to the group you just created.
- Make sure you have rules in your mikrotik (input AND forward) to drop
traffic coming from src ips in the
banlist
addresslist.
- Copy
mikrotik-fwban.cfg
to /etc/ and edit to your liking. - Copy
mikrotik-fwban.service
to /etc/systemd/system/ - Execute
systemctl daemon-reload
. - Execute
systemctl enable mikrotik-fwban
to enable the daemon at startup. - Execute
systemctl start mikrotik-fwban
to start the daemon right now. - Check your /var/log/messages for possible errors and fix them.
- (If you want to receive syslog messages from other than the local machine, don't forget to open your firewall on the configured port.)
-
Add a snippet to /etc/rsyslog.d to (re)send interesting messages to the mikrotik port, best thing is to filter on error conditions containing an IP you want to block. Example for rsyslog below:
if re_match($msg, "failed for '[0-9a-f:.]*' - Wrong password") then action(type="omfwd" target="<mikrotik-fwban-ip>" port="<mikrotik-fwban-port>" template="RSYSLOG_SyslogProtocol23Format")
Remember to put in the target IP address and port of your Mikrotik-fwban's host.
-
Restart your rsyslogd to make sure it loaded the fragment.
-
You can do this on every Unix system in your network if you feel so inclined. Again, don't forget to open the firewall on the Mikrotik-fwban's host if you do.
Mikrotik-fwban uses go-gcfg, syslogparser, routeros