Fail2ban working with mikrotik

OK so it’s time to get fail2ban parsing mikrotik logs and start banning offending ip’s towards its services. As we already have rsyslog done and mikrotik sends logs to it all we have to do is get an filter for fail2ban and we should be done.

As i cannot write regex so i tried to search for a regex filter but could not find any that would match my log files with the command fail2ban-regex, no matches is found so i start more or less doing it my self and this is what i get and it matches to my log files. And yes you are free to use my mikrotik.conf if you like.

save this as /etc/fail2ban/filter.d/mikrotik.conf and then test the regex with the command:

You should see something like this (if you have failed logins already in the log file):

So now we know that the regex works and it find login failures we move on to the jail.local configuration for the mikrotik jail section.

With all this in place we just have to restart the fail2ban service (at this point i have removed my internal network from ignore ban ip range just for testing as mikrotik is not visible form the outside)

Ok so i will see the first message:

But i do not see the second or third failed login i only see:

And that is not good enough it seems so i have to make sure all lines are sent to my rsyslog. well atleast after some testing this does work if not repeat message is written to logs as i got banned with my laptop

gonna try and match the repeated log message also just in case.

So there we have it, regex done and matcher to both repeated messages and and the normal failed logins. But i still have to figure out not to sen repeated message, need mikrotik to send every failed login as it should.

in /etc/rsyslog.conf you will find a line that controls the repeat message filtering

Set that to off and every line is logged normally for every service. That will be good enough for now. Will come back to this issue later on if i need.

 

So now we have our server running with fail2ban, fail2sql with we statistics. rsyslog gathering logs from mikrotik and banning them, so next step is to make the IP blocking happen on the mikrotik from fail2ban on ubuntu server.

Leave a Reply

Your email address will not be published. Required fields are marked *