OK, so it's time to get fail2ban parsing the MikroTik logs and banning the IPs that hammer its services. As rsyslog is already set up and the MikroTik sends its logs to it, all we have to do is write a filter for fail2ban and we should be done.
As I cannot write regex, I first searched for a ready-made filter, but could not find any that matched my log file: fail2ban-regex reported no matches. So I more or less wrote one myself, and this is what I ended up with; it matches my log file. And yes, you are free to use my mikrotik.conf if you like.
```ini
# Fail2Ban configuration file for Mikrotik RouterBoard with remote logging capabilities
#
# Author: Jani Pesonen
#
# Version 0.1
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile.
# Values:  TEXT
#
failregex = ^.*MikroTik login failure for user .* from <HOST> via web
```
Save this as /etc/fail2ban/filter.d/mikrotik.conf and then test the regex against the log file with:

```sh
fail2ban-regex /var/log/mtgw.log /etc/fail2ban/filter.d/mikrotik.conf
```
You should see something like this (if there are already failed logins in the log file):

```
Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/mikrotik.conf
Use         log file : /var/log/mtgw.log


Results
=======

Failregex: 8 total
|-  #) [# of hits] regular expression
|   1) [8] ^.*MikroTik login failure for user .* from <HOST> via web
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [4257] MONTH Day Hour:Minute:Second
`-

Lines: 4257 lines, 0 ignored, 8 matched, 4249 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 4249 lines
```
The 4249 missed lines are expected: they are everything else the router logs to the same file, and only the login failures need to match. So now we know the regex works and finds the login failures, and we can move on to the mikrotik jail section in jail.local:

```ini
[mikrotik]
# Default ports for MikroTik RouterBoard services: 8728,8729,21,22,23,8291,80,443
# Only port 80 is used here, as it is the only service open at the moment.
enabled  = true
port     = 80
filter   = mikrotik
logpath  = /var/log/mtgw.log
maxretry = 6
```
With all this in place we just have to restart the fail2ban service. (At this point I have removed my internal network from the ignoreip list, just for testing, as the MikroTik is not reachable from the outside.)

```sh
service fail2ban restart
```
OK, so I see the first message:

```
MikroTik login failure for user admin from 192.168.0.2 via web
```
But I do not see the second or third failed login; I only see:

```
MikroTik login message repeated 3 times: [ failure for user admin from 192.168.0.2 via web]
```
That is not good enough, so I have to make sure every line reaches my rsyslog as its own entry. At least, after some testing, the banning itself does work when no "repeated" message is written to the log: I got banned with my laptop.

```
2015-06-04 20:26:24,952 fail2ban.actions: WARNING [mikrotik] Ban 192.168.81.20
```
I am going to try to match the repeated log message as well, just in case.

```ini
# Fail2Ban configuration file for Mikrotik RouterBoard with remote logging capabilities
#
# Author: Jani Pesonen
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile.
#          The second line matches the collapsed "message repeated N times"
#          form that rsyslog writes when $RepeatedMsgReduction is on.
# Values:  TEXT
#
failregex = ^.*MikroTik login failure for user .* from <HOST> via web
            ^.*MikroTik login message repeated \d+ times: \[ failure for user .* from <HOST> via web\]
# Leftover from the sshd filter template, not used here:
# failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
```
So there we have it: the regex now matches both the collapsed "repeated" messages and the normal failed logins. But a collapsed line still counts as a single match for fail2ban, however many failures it stands for, so I still have to stop the collapsing and get every failed login into the log as its own line.
In /etc/rsyslog.conf you will find the line that controls the repeated-message filtering (Ubuntu ships with it set to on):

```
# Filter duplicated messages
$RepeatedMsgReduction off
```

Set it to off and restart rsyslog; every line is then logged normally, for every service that logs through rsyslog, not just the router, so expect a somewhat larger log. That is good enough for now. I will come back to this issue later if I need to.
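To show why the filter alone is not enough, here is an added example (my own script, not the post's filter and not part of fail2ban) that runs both patterns from the mikrotik.conf above over a constructed sample of /var/log/mtgw.log. It counts failures per address the way fail2ban does (one failure per matching line), the way they really happened (a "repeated N times" line stands for N failures), and after expanding the collapsed lines the way rsyslog would have logged them with $RepeatedMsgReduction off. The <HOST> expansion is reproduced from fail2ban 0.9 so the script runs with the plain re module; the trailing $ anchor, the cron line and all sample log lines are my additions.

```python
"""Count MikroTik web-login failures per source address from a shared rsyslog file.

Added example for this post (not the post's own filter). Sample log lines
are constructed for this example.
"""
import re
from collections import defaultdict

# fail2ban 0.9 expands the <HOST> tag to this pattern (IPv4, IPv6, hostnames);
# reproduced here so the example runs stand-alone with the re module.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# One failed login, in the format shown in the post. The $ anchor is an
# addition: it rejects lines that carry any text after "via web".
FAIL_RE = re.compile(
    r"MikroTik login failure for user .+ from " + HOST + r" via web$")

# The line rsyslog writes instead when $RepeatedMsgReduction is on and the
# same message arrives several times in a row. "head" + "msg" is the
# original message that was collapsed.
REPEAT_RE = re.compile(
    r"^(?P<head>.*MikroTik login) message repeated (?P<n>\d+) times: "
    r"\[(?P<msg> failure for user .+ from " + HOST + r" via web)\]$")


def count_failures(lines, weight_repeats=False):
    """Return {host: failures}.

    weight_repeats=False mirrors fail2ban: each line matching a failregex is
    one failure, so "repeated 3 times" counts once. With True the repeat
    line counts N failures, which is what actually happened on the router.
    """
    counts = defaultdict(int)
    for line in lines:
        line = line.rstrip("\n")
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("host")] += 1
            continue
        m = REPEAT_RE.match(line)
        if m:
            counts[m.group("host")] += int(m.group("n")) if weight_repeats else 1
    return dict(counts)


def expand_repeats(lines):
    """Rewrite the log the way rsyslog writes it with $RepeatedMsgReduction
    off: every collapsed line becomes N copies of the original message."""
    out = []
    for line in lines:
        line = line.rstrip("\n")
        m = REPEAT_RE.match(line)
        if m:
            out.extend([m.group("head") + m.group("msg")] * int(m.group("n")))
        else:
            out.append(line)
    return out


def hosts_to_ban(lines, maxretry=6, weight_repeats=False):
    """Hosts that reached the jail's maxretry (findtime is ignored here)."""
    return sorted(h for h, n in count_failures(lines, weight_repeats).items()
                  if n >= maxretry)


# Constructed sample of /var/log/mtgw.log: one brute-forcing host, one
# unrelated failure, and a cron line from the same shared syslog file.
SAMPLE_LOG = [
    "Jun  4 20:26:10 MikroTik login failure for user admin from 192.168.0.2 via web",
    "Jun  4 20:26:14 MikroTik login message repeated 3 times: [ failure for user admin from 192.168.0.2 via web]",
    "Jun  4 20:26:15 mtgw CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jun  4 20:26:18 MikroTik login failure for user root from 203.0.113.7 via web",
    "Jun  4 20:26:20 MikroTik login failure for user admin from 192.168.0.2 via web",
    "Jun  4 20:26:23 MikroTik login message repeated 2 times: [ failure for user admin from 192.168.0.2 via web]",
    "Jun  4 20:26:25 MikroTik login failure for user root from 203.0.113.7 via web",
]

if __name__ == "__main__":
    print("per line (what fail2ban sees):   ", count_failures(SAMPLE_LOG))
    print("weighted (what really happened): ", count_failures(SAMPLE_LOG, True))
    print("reduction on,  maxretry=6, ban:  ", hosts_to_ban(SAMPLE_LOG))
    print("reduction off, maxretry=6, ban:  ", hosts_to_ban(expand_repeats(SAMPLE_LOG)))
```

With reduction on, 192.168.0.2 produces seven real failures but only four matching lines, so it stays under maxretry = 6 and is never banned; with the log expanded the way rsyslog writes it when reduction is off, the same seven lines trip the jail. That is the reason for turning $RepeatedMsgReduction off rather than relying on the second failregex alone.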
So now we have our server running fail2ban, with fail2sql for web statistics, and rsyslog gathering the logs from the MikroTik and banning offenders. Note that fail2ban's default iptables action only blocks the address on the server itself, not on the router, so the next step is to make the IP blocking happen on the MikroTik, driven by fail2ban on the Ubuntu server.