mikrotik-fwban

command module

v0.0.0-...-96df7c6 Latest Latest Go to latest Published: Oct 7, 2023 License: Apache-2.0 Imports: 22 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/middelink/mikrotik-fwban

README ¶

Mikrotik-fwban

TL;DR

mikrotik-fwban acts as a syslog receiver and tries to extract an IP address out of the messages received. It then adds the IPs to the banlist on the configured Mikrotiks. In essence it is a Fail2Ban done the lazy way. Since it leverages the filtering mechanisms of rsyslog to do the pre-filtering, it should be able to handle large sets of publicly accessable machines (famous last words, I know).
It handles both IPv4 and IPv6 addresses and banlists.
It can handle multiple Mikrotiks, keeping the banned IPs in their respective banlists in sync.

Config file

Seems kind of self explanatory so I'm not going to explain every item in it.

Remember you can use the same configurations in the central settings as on the Command Line.

It is possible to administer more than one Mikrotik by using separate sections for each one. Perfect if you want to manage all Mikrotiks for your family, remote office locations or customers. You can still use different permanent whitelists and blacklists for each Mikrotik.

The section called "regexps" needs a little bit more explaining, you can define your own regular expressions, which will be used to match log lines and extract the user and ip address from it. For these extractions, we use named capturing groups. (?P<IP>...).

Command Line Flags

--blocktime: Set the life time for dynamically managed entries. The MikroTik will be told to remove the entry from the blacklist after this many hours. If autodelete is true mikrotik-fwban will take care of the deletion. Default is 1 week.
--configchange: Exit process when config file changes.
--filename: Path of the configuration file to read. Default is /etc/mikrotik-fwban.cfg.
--port: UDP port we listen on for syslog formatted messages. Default is 10514.
--autodelete: Autodelete entries when they expire. Aka, don't trust Mikrotik to do it for us. Default is true.
--verbose: Be more verbose in our logging. Default is false.
--debug: Be absolutely staggering in our logging. Default is false.
-version: output version information and exit.

Installation

I presume you have a working experiance with go, a system with systemd and rsyslogd and in general some sys admin knowledge as I am not able to support you with questions on every conveivable way to build, install and start this daemon at startup.

Building the binary

Clone, download, copy/paste the source files onto your local disk.
Execute go build . to create the mikrotik-fwban binary.
Copy the binary to /usr/local/sbin.

Mikrotik changes

Create a group (apis) on your mikrotik (system > users; groups) and give it at least the read, write and api policies.
Create a user on your mikrotik (system > users; users) and have it belong to the group you just created.
Make sure you have rules in your mikrotik (input AND forward) to drop traffic coming from src ips in the banlist addresslist.

Setup your system.

Copy mikrotik-fwban.cfg to /etc/ and edit to your liking.
Copy mikrotik-fwban.service to /etc/systemd/system/
Execute systemctl daemon-reload.
Execute systemctl enable mikrotik-fwban to enable the daemon at startup.
Execute systemctl start mikrotik-fwban to start the daemon right now.
Check your /var/log/messages for possible errors and fix them.
(If you want to receive syslog messages from other than the local machine, don't forget to open your firewall on the configured port.)

Sending syslog information its way.

Add a snippet to /etc/rsyslog.d to (re)send interesting messages to the mikrotik port, best thing is to filter on error conditions containing an IP you want to block. Example for rsyslog below:
```
if re_match($msg, "failed for '[0-9a-f:.]*' - Wrong password") then
  action(type="omfwd" target="<mikrotik-fwban-ip>" port="<mikrotik-fwban-port>" template="RSYSLOG_SyslogProtocol23Format")
```
Remember to put in the target IP address and port of your Mikrotik-fwban's host.
Restart your rsyslogd to make sure it loaded the fragment.
You can do this on every Unix system in your network if you feel so inclined. Again, don't forget to open the firewall on the Mikrotik-fwban's host if you do.

Credits

Mikrotik-fwban uses go-gcfg, syslogparser, routeros

License

Documentation ¶

Rendered for

Overview ¶

Command mikrotik-fwban acts as a syslog receiver and tries to extract an IP address out of the messages received. It then adds the IPs to the banlist on the configured Mikrotiks. In essence it is a Fail2Ban done the lazy way. Since it leverages the filtering mechanisms of rsyslog to do the pre-filtering, it should be able to handle large sets of publicly accessible machines (famous last words, I know).

It handles both IPv4 and IPv6 addresses and banlists.

It can handle multiple Mikrotiks, keeping the banned IPs in their respective banlists in sync.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL