A set of tiny scripts for permanently banning malicious offenders.
Uses MySQL database for collecting statistics on intruders or unsuccessful login attempts, ban IP after a certain amount of failures (10 by default).
- MySQL server
- Fail2ban
- Python 2.7
- MikroTik router
Clone the repository:
git clone [email protected]:mazay/fail2ban-mikrotik.gitInstall python requirements:
pip install -r requirements.txtPrepare the configuration file:
cp blacklist_db.cfg_example blacklist_db.cfgCreate the MySQL schema for storing statistics data:
CREATE DATABASE fail2ban CHARACTER SET utf8;
USE fail2ban;
CREATE TABLE `ban_history` (
`id` int(11) unsigned NOT NULL AUTO_INCREMENT,
`ip_address` char(15) NOT NULL DEFAULT '',
`country_code` varchar(5) DEFAULT NULL,
`country_name` varchar(30) DEFAULT NULL,
`count` int(11) NOT NULL,
`type` varchar(30) DEFAULT NULL,
`last_attempt` datetime NOT NULL,
`first_attempt` datetime NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;Adjust the configuration file for your environment:
[general]
# Path to the log file - optional
log_file = blacklist_db.log
# MySQL connection string
mysql_ip = 10.10.10.10
mysql_user = fancy_username
mysql_password = secure_password
mysql_db = fail2ban
# Number of dailed attempts before permanent ban - optional, default = 10
ban_count = 10Edit fail2ban action files /etc/fail2ban/action.d/iptables-allports.conf, /etc/fail2ban/action.d/iptables-multiport.conf and /etc/fail2ban/action.d/iptables-new.conf. Original:
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>Edited:
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
/path/to/the/script/blacklist_db.py --ip <ip> --type <name>Create crontab schedule for generating MikroTik scripts:
*/15 * * * * /path/to/the/script/generate_mikrotik_script.py -o /path/to/the/output/dir > /dev/null 2>&1Setup web-server to host the generated file, eg. Nginx:
location /blacklists.rsc {
root /path/to/the/output/dir;
}Create script for downloading the backlist:
/system script add name="Download_blacklists" source={
/tool fetch url="http:https://example.com/blacklists.rsc" mode=http;
:log info "Downloaded blacklists.rsc";
}Create scheduler event for executing the script:
/system scheduler add comment="Download blacklists" interval=1h name="DownloadBlackLists" on-event=Download_blacklists start-date=jan/01/1970 start-time=01:05:00Create script for importing the backlist:
/system script add name="Update_blacklists" source={
/ip firewall address-list remove [/ip firewall address-list find comment="BLACKLIST"];
/import file-name=blacklists.rsc;
:log info "Removal old blacklists and add new";
}Create scheduler event for executing the import script:
/system scheduler add comment="Update BlackList" interval=1h name="InstallBlackLists" on-event=Update_blacklists start-date=jan/01/1970 start-time=01:15:00Create firewall rules for dropping connections originated from the blacklisted IPs, the rules should be placed before the allowing rules:
/ip firewall filter
add action=reject chain=forward comment="SIP: Reject Blacklisted IP addresses" dst-port=5060-5061 in-interface=INTERNET_IFACE protocol=udp src-address-list=ASTERISK_BLC
add action=reject chain=forward comment="SSH: Reject Blacklisted IP addresses" dst-port=22 in-interface=INTERNET_IFACE protocol=tcp src-address-list=SSH_BLCWhere ASTERISK_BLC is name of your filter plus _BLC and INTERNET_IFACE is name your external interface.