Skip to content

aziraphale/Router-Log-Check

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
README.md
 
 
index.php
 
 
start.sh
 
 
MikroTik Router SSH Login Failure Banning Script Requirements Configuration Notes

README.md

MikroTik Router SSH Login Failure Banning Script

I wrote this script because MikroTik routers don't have a fail2ban-type system whereby IP addresses who repeatedly fail SSH logins are temporarily banned from making further connections. Due to the high numbers of SSH brute-force attacks that our main router is hit by on a daily basis, this script was written to monitor the router's log file and automatically ban IP addresses which suffer too many login failures in a short space of time, thus improving security and reducing the spam in our log file.

Requirements

  • PHP, MikroTik router, all the obvious stuff...
  • The PHP SSH2 extension
    • On Ubuntu this is simply sudo apt-get install libssh2-php
    • On other distributions you may have to install via PECL (pecl install ssh2, although it's only in beta at the moment, so PECL will want you to specify a version, e.g. pecl install channel://pecl.php.net/ssh2-0.12). Note that installing via PECL will require that you first have the libssh2 library installed.

Configuration

In addition to changing the (fully-documented) configuration variables at the top of the script, your router must have a few firewall rules in place to facilitate the blocking process (add these to ip/firewall/filter):

  • The first rule causes the router to add an IP address to the "inbound-blacklist" address list when a connection is made to it on a special port number (so that, for example, this script can initiate a connection to 1.2.3.4:31337, which will cause the address 1.2.3.4 to be added to the inbound-blacklist address list:

     chain=forward action=add-dst-to-address-list protocol=tcp \
     address-list=inbound-blacklist address-list-timeout=1d dst-port=31337

  • The other two rules drop all inbound traffic from an IP address on the blacklist:

     chain=input     action=drop   src-address-list=inbound-blacklist
 chain=forward   action=drop   src-address-list=inbound-blacklist

Notes

Yes, this script should support IPv6 as well as IPv4, however the above firewall rules will need adding to. Specifically, the same sort of rules should be added to the IPv6 firewall (ipv6/firewall/filter). Note that this has not been tested, as we have yet to have any SSH hack attempts coming from IPv6 addresses, so it's a very low priority for us.

About

Monitors the log of MikroTik routers and temporarily bans IP addresses that repeatedly fail login attempts

Resources

Readme

Stars

7 stars

Watchers

5 watching

Forks

0 forks

Releases

No releases published

Packages

No packages published

Languages