From a2c77429b9cd29e653a792463c6cf4fda6a0fbfd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADt=20Kabele?=
Date: Tue, 28 Feb 2023 07:34:16 +0100
Subject: [PATCH] New filter: routeros-auth.conf (Closes #3469)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add filter to detect failed login attempts in the log produced by MikroTik RouterOS.
- Add the filter to jail.conf
- Add testcase for the filter
Signed-off-by: Vít Kabele
---
config/filter.d/routeros-auth.conf | 10 ++++++++++
config/jail.conf | 3 +++
fail2ban/tests/files/logs/routeros-auth | 15 +++++++++++++++
3 files changed, 28 insertions(+)
create mode 100644 config/filter.d/routeros-auth.conf
create mode 100644 fail2ban/tests/files/logs/routeros-auth
diff --git a/config/filter.d/routeros-auth.conf b/config/filter.d/routeros-auth.conf
new file mode 100644
index 00000000..090296d4
--- /dev/null
+++ b/config/filter.d/routeros-auth.conf
@@ -0,0 +1,10 @@
+# Fail2Ban filter for failure attempts in MikroTik RouterOS
+#
+#
+
+[Definition]
+
+failregex = ^\s*\S+ system,error,critical login failure for user .*? from via \S+$
+
+# Author: Vit Kabele
+
diff --git a/config/jail.conf b/config/jail.conf
index f4990e09..741f62ee 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -958,6 +958,9 @@ port = http,https logpath = %(syslog_authpriv)s backend = %(syslog_backend)s +[routeros-auth] port = ssh,http,https logpath = /var/log/MikroTik/router.log [zoneminder] # Zoneminder HTTP/HTTPS web interface auth
diff --git a/fail2ban/tests/files/logs/routeros-auth b/fail2ban/tests/files/logs/routeros-auth
new file mode 100644
index 00000000..6b861c7b
--- /dev/null
+++ b/fail2ban/tests/files/logs/routeros-auth
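Review bot: The failregex line reads `login failure for user .*? from via \S+$` with nothing between `from` and `via`, so as printed it captures no source address and the jail would have nothing to ban; most likely the `<HOST>` tag (and the `<F-USER>` pair around `.*?`) was stripped by the page rendering, but the committed file should be checked against the fixtures, which expect both `host` and `user` to be extracted. The filter also defines no `ignoreregex`, which the sibling filters in config/filter.d consistently provide; add `ignoreregex =` under `[Definition]`. The two bare `#` header lines tell a maintainer nothing about the expected input; replace them with a comment such as `# Matches RouterOS log lines of the form "<router> system,error,critical login failure for user <name> from <ip> via <service>", as delivered by the router's remote-syslog target`.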
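Review bot: The new `[routeros-auth]` section runs straight into `[zoneminder]` with no blank separator (the hunk's 6-to-9 line count places the only blank line before `[routeros-auth]`), unlike every neighbouring section; add an empty line after the `logpath` entry. `logpath = /var/log/MikroTik/router.log` is a path that only exists if RouterOS has been configured to ship its log to this host by remote syslog, which the section should state, e.g. `# RouterOS keeps its log on the router: send it here via a remote-syslog logging action`. It is also worth a comment that with the stock banaction the block lands on the fail2ban host rather than on the router, and that the filter accepts any `via <service>` channel while `port = ssh,http,https` names only three of them.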
@@ -0,0 +1,15 @@
+# RouterOS v7.5
+# failJSON: { "time": "2005-02-15T11:25:46", "match": true , "host": "192.168.88.6", "user": "admin" }
+Feb 15 11:25:46 gw.local system,error,critical login failure for user admin from 192.168.88.6 via web
+
+# RouterOS v7.5
+# failJSON: { "match": false }
+Feb 15 11:26:15 gw.local system,info log rule changed by admin
+
+# RouterOS v7.5
+# failJSON: { "time": "2005-02-15T11:57:42", "match": true , "host": "2001:470:1:c84::24", "user": "" }
+Feb 15 11:57:42 1234.hostname.cz system,error,critical login failure for user from 2001:470:1:c84::24 via ssh
+
+# RouterOS v7.5
+# failJSON: { "time": "2005-03-02T09:09:46", "match": true , "host": "1.2.3.4", "user": "user with space" }
+Mar 2 09:09:46 gw.local system,error,critical login failure for user user with space from 1.2.3.4 via ssh
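Review bot: The fixture exercises an empty user and a user with spaces, but no line where the user field itself contains the words `from` or `via`, which is exactly the case the lazy `.*?` and the trailing `\S+$` anchor in the filter are relied on to resolve in favour of the real source address; a further `match: true` sample with such a name and the expected `host` pinned would keep that property from being lost in a later regex edit. The `# RouterOS v7.5` comment is repeated before every sample; a single version note at the top of the file would read cleaner, though that is cosmetic.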