authorDuncan Bellamy <dunk@denkimushi.com>2020-10-25 13:46:26 +0000
committerDuncan Bellamy <dunk@denkimushi.com>2023-03-08 09:17:13 +0000
commit9997807fb329b6c850e9c5ecb5564a234050763d (patch)
tree5062f3d974e1e6aec5555c45a19f928ec2742588
parent234660e94d0b887aef8ae11d7826420de30a9bef (diff)
downloadfail2ban-9997807fb329b6c850e9c5ecb5564a234050763d.tar.gz
Add action for mikrotik routerOS
-rw-r--r--ChangeLog7
-rw-r--r--config/action.d/mikrotik.conf79
2 files changed, 86 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index a2259e36..bf8d6e76 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -293,7 +293,14 @@ ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools
* fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh-2791;
* extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag
prefix `<F-TUPLE_`, that would combine value of `<F-V>` with all value of `<F-TUPLE_V?_n?>` tags (gh-2755)
+<<<<<<< HEAD
+=======
+* `actioncheck` behavior is changed now (gh-488), so invariant check as well as restore or repair
+ of sane environment (in case of recognized unsane state) would only occur on action errors (e. g.
+ if ban or unban operations are exiting with other code as 0)
+* new action for mikrotik routerOS, adds and removes entries from address lists on the router
+>>>>>>> Add action for mikrotik routerOS
ver. 0.11.1 (2020/01/11) - this-is-the-way
-----------
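Review bot: The new ChangeLog lines carry unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> Add action for mikrotik routerOS`), so the file as committed is mid-merge rather than a finished entry. The conflict should be resolved before merging, keeping only the bullet this commit adds, `* new action for mikrotik routerOS, adds and removes entries from address lists on the router`; the `actioncheck`/gh-488 bullet appears to come from the other side of the merge and presumably belongs to an upstream entry, so it should be checked against the target branch rather than re-added here. The surrounding ver. 0.11.2 entry starts outside the hunk.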
diff --git a/config/action.d/mikrotik.conf b/config/action.d/mikrotik.conf
new file mode 100644
index 00000000..91e587aa
--- /dev/null
+++ b/config/action.d/mikrotik.conf
@@ -0,0 +1,79 @@
+# Fail2Ban configuration file
+#
+# Mikrotik routerOS action to add/remove address-list entries
+#
+# Author: Duncan Bellamy <dunk@denkimushi.com>
+# based on forum.mikrotik.com post by pakjebakmeel
+#
+# in the instructions:
+# (10.0.0.1 is ip of mikrotik router)
+# (10.0.0.2 is ip of fail2ban machine)
+#
+# on fail2ban machine:
+# sudo mkdir /var/lib/fail2ban/ssh
+# sudo chmod 700 /var/lib/fail2ban/ssh
+# sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa
+# sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/
+# ssh admin@10.0.0.1
+#
+# on mikrotik router:
+# /user add name=miki-f2b group=write address=10.0.0.2 password=""
+# /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b
+# /quit
+#
+# on fail2ban machine:
+# (check password login fails)
+# ssh miki-f2b@10.0.0.1
+# (check private key works)
+# sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1
+#
+# Then create rules on mikrorik router that use address
+# list(s) maintained by fail2ban eg in the forward chain
+# drop from address list, or in the forward chain drop
+# from address list to server
+#
+# example extract from jail.local overriding some defaults
+# action = mikrotik[mtikkeyfile="%(mkeyfile)s", mtikuser="%(muser)s", mtikhost="%(mhost)s", mtiklistname="%(mlistname)s"]
+#
+# ignoreip = 127.0.0.1/8 192.168.0.0/24
+
+# mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa
+# muser = myuser
+# mhost = 192.168.0.1
+# mlistname = BAD LIST
+
+[Definition]
+
+actionstart =
+
+actionstop =
+
+actioncheck =
+
+actionban = %(mtikcommand)s "/ip firewall address-list add list=\"%(mtiklistname)s\" address=<ip> comment=%(mtikcomment)s"
+
+actionunban = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" comment=%(mtikcomment)s]"
+
+mtikcommand = ssh -l %(mtikuser)s -p%(mtikport)s -i %(mtikkeyfile)s %(mtikhost)s
+
+# Option: mktikuser
+# Notes.: username to use when connecting to routerOS
+mtikuser =
+# Option: mtikport
+# Notes.: port to use when connecting to routerOS
+mtikport = 22
+# Option: mtikkeyfile
+# Notes.: ssh private key to use for connecting to routerOS
+mtikkeyfile =
+# Option: mtikhost
+# Notes.: hostname or ip of router
+mtikhost =
+# Option: mtiklistname
+# Notes.: name of "address-list" to use on router
+mtiklistname = Auto Fail2Ban
+# Option: mtikcomment
+# Notes.: comment to use on routerOS (must be unique as used for ip address removal)
+mtikcomment = AutoF2B-<name>-<ip>
+
+[Init]
+name="%(__name__)s"
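Review bot: `mtikcommand` runs ssh without `-o BatchMode=yes`, so if the key is passphrase-protected or the router's host key is missing from root's known_hosts, ssh will block on an interactive prompt inside a non-interactive fail2ban action instead of failing promptly; the line should read `mtikcommand = ssh -o BatchMode=yes -l %(mtikuser)s -p%(mtikport)s -i %(mtikkeyfile)s %(mtikhost)s`. In the `[Init]` section, `name="%(__name__)s"` is read by a configparser-style parser that keeps the quote characters as part of the value, so the `<name>` tag used in `mtikcomment` would presumably carry literal quotes; since fail2ban supplies `<name>` from the jail, this line looks unnecessary and could be dropped or replaced with a plain `name = default` as other action files do (worth confirming against the action reader). Two documentation nits in the header: `# Option: mktikuser` should be `# Option: mtikuser`, and `mikrorik` should be `mikrotik`.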