Diffstat (limited to 'config')
-rw-r--r-- | config/action.d/mikrotik.conf | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/config/action.d/mikrotik.conf b/config/action.d/mikrotik.conf
new file mode 100644
index 00000000..9343c86b
--- /dev/null
+++ b/config/action.d/mikrotik.conf
@@ -0,0 +1,84 @@
+# Fail2Ban configuration file
+#
+# Mikrotik routerOS action to add/remove address-list entries
+#
+# Author: Duncan Bellamy <dunk@denkimushi.com>
+# based on forum.mikrotik.com post by pakjebakmeel
+#
+# in the instructions:
+# (10.0.0.1 is ip of mikrotik router)
+# (10.0.0.2 is ip of fail2ban machine)
+#
+# on fail2ban machine:
+# sudo mkdir /var/lib/fail2ban/ssh
+# sudo chmod 700 /var/lib/fail2ban/ssh
+# sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa
+# sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/
+# ssh admin@10.0.0.1
+#
+# on mikrotik router:
+# /user add name=miki-f2b group=write address=10.0.0.2 password=""
+# /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b
+# /quit
+#
+# on fail2ban machine:
+# (check password login fails)
+# ssh miki-f2b@10.0.0.1
+# (check private key works)
+# sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1
+#
+# Then create rules on mikrorik router that use address
+# list(s) maintained by fail2ban eg in the forward chain
+# drop from address list, or in the forward chain drop
+# from address list to server
+#
+# example extract from jail.local overriding some defaults
+# action = mikrotik[keyfile="%(mkeyfile)s", user="%(muser)s", host="%(mhost)s", list="%(mlist)s"]
+#
+# ignoreip = 127.0.0.1/8 192.168.0.0/24
+
+# mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa
+# muser = myuser
+# mhost = 192.168.0.1
+# mlist = BAD LIST
+
+[Definition]
+
+actionstart =
+
+actionstop = %(actionflush)s
+
+actionflush = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment~\"%(startcomment)s-*\"]"
+
+actioncheck =
+
+actionban = %(command)s "/ip firewall address-list add list=\"%(list)s\" address=<ip> comment=%(comment)s"
+
+actionunban = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment=%(comment)s]"
+
+command = ssh -l %(user)s -p%(port)s -i %(keyfile)s %(host)s
+
+# Option: user
+# Notes.: username to use when connecting to routerOS
+user =
+# Option: port
+# Notes.: port to use when connecting to routerOS
+port = 22
+# Option: keyfile
+# Notes.: ssh private key to use for connecting to routerOS
+keyfile =
+# Option: host
+# Notes.: hostname or ip of router
+host =
+# Option: list
+# Notes.: name of "address-list" to use on router
+list = Fail2Ban
+# Option: startcomment
+# Notes.: used as a prefix to all comments, and used to match for flushing rules
+startcomment = f2b-<name>
+# Option: comment
+# Notes.: comment to use on routerOS (must be unique as used for ip address removal)
+comment = %(startcomment)s-<ip>
+
+[Init]
+name="%(__name__)s"
|
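Review bot: The flush pattern in `actionflush`, `comment~\"%(startcomment)s-*\"`, is an unanchored match where `-*` is "zero or more hyphens", not a wildcard, so if RouterOS's `~` is a regex match as I believe it is, flushing jail `sshd` (prefix `f2b-sshd`) also removes every entry of a jail whose name starts with `sshd`, such as `f2b-sshd-ddos-1.2.3.4`, and `actionstop` inherits the same over-removal. Anchoring the pattern to the comment layout the file itself defines (`comment = %(startcomment)s-<ip>`) confines it to this jail: `actionflush = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment~\"^%(startcomment)s-\"]"`; a jail name containing regex metacharacters would still need escaping, which is worth a line in the `startcomment` notes. As a secondary point, the setup comment creates the router account with `group=write`, which grants far more than address-list maintenance; the notes could recommend a dedicated group limited to the policies this action needs, and could state that `user`, `keyfile` and `host` default to empty and must be set in jail.local, since `actionstart` and `actioncheck` are empty and nothing validates them before the first ban.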