summaryrefslogtreecommitdiff
path: root/config
diff options
context:
space:
mode:
Diffstat (limited to 'config')
-rw-r--r--config/action.d/mikrotik.conf84
1 files changed, 84 insertions, 0 deletions
diff --git a/config/action.d/mikrotik.conf b/config/action.d/mikrotik.conf
new file mode 100644
index 00000000..9343c86b
--- /dev/null
+++ b/config/action.d/mikrotik.conf
@@ -0,0 +1,84 @@
+# Fail2Ban configuration file
+#
+# Mikrotik routerOS action to add/remove address-list entries
+#
+# Author: Duncan Bellamy <dunk@denkimushi.com>
+# based on forum.mikrotik.com post by pakjebakmeel
+#
+# in the instructions:
+# (10.0.0.1 is ip of mikrotik router)
+# (10.0.0.2 is ip of fail2ban machine)
+#
+# on fail2ban machine:
+# sudo mkdir /var/lib/fail2ban/ssh
+# sudo chmod 700 /var/lib/fail2ban/ssh
+# sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa
+# sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/
+# ssh admin@10.0.0.1
+#
+# on mikrotik router:
+# /user add name=miki-f2b group=write address=10.0.0.2 password=""
+# /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b
+# /quit
+#
+# on fail2ban machine:
+# (check password login fails)
+# ssh miki-f2b@10.0.0.1
+# (check private key works)
+# sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1
+#
+# Then create rules on mikrorik router that use address
+# list(s) maintained by fail2ban eg in the forward chain
+# drop from address list, or in the forward chain drop
+# from address list to server
+#
+# example extract from jail.local overriding some defaults
+# action = mikrotik[keyfile="%(mkeyfile)s", user="%(muser)s", host="%(mhost)s", list="%(mlist)s"]
+#
+# ignoreip = 127.0.0.1/8 192.168.0.0/24
+
+# mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa
+# muser = myuser
+# mhost = 192.168.0.1
+# mlist = BAD LIST
+
+[Definition]
+
+actionstart =
+
+actionstop = %(actionflush)s
+
+actionflush = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment~\"%(startcomment)s-*\"]"
+
+actioncheck =
+
+actionban = %(command)s "/ip firewall address-list add list=\"%(list)s\" address=<ip> comment=%(comment)s"
+
+actionunban = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment=%(comment)s]"
+
+command = ssh -l %(user)s -p%(port)s -i %(keyfile)s %(host)s
+
+# Option: user
+# Notes.: username to use when connecting to routerOS
+user =
+# Option: port
+# Notes.: port to use when connecting to routerOS
+port = 22
+# Option: keyfile
+# Notes.: ssh private key to use for connecting to routerOS
+keyfile =
+# Option: host
+# Notes.: hostname or ip of router
+host =
+# Option: list
+# Notes.: name of "address-list" to use on router
+list = Fail2Ban
+# Option: startcomment
+# Notes.: used as a prefix to all comments, and used to match for flushing rules
+startcomment = f2b-<name>
+# Option: comment
+# Notes.: comment to use on routerOS (must be unique as used for ip address removal)
+comment = %(startcomment)s-<ip>
+
+[Init]
+name="%(__name__)s"
View Lorry Controller Status