authorSergey G. Brester <serg.brester@sebres.de>2023-04-13 19:10:30 +0200
committerGitHub <noreply@github.com>2023-04-13 19:10:30 +0200
commit2b98f461bb93c6a1a1cec1481fa94b7a84342977 (patch)
tree8d332b7509b70c40c55c3f699d95b39f961b31e0
parent27294c4b9ee5d5568a1d5f83af744ea39d5a1acb (diff)
parente73748c4422196d7e40b9e3a1d5c6cf2e81d49c1 (diff)
downloadfail2ban-2b98f461bb93c6a1a1cec1481fa94b7a84342977.tar.gz
Merge pull request #2860 from a16bitsysop/mikrotik
Add action for mikrotik routerOS
-rw-r--r--ChangeLog1
-rw-r--r--config/action.d/mikrotik.conf84
2 files changed, 85 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index d13057c9..daf185ab 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -19,6 +19,7 @@ ver. 1.0.3-dev-1 (20??/??/??) - development nightly edition
(value read from `/proc/sys/net/ipv6/conf/all/disable_ipv6`) if available, otherwise seeks over local IPv6 from network interfaces
if available for platform and uses DNS to find local IPv6 as a fallback only
* improve `ignoreself` by considering all local addresses from network interfaces additionally to IPs from hostnames (gh-3132)
+* `action.d/mikrotik.conf` - new action for mikrotik routerOS, adds and removes entries from address lists on the router (gh-2860)
* `filter.d/nginx-forbidden.conf` - new filter to ban forbidden locations, e. g. using `deny` directive (gh-2226)
diff --git a/config/action.d/mikrotik.conf b/config/action.d/mikrotik.conf
new file mode 100644
index 00000000..9343c86b
--- /dev/null
+++ b/config/action.d/mikrotik.conf
@@ -0,0 +1,84 @@
+# Fail2Ban configuration file
+#
+# Mikrotik routerOS action to add/remove address-list entries
+#
+# Author: Duncan Bellamy <dunk@denkimushi.com>
+# based on forum.mikrotik.com post by pakjebakmeel
+#
+# in the instructions:
+# (10.0.0.1 is ip of mikrotik router)
+# (10.0.0.2 is ip of fail2ban machine)
+#
+# on fail2ban machine:
+# sudo mkdir /var/lib/fail2ban/ssh
+# sudo chmod 700 /var/lib/fail2ban/ssh
+# sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa
+# sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/
+# ssh admin@10.0.0.1
+#
+# on mikrotik router:
+# /user add name=miki-f2b group=write address=10.0.0.2 password=""
+# /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b
+# /quit
+#
+# on fail2ban machine:
+# (check password login fails)
+# ssh miki-f2b@10.0.0.1
+# (check private key works)
+# sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1
+#
+# Then create rules on mikrorik router that use address
+# list(s) maintained by fail2ban eg in the forward chain
+# drop from address list, or in the forward chain drop
+# from address list to server
+#
+# example extract from jail.local overriding some defaults
+# action = mikrotik[keyfile="%(mkeyfile)s", user="%(muser)s", host="%(mhost)s", list="%(mlist)s"]
+#
+# ignoreip = 127.0.0.1/8 192.168.0.0/24
+
+# mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa
+# muser = myuser
+# mhost = 192.168.0.1
+# mlist = BAD LIST
+
+[Definition]
+
+actionstart =
+
+actionstop = %(actionflush)s
+
+actionflush = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment~\"%(startcomment)s-*\"]"
+
+actioncheck =
+
+actionban = %(command)s "/ip firewall address-list add list=\"%(list)s\" address=<ip> comment=%(comment)s"
+
+actionunban = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment=%(comment)s]"
+
+command = ssh -l %(user)s -p%(port)s -i %(keyfile)s %(host)s
+
+# Option: user
+# Notes.: username to use when connecting to routerOS
+user =
+# Option: port
+# Notes.: port to use when connecting to routerOS
+port = 22
+# Option: keyfile
+# Notes.: ssh private key to use for connecting to routerOS
+keyfile =
+# Option: host
+# Notes.: hostname or ip of router
+host =
+# Option: list
+# Notes.: name of "address-list" to use on router
+list = Fail2Ban
+# Option: startcomment
+# Notes.: used as a prefix to all comments, and used to match for flushing rules
+startcomment = f2b-<name>
+# Option: comment
+# Notes.: comment to use on routerOS (must be unique as used for ip address removal)
+comment = %(startcomment)s-<ip>
+
+[Init]
+name="%(__name__)s"
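Review bot: The flush pattern on the new `actionflush` line is a substring match, not a glob: RouterOS `~` is a regular-expression match, so `comment~"f2b-<name>-*"` matches any comment containing `f2b-<name>` followed by zero or more dashes, and a flush for a jail named `sshd` would also strip the entries of a jail named `sshd2` from the same address list. Anchoring it and making the separator literal fixes that: `actionflush = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment~\"^%(startcomment)s-\"]"`. The `command` line should also carry `-o BatchMode=yes`, i.e. `command = ssh -o BatchMode=yes -l %(user)s -p%(port)s -i %(keyfile)s %(host)s`, so an unknown router host key in root's known_hosts or a passphrase prompt fails immediately instead of hanging the action; the header's `sudo ssh -i ... miki-f2b@10.0.0.1` step is presumably what seeds root's known_hosts and deserves a comment saying so, since a later router key change will make every ban/unban fail until it is refreshed. The setup instructions put the router user in the built-in `write` group, which grants far more than address-list maintenance needs; a comment recommending a dedicated group restricted to the `ssh,read,write` policies, and a note that the "(check password login fails)" step must actually be confirmed on the target RouterOS version rather than assumed after the key import, would make the least-privilege setup explicit.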