fail2ban/config/action.d/mikrotik.conf

# Fail2Ban configuration file
#
# Mikrotik routerOS action to add/remove address-list entries
#
# Author: Duncan Bellamy <dunk@denkimushi.com>
# based on forum.mikrotik.com post by pakjebakmeel
#
# in the instructions:
# (10.0.0.1 is ip of mikrotik router)
# (10.0.0.2 is ip of fail2ban machine)
#
# on fail2ban machine:
# sudo mkdir /var/lib/fail2ban/ssh
# sudo chmod 700 /var/lib/fail2ban/ssh
# sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa
# sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/
# ssh admin@10.0.0.1
#
# on mikrotik router:
# /user add name=miki-f2b group=write address=10.0.0.2 password=""
# /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b
# /quit
#
# on fail2ban machine:
# (check password login fails)
# ssh miki-f2b@10.0.0.1
# (check private key works)
# sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1
#
# Then create rules on mikrorik router that use address
# list(s) maintained by fail2ban eg in the forward chain
# drop from address list, or in the forward chain drop
# from address list to server
#
# example extract from jail.local overriding some defaults
# action = mikrotik[mtikkeyfile="%(mkeyfile)s", mtikuser="%(muser)s", mtikhost="%(mhost)s", mtiklistname="%(mlistname)s"]
#
# ignoreip = 127.0.0.1/8 192.168.0.0/24

# mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa
# muser = myuser
# mhost = 192.168.0.1
# mlistname = BAD LIST

[Definition]

actionstart =

actionstop =

actioncheck =

actionban = %(mtikcommand)s "/ip firewall address-list add list=\"%(mtiklistname)s\" address=<ip> comment=%(mtikcomment)s"

actionunban = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" comment=%(mtikcomment)s]"

mtikcommand = ssh -l %(mtikuser)s -p%(mtikport)s -i %(mtikkeyfile)s %(mtikhost)s

# Option: mktikuser
# Notes.: username to use when connecting to routerOS
mtikuser =
# Option: mtikport
# Notes.: port to use when connecting to routerOS
mtikport = 22
# Option: mtikkeyfile
# Notes.: ssh private key to use for connecting to routerOS
mtikkeyfile =
# Option: mtikhost
# Notes.: hostname or ip of router
mtikhost =
# Option: mtiklistname
# Notes.: name of "address-list" to use on router
mtiklistname = Auto Fail2Ban
# Option: mtikcomment
# Notes.: comment to use on routerOS (must be unique as used for ip address removal)
mtikcomment = AutoF2B-<name>-<ip>

[Init]
name="%(__name__)s"
Add action for mikrotik routerOS 2020-10-25 13:46:26 +00:00			`# Fail2Ban configuration file`
			`#`
			`# Mikrotik routerOS action to add/remove address-list entries`
			`#`
			`# Author: Duncan Bellamy <dunk@denkimushi.com>`
			`# based on forum.mikrotik.com post by pakjebakmeel`
			`#`
			`# in the instructions:`
			`# (10.0.0.1 is ip of mikrotik router)`
			`# (10.0.0.2 is ip of fail2ban machine)`
			`#`
			`# on fail2ban machine:`
			`# sudo mkdir /var/lib/fail2ban/ssh`
			`# sudo chmod 700 /var/lib/fail2ban/ssh`
			`# sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa`
			`# sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/`
			`# ssh admin@10.0.0.1`
			`#`
			`# on mikrotik router:`
			`# /user add name=miki-f2b group=write address=10.0.0.2 password=""`
			`# /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b`
			`# /quit`
			`#`
			`# on fail2ban machine:`
			`# (check password login fails)`
			`# ssh miki-f2b@10.0.0.1`
			`# (check private key works)`
			`# sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1`
			`#`
			`# Then create rules on mikrorik router that use address`
			`# list(s) maintained by fail2ban eg in the forward chain`
			`# drop from address list, or in the forward chain drop`
			`# from address list to server`
			`#`
			`# example extract from jail.local overriding some defaults`
			`# action = mikrotik[mtikkeyfile="%(mkeyfile)s", mtikuser="%(muser)s", mtikhost="%(mhost)s", mtiklistname="%(mlistname)s"]`
			`#`
			`# ignoreip = 127.0.0.1/8 192.168.0.0/24`

			`# mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa`
			`# muser = myuser`
			`# mhost = 192.168.0.1`
			`# mlistname = BAD LIST`

			`[Definition]`

			`actionstart =`

			`actionstop =`

			`actioncheck =`

			`actionban = %(mtikcommand)s "/ip firewall address-list add list=\"%(mtiklistname)s\" address=<ip> comment=%(mtikcomment)s"`

			`actionunban = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" comment=%(mtikcomment)s]"`

			`mtikcommand = ssh -l %(mtikuser)s -p%(mtikport)s -i %(mtikkeyfile)s %(mtikhost)s`

			`# Option: mktikuser`
			`# Notes.: username to use when connecting to routerOS`
			`mtikuser =`
			`# Option: mtikport`
			`# Notes.: port to use when connecting to routerOS`
			`mtikport = 22`
			`# Option: mtikkeyfile`
			`# Notes.: ssh private key to use for connecting to routerOS`
			`mtikkeyfile =`
			`# Option: mtikhost`
			`# Notes.: hostname or ip of router`
			`mtikhost =`
			`# Option: mtiklistname`
			`# Notes.: name of "address-list" to use on router`
			`mtiklistname = Auto Fail2Ban`
			`# Option: mtikcomment`
			`# Notes.: comment to use on routerOS (must be unique as used for ip address removal)`
			`mtikcomment = AutoF2B-<name>-<ip>`

			`[Init]`
			`name="%(__name__)s"`