diff --git a/ChangeLog b/ChangeLog index d13057c9..daf185ab 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,7 @@ ver. 1.0.3-dev-1 (20??/??/??) - development nightly edition (value read from `/proc/sys/net/ipv6/conf/all/disable_ipv6`) if available, otherwise seeks over local IPv6 from network interfaces if available for platform and uses DNS to find local IPv6 as a fallback only * improve `ignoreself` by considering all local addresses from network interfaces additionally to IPs from hostnames (gh-3132) +* `action.d/mikrotik.conf` - new action for mikrotik routerOS, adds and removes entries from address lists on the router (gh-2860) * `filter.d/nginx-forbidden.conf` - new filter to ban forbidden locations, e. g. using `deny` directive (gh-2226) diff --git a/config/action.d/mikrotik.conf b/config/action.d/mikrotik.conf new file mode 100644 index 00000000..9343c86b --- /dev/null +++ b/config/action.d/mikrotik.conf @@ -0,0 +1,84 @@ +# Fail2Ban configuration file +# +# Mikrotik routerOS action to add/remove address-list entries +# +# Author: Duncan Bellamy +# based on forum.mikrotik.com post by pakjebakmeel +# +# in the instructions: +# (10.0.0.1 is ip of mikrotik router) +# (10.0.0.2 is ip of fail2ban machine) +# +# on fail2ban machine: +# sudo mkdir /var/lib/fail2ban/ssh +# sudo chmod 700 /var/lib/fail2ban/ssh +# sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa +# sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/ +# ssh admin@10.0.0.1 +# +# on mikrotik router: +# /user add name=miki-f2b group=write address=10.0.0.2 password="" +# /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b +# /quit +# +# on fail2ban machine: +# (check password login fails) +# ssh miki-f2b@10.0.0.1 +# (check private key works) +# sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1 +# +# Then create rules on mikrorik router that use address +# list(s) maintained by fail2ban eg in the forward chain +# drop from address list, or in the forward chain drop +# from address list to server +# +# example extract from jail.local overriding some defaults +# action = mikrotik[keyfile="%(mkeyfile)s", user="%(muser)s", host="%(mhost)s", list="%(mlist)s"] +# +# ignoreip = 127.0.0.1/8 192.168.0.0/24 + +# mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa +# muser = myuser +# mhost = 192.168.0.1 +# mlist = BAD LIST + +[Definition] + +actionstart = + +actionstop = %(actionflush)s + +actionflush = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment~\"%(startcomment)s-*\"]" + +actioncheck = + +actionban = %(command)s "/ip firewall address-list add list=\"%(list)s\" address= comment=%(comment)s" + +actionunban = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment=%(comment)s]" + +command = ssh -l %(user)s -p%(port)s -i %(keyfile)s %(host)s + +# Option: user +# Notes.: username to use when connecting to routerOS +user = +# Option: port +# Notes.: port to use when connecting to routerOS +port = 22 +# Option: keyfile +# Notes.: ssh private key to use for connecting to routerOS +keyfile = +# Option: host +# Notes.: hostname or ip of router +host = +# Option: list +# Notes.: name of "address-list" to use on router +list = Fail2Ban +# Option: startcomment +# Notes.: used as a prefix to all comments, and used to match for flushing rules +startcomment = f2b- +# Option: comment +# Notes.: comment to use on routerOS (must be unique as used for ip address removal) +comment = %(startcomment)s- + +[Init] +name="%(__name__)s"