From 9997807fb329b6c850e9c5ecb5564a234050763d Mon Sep 17 00:00:00 2001 From: Duncan Bellamy Date: Sun, 25 Oct 2020 13:46:26 +0000 Subject: [PATCH 1/8] Add action for mikrotik routerOS --- ChangeLog | 7 ++++ config/action.d/mikrotik.conf | 79 +++++++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+) create mode 100644 config/action.d/mikrotik.conf diff --git a/ChangeLog b/ChangeLog index a2259e36..bf8d6e76 100644 --- a/ChangeLog +++ b/ChangeLog @@ -293,7 +293,14 @@ ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools * fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh-2791; * extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag prefix `` with all value of `` tags (gh-2755) +<<<<<<< HEAD +======= +* `actioncheck` behavior is changed now (gh-488), so invariant check as well as restore or repair + of sane environment (in case of recognized unsane state) would only occur on action errors (e. g. + if ban or unban operations are exiting with other code as 0) +* new action for mikrotik routerOS, adds and removes entries from address lists on the router +>>>>>>> Add action for mikrotik routerOS ver. 0.11.1 (2020/01/11) - this-is-the-way ----------- diff --git a/config/action.d/mikrotik.conf b/config/action.d/mikrotik.conf new file mode 100644 index 00000000..91e587aa --- /dev/null +++ b/config/action.d/mikrotik.conf 
@@ -0,0 +1,79 @@ +# Fail2Ban configuration file +# +# Mikrotik routerOS action to add/remove address-list entries +# +# Author: Duncan Bellamy +# based on forum.mikrotik.com post by pakjebakmeel +# +# in the instructions: +# (10.0.0.1 is ip of mikrotik router) +# (10.0.0.2 is ip of fail2ban machine) +# +# on fail2ban machine: +# sudo mkdir /var/lib/fail2ban/ssh +# sudo chmod 700 /var/lib/fail2ban/ssh +# sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa +# sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/ +# ssh admin@10.0.0.1 +# +# on mikrotik router: +# /user add name=miki-f2b group=write address=10.0.0.2 password="" +# /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b +# /quit +# +# on fail2ban machine: +# (check password login fails) +# ssh miki-f2b@10.0.0.1 +# (check private key works) +# sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1 +# +# Then create rules on mikrorik router that use address +# list(s) maintained by fail2ban eg in the forward chain +# drop from address list, or in the forward chain drop +# from address list to server +# +# example extract from jail.local overriding some defaults +# action = mikrotik[mtikkeyfile="%(mkeyfile)s", mtikuser="%(muser)s", mtikhost="%(mhost)s", mtiklistname="%(mlistname)s"] +# +# ignoreip = 127.0.0.1/8 192.168.0.0/24 + +# mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa +# muser = myuser +# mhost = 192.168.0.1 +# mlistname = BAD LIST + +[Definition] + +actionstart = + +actionstop = + +actioncheck = + +actionban = %(mtikcommand)s "/ip firewall address-list add list=\"%(mtiklistname)s\" address= comment=%(mtikcomment)s" + +actionunban = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" comment=%(mtikcomment)s]" + +mtikcommand = ssh -l %(mtikuser)s -p%(mtikport)s -i %(mtikkeyfile)s %(mtikhost)s + +# Option: mktikuser +# Notes.: username to use when connecting to routerOS +mtikuser = +# Option: mtikport +# Notes.: port to 
use when connecting to routerOS +mtikport = 22 +# Option: mtikkeyfile +# Notes.: ssh private key to use for connecting to routerOS +mtikkeyfile = +# Option: mtikhost +# Notes.: hostname or ip of router +mtikhost = +# Option: mtiklistname +# Notes.: name of "address-list" to use on router +mtiklistname = Auto Fail2Ban +# Option: mtikcomment +# Notes.: comment to use on routerOS (must be unique as used for ip address removal) +mtikcomment = AutoF2B-- + +[Init] +name="%(__name__)s" From 0e3e9b1d7f67443c7dc046997718cc6924c83ef4 Mon Sep 17 00:00:00 2001 From: Duncan Bellamy Date: Wed, 25 Nov 2020 18:53:43 +0000 Subject: [PATCH 2/8] Add flushaction Change unban to find by ip address not comment --- config/action.d/mikrotik.conf | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/config/action.d/mikrotik.conf b/config/action.d/mikrotik.conf index 91e587aa..cdf63bcb 100644 --- a/config/action.d/mikrotik.conf +++ b/config/action.d/mikrotik.conf @@ -4,7 +4,7 @@ # # Author: Duncan Bellamy # based on forum.mikrotik.com post by pakjebakmeel -# +## # in the instructions: # (10.0.0.1 is ip of mikrotik router) # (10.0.0.2 is ip of fail2ban machine) @@ -46,13 +46,15 @@ actionstart = -actionstop = +actionstop = %(actionflush)s + +actionflush = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" comment~\"%(startcomment)s*\"]" actioncheck = actionban = %(mtikcommand)s "/ip firewall address-list add list=\"%(mtiklistname)s\" address= comment=%(mtikcomment)s" -actionunban = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" comment=%(mtikcomment)s]" +actionunban = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" address=]" mtikcommand = ssh -l %(mtikuser)s -p%(mtikport)s -i %(mtikkeyfile)s %(mtikhost)s 
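Review bot: `mtikcommand = ssh -l %(mtikuser)s -p%(mtikport)s -i %(mtikkeyfile)s %(mtikhost)s` is run by the fail2ban daemon without `-o BatchMode=yes`, so when the key is refused or the router's host key is not yet in root's known_hosts, ssh may attempt a password or host-key prompt and the ban fails in a way that depends on whether it happened to get a tty, rather than failing fast with a clear error. I would write `mtikcommand = ssh -o BatchMode=yes -l %(mtikuser)s -p%(mtikport)s -i %(mtikkeyfile)s %(mtikhost)s`, which also guarantees the session never downgrades to password authentication; a `-o ConnectTimeout=` value is worth adding so an unreachable router does not hold up the jail. The setup notes create the router user with `password=""` and rely on the `address=10.0.0.2` restriction plus the imported key, so the "(check password login fails)" step is the only verification of that and should be marked as mandatory rather than as an aside. Since `actioncheck =` is left empty, a broken ssh setup only shows up as ban/unban errors in the fail2ban log, which deserves a one-line comment above it. The `address=` and comment values in actionban/actionunban appear to have lost their `<ip>`/`<name>` tags in this rendering; I assume they are present in the real file.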
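Review bot: The new `actionflush` selects entries with `comment~\"%(startcomment)s*\"`, but as far as I know RouterOS `~` is a regular-expression match, not a glob, so `AutoF2B*` means "AutoF2" followed by zero or more "B" and is unanchored — it removes every entry whose comment contains "AutoF2" anywhere, not only those starting with the prefix. The intended prefix match is `comment~\"^%(startcomment)s\"`. The same applies to the `-*` form introduced in PATCH 5/8 (`comment~\"%(startcomment)s-*\"`) and carried forward in renamed form by PATCH 7/8 and 8/8: in a regex `-*` is "zero or more hyphens", so it adds no jail boundary and a prefix like `f2b-sshd` would still match an entry commented `f2b-sshd2-…` (constructed example); an anchored literal separator, `comment~\"^%(startcomment)s-\"`, is what actually gives the boundary there. If `startcomment` ends up carrying the jail name, as PATCH 4/8 appears to do, note that it is not regex-escaped either, so a name containing `.` or `+` silently widens the match.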
@@ -71,9 +73,12 @@ mtikhost = # Option: mtiklistname # Notes.: name of "address-list" to use on router mtiklistname = Auto Fail2Ban +# Option: startcomment +# Notes.: used as a prefix to all comments, and used to match for flushing rules +startcomment = AutoF2B # Option: mtikcomment # Notes.: comment to use on routerOS (must be unique as used for ip address removal) -mtikcomment = AutoF2B-- +mtikcomment = %(startcomment)s-- [Init] name="%(__name__)s" From ac2076ef4fac366fd62a10ec37964d51f23c803b Mon Sep 17 00:00:00 2001 From: Duncan Bellamy Date: Sun, 6 Dec 2020 10:53:21 +0000 Subject: [PATCH 3/8] change unban back to find comment so correct entry always deleted --- config/action.d/mikrotik.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/action.d/mikrotik.conf b/config/action.d/mikrotik.conf index cdf63bcb..0f029af5 100644 --- a/config/action.d/mikrotik.conf +++ b/config/action.d/mikrotik.conf @@ -4,7 +4,7 @@ # # Author: Duncan Bellamy # based on forum.mikrotik.com post by pakjebakmeel -## +# # in the instructions: # (10.0.0.1 is ip of mikrotik router) # (10.0.0.2 is ip of fail2ban machine) @@ -54,7 +54,7 @@ actioncheck = actionban = %(mtikcommand)s "/ip firewall address-list add list=\"%(mtiklistname)s\" address= comment=%(mtikcomment)s" -actionunban = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" address=]" +actionunban = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" comment=%(mtikcomment)s]" mtikcommand = ssh -l %(mtikuser)s -p%(mtikport)s -i %(mtikkeyfile)s %(mtikhost)s From 5781675a7d8a8b9c48074d68ab9acd5964fc2368 Mon Sep 17 00:00:00 2001 From: Duncan Bellamy Date: Tue, 29 Dec 2020 13:17:41 +0000 Subject: [PATCH 4/8] change startcomment and comment so correct rules are flushed --- config/action.d/mikrotik.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
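Review bot: The note for the new `startcomment` option says it is "used to match for flushing rules" without saying how: `actionflush` interpolates it into a RouterOS `~` expression, so the value must be free of regex metacharacters, and with the default `AutoF2B` shared by every jail, `actionstop` of one jail flushes the entries of all jails that use the same address list. I would extend it to `# Notes.: prefix of every comment written by this action; actionflush matches it as a regular expression, so use only letters, digits and '-', and all jails sharing this prefix and list are flushed together on actionstop`. PATCH 4/8 later appears to move the jail name into `startcomment`, which addresses the shared-flush part, so the note should be revised again there.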
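Review bot: `actionunban` now finds the entry by `comment=%(mtikcomment)s`, and `actionban` writes it unquoted the same way, yet both differ from `list=\"%(mtiklistname)s\"`, which is quoted precisely because the default list name contains a space; if the jail name that feeds `mtikcomment` ever contains a space or a RouterOS-special character, the add and the remove both break on the router side with nothing in fail2ban's log beyond a non-zero exit code. Quoting the comment consistently, `comment=\"%(mtikcomment)s\"` in both lines, keeps the two in step with the `list=` argument and makes the failure mode predictable. The `[Definition]` section continues outside the hunk.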
diff --git a/config/action.d/mikrotik.conf b/config/action.d/mikrotik.conf index 0f029af5..300fde20 100644 --- a/config/action.d/mikrotik.conf +++ b/config/action.d/mikrotik.conf @@ -75,10 +75,10 @@ mtikhost = mtiklistname = Auto Fail2Ban # Option: startcomment # Notes.: used as a prefix to all comments, and used to match for flushing rules -startcomment = AutoF2B +startcomment = f2b- # Option: mtikcomment # Notes.: comment to use on routerOS (must be unique as used for ip address removal) -mtikcomment = %(startcomment)s-- +mtikcomment = %(startcomment)s- [Init] name="%(__name__)s" From d46ec3a5550daabcf040cac65ff71b5721d51333 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Tue, 29 Dec 2020 15:30:32 +0100 Subject: [PATCH 5/8] add jail boundary to flush command for more precise targeting of jail (if some name may be equal to prefix of other name) --- config/action.d/mikrotik.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/action.d/mikrotik.conf b/config/action.d/mikrotik.conf index 300fde20..96262587 100644 --- a/config/action.d/mikrotik.conf +++ b/config/action.d/mikrotik.conf @@ -48,7 +48,7 @@ actionstart = actionstop = %(actionflush)s -actionflush = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" comment~\"%(startcomment)s*\"]" +actionflush = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" comment~\"%(startcomment)s-*\"]" actioncheck = From b892133d516d1389a647a287a1a3b58e2eece65f Mon Sep 17 00:00:00 2001 From: Duncan Bellamy Date: Wed, 8 Mar 2023 09:20:51 +0000 Subject: [PATCH 6/8] move new comment in changelog --- ChangeLog | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index bf8d6e76..bc92243c 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -18,6 +18,7 @@ ver. 1.0.3-dev-1 (20??/??/??) - development nightly edition (value read from `/proc/sys/net/ipv6/conf/all/disable_ipv6`) if available, otherwise seeks over local IPv6 from network interfaces if available for platform and uses DNS to find local IPv6 as a fallback only * improve `ignoreself` by considering all local addresses from network interfaces additionally to IPs from hostnames (gh-3132) +* new action for mikrotik routerOS, adds and removes entries from address lists on the router ver. 1.0.2 (2022/11/09) - finally-war-game-test-tape-not-a-nuclear-alarm @@ -293,14 +294,7 @@ ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools * fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh-2791; * extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag prefix `` with all value of `` tags (gh-2755) -<<<<<<< HEAD -======= -* `actioncheck` behavior is changed now (gh-488), so invariant check as well as restore or repair - of sane environment (in case of recognized unsane state) would only occur on action errors (e. g. - if ban or unban operations are exiting with other code as 0) -* new action for mikrotik routerOS, adds and removes entries from address lists on the router ->>>>>>> Add action for mikrotik routerOS ver. 0.11.1 (2020/01/11) - this-is-the-way ----------- From 9b1417a16912562f15b5e1e252f16d6b1360fa41 Mon Sep 17 00:00:00 2001 From: Duncan Bellamy Date: Wed, 8 Mar 2023 09:29:03 +0000 Subject: [PATCH 7/8] apply suggestions --- config/action.d/mikrotik.conf | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/config/action.d/mikrotik.conf b/config/action.d/mikrotik.conf index 96262587..30e9bac5 100644 --- a/config/action.d/mikrotik.conf +++ b/config/action.d/mikrotik.conf 
@@ -33,14 +33,14 @@ # from address list to server # # example extract from jail.local overriding some defaults -# action = mikrotik[mtikkeyfile="%(mkeyfile)s", mtikuser="%(muser)s", mtikhost="%(mhost)s", mtiklistname="%(mlistname)s"] +# action = mikrotik[keyfile="%(mkeyfile)s", user="%(muser)s", host="%(mhost)s", list="%(mlist)s"] # # ignoreip = 127.0.0.1/8 192.168.0.0/24 # mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa # muser = myuser # mhost = 192.168.0.1 -# mlistname = BAD LIST +# mlist = BAD LIST [Definition] 
@@ -48,35 +48,35 @@ actionstart = actionstop = %(actionflush)s -actionflush = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" comment~\"%(startcomment)s-*\"]" +actionflush = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment~\"%(startcomment)s-*\"]" actioncheck = -actionban = %(mtikcommand)s "/ip firewall address-list add list=\"%(mtiklistname)s\" address= comment=%(mtikcomment)s" +actionban = %(command)s "/ip firewall address-list add list=\"%(list)s\" address= comment=%(comment)s" -actionunban = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" comment=%(mtikcomment)s]" +actionunban = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment=%(comment)s]" -mtikcommand = ssh -l %(mtikuser)s -p%(mtikport)s -i %(mtikkeyfile)s %(mtikhost)s +mtikcommand = ssh -l %(user)s -p%(port)s -i %(keyfile)s %(host)s -# Option: mktikuser +# Option: user # Notes.: username to use when connecting to routerOS mtikuser = -# Option: mtikport +# Option: port # Notes.: port to use when connecting to routerOS mtikport = 22 -# Option: mtikkeyfile +# Option: keyfile # Notes.: ssh private key to use for connecting to routerOS mtikkeyfile = -# Option: mtikhost +# Option: host # Notes.: hostname or ip of router mtikhost = -# Option: mtiklistname +# Option: list # Notes.: name of "address-list" to use on router -mtiklistname = Auto Fail2Ban +mtiklistname = Fail2Ban # Option: startcomment # Notes.: used as a prefix to all comments, and used to match for flushing rules startcomment = f2b- -# Option: mtikcomment +# Option: comment # Notes.: comment to use on routerOS (must be unique as used for ip address removal) mtikcomment = %(startcomment)s- From 7dc32971f8fa9fb4b4260e4a641aaedde68756d2 Mon Sep 17 00:00:00 2001 
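Review bot: This hunk switches every reference to `%(command)s`, `%(user)s`, `%(port)s`, `%(keyfile)s`, `%(host)s`, `%(list)s` and `%(comment)s` while the keys that define them are still `mtikcommand`, `mtikuser`, `mtikport`, `mtikkeyfile`, `mtikhost`, `mtiklistname` and `mtikcomment` (only the `# Option:` comments were renamed), so at this commit the interpolation cannot resolve and the action does not load. PATCH 8/8 completes the rename, so the two should be squashed to keep every commit in the series usable. The default list name also changes from `Auto Fail2Ban` to `Fail2Ban` here, which the commit message ("apply suggestions") does not mention and which deserves a line in the ChangeLog entry for anyone who copied the old default into router firewall rules.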
From: Duncan Bellamy Date: Wed, 8 Mar 2023 12:16:35 +0000 Subject: [PATCH 8/8] changed missed names --- config/action.d/mikrotik.conf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/config/action.d/mikrotik.conf b/config/action.d/mikrotik.conf index 30e9bac5..9343c86b 100644 --- a/config/action.d/mikrotik.conf +++ b/config/action.d/mikrotik.conf @@ -56,29 +56,29 @@ actionban = %(command)s "/ip firewall address-list add list=\"%(list)s\" address actionunban = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment=%(comment)s]" -mtikcommand = ssh -l %(user)s -p%(port)s -i %(keyfile)s %(host)s +command = ssh -l %(user)s -p%(port)s -i %(keyfile)s %(host)s # Option: user # Notes.: username to use when connecting to routerOS -mtikuser = +user = # Option: port # Notes.: port to use when connecting to routerOS -mtikport = 22 +port = 22 # Option: keyfile # Notes.: ssh private key to use for connecting to routerOS -mtikkeyfile = +keyfile = # Option: host # Notes.: hostname or ip of router -mtikhost = +host = # Option: list # Notes.: name of "address-list" to use on router -mtiklistname = Fail2Ban +list = Fail2Ban # Option: startcomment # Notes.: used as a prefix to all comments, and used to match for flushing rules startcomment = f2b- # Option: comment # Notes.: comment to use on routerOS (must be unique as used for ip address removal) -mtikcomment = %(startcomment)s- +comment = %(startcomment)s- [Init] name="%(__name__)s"
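Review bot: Renaming `mtikport` to `port` makes the router's ssh port collide with the `port` parameter that fail2ban's stock `action_` templates in jail.conf pass to the ban action (`port="%(port)s"`, the jail's own service port), so anyone selecting this action via `banaction = mikrotik` would, if I read the templates right, have ssh aimed at the port the jail protects instead of the router's ssh port. If the plain name is kept for consistency with the other options, the note should warn about it: `# Notes.: ssh port of the router; the default action_ templates pass the jail's own port as 'port', so set it explicitly in the action line when using banaction`. Separately, `name="%(__name__)s"` under `[Init]` in the trailing context keeps the double quotes as literal characters under a configparser-style reader, so they end up inside the `comment=` argument of the ssh command and survive only because the shell concatenates adjacent quoted strings; `name = %(__name__)s` without quotes would be the cleaner form, assuming that line is meant to seed the jail name at all.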