mirror of https://github.com/fail2ban/fail2ban
Sergey G. Brester
2 years ago
committed by
GitHub
2 changed files with 85 additions and 0 deletions
@ -0,0 +1,84 @@ |
# Fail2Ban configuration file |
# |
# Mikrotik routerOS action to add/remove address-list entries |
# |
# Author: Duncan Bellamy <dunk@denkimushi.com> |
# based on forum.mikrotik.com post by pakjebakmeel |
# |
# in the instructions: |
# (10.0.0.1 is ip of mikrotik router) |
# (10.0.0.2 is ip of fail2ban machine) |
# |
# on fail2ban machine: |
# sudo mkdir /var/lib/fail2ban/ssh |
# sudo chmod 700 /var/lib/fail2ban/ssh |
# sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa |
# sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/ |
# ssh admin@10.0.0.1 |
# |
# on mikrotik router: |
# /user add name=miki-f2b group=write address=10.0.0.2 password="" |
# /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b |
# /quit |
# |
# on fail2ban machine: |
# (check password login fails) |
# ssh miki-f2b@10.0.0.1 |
# (check private key works) |
# sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1 |
# |
# Then create rules on mikrorik router that use address |
# list(s) maintained by fail2ban eg in the forward chain |
# drop from address list, or in the forward chain drop |
# from address list to server |
# |
# example extract from jail.local overriding some defaults |
# action = mikrotik[keyfile="%(mkeyfile)s", user="%(muser)s", host="%(mhost)s", list="%(mlist)s"] |
# |
# ignoreip = 127.0.0.1/8 192.168.0.0/24 |
|
# mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa |
# muser = myuser |
# mhost = 192.168.0.1 |
# mlist = BAD LIST |
|
[Definition] |
|
actionstart = |
|
actionstop = %(actionflush)s |
|
actionflush = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment~\"%(startcomment)s-*\"]" |
|
actioncheck = |
|
actionban = %(command)s "/ip firewall address-list add list=\"%(list)s\" address=<ip> comment=%(comment)s" |
|
actionunban = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment=%(comment)s]" |
|
command = ssh -l %(user)s -p%(port)s -i %(keyfile)s %(host)s |
|
# Option: user |
# Notes.: username to use when connecting to routerOS |
user = |
# Option: port |
# Notes.: port to use when connecting to routerOS |
port = 22 |
# Option: keyfile |
# Notes.: ssh private key to use for connecting to routerOS |
keyfile = |
# Option: host |
# Notes.: hostname or ip of router |
host = |
# Option: list |
# Notes.: name of "address-list" to use on router |
list = Fail2Ban |
# Option: startcomment |
# Notes.: used as a prefix to all comments, and used to match for flushing rules |
startcomment = f2b-<name> |
# Option: comment |
# Notes.: comment to use on routerOS (must be unique as used for ip address removal) |
comment = %(startcomment)s-<ip> |
|
[Init] |
name="%(__name__)s" |
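Review bot: The flush match in `actionflush` is built on RouterOS's `~` operator, which is a regex match rather than a glob, so `comment~\"f2b-<name>-*\"` is an unanchored pattern in which `-*` means "zero or more dashes": flushing a jail named `ssh` would also remove address-list entries whose comment merely contains `f2b-ssh`, for example those of a jail named `ssh-extra`. Anchoring the pattern and dropping the trailing `*` limits the removal to this jail's own entries: `actionflush = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment~\"^%(startcomment)s-\"]"`. Separately, the `[Init]` line `name="%(__name__)s"` departs from the `key = value` spacing used by every other key in the file and wraps the value in double quotes; if fail2ban's config reader keeps those quotes literally, the `<name>` tag expands with them into every comment and into the flush pattern, so `name = %(__name__)s` is the safer form unless the quoting is deliberate, in which case a comment above the line stating why would help the next maintainer.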