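# Fail2Ban configuration file
#
# Mikrotik routerOS action to add/remove address-list entries
#
# Author: Duncan Bellamy
# based on forum.mikrotik.com post by pakjebakmeel
#
# in the instructions:
# (10.0.0.1 is ip of mikrotik router)
# (10.0.0.2 is ip of fail2ban machine)
#
# on fail2ban machine:
# sudo mkdir /var/lib/fail2ban/ssh
# sudo chmod 700 /var/lib/fail2ban/ssh
# sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa
# sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/
# ssh admin@10.0.0.1
#
# on mikrotik router:
# (address= restricts the key to logins coming from the fail2ban machine)
# /user add name=miki-f2b group=write address=10.0.0.2 password=""
# /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b
# /quit
#
# on fail2ban machine:
# (check password login fails)
# ssh miki-f2b@10.0.0.1
# (check private key works; doing this as root also lets ssh record the
#  router's host key, which the non-interactive actions below rely on)
# sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1
#
# Then create rules on mikrotik router that use address
# list(s) maintained by fail2ban eg in the forward chain
# drop from address list, or in the forward chain drop
# from address list to server
#
# example extract from jail.local overriding some defaults
# action = mikrotik[mtikkeyfile="%(mkeyfile)s", mtikuser="%(muser)s", mtikhost="%(mhost)s", mtiklistname="%(mlistname)s"]
#
# ignoreip = 127.0.0.1/8 192.168.0.0/24
# mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa
# muser = myuser
# mhost = 192.168.0.1
# mlistname = BAD LIST

[Definition]

actionstart =

actionstop =

actioncheck =

# <ip> is the fail2ban tag for the banned address. It is also appended to
# mtikcomment so that the unban command can find exactly the entry the ban
# created; without it the address= argument is empty and removal has no key.
actionban = %(mtikcommand)s "/ip firewall address-list add list=\"%(mtiklistname)s\" address=<ip> comment=%(mtikcomment)s<ip>"

actionunban = %(mtikcommand)s "/ip firewall address-list remove [find list=\"%(mtiklistname)s\" comment=%(mtikcomment)s<ip>]"

mtikcommand = ssh -l %(mtikuser)s -p%(mtikport)s -i %(mtikkeyfile)s %(mtikhost)s

# Option: mtikuser
# Notes.: username to use when connecting to routerOS
mtikuser =

# Option: mtikport
# Notes.: port to use when connecting to routerOS
mtikport = 22

# Option: mtikkeyfile
# Notes.: ssh private key to use for connecting to routerOS
#         (keep it readable only by the user fail2ban runs as)
mtikkeyfile =

# Option: mtikhost
# Notes.: hostname or ip of router
mtikhost =

# Option: mtiklistname
# Notes.: name of "address-list" to use on router
mtiklistname = Auto Fail2Ban

# Option: mtikcomment
# Notes.: comment to use on routerOS (must be unique as used for ip address removal;
#         <ip> is appended, so the prefix must not collide with other entries)
mtikcomment = AutoF2B--

[Init]

name="%(__name__)s"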