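# Fail2Ban configuration file
#
# Mikrotik routerOS action to add/remove address-list entries
#
# Author: Duncan Bellamy
# based on forum.mikrotik.com post by pakjebakmeel
#
# in the instructions:
# (10.0.0.1 is ip of mikrotik router)
# (10.0.0.2 is ip of fail2ban machine)
#
# on fail2ban machine:
# (the key directory is only readable by the account fail2ban runs as,
#  typically root; the private key is the only credential for the router user)
# sudo mkdir /var/lib/fail2ban/ssh
# sudo chmod 700 /var/lib/fail2ban/ssh
# sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa
# sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/
# ssh admin@10.0.0.1
#
# on mikrotik router:
# (address=10.0.0.2 limits this user to logins coming from the fail2ban
#  machine - keep that restriction; password="" is why the "password login
#  fails" check below matters. group=write grants more than address-list
#  maintenance needs; if your RouterOS version lets you define a narrower
#  group, prefer it)
# /user add name=miki-f2b group=write address=10.0.0.2 password=""
# /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b
# /quit
#
# on fail2ban machine:
# (check password login fails)
# ssh miki-f2b@10.0.0.1
# (check private key works - running this as the fail2ban account also
#  records the router host key in that account's known_hosts, which the
#  non-interactive ban/unban runs presumably rely on; confirm before relying on it)
# sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1
#
# Then create rules on mikrotik router that use address
# list(s) maintained by fail2ban eg in the forward chain
# drop from address list, or in the forward chain drop
# from address list to server
#
# example extract from jail.local overriding some defaults
# action = mikrotik[keyfile="%(mkeyfile)s", user="%(muser)s", host="%(mhost)s", list="%(mlist)s"]
#
# ignoreip = 127.0.0.1/8 192.168.0.0/24
# mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa
# muser = myuser
# mhost = 192.168.0.1
# mlist = BAD LIST

[Definition]

# nothing to prepare on the router: entries are created per ban
actionstart =

# on stop remove every entry this action created (see actionflush)
actionstop = %(actionflush)s

# "comment~" is a regular-expression match on RouterOS, so every entry whose
# comment contains the %(startcomment)s prefix is removed; entries added by
# hand with a different comment are left alone
actionflush = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment~\"%(startcomment)s-*\"]"

actioncheck =

# <ip> is replaced by fail2ban with the banned address; the comment is the
# handle actionunban later searches for, so it must be unique per address
actionban = %(command)s "/ip firewall address-list add list=\"%(list)s\" address=<ip> comment=%(comment)s"

actionunban = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment=%(comment)s]"

# one ssh session per ban/unban, authenticated only by %(keyfile)s;
# ssh is run without a terminal, so any interactive prompt (password,
# unknown host key) makes the action fail rather than succeed
command = ssh -l %(user)s -p%(port)s -i %(keyfile)s %(host)s

# Option: user
# Notes.: username to use when connecting to routerOS
user =

# Option: port
# Notes.: port to use when connecting to routerOS
port = 22

# Option: keyfile
# Notes.: ssh private key to use for connecting to routerOS
keyfile =

# Option: host
# Notes.: hostname or ip of router
host =

# Option: list
# Notes.: name of "address-list" to use on router
list = Fail2Ban

# Option: startcomment
# Notes.: used as a prefix to all comments, and used to match for flushing rules
#         (with the default value entries are commented f2b--<ip>)
startcomment = f2b-

# Option: comment
# Notes.: comment to use on routerOS (must be unique as used for ip address removal)
comment = %(startcomment)s-<ip>

[Init]
name="%(__name__)s"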