https://wiki.mikrotik.com/index.php?title=Use_Mikrotik_as_Fail2ban_firewall&feed=atom&action=history
Use Mikrotik as Fail2ban firewall - Revision history
2024-03-28T12:42:48Z
Revision history for this page on the wiki
MediaWiki 1.38.2

https://wiki.mikrotik.com/index.php?title=Use_Mikrotik_as_Fail2ban_firewall&diff=29829&oldid=prev
Marisb: /* Configuration on Linux side */
2017-10-04T13:29:23Z
<p><span dir="auto"><span class="autocomment">Configuration on Linux side</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:29, 4 October 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l128">Line 128:</td>
<td colspan="2" class="diff-lineno">Line 128:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>actionunban = mikrotik ":ip firewall filter remove [:ip firewall filter find comment=AutoFail2ban-<ip>]"</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>actionunban = mikrotik ":ip firewall filter remove [:ip firewall filter find comment=AutoFail2ban-<ip>]"</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">{{Note | Instead of adding drop rule for each IP, you could use single drop rule and address list to save CPU resources}}</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>OK now we configured ban and unban actions </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>OK now we configured ban and unban actions </div></td></tr>
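Review bot: the Note added at the end of this hunk recommends a single drop rule plus an address list, but the actionunban line kept as context just above it still removes a per-IP filter rule, so the section now contradicts itself; either rewrite both actions for the address-list variant (add <ip> to a named list in actionban, remove that entry in actionunban, and keep one drop rule matching src-address-list) or say explicitly that the per-IP rules are the simple variant and the address list is the alternative. The empty inserted line just before the Note can be dropped, and "adding drop rule for each IP" should read "adding a drop rule for each IP".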
</table>
Marisb
https://wiki.mikrotik.com/index.php?title=Use_Mikrotik_as_Fail2ban_firewall&diff=29828&oldid=prev
Marisb: /* Preparing */
2017-10-04T13:25:46Z
<p><span dir="auto"><span class="autocomment">Preparing</span></span></p>
<p><b>New page</b></p><div>== The Explanation ==<br />
<br />
This tutorial shows how to configure Fail2ban to use a MikroTik router as its firewall.<br />
Fail2ban is a very helpful application that lets system administrators easily detect and block attack attempts. It scans log files (e.g. /var/log/auth.log) and bans IPs that show malicious signs (too many password failures, probing for exploits, etc.). By default Fail2ban uses iptables on the local host as its firewall, but here we configure the system so that all firewall rules live in one place: on the router in front of the server.<br />
<br />
''P.S.'' Fail2ban comes with filters for various services (apache, courier, ssh, postfix, asterisk, etc.).<br />
<br />
OK, let's start :-)<br />
<br />
== Preparing ==<br />
<br />
Our first step is to generate an SSH key pair for the non-interactive login from the Linux server to the router.<br />
<br />
Note that RouterOS 2.9.13 and later versions support SSH logins.<br />
{{ Note | RouterOS v6 and later require RSA keys. The transcript below was made with a DSA key; on a current system run ssh-keygen -t rsa instead and use id_rsa / id_rsa.pub wherever id_dsa / id_dsa.pub appears below. OpenSSH 7.0 and later refuse DSA keys by default, and the newest releases have dropped DSA support entirely. }}<br />
<br />
Use this command to generate keys.<br />
<pre><br />
admin@linux:/$ ssh-keygen -t dsa<br />
<br />
Generating public/private dsa key pair.<br />
Enter file in which to save the key (/root/.ssh/id_dsa):<br />
Enter passphrase (empty for no passphrase):<br />
Enter same passphrase again:<br />
Your identification has been saved in /root/.ssh/id_dsa.<br />
Your public key has been saved in /root/.ssh/id_dsa.pub.<br />
The key fingerprint is:<br />
b8:ea:79:ad:61:c4:e0:1a:66:46:5b:0e:70:b6:aa:38 user@example.org<br />
The key's randomart image is:<br />
+--[ DSA 1024]----+<br />
|. o |<br />
| + . |<br />
| + o |<br />
| o * o . |<br />
|. * o + S |<br />
|o+ o . . |<br />
|E . +. |<br />
| . +... |<br />
| .+... |<br />
+---------+<br />
</pre><br />
<br />
'''DO NOT ENTER A PASSPHRASE.'''<br />
Fail2ban will call ssh unattended, so the private key must be usable without one. That makes the key file itself the secret: keep it readable only by root (chmod 600) and remember that anyone who can read it can log in to the router as the user we create below.<br />
Now we need to upload id_dsa.pub to the router and import it.<br />
The file is at /home/user/.ssh/id_dsa.pub, or /root/.ssh/id_dsa.pub if you generated it as root. Copy it to the router's file list first (for example with scp, or through the Files window in Winbox) so that the import command below can find it.<br />
<br />
== Configuration on Mikrotik side ==<br />
<br />
<pre>[admin@mikrotik] > user add name=linux address=LINUX-SERVER-IP-ADDRESS group=full</pre><br />
<br />
This command adds a user with no password set, in the built-in full group, who may log in only from your Linux server's address. The full group is more than the job needs: for least privilege, create a dedicated group that grants only the ssh, read and write policies (enough to add and remove firewall rules) and put the user there. Also check that /ip ssh still has always-allow-password-login=no (the default), so that once the key below is imported this user can authenticate only with that key.<br />
<br />
<pre>[admin@mikrotik] > user ssh-keys import public-key-file=id_dsa.pub user=linux</pre><br />
<br />
This command imports the uploaded id_dsa.pub public key into the router's key store and binds it to the user linux.<br />
<br />
== Configuration on Linux side ==<br />
<br />
On the Linux side we must create an executable file named mikrotik in /usr/bin.<br />
<br />
<pre>touch /usr/bin/mikrotik<br />
chmod 755 /usr/bin/mikrotik</pre><br />
<br />
and put this bash script into it. It runs the single argument it is given as a command on the router.<br />
<pre><br />
#!/bin/bash<br />
# BatchMode makes ssh fail instead of hanging on a prompt when Fail2ban runs it unattended<br />
ssh -o BatchMode=yes -l linux -p 22 -i /root/.ssh/id_dsa MIKROTIK-IP-ADDRESS "$1"<br />
</pre><br />
Before relying on it, run it once by hand as root with a harmless command such as /system resource print, so that the router's host key is recorded in /root/.ssh/known_hosts; with BatchMode an unknown host key is an error, not a prompt.<br />
<br />
Now create a new file named mikrotik.conf in the /etc/fail2ban/action.d/ directory<br />
<br />
<pre>nano /etc/fail2ban/action.d/mikrotik.conf</pre><br />
<br />
and put this text into it.<br />
<pre><br />
# Fail2Ban configuration file<br />
#<br />
# Author: Ludwig Markosyan<br />
# Release 09/02/2013<br />
#<br />
# $Version: 1.0 BETA $<br />
#<br />
# Each action below is passed as one argument to /usr/bin/mikrotik, which runs<br />
# it on the router over ssh. RouterOS command paths start with "/" (e.g.<br />
# "/ip firewall filter"); the ":" prefix is only for scripting commands.<br />
<br />
[Definition]<br />
<br />
# Option: actionstart<br />
# Notes.: command executed once at the start of Fail2Ban.<br />
# Values: CMD<br />
#<br />
actionstart =<br />
<br />
<br />
# Option: actionstop<br />
# Notes.: command executed once at the end of Fail2Ban<br />
# Values: CMD<br />
#<br />
actionstop =<br />
<br />
<br />
# Option: actioncheck<br />
# Notes.: command executed once before each actionban command<br />
# Values: CMD<br />
#<br />
actioncheck =<br />
<br />
<br />
# Option: actionban<br />
# Notes.: command executed when banning an IP. Take care that the<br />
# command is executed with Fail2Ban user rights.<br />
# The Linux server sits behind the router, so the rule goes in the forward<br />
# chain and matches the attacker as src-address (dst-address would only<br />
# drop the server's replies and still let the attacker's packets through).<br />
# The rule is appended after the existing forward rules: make sure no<br />
# earlier rule already accepts this traffic, or position it with place-before=.<br />
# Tags: <ip> IP address<br />
# <failures> number of failures<br />
# <time> unix timestamp of the ban time<br />
# Values: CMD<br />
#<br />
actionban = mikrotik "/ip firewall filter add action=drop chain=forward src-address=<ip> comment=AutoFail2ban-<ip>"<br />
<br />
<br />
# Option: actionunban<br />
# Notes.: command executed when unbanning an IP. Take care that the<br />
# command is executed with Fail2Ban user rights.<br />
# Removes every rule tagged with this IP's comment.<br />
# Tags: <ip> IP address<br />
# <failures> number of failures<br />
# <time> unix timestamp of the ban time<br />
# Values: CMD<br />
#<br />
<br />
actionunban = mikrotik "/ip firewall filter remove [/ip firewall filter find comment=AutoFail2ban-<ip>]"<br />
</pre><br />
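The following is an added example; it is not the wiki author's wrapper and not MikroTik or Fail2ban project code. It replaces both the two-line /usr/bin/mikrotik script above and the raw RouterOS commands in the action file with one hardened wrapper that takes the address-list approach (one drop rule matching a list, with entries added and removed per ban) and validates the address before it can reach the router's command line. Everything it assumes is invented for the example: router address 192.0.2.1, a RouterOS user fail2ban in a group limited to the ssh, read and write policies, the key /root/.ssh/id_fail2ban, an address list named fail2ban, and Fail2ban's <bantime> tag (available in Fail2ban 0.9 and later; omit it on older releases).<br />

```shell
#!/bin/sh
# /usr/bin/mikrotik, hardened variant (added example, not the wiki author's script).
# Assumed, not from the page: router 192.0.2.1, RouterOS user "fail2ban" in a group with
# only the ssh, read and write policies, key /root/.ssh/id_fail2ban, and an address list
# named "fail2ban" that a single forward-chain drop rule matches.
set -u

ROUTER=${MIKROTIK_HOST:-192.0.2.1}
ROUTER_USER=${MIKROTIK_USER:-fail2ban}
KEY=${MIKROTIK_KEY:-/root/.ssh/id_fail2ban}
LIST=${MIKROTIK_LIST:-fail2ban}
TAG=AutoFail2ban

# Syntactic IPv4/IPv6 check. Fail2ban validates <ip> itself, but this wrapper is the last
# stop before a remote CLI, so spaces, ';' or ']' must never reach the command line.
valid_ip() {
    if printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        for octet in $(printf '%s' "$1" | tr . ' '); do
            if [ "$octet" -gt 255 ]; then return 1; fi
        done
        return 0
    fi
    case $1 in
        *:*:*) if printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f:]{2,39}$'; then return 0; fi ;;
    esac
    return 1
}

# Build the RouterOS command for one Fail2ban action: start, ban <ip> [bantime], unban <ip>.
routeros_cmd() {
    action=$1; ip=${2:-}; bantime=${3:-}
    case $action in
        start)
            # Idempotent: create the single drop rule only if none carries our comment,
            # then move it to the top so no earlier accept rule shadows it.
            printf '%s' ":if ([:len [/ip firewall filter find comment=\"$TAG\"]] = 0) do={ /ip firewall filter add chain=forward src-address-list=$LIST action=drop comment=\"$TAG\"; /ip firewall filter move [find comment=\"$TAG\"] 0 }"
            ;;
        ban)
            if ! valid_ip "$ip"; then return 1; fi
            case $bantime in
                ''|0|-1)  expire='' ;;                      # unlimited: Fail2ban unbans explicitly
                *[!0-9]*) return 1 ;;                       # anything else non-numeric is refused
                *)        expire=" timeout=${bantime}s" ;;  # router expires the entry by itself
            esac
            printf '%s' "/ip firewall address-list add list=$LIST address=$ip$expire comment=\"$TAG-$ip\""
            ;;
        unban)
            if ! valid_ip "$ip"; then return 1; fi
            printf '%s' "/ip firewall address-list remove [find list=$LIST address=$ip]"
            ;;
        *)
            return 1
            ;;
    esac
}

# Run one command on the router, or just print it when MIKROTIK_DRY_RUN is set.
run_remote() {
    if [ -n "${MIKROTIK_DRY_RUN:-}" ]; then
        printf 'would run on %s as %s: %s\n' "$ROUTER" "$ROUTER_USER" "$1"
        return 0
    fi
    # BatchMode: fail instead of prompting; StrictHostKeyChecking=yes: refuse unknown or
    # changed router keys (record the key in /root/.ssh/known_hosts once, by hand);
    # IdentitiesOnly: offer only this key; ConnectTimeout: never stall Fail2ban.
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes \
        -o ConnectTimeout=10 -i "$KEY" -l "$ROUTER_USER" "$ROUTER" "$1"
}

main() {
    if cmd=$(routeros_cmd "$@"); then
        run_remote "$cmd"
    else
        echo "mikrotik: refusing arguments: $*" >&2
        return 2
    fi
}

# Fail2ban always passes arguments; with none (e.g. when sourced for testing) do nothing.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With this wrapper the action lines become actionstart = mikrotik start, actionban = mikrotik ban <ip> <bantime> and actionunban = mikrotik unban <ip>. Setting MIKROTIK_DRY_RUN=1 prints the generated RouterOS command instead of connecting, which is how to inspect it before pointing the script at a real router. The router side needs, once: /user group add name=fail2ban policy=ssh,read,write, a user in that group restricted with address= to the server, the public key imported for that user, and the router's host key recorded in /root/.ssh/known_hosts (connect once by hand and verify the fingerprint).<br />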
<br />
OK, now we have configured the ban and unban actions.<br />
<br />
Next we must edit jail.conf (or better a jail.local override, which survives package upgrades) to tell Fail2ban to use mikrotik as the ban action.<br />
<br />
<pre>nano /etc/fail2ban/jail.conf</pre><br />
<br />
<br />
I will show an example for the Asterisk jail; you can do the same for any other.<br />
<br />
<pre><br />
[ASTERISK]<br />
enabled = true<br />
filter = asterisk<br />
action = mikrotik<br />
         sendmail-whois[name=ASTERISK, dest=me@ludnix.info, sender=fail2ban@ludnix.info]<br />
logpath = /var/log/asterisk/full<br />
maxretry = 10<br />
bantime = 3600<br />
</pre><br />
The second action line must be indented: Fail2ban reads a multi-line value only when the continuation lines start with whitespace.<br />
<br />
OK, that's all. I'm open to any questions and remarks about this script; you can write to me at ''ludwig@markosyan.info''.<br />
<br />
<br />
Thanks for your interest.</div>
Marisb