So it's time to get the MikroTik acting as the firewall. For this I will use an SSH key, since the commands that block IPs will go to the router over SSH. I am going to use address lists on the MikroTik, simply because I already have firewall rules set up for those lists, which I have populated by hand in the past.
This howto can be found on https://wiki.mikrotik.com/wiki/Use_Mikrotik_as_Fail2ban_firewall; the only change I make is to use address lists on the MikroTik, so one firewall rule covers all banned addresses. I will have one temp_ban and one perm_ban list to populate.
Start by creating an SSH key for the root user on the server. Leave the passphrase empty: fail2ban will use this key unattended, and a key that asks for a passphrase would make the action hang or fail. Note that ssh-keygen -t dsa produces a 1024-bit DSA key, which OpenSSH 7.0 and later refuse to use by default; on a current server generate an RSA key instead (RouterOS imports RSA keys with the same command used below).
```
admin@linux:/$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
b8:ea:79:ad:61:c4:e0:1a:66:46:5b:0e:70:b6:aa:38 user@example.org
The key's randomart image is:
+--[ DSA 1024]----+
|. o              |
| + .             |
| + o             |
| o * o .         |
|. * o + S        |
|o+ o . . .       |
|E . +.           |
| . +...          |
|  .+...          |
+-----------------+
```
Now upload your public key, id_dsa.pub, to the MikroTik and import it. Keep in mind that a plain FTP session like the one below sends the admin password in clear text, so do this on a trusted network, or use scp or the WinBox file upload if your RouterOS version offers them.
```
root@ubuntu:~# ftp 192.168.0.1
Connected to 192.168.0.1.
220 MikroTik FTP server (MikroTik 5.23) ready
Name (192.168.0.1:jani): admin
331 Password required for admin
Password:
230 User admin logged in
Remote system type is UNIX.
ftp> put /root/.ssh/id_dsa.pub fail2bankey
local: /root/.ssh/id_dsa.pub remote: fail2bankey
200 PORT command successful
150 Opening ASCII mode data connection for 'fail2bankey'
226 ASCII transfer complete
603 bytes sent in 0.00 secs (5165.5 kB/s)
ftp> exit
221 Closing
```
Then we configure the MikroTik side: open a console on the MikroTik, add the linux user and import the key for that user. Two things are worth tightening here. First, group=full gives this key full administrative rights on the router, while adding and removing address-list entries only needs the ssh, read and write policies, so a dedicated user group with just those policies limits what a compromised server could do to the router. Second, a user added without password= accepts an empty password, so set a strong one even though logins will use the key. The address= restriction, which only lets the account log in from the server, is the right idea and should stay.
```
[admin@MikroTik] > user add name=linux address=192.168.0.80 group=full
[admin@MikroTik] > user ssh-keys import public-key-file=fail2bankey user=linux
```
That's it for now on the MikroTik; back to configuring the server side.
```bash
nano /usr/bin/mikrotik
```
Add this to the file, and then make it executable, or fail2ban will not be able to run it:
```bash
#!/bin/bash
# $1 is the RouterOS command to run; BatchMode=yes fails fast instead of hanging on a password prompt
ssh -o BatchMode=yes -l linux -p22 -i /root/.ssh/id_dsa 192.168.0.1 "$1"
```
Now create the MikroTik action file, which handles the banning on the MikroTik side:
```bash
nano /etc/fail2ban/action.d/mikrotik.conf
```
And in that file we write
```ini
# fail2ban only reads the commands below from a [Definition] section
[Definition]

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip>       IP address
#         <failures> number of failures
#         <time>     unix timestamp of the ban time
#         <name>     protocol name
#         <list>     address-list name, passed in from the jail
# Values: CMD
#
# The second command logs the ban to the fail2sql database; drop that line if you do not run fail2sql.
actionban = mikrotik "/ip firewall address-list add list=<list> address=<ip> comment=<name>"
            /usr/local/fail2sql/fail2sql <name> <protocol> <port> <ip>

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip>       IP address
#         <failures> number of failures
#         <time>     unix timestamp of the ban time
# Values: CMD
#
actionunban = mikrotik "/ip firewall address-list remove [/ip firewall address-list find where address=<ip> list=<list>]"
```
Then configure the [ssh] section in jail.local:
```ini
[ssh]
enabled  = true
port     = ssh
filter   = sshd
action   = mikrotik[name=ssh, list=temp_ban, protocol=tcp, port=22]
           sendmail-whois[name=SSH, dest=destinationemail, sender=senderemail]
logpath  = /var/log/auth.log
maxretry = 3
findtime = 600
bantime  = 600
```
After this, just restart the fail2ban service:
```bash
service fail2ban restart
```
And now the temp_ban list on the MikroTik should get populated instead of iptables locally. Although I noticed while testing that with every fail2ban service restart all the bans were deleted, so we need to fix that so they are persistent after a reboot/service restart. But after a few hours of testing I could not find any way of re-populating fail2ban with temporary bans; they are acting as permanent bans, because if I have a command on unban to delete the IP from my temp_ban list, then it seems that every restart of the service runs the unban command and empties my temp_ban list. Will come back to this; at least writing the IP number to a file is a viable solution for permanent bans, so I will fix that in order and let temp bans be as they are now.
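The server side of this whole procedure (the wrapper that the fail2ban action calls) together with the restart problem just described, as an added example that is not from the original post or the MikroTik wiki: a hardened drop-in for /usr/bin/mikrotik. It validates everything fail2ban hands it before splicing it into a RouterOS command line, never hangs on a password prompt, refuses a router whose host key is not already known, records each ban locally so it can be re-pushed, and can pass a RouterOS address-list timeout so the router expires temp bans on its own. The ban/unban/restore sub-commands, the MIKROTIK_* environment overrides and the state-file location are assumptions of this example, not part of the original setup.

```sh
#!/bin/sh
# Hardened replacement for the /usr/bin/mikrotik wrapper used in this howto.
# Added example, not the original post's script: the state file, the
# environment-variable overrides and the sub-command names are assumptions.
#   mikrotik ban <list> <ip> <comment> [timeout]   e.g. ban temp_ban 203.0.113.5 ssh 10m
#   mikrotik unban <list> <ip>
#   mikrotik restore        re-add every ban recorded in the state file

ROUTER="${MIKROTIK_HOST:-192.168.0.1}"
ROUTER_USER="${MIKROTIK_USER:-linux}"
KEY="${MIKROTIK_KEY:-/root/.ssh/id_rsa}"
STATE="${MIKROTIK_STATE:-/var/lib/fail2ban/mikrotik-bans}"   # assumed location
SSH_CMD="${MIKROTIK_SSH:-ssh}"   # can point at a stub for offline testing

# Send one RouterOS command. BatchMode=yes: never hang on a password prompt
# when fail2ban runs this unattended. StrictHostKeyChecking=yes: refuse a
# router whose host key is not already in known_hosts (add it once by hand).
# stdin comes from /dev/null so ssh cannot swallow the loop input in restore().
router() {
    "$SSH_CMD" -o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=10 \
        -i "$KEY" -l "$ROUTER_USER" "$ROUTER" "$1" < /dev/null
}

# Everything passed in is spliced into a RouterOS command line, so accept only
# a dotted-quad IPv4 address (all that fail2ban 0.8's sshd filter ever yields).
valid_ip() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
}
# List names, comments and timeouts: letters, digits, _ and - only, so no
# spaces, quotes, brackets or semicolons ever reach the router's CLI.
valid_word() { case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac; }

# RouterOS commands. With a timeout the router expires the entry itself, so a
# temp ban outlives a fail2ban restart and still ends when it should.
ban_cmd() {
    if [ -n "$4" ]; then
        printf '/ip firewall address-list add list=%s address=%s comment=%s timeout=%s' "$1" "$2" "$3" "$4"
    else
        printf '/ip firewall address-list add list=%s address=%s comment=%s' "$1" "$2" "$3"
    fi
}
unban_cmd() {
    printf '/ip firewall address-list remove [/ip firewall address-list find where address=%s list=%s]' "$2" "$1"
}

ban() {   # <list> <ip> <comment> [timeout]
    valid_word "$1" && valid_ip "$2" && valid_word "$3" && { [ -z "$4" ] || valid_word "$4"; } \
        || { echo "mikrotik: rejected argument" >&2; return 2; }
    router "$(ban_cmd "$1" "$2" "$3" "$4")" || return 1
    mkdir -p "$(dirname "$STATE")"
    grep -qxF "$1 $2 $3${4:+ $4}" "$STATE" 2>/dev/null || echo "$1 $2 $3${4:+ $4}" >> "$STATE"
}

unban() {  # <list> <ip>
    valid_word "$1" && valid_ip "$2" || { echo "mikrotik: rejected argument" >&2; return 2; }
    router "$(unban_cmd "$1" "$2")" || return 1
    if [ -f "$STATE" ]; then
        grep -v "^$1 $2 " "$STATE" > "$STATE.tmp" || true
        mv "$STATE.tmp" "$STATE"
    fi
}

# Re-add every recorded ban: run it from actionstart, or after the router lost its list.
restore() {
    [ -f "$STATE" ] || return 0
    while read -r _list _ip _comment _tmo; do
        router "$(ban_cmd "$_list" "$_ip" "$_comment" "$_tmo")" || return 1
    done < "$STATE"
}

main() {
    case $1 in
        ban)     shift; ban "$@" ;;
        unban)   shift; unban "$@" ;;
        restore) restore ;;
        *)       echo "usage: $0 ban|unban|restore ..." >&2; return 2 ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

With this wrapper the temp_ban jail's action becomes `mikrotik ban <list> <ip> <name> 10m` with actionunban left empty, so a fail2ban restart has nothing to remove and the router drops the entry when the timeout runs out; the perm_ban jail calls it without a timeout, and `mikrotik restore` (from actionstart, for instance) re-pushes the recorded entries if the router's list is ever lost.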