Use Mikrotik as Fail2ban firewall - MikroTik Script RouterOS

The Explanation
This tutorial explains how to configure Fail2ban to use a MikroTik router as its firewall. Fail2ban is a very helpful application: it allows system administrators to easily detect and block attack attempts. It scans log files (e.g. /var/log/auth.log) and bans IPs that show malicious signs (too many password failures, probing for exploits, etc.). By default Fail2ban uses iptables as its firewall software, but today I will show you how to configure the system so that all firewall rules live in one place, on the router.

P.S. Fail2ban comes with filters for various services (apache, courier, ssh, postfix, asterisk, etc.).

OK, let's start :-)

Preparing
Our first step is to generate an SSH key pair for secure remote login.

Note that RouterOS 2.9.13 and later versions support SSH logins.

Note: newer RouterOS versions (v6 and up) require RSA keys.
Use this command to generate the keys.

admin@linux:/$ ssh-keygen -t dsa

Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
b8:ea:79:ad:61:c4:e0:1a:66:46:5b:0e:70:b6:aa:38 [email protected]
The key's randomart image is:
+--[ DSA 1024]----+
|. o        |
| + .        |
|  + o        |
| o * o .         |
|. * o + S    |
|o+ o . .         |
|E .   +.      |
| .   +...         |
|   .+...       |
+---------+
DO NOT ENTER A PASSPHRASE: Fail2ban runs the ban command non-interactively, so the key must be usable without one. Now we need to upload the id_dsa.pub key to the MikroTik and import it there. The file is located at /home/user/.ssh/id_dsa.pub, or at /root/.ssh/id_dsa.pub if you are using the root account.

Configuration on Mikrotik side

[admin@mikrotik] > user add name=linux address=LINUX-SERVER-IP-ADDRESS group=full
This command adds a user with no password and full permissions, with login allowed only from your Linux machine.

[admin@mikrotik] > user ssh-keys import public-key-file=id_dsa.pub user=linux
This command imports the uploaded id_dsa.pub public key into the MikroTik key store and binds it to the linux user.

Configuration on Linux side
On the Linux side we must create a file named mikrotik in the /usr/bin/ directory.

touch /usr/bin/mikrotik
and put this bash script into it.

#!/bin/bash
# Wrapper called by Fail2ban: run a single RouterOS command on the MikroTik over SSH,
# logging in as the "linux" user with the passphrase-less key generated above.
# "$1" is the full RouterOS command line passed by the Fail2ban action.
ssh -l linux -p22 -i /root/.ssh/id_dsa MIKROTIK-IP-ADDRESS "$1"
OK.

Now create a new file named mikrotik.conf in the /etc/fail2ban/action.d/ directory:

nano /etc/fail2ban/action.d/mikrotik.conf 
and put this text into that file.

# Fail2Ban configuration file
#
# Author: Ludwig Markosyan
# Release 09/02/2013
#
# $Version: 1.0 BETA $
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =


# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =


# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =


# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#

Note: instead of adding a drop rule for each IP, you could use a single drop rule that matches an address list and add or remove the banned IPs from that list, which saves CPU resources on the router.
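Here is a complete mikrotik.conf that follows the address-list approach from the note above. It is an added example, not the author's original file: it assumes the /usr/bin/mikrotik wrapper from this tutorial, and the list name fail2ban and the rule comment fail2ban are my own choices.

```ini
# /etc/fail2ban/action.d/mikrotik.conf  (added example: address-list variant)
# Assumes the /usr/bin/mikrotik SSH wrapper from this tutorial; the list name
# "fail2ban" and the rule comment "fail2ban" are assumptions, change as needed.
[Definition]

# Executed once when Fail2ban starts: create the single drop rule that matches
# the whole address list, but only if a rule with our comment is not already there.
actionstart = mikrotik ":if ([:len [/ip firewall filter find comment=fail2ban]] = 0) do={/ip firewall filter add chain=input src-address-list=fail2ban action=drop comment=fail2ban}"

# Executed once when Fail2ban stops: keep rule and list, so bans survive a restart.
actionstop =

# Executed before every ban: exit non-zero if the drop rule is gone, which makes
# Fail2ban run actionstart again before retrying the ban.
actioncheck = mikrotik "/ip firewall filter print count-only where comment=fail2ban" | grep -q '[1-9]'

# Ban: one address-list entry per offender instead of one firewall rule each.
# <ip> is filled in by Fail2ban with the offending address.
actionban = mikrotik "/ip firewall address-list add list=fail2ban address=<ip> comment=fail2ban"

# Unban: remove only the entry for that address; the shared drop rule stays.
actionunban = mikrotik "/ip firewall address-list remove [find list=fail2ban address=<ip>]"
```

After a ban you can verify the entry on the router with /ip firewall address-list print where list=fail2ban.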

OK, now we have configured the ban and unban actions.

Next we must edit jail.conf to tell Fail2ban to use mikrotik as the ban action.

nano /etc/fail2ban/jail.conf
I will show an example for the ASTERISK jail; you can use any other jail in the same way.

[ASTERISK]
enabled  = true
filter   = asterisk
action   = mikrotik
           sendmail-whois[name=ASTERISK, [email protected], [email protected]]
logpath  = /var/log/asterisk/full
maxretry = 10
bantime  = 3600
OK, that's all. I'm open to any questions and remarks about this script; you can write to me at "[email protected]".

Thanks for your interest.