Problem with Fail2ban and a Mikrotik firewall

Operating system: CentOS 7.1

In my organization we are currently evaluating using Fail2ban together with the firewall on a Mikrotik router. I want Fail2ban to pass any IP it flags as banned to the Mikrotik firewall, which then creates a new firewall rule. Three files are involved in this process:

/usr/bin/mikrotik

-----------------------------------------
#!/bin/bash
ssh -l admin -p22 -i /root/.ssh/id_dsa 192.168.0.1 "$1"
-----------------------------------------

/etc/fail2ban/action.d/mikrotik.conf

-----------------------------------------
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = mikrotik "/ip firewall filter add action=drop chain=forward dst-address=<ip> comment=AutoFail2ban-<ip>"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#

actionunban = mikrotik "/ip firewall filter remove [/ip firewall filter find comment=AutoFail2ban-<ip>]"
-----------------------------------------

/etc/fail2ban/jail.local

-----------------------------------------
[sshd]
enabled = true
port    = ssh
filter  = sshd
action  = mikrotik
logpath = /var/log/secure
maxretry = 3
bantime = 120
-----------------------------------------

The current problem is that when an IP is flagged as banned, the whole process of going into the Mikrotik over ssh and creating the firewall rule does not happen. Running the mikrotik command manually successfully sshes into the Mikrotik. Running the "/ip firewall ..." command manually in the Mikrotik console successfully creates the firewall rule, so I know the command is correct.

Running tail -f on /var/log/fail2ban.log shows the following error when an IP gets banned:

[10265]: ERROR   /usr/bin/mikrotik -- returned 127 
[10265]: INFO   HINT on 127: "Command not found". Make sure that all commands in '/usr/bin/mikrotik' are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ).

However, running the suggested grep command gives the following:

LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

Changing the ban to use ssh directly gives similar output, indicating that the ssh command is not found.

Any insight into how to pass the Mikrotik command over ssh would be greatly appreciated.
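A hardened variant of the wrapper script, added here as an example rather than the asker's own script: it validates the <ip> argument before it reaches ssh (the value originates from parsed log lines, so the wrapper treats it as untrusted), builds the ban and unban RouterOS commands in one place, and runs ssh in batch mode so it cannot hang on a password or host-key prompt under fail2ban-server. Router address, user and key path are assumed from the question; the rule matches src-address (traffic from the banned host) instead of the original dst-address, and the action lines would become `mikrotik ban <ip>` and `mikrotik unban <ip>`.

```shell
#!/bin/sh
# Hardened replacement for /usr/bin/mikrotik (added example, not the original).
# Invoked by fail2ban as:  mikrotik ban <ip>   or   mikrotik unban <ip>
# Assumed settings taken from the question; override via environment if needed.
ROUTER="${MIKROTIK_HOST:-192.168.0.1}"
SSH_KEY="${MIKROTIK_KEY:-/root/.ssh/id_dsa}"
SSH_USER="${MIKROTIK_USER:-admin}"

# Accept only a dotted-quad IPv4 address (each octet 0-255); anything else is
# rejected so that no unexpected characters are ever sent to the router shell.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the RouterOS command for one ban or unban. The ban drops forwarded
# traffic *from* the banned address; the unban removes the rule by its comment.
build_cmd() {
    valid_ipv4 "$2" || return 1
    case "$1" in
        ban)   printf '/ip firewall filter add action=drop chain=forward src-address=%s comment=AutoFail2ban-%s\n' "$2" "$2" ;;
        unban) printf '/ip firewall filter remove [/ip firewall filter find comment=AutoFail2ban-%s]\n' "$2" ;;
        *)     return 1 ;;
    esac
}

# Send the command to the router. BatchMode=yes makes ssh fail immediately
# instead of waiting on a prompt when run unattended by fail2ban-server.
run_remote() {
    ssh -o BatchMode=yes -l "$SSH_USER" -p 22 -i "$SSH_KEY" "$ROUTER" "$1"
}

main() {
    cmd=$(build_cmd "$1" "$2") || { echo "usage: $0 ban|unban <ipv4>" >&2; return 2; }
    run_remote "$cmd"
}

# Only act when called with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because fail2ban-server runs the action with its own minimal environment, the wrapper uses absolute paths for the key and lets the shell resolve ssh from the PATH shown in the question.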
