OS: CentOS 7.1

At my organization we are currently assessing using Fail2ban with the firewall on our Mikrotik router. I want Fail2ban to communicate any IP flagged as banned to the Mikrotik firewall, creating a new firewall rule. There are three files relevant to this process:


    #!/bin/sh
    # /usr/bin/mikrotik: runs one RouterOS command on the router over ssh.
    # ROUTER is a placeholder for the router's address, which the post does not
    # show; without a host, ssh treats "$1" (the RouterOS command) as the
    # destination host.
    ROUTER=router.example.net
    ssh -l admin -p22 -i /root/.ssh/id_dsa "$ROUTER" "$1"


    # action.d/mikrotik.conf
    [Definition]

    # Option:  actionban
    # Notes.:  command executed when banning an IP. Take care that the
    #          command is executed with Fail2Ban user rights.
    # Tags:    <ip>  IP address
    #          <failures>  number of failures
    #          <time>  unix timestamp of the ban time
    # Values:  CMD
    actionban = mikrotik "/ip firewall filter add action=drop chain=forward dst-address=<ip> comment=AutoFail2ban-<ip>"

    # Option:  actionunban
    # Notes.:  command executed when unbanning an IP. Take care that the
    #          command is executed with Fail2Ban user rights.
    # Tags:    <ip>  IP address
    #          <failures>  number of failures
    #          <time>  unix timestamp of the ban time
    # Values:  CMD
    # The rule is located by the comment set at ban time; the find command is a
    # path (/ip ...), not a scripting command (:ip ...).
    actionunban = mikrotik "/ip firewall filter remove [/ip firewall filter find comment=AutoFail2ban-<ip>]"


    # sshd section of the jail configuration (the post does not name the file)
    [sshd]
    enabled  = true
    port     = ssh
    filter   = sshd
    action   = mikrotik
    logpath  = /var/log/secure
    maxretry = 3
    bantime  = 120

The current issue is that when an IP is flagged to be banned, the entire process of SSHing into the Mikrotik and creating the firewall rule does not occur. Manually running the mikrotik command successfully SSHes into the Mikrotik. Manually running the "/ip firewall ..." command in the Mikrotik console successfully creates the firewall rule, so I know that the command is correct.

Doing a tail -f on /var/log/fail2ban.log while causing an IP to be banned gives the error:

    [10265]: ERROR   /usr/bin/mikrotik -- returned 127
    [10265]: INFO    HINT on 127: "Command not found". Make sure that all commands in '/usr/bin/mikrotik' are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ).

However, performing the suggested grep command gives:


Changing the banaction to use ssh directly gives similar output and states that the ssh command is not found.

Any insight into how we can pass the Mikrotik command via ssh would be greatly appreciated.

    Have you tried changing `ssh` to `/usr/bin/ssh` (or whatever the full path to the ssh executable is)? – Cha0s Feb 02 '16 at 17:13
    Also, under what UID is the `/usr/bin/mikrotik` script executed? If not 0 (=root), then the `ssh` command will not be able to access the private key file under `/root/.ssh/`. – Cha0s Feb 02 '16 at 17:17

0 Answers
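The log line in the question reports exit status 127 from /usr/bin/mikrotik, which is the shell's "command not found": a command inside the script (ssh) was not found in the PATH that fail2ban-server inherited, which is what the comments above point at. The script below is an added example, not the original poster's script and not part of Fail2ban or RouterOS. It is a wrapper that sets its own PATH, calls ssh by absolute path, names the router explicitly, runs ssh in batch mode with a pinned known_hosts file so a missing or unreadable key fails fast instead of hanging on a password prompt, and re-checks that its argument is a plain IPv4 address before splicing it into a RouterOS command. The router address 192.0.2.1, user admin, port 22 and key /root/.ssh/id_dsa are assumptions; the private key still has to be readable by the user fail2ban-server runs as. The drop rule matches the banned address as src-address in the forward chain, which discards the attacker's own packets on the way in; this is a design choice for the example, not taken from the question.

```shell
#!/bin/sh
# /usr/bin/mikrotik, rewritten as an added example (not the original poster's
# script). fail2ban-server may run with a minimal environment, so the script
# sets PATH itself and calls ssh by absolute path: an exit status of 127 from
# inside the script means a command it uses was not found.
PATH=/usr/local/bin:/usr/bin:/bin
export PATH

ROUTER="${ROUTER:-192.0.2.1}"                  # assumed; TEST-NET-1 documentation address
ROUTER_USER="${ROUTER_USER:-admin}"
ROUTER_PORT="${ROUTER_PORT:-22}"
KEY="${KEY:-/root/.ssh/id_dsa}"                # readable by root only: fail2ban must run as uid 0
KNOWN_HOSTS="${KNOWN_HOSTS:-/root/.ssh/known_hosts}"   # must already hold the router's host key
SSH="${SSH:-/usr/bin/ssh}"                     # absolute path instead of relying on PATH

# is_ipv4 ADDR: accept only a dotted quad with octets 0-255. Fail2ban already
# validates <ip>, but the value is spliced into a RouterOS command line, so the
# wrapper checks it again rather than trusting its caller.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$1" | awk -F. '{ for (i = 1; i <= 4; i++) if ($i > 255) exit 1 }'
}

# ban_cmd IP / unban_cmd IP: the RouterOS command sent to the router.
# The comment tags the rule so that unban can find it without knowing its
# position in the filter list.
ban_cmd() {
    printf '/ip firewall filter add action=drop chain=forward src-address=%s comment=AutoFail2ban-%s' "$1" "$1"
}
unban_cmd() {
    printf '/ip firewall filter remove [find comment=AutoFail2ban-%s]' "$1"
}

# run_router CMD: execute one RouterOS command over ssh. BatchMode stops ssh
# from waiting on a password prompt when the key is unusable (for example when
# the script runs as a user that cannot read /root/.ssh); the pinned
# known_hosts file and strict checking make ssh fail instead of prompt on an
# unknown or changed router host key; ConnectTimeout bounds how long
# fail2ban-server blocks on an unreachable router.
run_router() {
    "$SSH" -o BatchMode=yes -o ConnectTimeout=10 \
           -o UserKnownHostsFile="$KNOWN_HOSTS" -o StrictHostKeyChecking=yes \
           -i "$KEY" -p "$ROUTER_PORT" -l "$ROUTER_USER" "$ROUTER" "$1"
}

# mikrotik ban|unban IP: entry point used by the fail2ban action.
# Returns 2 on a bad argument, otherwise ssh's exit status, so a failure shows
# up in fail2ban.log as a non-zero return.
mikrotik() {
    action="$1"
    ip="${2-}"
    if ! is_ipv4 "$ip"; then
        echo "mikrotik: refusing argument that is not an IPv4 address: $ip" >&2
        return 2
    fi
    case "$action" in
        ban)   run_router "$(ban_cmd "$ip")" ;;
        unban) run_router "$(unban_cmd "$ip")" ;;
        *)     echo "usage: mikrotik ban|unban IP" >&2; return 2 ;;
    esac
}

# Run only when invoked with arguments (fail2ban passes "ban <ip>" / "unban <ip>").
if [ "$#" -gt 0 ]; then
    mikrotik "$@"
    exit $?
fi
```

With this wrapper the action file changes to `actionban = /usr/bin/mikrotik ban <ip>` and `actionunban = /usr/bin/mikrotik unban <ip>`, so the RouterOS syntax lives in one place. Before enabling the jail, run `/usr/bin/mikrotik ban 192.0.2.99` as the same user fail2ban-server runs as (check with `ps -o user= -p $(pidof -x fail2ban-server)`), then confirm the rule with `/ip firewall filter print where comment~"AutoFail2ban"` on the router; a BatchMode failure at that point means the key or known_hosts file is not readable by that user, which is the second point raised in the comments.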