93. Mikrotik Email Alert and Block Failure Login User




You can contact me: plus.google.com/+PhallaCCMT; youtube.com/phallaccmt; facebook.com/Phalla.CCMT; twitter.com/PhallaCCMT and Phalla.CCMT@gmail.com

Script:

:local logBuffer "failedauth"
:local failthreshold 2
:local blocklist "Lst_AttemptLoginIP"
:local emailAddress "phalla.ccmt@gmail.com"
:local emailCC "alertphalla@gmail.com"
:local GTime [:pick [/system clock get time] 0 8]
:local RName [/system identity get name]
:local Output "Your Router($RName) is attempt login by:"

# ----------------------------------------------------------------------------------------

# Two parallel arrays: attackiparray holds each distinct source address seen in a
# "login failure" entry, attackcountarray the number of failures from that address.
:local attackiparray [:toarray ""]
:local attackcountarray [:toarray ""]
:local logEntryMessage
:local clearedbuf 0
:local lines
:local datetime [/system clock get date]

:foreach rule in=[/log print as-value where buffer=($logBuffer)] do={
# Now all data is collected in memory..

# Clear log buffer right away so new entries come in
   :if ($clearedbuf = 0) do={
      /system logging action {
         :set lines [get ($logBuffer) memory-lines]
         set ($logBuffer) memory-lines 1
         set ($logBuffer) memory-lines $lines
      }
      :set clearedbuf 1
   }
# End clear log buffer

   :set logEntryMessage ($rule->"message")

   :if ($logEntryMessage ~ "login failure") do={
      # Entry looks like "login failure for user admin from 1.2.3.4 via ssh":
      # take the text between "from " and " via"
      :local attackip [:pick $logEntryMessage ([:find $logEntryMessage "from "] + 5) [:find $logEntryMessage " via"]]

      # Is this address already counted? (found stays -1 when it is not)
      :local found -1
      :local x 0
      :foreach ip in=$attackiparray do={
         :if ($ip = $attackip) do={ :set found $x }
         :set x ($x + 1)
      }
      :if ($found >= 0) do={
         :set ($attackcountarray->$found) (($attackcountarray->$found) + 1)
      } else={
         # first failure from this address: append it to both arrays
         :set attackiparray ($attackiparray, $attackip)
         :set attackcountarray ($attackcountarray, 1)
      }
   }
# end foreach rule
}

:local z 0
:foreach ip in=$attackiparray do={
   :if (($attackcountarray->$z) > $failthreshold) do={
      # "add" fails on a duplicate entry, so only list addresses that are not there yet
      :if ([:len [/ip firewall address-list find address=$ip list=$blocklist]] = 0) do={
         /ip firewall address-list add address=$ip list=$blocklist
         /tool e-mail send to="$emailAddress" cc="$emailCC" subject="MikroTik alert on $datetime" body="$Output $ip at $GTime. Now it has been added to block list."
      }
   }
   :set z ($z + 1)
}

Configuration:

- Logging:
/system logging action
add name=failedauth target=memory
/system logging
add action=failedauth topics=critical,system,error

- Email:
/tool e-mail
set address=173.194.77.108 from=alertphalla@gmail.com last-status=succeeded \
    password=phallaccmt.blogspot.com port=587 start-tls=yes user=alertphalla@gmail.com

- Filter:
/ip firewall filter
add action=drop chain=input comment="Drop Attempt Login User" disabled=yes \
    in-interface=ether1-WAN src-address-list=Lst_AttemptLoginIP



Comments:

pawel, April 2, 2019 at 9:13 PM:

great script,

Could you tell me what to change in the script to block after the first attempt to login?
drs net, October 2, 2020 at 10:02 AM:

adding ip to blocked list but i can still access from that ip

Ethan, February 6, 2021 at 8:41 PM:

Hi Sir, how do we just make them banned for certain hours or minutes instead of blocking their ip?