93. Mikrotik Email Alert and Block Failure Login User

You can contact me: plus.google.com/+PhallaCCMT; youtube.com/phallaccmt; facebook.com/Phalla.CCMT; twitter.com/PhallaCCMT and Phalla.CCMT@gmail.com

Script:

:local logBuffer "failedauth"
:local failthreshold 2
:local blocklist "Lst_AttemptLoginIP"
:local emailAddress "phalla.ccmt@gmail.com"
:local emailCC "alertphalla@gmail.com"
:local GTime [:pick [/system clock get time] 0 8]
:local RName [/system identity get name];
:local Output "Your Router($RName) is attempt login by:"

# ----------------------------------------------------------------------------------------

:local attackiparray {0}
:local attackcountarray {0}
:local logEntryTopics
:local logEntryTime
:local logEntryMessage
:local clearedbuf
:local lines
:local datetime [/system clock get date]
:set clearedbuf 0

:local i 0
:foreach rule in=[/log print as-value where buffer=($logBuffer)] do={
# Now all data is collected in memory..

# Clear log buffer right away so new entries come in
   :if ($clearedbuf = 0) do={
      /system logging action {
         :set lines [get ($logBuffer) memory-lines]
         set ($logBuffer) memory-lines 1
         set ($logBuffer) memory-lines $lines
      }
      :set clearedbuf 1
   }
# End clear log buffer

   :set logEntryTime ""
   :set logEntryTopics ""
   :set logEntryMessage ""

:set logEntryTime ($rule->"time")
:set logEntryTopics ($rule->"topics")
:set logEntryMessage ($rule->"message")

:if ($logEntryMessage~"login failure") do={

:local attackip [:pick $logEntryMessage ([:find $logEntryMessage "from "]+5) ([:find $logEntryMessage " via"])]

:local x 0
:foreach ip in=$attackiparray do={
  :if ($ip = $attackip) do={
    :set ($attackcountarray->$x) (($attackcountarray->$x)+1)
  } else={
    :set ($attackiparray->$i) $attackip
    :set ($attackcountarray->$i) 1
  }
:set x ($x+1)
}
}
:set i ($i+1)
# end foreach rule
}
:local z 0
:foreach ip in=$attackiparray do={
  :if ($attackcountarray->$z > $failthreshold) do={
    :set ($attackcountarray->$z) 0
    /ip firewall address-list add address=($attackiparray->$z) list=$blocklist
    /tool e-mail send to="$emailAddress" cc="$emailCC" subject="MikroTik alert on $datetime" body="$Output $attackiparray at $GTime. Now it has been add to block list."
  }
:set ($attackcountarray->$z) 0
:set z ($z+1)
}

:local logBuffer "failedauth"
:local failthreshold 2
:local blocklist "Lst_AttemptLoginIP"
:local emailAddress "phalla.ccmt@gmail.com"
:local emailCC "phalla.hong@saturn.com.kh"
:local RName [/system identity get name];
:local Output "Your Router($RName) is attempt login by: "

# -----------------------------------

:local attackiparray {0}
:local attackcountarray {0}
:local logEntryTopics
:local logEntryTime
:local logEntryMessage
:local clearedbuf
:local lines
:local datetime [/system clock get date]
:set clearedbuf 0

:local i 0
:foreach rule in=[/log print as-value where buffer=($logBuffer)] do={
# Now all data is collected in memory..

# Clear log buffer right away so new entries come in
   :if ($clearedbuf = 0) do={
      /system logging action {
         :set lines [get ($logBuffer) memory-lines]
         set ($logBuffer) memory-lines 1
         set ($logBuffer) memory-lines $lines
      }
      :set clearedbuf 1
   }
# End clear log buffer

   :set logEntryTime ""
   :set logEntryTopics ""
   :set logEntryMessage ""

:set logEntryTime ($rule->"time")
:set logEntryTopics ($rule->"topics")
:set logEntryMessage ($rule->"message")

:if ($logEntryMessage~"login failure") do={

:local attackip [:pick $logEntryMessage ([:find $logEntryMessage "from "]+5) ([:find $logEntryMessage " via"])]

:local x 0
:foreach ip in=$attackiparray do={
  :if ($ip = $attackip) do={
    :set ($attackcountarray->$x) (($attackcountarray->$x)+1)
  } else={
    :set ($attackiparray->$i) $attackip
    :set ($attackcountarray->$i) 1
  }
:set x ($x+1)
}
}
:set i ($i+1)
# end foreach rule
}
:local z 0
:foreach ip in=$attackiparray do={
  :if ($attackcountarray->$z > $failthreshold) do={
    :set ($attackcountarray->$z) 0
    /ip firewall address-list add address=($attackiparray->$z) list=$blocklist
    /tool e-mail send to="$emailAddress" cc="$emailCC" subject="MikroTik alert on $datetime" body="$Output $attackiparray"
  }
:set ($attackcountarray->$z) 0
:set z ($z+1)
}

Configuration:

- Logging:
/system logging action
add name=failedauth target=memory
/system logging
add action=failedauth topics=critical,system,error

- Email:
/tool e-mail
set address=173.194.77.108 from=alertphalla@gmail.com last-status=succeeded \
    password=phallaccmt.blogspot.com port=587 start-tls=yes user=alertphalla@gmail.com

- Filter:

/ip firewall filter

add action=drop chain=input comment="Drop Attempt Login User" disabled=yes \

    in-interface=ether1-WAN src-address-list=Lst_AttemptLoginIP

• Twitter
• Facebook
• Google
• Tumblr
• Pinterest