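# Script Name: SSH Block by log
# This script reads a specified log buffer (logBuffer). For every "login failure"
# entry, the source address is extracted and counted; any address whose count
# exceeds failthreshold (strictly greater) is added to the address list named in
# blocklist and an alert e-mail is sent. The log buffer is cleared on the first
# entry read, so only new entries are seen the next time this script is executed
# (run it from a scheduler; the threshold applies per run, not cumulatively).
# Create a "memory" logging action and a rule feeding it, for example:
#/system logging action add memory-lines=1000 memory-stop-on-full=no name=failedauth target=memory
#/system logging add action=failedauth disabled=no prefix="" topics=critical,system,error
# NOTE(review): "/log print where buffer=" relies on the log entries exposing a
# "buffer" field - confirm this is supported on the RouterOS release in use.
# Set this to the name of the "memory" action log buffer created above.
:local logBuffer "failedauth"
# An address is blocked once it has MORE than this many failures in one run.
:local failthreshold 5
# Address list the offending addresses are added to; a firewall filter rule
# must reference this list for the block to take effect.
:local blocklist "ssh_blocklist"
# Recipient of the alert e-mail (/tool e-mail must be configured separately).
:local emailAddress "phalla.ccmt@gmail.com"
:local Output "Now you are attacked by: "
# -----------------------------------
# Associative array: key = source address (string), value = failure count.
# Replaces the two parallel arrays of the original, whose index bookkeeping
# created duplicate entries and sparse indices that the final loop never read.
:local attackcountarray [:toarray ""]
:local clearedbuf 0
:local lines
# Used in the e-mail subject; the original referenced $currentTime without defining it.
:local currentTime [/system clock get time]

:foreach rule in=[/log print as-value where buffer=$logBuffer] do={
    # Now all data is collected in memory..
    # Clear log buffer right away so new entries come in. Changing memory-lines
    # empties the buffer; entries logged between the print above and this reset
    # are lost, which is accepted for a best-effort blocker.
    :if ($clearedbuf = 0) do={
        /system logging action {
            :set lines [get $logBuffer memory-lines]
            set $logBuffer memory-lines=1
            set $logBuffer memory-lines=$lines
        }
        :set clearedbuf 1
    }
    # End clear log buffer
    :local logEntryMessage ($rule->"message")
    # Expected form: "login failure for user <name> from <address> via <service>".
    # Note this matches failures of every service, not only ssh.
    :if ($logEntryMessage ~ "login failure") do={
        # Take the text between the LAST "from " and the following " via". The
        # user name precedes "from " and is chosen by the remote side, so an
        # earlier "from " inside it must not decide which address is blocked.
        :local fromPos [:find $logEntryMessage "from "]
        :local nextPos $fromPos
        :while ([:typeof $nextPos] != "nil") do={
            :set fromPos $nextPos
            :set nextPos [:find $logEntryMessage "from " ($fromPos + 1)]
        }
        :if ([:typeof $fromPos] != "nil") do={
            :local viaPos [:find $logEntryMessage " via" $fromPos]
            :if ([:typeof $viaPos] != "nil") do={
                :local attackip [:pick $logEntryMessage ($fromPos + 5) $viaPos]
                # Only count tokens that parse as an IPv4 address; a malformed
                # line (or an IPv6 source, which /ip firewall cannot take) is
                # skipped instead of producing a failing address-list add.
                :if ([:typeof [:toip $attackip]] = "ip") do={
                    :if ([:typeof ($attackcountarray->$attackip)] = "nil") do={
                        :set ($attackcountarray->$attackip) 1
                    } else={
                        :set ($attackcountarray->$attackip) (($attackcountarray->$attackip) + 1)
                    }
                }
            }
        }
    }
# end foreach rule
}

# Block every address over the threshold once; addresses already on the list
# are not re-added (the original would error on the duplicate) and get no mail.
:foreach attackip,count in=$attackcountarray do={
    :if ($count > $failthreshold) do={
        :if ([:len [/ip firewall address-list find address=$attackip list=$blocklist]] = 0) do={
            /ip firewall address-list add address=$attackip list=$blocklist comment="login failures: $count"
            # Report the single blocked address rather than the whole array.
            /tool e-mail send to=$emailAddress subject="MikroTik alert $currentTime" body="$Output $attackip ($count login failures)"
        }
    }
}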
Hi, I checked the above script but it is not working after more than 5 login failures.
No e-mail was received and no IP address was added to the blacklist.
Please suggest