
    93. MikroTik: E-mail Alert and Address-List Block on Repeated Failed Logins




    You can contact me: plus.google.com/+PhallaCCMT; youtube.com/phallaccmt; facebook.com/Phalla.CCMT; twitter.com/PhallaCCMT and Phalla.CCMT@gmail.com

    Script:

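    # Alert on and block repeated failed logins.
    # Reads the "login failure" entries collected in a dedicated memory log buffer,
    # counts them per source address, adds every offender over the threshold to a
    # firewall address list and sends one e-mail per blocked address.
    # Intended to run from /system scheduler. It only has a blocking effect if a
    # drop rule that references the address list is present AND enabled.
    :local logBuffer "failedauth"
    # an address is blocked once it has MORE than this many failures in one run
    :local failthreshold 2
    :local blocklist "Lst_AttemptLoginIP"
    # how long a blocked address stays on the list; a permanent entry would lock out
    # a legitimate administrator after a few mistyped passwords
    :local blocktimeout 1d
    :local emailAddress "phalla.ccmt@gmail.com"
    :local emailCC "alertphalla@gmail.com"
    :local GTime [:pick [/system clock get time] 0 8]
    :local RName [/system identity get name]
    :local datetime [/system clock get date]
    :local Output "Your Router($RName) is attempt login by:"

    # ----------------------------------------------------------------------------------------

    # failure count keyed by source address, e.g. ($counts->"203.0.113.5") = 3.
    # A keyed array replaces the two parallel index arrays of the original, whose
    # "else" branch re-inserted the address on every non-matching element and so
    # split one attacker's failures across several entries.
    :local counts [:toarray ""]
    :local clearedbuf 0
    :local lines

    :foreach rule in=[/log print as-value where buffer=($logBuffer)] do={
        # The entries are already in memory; shrinking the buffer to one line and
        # restoring its size empties it, so the next run only sees new failures.
        # Done once, on the first entry.
        :if ($clearedbuf = 0) do={
            /system logging action {
                :set lines [get ($logBuffer) memory-lines]
                set ($logBuffer) memory-lines 1
                set ($logBuffer) memory-lines $lines
            }
            :set clearedbuf 1
        }

        :local msg ($rule->"message")
        :if ($msg~"login failure") do={
            # Expected RouterOS message: "login failure for user <name> from <ip> via <service>".
            # <name> is chosen by the remote party and may itself contain "from " or
            # " via", so anchor on the LAST occurrence of each marker, not the first;
            # otherwise a crafted username could put an arbitrary address on the list.
            :local fromPos [:find $msg "from "]
            :local lastFrom $fromPos
            :while ([:typeof $fromPos] = "num") do={
                :set lastFrom $fromPos
                :set fromPos [:find $msg "from " ($fromPos + 1)]
            }
            :local viaPos [:find $msg " via"]
            :local lastVia $viaPos
            :while ([:typeof $viaPos] = "num") do={
                :set lastVia $viaPos
                :set viaPos [:find $msg " via" ($viaPos + 1)]
            }
            :if (([:typeof $lastFrom] = "num") && ([:typeof $lastVia] = "num") && ($lastVia > $lastFrom)) do={
                :local attackip [:pick $msg ($lastFrom + 5) $lastVia]
                # Accept only a well-formed IP address; anything else is skipped
                # rather than handed to the firewall as an address-list entry.
                :if ([:typeof [:toip $attackip]] = "ip") do={
                    :if ([:typeof ($counts->$attackip)] = "nil") do={
                        :set ($counts->$attackip) 1
                    } else={
                        :set ($counts->$attackip) (($counts->$attackip) + 1)
                    }
                }
            }
        }
    # end foreach rule
    }

    # Block and alert on every address over the threshold. An address that is
    # already on the list is not re-added (a duplicate add fails and would abort
    # the script), and the alert names the single offending address instead of
    # dumping the whole array.
    :foreach ip,count in=$counts do={
        :if ($count > $failthreshold) do={
            :if ([:len [/ip firewall address-list find address=$ip list=$blocklist]] = 0) do={
                /ip firewall address-list add address=$ip list=$blocklist timeout=$blocktimeout comment="login failures: $count"
                /tool e-mail send to="$emailAddress" cc="$emailCC" subject="MikroTik alert on $datetime" body="$Output $ip ($count failures) at $GTime. Now it has been add to block list."
            }
        }
    }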

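    # Variant of the script above with a different CC recipient and a shorter
    # alert body. Same logic: count "login failure" entries per source address
    # from the memory log buffer, add offenders over the threshold to an address
    # list, e-mail once per blocked address. Run from /system scheduler; blocking
    # only happens if a drop rule referencing the list is present AND enabled.
    :local logBuffer "failedauth"
    # an address is blocked once it has MORE than this many failures in one run
    :local failthreshold 2
    :local blocklist "Lst_AttemptLoginIP"
    # how long a blocked address stays on the list (permanent entries risk
    # locking out a legitimate administrator)
    :local blocktimeout 1d
    :local emailAddress "phalla.ccmt@gmail.com"
    :local emailCC "phalla.hong@saturn.com.kh"
    :local RName [/system identity get name]
    :local datetime [/system clock get date]
    :local Output "Your Router($RName) is attempt login by: "

    # -----------------------------------

    # failure count keyed by source address; replaces the original's two parallel
    # index arrays, whose "else" branch re-inserted the address on every
    # non-matching element and so never accumulated a correct count.
    :local counts [:toarray ""]
    :local clearedbuf 0
    :local lines

    :foreach rule in=[/log print as-value where buffer=($logBuffer)] do={
        # Entries are already in memory; resizing the buffer to one line and back
        # empties it so the next run only sees new failures. Done once.
        :if ($clearedbuf = 0) do={
            /system logging action {
                :set lines [get ($logBuffer) memory-lines]
                set ($logBuffer) memory-lines 1
                set ($logBuffer) memory-lines $lines
            }
            :set clearedbuf 1
        }

        :local msg ($rule->"message")
        :if ($msg~"login failure") do={
            # Expected RouterOS message: "login failure for user <name> from <ip> via <service>".
            # <name> is remote-controlled and may contain "from " or " via", so use
            # the LAST occurrence of each marker to locate the real address field.
            :local fromPos [:find $msg "from "]
            :local lastFrom $fromPos
            :while ([:typeof $fromPos] = "num") do={
                :set lastFrom $fromPos
                :set fromPos [:find $msg "from " ($fromPos + 1)]
            }
            :local viaPos [:find $msg " via"]
            :local lastVia $viaPos
            :while ([:typeof $viaPos] = "num") do={
                :set lastVia $viaPos
                :set viaPos [:find $msg " via" ($viaPos + 1)]
            }
            :if (([:typeof $lastFrom] = "num") && ([:typeof $lastVia] = "num") && ($lastVia > $lastFrom)) do={
                :local attackip [:pick $msg ($lastFrom + 5) $lastVia]
                # only a well-formed IP address is counted; anything else is skipped
                :if ([:typeof [:toip $attackip]] = "ip") do={
                    :if ([:typeof ($counts->$attackip)] = "nil") do={
                        :set ($counts->$attackip) 1
                    } else={
                        :set ($counts->$attackip) (($counts->$attackip) + 1)
                    }
                }
            }
        }
    # end foreach rule
    }

    # Block and alert on each address over the threshold; skip addresses already
    # on the list (a duplicate add fails and would abort the script). The alert
    # names the single offending address rather than the whole array.
    :foreach ip,count in=$counts do={
        :if ($count > $failthreshold) do={
            :if ([:len [/ip firewall address-list find address=$ip list=$blocklist]] = 0) do={
                /ip firewall address-list add address=$ip list=$blocklist timeout=$blocktimeout comment="login failures: $count"
                /tool e-mail send to="$emailAddress" cc="$emailCC" subject="MikroTik alert on $datetime" body="$Output $ip ($count failures)"
            }
        }
    }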


    Configuration:

    - Logging:
    # Dedicated in-memory buffer the script reads (and empties) on every run.
    /system logging action
    add name=failedauth target=memory
    # Route failed-login entries into that buffer. RouterOS tags "login failure"
    # messages with the system, error and critical topics; confirm with
    # "/log print" on your version before relying on this filter.
    /system logging
    add action=failedauth topics=critical,system,error

    - Email:
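    # SMTP account used by "/tool e-mail send". The originally published lines
    # contained the mailbox password in clear text: never paste credentials into a
    # shared script or blog post, and rotate any that have been exposed. Prefer an
    # application-specific password for the sending account. "last-status" is a
    # read-only status field and has been dropped from the set command.
    # NOTE(review): address= is a hard-coded mail-server IP, which can change
    # without notice; whether start-tls verifies the server certificate depends on
    # the RouterOS version - check before treating the alert channel as trusted.
    /tool e-mail
    set address=173.194.77.108 from=alertphalla@gmail.com port=587 start-tls=yes \
        user=alertphalla@gmail.com password="<SMTP-PASSWORD>"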

    - Filter:
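    # Enforce the address list built by the script: drop traffic to the router
    # itself (input chain) from blocked sources on the WAN interface. The rule was
    # originally published with disabled=yes, so addresses were collected and
    # alerts sent but nothing was ever blocked; it is enabled here. It must sit
    # above any rule that accepts management services (ssh, winbox, www, api) on
    # the WAN, or those accepts are matched first and the block has no effect.
    /ip firewall filter
    add action=drop chain=input comment="Drop Attempt Login User" \
        in-interface=ether1-WAN src-address-list=Lst_AttemptLoginIP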


