Script:
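# Block source addresses that repeatedly fail to log in to this router.
#
# Reads every entry in the "failedauth" memory log buffer, counts the
# "login failure ... from <ip> via <service>" messages per source address,
# and adds each address whose count exceeds $failthreshold to the
# $blocklist firewall address-list, then sends an e-mail alert.
# The buffer is flushed on every run, so the threshold applies to failures
# seen since the previous run (run it from /system scheduler).
#
# Changes against the original version of this script:
#  - failures are counted in an address-keyed array instead of two parallel
#    numeric arrays indexed by the log line number, which reset counts to 1
#    and grew duplicate entries whenever a second address appeared;
#  - an address already present on the block list is not added twice
#    (the add would fail with "already have such entry" and abort the run
#    before the alert is sent);
#  - addresses found on $allowlist are never blocked, so a few typos from
#    the management workstation cannot lock the administrator out;
#  - the alert names the offending address instead of dumping the array.
:local logBuffer "failedauth"
:local failthreshold 2
:local blocklist "Lst_AttemptLoginIP"
# Addresses on this list are exempt from blocking. The list may be empty or
# absent; entries must be single addresses (the lookup matches the exact
# address string, not a containing subnet).
:local allowlist "Lst_AllowedLoginIP"
:local emailAddress "phalla.ccmt@gmail.com"
:local emailCC "alertphalla@gmail.com"
:local GTime [:pick [/system clock get time] 0 8]
:local RName [/system identity get name]
:local Output "Your Router($RName) is attempt login by:"
:local datetime [/system clock get date]
# ----------------------------------------------------------------------------------------
# Failure count per source address, keyed by the address string.
:local failcounts [:toarray ""]
:local clearedbuf 0
:local lines
:foreach rule in=[/log print as-value where buffer=($logBuffer)] do={
    # All entries are now in memory, so flush the buffer once: shrinking
    # memory-lines to 1 discards the stored lines, restoring it keeps the
    # configured size for the entries that arrive from now on.
    :if ($clearedbuf = 0) do={
        /system logging action {
            :set lines [get ($logBuffer) memory-lines]
            set ($logBuffer) memory-lines 1
            set ($logBuffer) memory-lines $lines
        }
        :set clearedbuf 1
    }
    :local logEntryMessage ($rule->"message")
    :if ($logEntryMessage~"login failure") do={
        # Message format: "login failure for user X from A.B.C.D via ssh";
        # the address sits between "from " and " via". Skip entries that do
        # not carry both markers instead of failing the whole run.
        :local fromPos [:find $logEntryMessage "from "]
        :local viaPos [:find $logEntryMessage " via"]
        :if ([:typeof $fromPos] != "nil" && [:typeof $viaPos] != "nil") do={
            :local attackip [:pick $logEntryMessage ($fromPos + 5) $viaPos]
            :if ([:len $attackip] > 0) do={
                :if ([:typeof ($failcounts->$attackip)] = "nil") do={
                    :set ($failcounts->$attackip) 1
                } else={
                    :set ($failcounts->$attackip) (($failcounts->$attackip) + 1)
                }
            }
        }
    }
}
# Act on every address that crossed the threshold in this run.
:foreach attackip,count in=$failcounts do={
    :if ($count > $failthreshold) do={
        :if ([:len [/ip firewall address-list find list=$allowlist address=$attackip]] > 0) do={
            :log warning "$attackip exceeded the login failure threshold but is on $allowlist; not blocked"
        } else={
            # Only add when absent; a duplicate add aborts the script.
            :if ([:len [/ip firewall address-list find list=$blocklist address=$attackip]] = 0) do={
                /ip firewall address-list add address=$attackip list=$blocklist comment="$count login failures on $datetime $GTime"
            }
            /tool e-mail send to="$emailAddress" cc="$emailCC" subject="MikroTik alert on $datetime" body="$Output $attackip at $GTime. Now it has been add to block list."
        }
    }
}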
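# Block source addresses that repeatedly fail to log in to this router.
#
# Reads every entry in the "failedauth" memory log buffer, counts the
# "login failure ... from <ip> via <service>" messages per source address,
# and adds each address whose count exceeds $failthreshold to the
# $blocklist firewall address-list, then sends an e-mail alert.
# The buffer is flushed on every run, so the threshold applies to failures
# seen since the previous run (run it from /system scheduler).
#
# Changes against the original version of this script:
#  - failures are counted in an address-keyed array instead of two parallel
#    numeric arrays indexed by the log line number, which reset counts to 1
#    and grew duplicate entries whenever a second address appeared;
#  - an address already present on the block list is not added twice
#    (the add would fail with "already have such entry" and abort the run
#    before the alert is sent);
#  - addresses found on $allowlist are never blocked, so a few typos from
#    the management workstation cannot lock the administrator out;
#  - the alert names the offending address instead of dumping the array.
:local logBuffer "failedauth"
:local failthreshold 2
:local blocklist "Lst_AttemptLoginIP"
# Addresses on this list are exempt from blocking. The list may be empty or
# absent; entries must be single addresses (the lookup matches the exact
# address string, not a containing subnet).
:local allowlist "Lst_AllowedLoginIP"
:local emailAddress "phalla.ccmt@gmail.com"
:local emailCC "phalla.hong@saturn.com.kh"
:local RName [/system identity get name]
:local Output "Your Router($RName) is attempt login by: "
:local datetime [/system clock get date]
# -----------------------------------
# Failure count per source address, keyed by the address string.
:local failcounts [:toarray ""]
:local clearedbuf 0
:local lines
:foreach rule in=[/log print as-value where buffer=($logBuffer)] do={
    # All entries are now in memory, so flush the buffer once: shrinking
    # memory-lines to 1 discards the stored lines, restoring it keeps the
    # configured size for the entries that arrive from now on.
    :if ($clearedbuf = 0) do={
        /system logging action {
            :set lines [get ($logBuffer) memory-lines]
            set ($logBuffer) memory-lines 1
            set ($logBuffer) memory-lines $lines
        }
        :set clearedbuf 1
    }
    :local logEntryMessage ($rule->"message")
    :if ($logEntryMessage~"login failure") do={
        # Message format: "login failure for user X from A.B.C.D via ssh";
        # the address sits between "from " and " via". Skip entries that do
        # not carry both markers instead of failing the whole run.
        :local fromPos [:find $logEntryMessage "from "]
        :local viaPos [:find $logEntryMessage " via"]
        :if ([:typeof $fromPos] != "nil" && [:typeof $viaPos] != "nil") do={
            :local attackip [:pick $logEntryMessage ($fromPos + 5) $viaPos]
            :if ([:len $attackip] > 0) do={
                :if ([:typeof ($failcounts->$attackip)] = "nil") do={
                    :set ($failcounts->$attackip) 1
                } else={
                    :set ($failcounts->$attackip) (($failcounts->$attackip) + 1)
                }
            }
        }
    }
}
# Act on every address that crossed the threshold in this run.
:foreach attackip,count in=$failcounts do={
    :if ($count > $failthreshold) do={
        :if ([:len [/ip firewall address-list find list=$allowlist address=$attackip]] > 0) do={
            :log warning "$attackip exceeded the login failure threshold but is on $allowlist; not blocked"
        } else={
            # Only add when absent; a duplicate add aborts the script.
            :if ([:len [/ip firewall address-list find list=$blocklist address=$attackip]] = 0) do={
                /ip firewall address-list add address=$attackip list=$blocklist comment="$count login failures on $datetime"
            }
            /tool e-mail send to="$emailAddress" cc="$emailCC" subject="MikroTik alert on $datetime" body="$Output $attackip"
        }
    }
}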
Configuration:
- Logging:
# Memory buffer that the block-list script reads and flushes on each run.
/system logging action
add target=memory name=failedauth
# Route the topics that carry the "login failure ..." messages into that buffer.
/system logging
add topics=critical,system,error action=failedauth
- Email:
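# SMTP settings used by "/tool e-mail send" in the block-list script.
# NOTE(review): the published listing came from "print" output and exposed
# the account password in plaintext; it is redacted here. Treat the original
# value as compromised and rotate it, and use a Gmail app password (the
# account password is rejected once 2-step verification is on).
# "last-status=succeeded" was dropped: it is a read-only status shown by
# "print", not a parameter "set" accepts.
# NOTE(review): 173.194.77.108 is a Google SMTP address that can change;
# if delivery starts failing, re-resolve it or use smtp.gmail.com on
# RouterOS versions that accept a hostname here.
/tool e-mail
set address=173.194.77.108 from=alertphalla@gmail.com \
    password="<redacted-app-password>" port=587 start-tls=yes \
    user=alertphalla@gmail.com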
- Filter:
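# Drop packets arriving on the WAN interface from any address the script
# has placed on the block list.
# The published listing had this rule disabled=yes, so addresses were
# collected and e-mailed but never actually dropped; it is enabled here.
# Rule order matters: place it before any broad accept rules in the input
# chain, and keep the management address out of the list (the script's
# allow list exists for that) before enabling it.
# Only WAN-side traffic is covered; failures from inside the LAN still add
# the address to the list but are not dropped by this rule.
/ip firewall filter
add action=drop chain=input comment="Drop Attempt Login User" disabled=no \
    in-interface=ether1-WAN src-address-list=Lst_AttemptLoginIP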