Black list for failed login to IPSec VPN

Edit: Updated see this post https://forum.mikrotik.com/viewtopic.php?p=905420#p905420

Updated
Now also blocks users that produce this type of message:
SPI e14750001eda995ec not registred for 89.50.40.10[4500]


# Created Jotne 2019 v1.3
#
# This script adds the IP of any peer that logged "IPSEC negotiation failed" or "SPI* not registered" to a block list (described as 24 hours; the add commands below use timeout=30d and timeout=7d)
# Schedule the script to run every 5 min
# It should run on all RouterOS versions
# 1.3 added "Invalid exchange"


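# Collect the log entries from the last 5 minutes whose message contains "negotiation failed".
# NOTE(review): the filter compares clock time only, so the 5 minute window probably
# misbehaves just after midnight - confirm on the RouterOS version in use.
:local loglistN [:toarray [/log find  time>([/system clock get time] - 5m) message~"negotiation failed"]]

# Caveat: IKE runs over UDP, so the source address of a failed negotiation is not verified.
# A trusted peer can end up on this list; keep an accept rule for known peers ahead of
# whatever rule consumes list=IPSEC (that rule is not part of this script).
:foreach i in=$loglistN do={

# Full text of the matching log entry
	:local logMessageN [/log get $i message]
# The peer address is taken to be everything before the first space in the message
	:local ipN [:pick $logMessageN 0 [:find $logMessageN " "]]

# Only act when the extracted token parses as an IPv4 address. The address list also
# accepts other strings on some versions, so an unparsed fragment must not be added.
	:if ([:typeof [:toip $ipN]] = "ip") do={
# "add" raises an error when the address is already listed, which would otherwise stop
# the whole script at the first repeated offender. The log line is written only when a
# new entry was really created.
		:do {
			/ip firewall address-list add address=$ipN list=IPSEC timeout=30d
			:log info message="script=IPSEC_failed src_ip=$ipN why=negotiation_failed"
		} on-error={}
	}
}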

	

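# Collect the log entries from the last 5 minutes that match "SPI.*not regist".
# The pattern stops at "regist" so it matches both spellings of "registered".
# NOTE(review): the filter compares clock time only, so the 5 minute window probably
# misbehaves just after midnight - confirm on the RouterOS version in use.
:local loglistS [:toarray [/log find  time>([/system clock get time] - 5m) message~"SPI.*not regist"]]

:foreach j in=$loglistS do={

# Full text of the matching log entry
	:local logMessageS [/log get $j message]
# The peer address sits between "for " and the "[" that opens the port, e.g.
# "... not registred for 89.50.40.10[4500]"
	:local ipS [:pick $logMessageS ([:find $logMessageS "for "]+4) [:find $logMessageS "["]]

# Only act when the extracted token parses as an IPv4 address, so a message with an
# unexpected layout cannot put an arbitrary string on the list.
	:if ([:typeof [:toip $ipS]] = "ip") do={
# "add" raises an error when the address is already listed, which would otherwise stop
# the whole script at the first repeated offender. The log line is written only when a
# new entry was really created.
		:do {
			/ip firewall address-list add address=$ipS list=IPSEC timeout=30d
			:log info message="script=IPSEC_failed src_ip=$ipS why=SPI_not_registered"
		} on-error={}
	}
}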
	
  
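# Collect the log entries from the last 5 minutes whose message contains "Invalid exchange".
# NOTE(review): the filter compares clock time only, so the 5 minute window probably
# misbehaves just after midnight - confirm on the RouterOS version in use.
:local loglistE [:toarray [/log find  time>([/system clock get time] - 5m) message~"Invalid exchange"]]

:foreach k in=$loglistE do={

# Full text of the matching log entry
	:local logMessageE [/log get $k message]
# Assumes the message has the same "... for <ip>[port]" layout as the SPI message -
# TODO confirm against a real "Invalid exchange" log line.
	:local ipE [:pick $logMessageE ([:find $logMessageE "for "]+4) [:find $logMessageE "["]]

# Only act when the extracted token parses as an IPv4 address, so a message with a
# different layout is skipped instead of putting an arbitrary string on the list.
	:if ([:typeof [:toip $ipE]] = "ip") do={
# "add" raises an error when the address is already listed, which would otherwise stop
# the script at the first repeated offender. This list entry expires after 7 days,
# shorter than the 30 days used for the other two reasons.
		:do {
			/ip firewall address-list add address=$ipE list=IPSEC timeout=7d
# The reason field names this check; it previously reported SPI_not_registered here.
			:log info message="script=IPSEC_failed src_ip=$ipE why=Invalid_exchange"
		} on-error={}
	}
}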