Dear All
I’m still looking for script that can auto BLOCK any clints IP or MAC who try to log in to hotspot 3 time with wrong username and password
I’m not talking about SSH and TELNET because I live in crowded area
If you can see it in the logs, you can make a script for it.
This is nearly the same as block VPN user not authenticate correctly.
See here:
http://forum.mikrotik.com/t/black-list-for-failed-login-to-ipsec-vpn/130090/1
thank you Jotne for your reply
i fund this script to convert ip to mac:
#Hotspot IP to MAC binding#
:local ipaddr value=“”;
:local mac value=“”;
:foreach a in=[/ip firewall address-list find where dynamic=yes and list=hotspot_blacklist] do={
:set $ipaddr [/ip firewall address-list get $a value-name=address];
:local m [/ip arp find where address=$ipaddr dynamic=yes];
:set $mac [/ip arp get $m mac-address];
/ip hotspot ip-binding add type=blocked mac-address=$mac comment=“blocked from script”;
/ip firewall address-list remove $a;
:log warning ("Blocked from Hotspot " . " MAC: " . $mac);
}
and i try to use this script:
/ip firewall filter
add chain=input protocol=tcp src-address-list=hotspot_blacklist action=drop comment=“Hotspot bruteforce prevention”
add chain=output action=accept protocol=tcp content=“invalid username or password” dst-limit=2/1m,4,dst-address/2m comment=“Hotspot bruteforce prevention”
add chain=output action=add-dst-to-address-list protocol=tcp content=“invalid username or password” address-list=hotspot_blacklist address-list-timeout=3h
on this Solved: Bruteforce HTTP CHAP login prevention
but doesn’t work with RB4011iGS+ OS7.1.1 and even not working with RB5009UG+S+
and help or advice
best regards
- Do not quote post above you. There is a big Post Reply button under the post to use to reply.
- Do use code tags when posting code. </> button above the post.
I have cleaned up the script and added code tags to be able to read it.
#Hotspot IP to MAC binding#
:foreach a in=[/ip firewall address-list find where dynamic=yes and list=hotspot_blacklist] do={
:local ipaddr [/ip firewall address-list get $a value-name=address]
:local m [/ip arp find where address=$ipaddr dynamic=yes]
:local mac [/ip arp get $m mac-address]
/ip hotspot ip-binding add type=blocked mac-address=$mac comment="blocked from script"
/ip firewall address-list remove $a
:log warning ("Blocked from Hotspot " . " MAC: " . $mac)
}
This is not a script, these are firewall rules:
/ip firewall filter
add chain=input protocol=tcp src-address-list=hotspot_blacklist action=drop comment="Hotspot bruteforce prevention"
add chain=output action=accept protocol=tcp content="invalid username or password" dst-limit=2/1m,4,dst-address/2m comment="Hotspot bruteforce prevention"
add chain=output action=add-dst-to-address-list protocol=tcp content="invalid username or password" address-list=hotspot_blacklist address-list-timeout=3h
What does not work?
Dear Joten
first of all thank you for your reply and I’m sorry I didn’t know about these things
when I create this firewall rules its not working i can see from log that there is more than error invalids username and one of them tried 289 time to log in to my hotspot
i hope understand my point
Best regards
Are anything added to the access list “hotspot_blacklist”
no nothing
How do you see that a user has 3 times login failure? From the log?
If its from the log, you can modify this script to search for log inn errors:
http://forum.mikrotik.com/t/black-list-for-failed-login-to-ipsec-vpn/130090/4