Can a script be created if a wrong login name is used

plisken · August 8, 2019, 4:23pm

Can a script be created if a wrong login name is used to place the IP address in the address list and then be blocked into the firewall?
For example, superuser is the correct name. All the rest is wrong and must by blocked

Thanks

pe1chl · August 8, 2019, 4:50pm

It is possible to write a script that reads recent log entries from memory, analyzes them and takes action.
When you schedule that script to run regularly, it could do what you want.

plisken · August 8, 2019, 5:11pm

I found something like this on this forum but i want edit this to is used a wrong username.

:local loglist [:toarray [/log find time>([/system clock get time] - 1m) message~“critical login failurel”]]
:foreach i in=$loglist do={
:local logMessage [/log get $i message]
:local ip [:pick $logMessage 0 [:find $logMessage " "]]
/ip firewall address-list add address=$ip list=LOGIN_FAILURE timeout=30d
:log info message=“script=LOGIN_FAILURE src_ip=$ip”
}

Jotne · August 8, 2019, 5:22pm

This is the message you get when using wrong username or password:

system,error,critical MikroTik: login failure for user per from 192.168.88.10 via winbox

Give me some minute and I will fix a script. But take care, this can block your self from entering the system.

plisken · August 8, 2019, 5:33pm

Hello Jotne, thanks for your effort, i appresiate that.

Jotne · August 8, 2019, 5:44pm

This should do:
Schedule it to run every 5 min.
It will then add the IP for the user with wrong username or password to address list Wrong_User for 24 hour.

# Created Jotne 2019 v1.0
#
# Add user who tries wrong user or password to address-list


# Find all "login failure" error last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~"login failure"]]
5
# for all error do
:foreach i in=$loglist do={

# find message
	:local logMessage [/log get $i message]
# find ip
	:local ip [:pick $logMessage ([:find $logMessage "from"]+5) [:find $logMessage " via"]]
# Add ip to accesslist	
	/ip firewall address-list add address=$ip list=Wrong_User timeout=24h
	}

plisken · August 8, 2019, 7:27pm

You are great Jotne, you are a great help for me and many others.

Thanks a lot

xme · February 26, 2022, 11:15pm

TaxiPieter:

This should do:
Schedule it to run every 5 min.
It will then add the IP for the user with wrong username or password to address list Wrong_User for 24 hour.

# Created Jotne 2019 v1.0
#
# Add user who tries wrong user or password to address-list


# Find all "login failure" error last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~"login failure"]]
5
# for all error do
:foreach i in=$loglist do={

# find message
	:local logMessage [/log get $i message]
# find ip
	:local ip [:pick $logMessage ([:find $logMessage "from"]+5) [:find $logMessage " via"]]
# Add ip to accesslist	
	/ip firewall address-list add address=$ip list=Wrong_User timeout=24h
	}

Any update ?
I try it on ver, 6,42 and 7.1 but the script does not create any address-list.
My log is full with messages eg. “login failure for user x from x.x.x.x via winbox” but no address-list added

Im noob in scripting. How to modify the script to send / print the variables $if, $i to log for help find out which script section does not work?

xme · February 27, 2022, 6:03pm

OK it was stupid error.
I was start to learn scripting but it was enough to remove the line with the character 5 from the code, which somehow get there

Here is the corrected version:

# Created Jotne 2019 v1.0
#
# Add user who tries wrong user or password to address-list

# Find all "login failure" error last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~"login failure"]]

# for all error do
:foreach i in=$loglist do={

# find message
	:local logMessage [/log get $i message]
# find ip
	:local ip [:pick $logMessage ([:find $logMessage "from"]+5) [:find $logMessage " via"]]
# Add ip to accesslist	
	/ip firewall address-list add address=$ip list=Wrong_User timeout=24h
	}

kevinds · April 24, 2022, 11:43pm

What if I don’t care about wrong passwords? Only wrong usernames?

I’m thinking an if-then else-then?

Supplying a list of usernames, or fetching the list of users from /system/users, if matches a username, do nothing, else add IP? But only for login failures? Would this be CPU intensive?

Jotne · April 25, 2022, 11:02am

I am not sure if the message that are logged are different if its wrong user or wrong password.
Test and se what log you get. If log are different, it should be easy to fix the script.
I am away from my mikrotik routes, so no testing (vacation in Brazil )

kevinds · April 25, 2022, 11:23am

They are not logged differently. That would make this too easy..

Login failure for user x from a.b.c.d via service"

pe1chl · April 25, 2022, 2:13pm

It already is bad enough that the value of the entered wrong username is logged with the message…

Jotne · April 25, 2022, 8:32pm

When going through bad login, its possible to compare the username against all local stored user name and if not found, then do log a message.

pe1chl · April 26, 2022, 7:08am

Well but I am asking for the opposite: when a user name is entered that is NOT one of the locally known usernames, do NOT log it.
Well, it is possible to log a message but not include the username.
Example: it can log “login failure for user admin from 192.168.88.10 via ssh” or similar, but it should NOT log “login failure for user Wor6Eqs2FWqA from 192.168.88.10 via ssh”, when usename Wor6Eqs2FWqA does not exist in the router. Instead it can log just “login failure from 192.168.88.10 via ssh”.

Why? Because Wor6Eqs2FWqA then probably is the PASSWORD for a user known in the system. And because log information could become available to others more easily than you would desire (e.g. when an external log server is used, or when critical messages are picked up by a monitoring system and sent as alerts).

Jotne · April 26, 2022, 2:40pm

Either way should be possible. I will look at it when I am back home.

shakisha · April 26, 2022, 9:55pm

I prefer a script that will put in a blacklist all the usernames login attempts (more than 3 attempts) that are not users of the system.

kevinds · April 26, 2022, 10:17pm

I’d rather blacklist/drop on the first attempt of using a wrong username, but that is the idea..

kevinds · April 26, 2022, 10:32pm

That is a pretty small use-case…

If it happens enough that it is an issue, I would suggest not allowing that user access to your system because they are not competent..

User: Wor6Eqs2FWqA
Password:

User needs to disconnect… They should know entering a password will only trigger a logging of their password.

Overall, if it was possible, to not log username failures, I’d be happy with that because then I wouldn’t care anymore about login failures..

On my systems, only SSH is open to the world.. Login failures filling the logs can hide actual issues that I need the logs for, but I would rather see the SSH failures in the logs than be locked out when I need to access the router.

Edit: “User needs to disconnect… They should know entering a password will only trigger a logging of their password.” Nevermind, it does log eventually, there is a delay..

rextended · April 27, 2022, 12:12am

About the OP:
Is wrong to put immediately on blacklist an IP after wrong username is used.
The user must have the time to notice some errors…
Like, if the username is MySecretname typo can happen and the user involuntarely blacklist himself…
mYsECRETNAME
MySEcretname
MysEcretname
MySecrtname
etc.
better to put at least 3 attempts instead of just one attempt, for example…