Can a script be created if a wrong login name is used

Can a script be created that, if a wrong login name is used, places the IP address in the address list so it is then blocked by the firewall?
For example, superuser is the correct name. All the rest is wrong and must be blocked.

Thanks

It is possible to write a script that reads recent log entries from memory, analyzes them and takes action.
When you schedule that script to run regularly, it could do what you want.

I found something like this on this forum, but I want to edit it so it is used for a wrong username.

# collect log entries from the last minute whose message matches the pattern
:local loglist [:toarray [/log find time>([/system clock get time] - 1m) message~"critical login failure"]]
:foreach i in=$loglist do={
:local logMessage [/log get $i message]
# take the first word of the message as the address (only correct if the message starts with the IP)
:local ip [:pick $logMessage 0 [:find $logMessage " "]]
/ip firewall address-list add address=$ip list=LOGIN_FAILURE timeout=30d
:log info message="script=LOGIN_FAILURE src_ip=$ip"
}

This is the message you get when using wrong username or password:

system,error,critical MikroTik: login failure for user per from 192.168.88.10 via winbox

Give me a few minutes and I will fix a script. But take care, this can block yourself from entering the system.

Hello Jotne, thanks for your effort, I appreciate that.

This should do:
Schedule it to run every 5 min.
It will then add the IP of the user with a wrong username or password to the address list Wrong_User for 24 hours.

# Created Jotne 2019 v1.0
#
# Add user who tries wrong user or password to address-list


# Find all "login failure" error last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~"login failure"]]
5
# for all error do
:foreach i in=$loglist do={

# find message
	:local logMessage [/log get $i message]
# find ip
	:local ip [:pick $logMessage ([:find $logMessage "from"]+5) [:find $logMessage " via"]]
# Add ip to accesslist	
	/ip firewall address-list add address=$ip list=Wrong_User timeout=24h
	}

You are great Jotne, you are a great help for me and many others.

Thanks a lot

Any update ?
I tried it on ver. 6.42 and 7.1, but the script does not create any address-list.
My log is full of messages e.g. "login failure for user x from x.x.x.x via winbox" but no address-list is added.

I'm a noob in scripting. How do I modify the script to send / print the variables $ip, $i to the log, to help find out which script section does not work?

OK, it was a stupid error.
I have started to learn scripting, but it was enough to remove the line with the character 5 from the code, which somehow got there.

Here is the corrected version:

# Created Jotne 2019 v1.0
#
# Add user who tries wrong user or password to address-list

# Find all "login failure" error last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~"login failure"]]

# for all error do
:foreach i in=$loglist do={

# find message
	:local logMessage [/log get $i message]
# find ip (the text between "from " and " via")
	:local ip [:pick $logMessage ([:find $logMessage "from"]+5) [:find $logMessage " via"]]
# Add ip to address-list, but only if it is not already there:
# adding a duplicate entry fails with "already have such entry" and aborts the script,
# so later IPs in the same run would never be added
	:if ([:len [/ip firewall address-list find address=$ip list=Wrong_User]] = 0) do={
		/ip firewall address-list add address=$ip list=Wrong_User timeout=24h
	}
	}

What if I don’t care about wrong passwords? Only wrong usernames?

I’m thinking an if-then else-then?

Supplying a list of usernames, or fetching the list of users from /system/users, if matches a username, do nothing, else add IP? But only for login failures? Would this be CPU intensive?

I am not sure if the messages that are logged are different for a wrong user or a wrong password.
Test and see what log you get. If the logs are different, it should be easy to fix the script.
I am away from my MikroTik routers, so no testing (vacation in Brazil :slight_smile: )

They are not logged differently. That would make this too easy.. :wink:

Login failure for user x from a.b.c.d via service

It already is bad enough that the value of the entered wrong username is logged with the message…

When going through a bad login, it's possible to compare the username against all locally stored user names and, if not found, then log a message.

Well but I am asking for the opposite: when a user name is entered that is NOT one of the locally known usernames, do NOT log it.
Well, it is possible to log a message but not include the username.
Example: it can log "login failure for user admin from 192.168.88.10 via ssh" or similar, but it should NOT log "login failure for user Wor6Eqs2FWqA from 192.168.88.10 via ssh" when username Wor6Eqs2FWqA does not exist in the router. Instead it can log just "login failure from 192.168.88.10 via ssh".

Why? Because Wor6Eqs2FWqA then probably is the PASSWORD for a user known in the system. And because log information could become available to others more easily than you would desire (e.g. when an external log server is used, or when critical messages are picked up by a monitoring system and sent as alerts).

Either way should be possible. I will look at it when I am back home.

I prefer a script that will put on a blacklist all the login attempts (more than 3 attempts) with usernames that are not users of the system.

I’d rather blacklist/drop on the first attempt of using a wrong username, but that is the idea..

That is a pretty small use-case…

If it happens enough that it is an issue, I would suggest not allowing that user access to your system because they are not competent..

User: Wor6Eqs2FWqA
Password:

User needs to disconnect… They should know entering a password will only trigger a logging of their password.

Overall, if it was possible, to not log username failures, I’d be happy with that because then I wouldn’t care anymore about login failures..

On my systems, only SSH is open to the world.. Login failures filling the logs can hide actual issues that I need the logs for, but I would rather see the SSH failures in the logs than be locked out when I need to access the router.

Edit: “User needs to disconnect… They should know entering a password will only trigger a logging of their password.” Nevermind, it does log eventually, there is a delay..

About the OP:
It is wrong to put an IP on a blacklist immediately after a wrong username is used.
The user must have time to notice some errors...
Like, if the username is MySecretname, a typo can happen and the user involuntarily blacklists himself...
mYsECRETNAME
MySEcretname
MysEcretname
MySecrtname
etc.
Better to require at least 3 attempts instead of just one attempt, for example...
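Combining the two refinements asked for in this thread, blocking only usernames that do not exist on the router (the question about wrong usernames vs. wrong passwords above) and blocking only after a threshold of attempts (the last post), here is a single scheduled script. It is an added example, not code from the thread or from Jotne. It assumes the log format quoted above ("login failure for user X from A.B.C.D via service"), a 5-minute schedule, an address list Wrong_User that a drop rule already references, and an optional address list Admin_Safe (the name is an assumption) holding the exact host addresses of your own management stations, which are never blocked.

```routeros
# Added example for this thread (not Jotne's script): block a source IP only
# when it has used usernames that do not exist on the router, and only after
# a threshold of such failures inside the lookup window.
# Assumptions: scheduled every 5 min; log lines look like
#   "login failure for user X from A.B.C.D via service";
# a drop rule already references the list Wrong_User;
# the list Admin_Safe (name assumed) holds exact host addresses never to block.

:local threshold 3
:local window 5m
:local blockList "Wrong_User"
:local safeList "Admin_Safe"

# per-IP counter of failures that used an unknown username
:local failCount [:toarray ""]

:foreach i in=[/log find time>([/system clock get time] - $window) message~"login failure for user "] do={
    :local msg [/log get $i message]
    :local fromPos [:find $msg " from "]
    :local viaPos [:find $msg " via "]
    # only handle lines that carry both markers; anything else is left alone
    :if ([:typeof $fromPos] != "nil" && [:typeof $viaPos] != "nil") do={
        :local user [:pick $msg ([:find $msg "for user "] + 9) $fromPos]
        :local srcIp [:pick $msg ($fromPos + 6) $viaPos]
        # a failure with a real account name is a wrong password, not a wrong username: skip it
        :if ([:len [/user find name=$user]] = 0) do={
            :if ([:typeof ($failCount->$srcIp)] = "nil") do={
                :set ($failCount->$srcIp) 1
            } else={
                :set ($failCount->$srcIp) (($failCount->$srcIp) + 1)
            }
        }
    }
}

# act on the counters
:foreach srcIp,count in=$failCount do={
    :if ($count >= $threshold) do={
        :if ([:len [/ip firewall address-list find list=$safeList address=$srcIp]] > 0) do={
            :log warning "script=$blockList skipped safe-listed $srcIp after $count unknown-user failures"
        } else={
            # skip duplicates: adding an existing entry fails and would abort the script
            :if ([:len [/ip firewall address-list find list=$blockList address=$srcIp]] = 0) do={
                /ip firewall address-list add list=$blockList address=$srcIp timeout=24h comment="unknown username, $count failures"
                :log warning "script=$blockList src_ip=$srcIp failures=$count"
            }
        }
    }
}
```

Schedule it with `/system scheduler add name=wrong-user interval=5m on-event=<script name>` and make sure a rule such as `/ip firewall filter add chain=input src-address-list=Wrong_User action=drop` exists, otherwise the list is only a record. Put your own management address into Admin_Safe before enabling it, as Jotne warned about locking yourself out. Two caveats: the `time>` comparison only sees entries logged today, so a window that crosses midnight misses entries; and since the router keeps failed usernames in the log, the log (and any remote syslog target) still receives the usernames regardless of what this script does.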