drop failure request after more than 3 failure

RouterOS General
1

hi
how i can auto add failure request ip in mikrotik firewall for drop input request for 1 hour
for example this user test-user and Calling-Station-Id = “2.180.224.69” ip

pr/17/2021 16:37:41 radius,debug,packet Calling-Station-Id = “2.180.224.69”
Apr/17/2021 16:37:41 radius,debug,packet Called-Station-Id = “185.19.252.230”
Apr/17/2021 16:37:41 radius,debug,packet Acct-Session-Id = “810058be”
Apr/17/2021 16:37:41 radius,debug,packet MS-CHAP-Challenge = 0xee5284fe835e436c69ba19ea22deb168
Apr/17/2021 16:37:41 radius,debug,packet MS-CHAP2-Response = 0x01002fd4740c5f23946491d46d4b84f9
Apr/17/2021 16:37:41 radius,debug,packet d088000000000000000090d39f5f20d3
Apr/17/2021 16:37:41 radius,debug,packet 3024e91ca33d487694a52e58052b9399
Apr/17/2021 16:37:41 radius,debug,packet 1453
Apr/17/2021 16:37:41 radius,debug,packet NAS-Identifier = “MikroTik”
Apr/17/2021 16:37:41 radius,debug,packet NAS-IP-Address = 185.19.252.230
Apr/17/2021 16:37:41 pptp,ppp,debug,packet <22626>: sent CHAP Failure id=0x1
Apr/17/2021 16:37:41 pptp,ppp,debug,packet E=691 R=0 C=EE5284FE835E436C69BA19EA22DEB168 V=3 M=bad username or password
Apr/17/2021 16:37:41 pptp,ppp,error <22626>: user test-user authentication failed


thanks

2

@moeinfrozen

Remove your Public IP from your text.
You might want to change your PPTP to something more secure. PPTP discontinued.

Is this topic related to your other post? DO NOT DROP THE ICMP IF YOU RUN A VPN SERVER

You could adapt this script(this is for IPsec fail logins, you could change the parameters to suit your PPTPs error. Following this, you need to run a scheduler for the script too.

:local logMessage ""
:local logIp ""
/log
:foreach i in=[find where message~"phase1 negotiation failed\\." or message~"SPI.*not regist" or message~"Invalid exchange"] do={
    :set logMessage [get $i message]

    :if ($logMessage~"phase1 negotiation failed\\.") do={
        :set logIp [:toip [:pick $logMessage -1 [:find $logMessage " "]]]
        :if ([:len [/ip fire addr find where list="Black List - Bots" address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list="Black List - Bots" timeout=7d
            :log info message="script=Black List - Bots src_ip=$logIp why=negotiation_failed"
        }
    }

    :if ($logMessage~"SPI .* not registered for") do={
        :set logIp [:toip [:pick $logMessage ([:find $logMessage "for "]+4) [:find $logMessage "["]]]
        :if ([:len [/ip fire addr find where list="Black List - Bots" address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list="Black List - Bots" timeout=7d
			:log info message="script=Black List - Bots src_ip=$logIp why=SPI_not_registered"
        }
    }

    :if ($logMessage~"Invalid exchange") do={
        :set logIp [:toip [:pick $logMessage ([:find $logMessage "from "]+5) [:find $logMessage "["]]]
        :if ([:len [/ip fire addr find where list="Black List - Bots" address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list="Black List - Bots" timeout=7d
			:log info message="script=Black List - Bots src_ip=$logIp why=Invalid_exchange"
        }
    }
}
3

Hello good time
This issue is not related to the other post
I have pptp and l2tp protocols on the server
But some users who do not exist in the server send many requests to the server
And they interfere with the Radius server
I want to block repeated unauthorized requests for a period of time

4

hi Anyone Can Help me More ?
thanks .