How to get SrcIP address from PPTP Auth failure log?

Hi!
I wrote a script to ban users who can’t establish an L2TP connection.

#Preparing
#/system logging action
#add name=FirewallServicesAuthFailure target=memory
#/system logging
#add action=FirewallServicesAuthFailure topics=l2tp,error
#/ip firewall raw
#add action=drop chain=prerouting src-address-list=FirewallServicesAuthFailure


:foreach line in=[/log find buffer=FirewallServicesAuthFailure] do={
    :do {
        # an L2TP failure looks like "<1.2.3.4>: user name authentication failed"
        :local AuthFailureLog [/log get $line message];
        :local StrAddrStart [:find $AuthFailureLog "<"];
        :local StrAddrEnd [:find $AuthFailureLog ":"];
        :local StrUserStart [:find $AuthFailureLog "user "];
        :local StrUserEnd [:find $AuthFailureLog "authentication failed"];
        :local StrUser "";
        :local StrAddr "";
        :local StrAddrLen;
        :local PickAddrStartLen 1;
        :local PickAddrEndLen;
        :local AuthFailureIP;
        :local AuthFailureIPBanTimeout "30d";
        # "<1.2.3.4>" and "user name " respectively
        :set StrAddr [:pick $AuthFailureLog $StrAddrStart $StrAddrEnd];
        :set StrUser [:pick $AuthFailureLog $StrUserStart $StrUserEnd];
        # strip the surrounding "<" and ">" to get the bare address
        :set StrAddrLen [:len $StrAddr];
        :set PickAddrEndLen ($StrAddrLen-1);
        :set AuthFailureIP [:pick $StrAddr $PickAddrStartLen $PickAddrEndLen];
        /ip firewall address-list add list=FirewallServicesAuthFailure address=$AuthFailureIP comment=$StrUser timeout=$AuthFailureIPBanTimeout;
    } on-error={};
}
# shrink and re-grow the memory buffer so already processed entries are flushed
/system logging action set FirewallServicesAuthFailure memory-lines=1;
/system logging action set FirewallServicesAuthFailure memory-lines=1000;

For L2TP connections it works fine, but it doesn’t work for PPTP, because in the <> brackets we have some number instead of an IP.
Any ideas how to get the SRC IP of a failed PPTP authentication by parsing the log?
[attached screenshot: pptp-auth-error.png]

Hi,

Did you find any solution?

The IP is in the previous log line “TCP connection established from …”

I know it, but in this log we have both successful and failed connections.
So if we have many simultaneous connections in a short time, it [the script] will ban legitimate connections.

Is there a certain “pattern” in the source IPs of the failed attempts?
You could try to get these IPs on an access-list if they set up more than 3x / minute to the VPN service.
Each of these IPs will go through the SYN - SYN ACK - ACK TCP setup states, so you could “watch” for incoming “SYN” packets, and if the same IP does this more than 3x / minute to the VPN port, chances are big it’s not normal…
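The rate-based approach described in the reply above, written out as RouterOS firewall rules. This is an added example, not part of the original thread or of anyone’s posted configuration. It assumes the PPTP control channel on TCP port 1723 and uses hypothetical address-list names (pptp_stage1 … pptp_blacklist); the stage timeouts and the 10d ban are constructed values. Rules are listed from the highest stage downwards on purpose: add-src-to-address-list is a non-terminating action, so with the opposite order a single SYN would walk an address through every stage at once.

```routeros
/ip firewall filter
# 1. anything already blacklisted is dropped before it reaches the PPTP server
add chain=input protocol=tcp dst-port=1723 src-address-list=pptp_blacklist \
    action=drop comment="drop PPTP brute forcers"

# 2. fourth new TCP connection within a minute from the same source: ban for 10 days
add chain=input protocol=tcp dst-port=1723 connection-state=new \
    src-address-list=pptp_stage3 action=add-src-to-address-list \
    address-list=pptp_blacklist address-list-timeout=10d

# 3. third new connection within a minute: promote to stage 3
add chain=input protocol=tcp dst-port=1723 connection-state=new \
    src-address-list=pptp_stage2 action=add-src-to-address-list \
    address-list=pptp_stage3 address-list-timeout=1m

# 4. second new connection within a minute: promote to stage 2
add chain=input protocol=tcp dst-port=1723 connection-state=new \
    src-address-list=pptp_stage1 action=add-src-to-address-list \
    address-list=pptp_stage2 address-list-timeout=1m

# 5. every new connection (the first SYN of a handshake) lands in stage 1
add chain=input protocol=tcp dst-port=1723 connection-state=new \
    action=add-src-to-address-list address-list=pptp_stage1 address-list-timeout=1m

# 6. everything that survived the staging is allowed through to the PPTP service
add chain=input protocol=tcp dst-port=1723 action=accept
```

Because the stage entries expire after one minute, a legitimate client that reconnects a few times and then succeeds is not affected; only a source that keeps opening new control connections (four or more inside a minute) reaches the blacklist, which is the “more than 3x / minute” threshold from the reply. This counts connection setups rather than authentication failures, so it does not need the source address to appear in the pptp auth-error log line at all, and a ban issued this way can be combined with the existing FirewallServicesAuthFailure raw drop rule from the first post.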

Working 100% … great job.

Is it possible to modify it for an SSTP server?

Best regards