How to log and report hack attacks

Hi all

I just set up a 450G as a PPTP server - I used it to connect via VPN.

Is there a way I could set it to report any hacking attacks on the external interface to a syslog server, or better, to send e-mails via SMTP?

Thanks

All firewall rules can have “log” as an action. I’d send email from the syslog server, or you’re going to DoS yourself at some point. A router busy trying to send you 500 emails per second because you’re under a medium-rate attack doesn’t have much time to do routing.

Let me be more specific - I don’t intend to have the router send an e-mail for every ‘drop’ or ‘block’, but rather send a log every hour with all the blocks made - obviously specifying the IP address of the ‘attack’ source. I just need it to assess the effectiveness of the device against another device which we already have. This way I would be able to choose which is the best of the two.

I’d appreciate it if you could tell me whether there is a how-to on how this can be set up.

cheers

You could maybe implement adding those IPs to an address list with a timeout of one hour (before the drop action, you also run an add-src-to-address-list with a 60 minute timeout and set passthrough=yes). Then you do a “/ip firewall address-list print file=myBlockedList” followed by “/tool email send file=myBlockedList [other parameters]” and then clear out the address list in a script scheduled to run every hour.

That would be far less work than accumulating logs in a buffer and using the scripting language to compile a list - the biggest pain there would be the 4096 byte variable size limit.
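The address-list approach described above, written out as an added example (not code from this thread or from MikroTik). It assumes the WAN interface is named ether1-gateway, uses an address list and file both named hourly_blocked, and the SMTP server, account and addresses are placeholders; the two filter rules belong after the rules that already accept the VPN and established traffic.

```routeros
# Added example: record the source of every dropped new inbound packet on the WAN
# interface, then e-mail the collected list once an hour and empty it.
# Assumed names: interface ether1-gateway, list/file hourly_blocked; SMTP values are placeholders.

/ip firewall filter
# 1. Record the source with a 1h timeout; passthrough=yes lets the packet continue to the drop rule.
add chain=input in-interface=ether1-gateway connection-state=new \
    action=add-src-to-address-list address-list=hourly_blocked \
    address-list-timeout=1h passthrough=yes comment="record dropped sources"
# 2. Drop it. This rule's counters give the packet count; the list gives the distinct sources.
add chain=input in-interface=ether1-gateway connection-state=new \
    action=drop comment="drop unsolicited inbound"

# 3. Hourly script: write the list to a file, mail the file, then clear the list.
/system script add name=report-blocked-hourly source={
    :local sysname [/system identity get name]
    :local hits [:len [/ip firewall address-list find list=hourly_blocked]]
    # A quiet hour sends nothing, so the mailbox only fills when something was blocked.
    :if ($hits > 0) do={
        /ip firewall address-list print file=hourly_blocked where list=hourly_blocked
        # print file= writes the file in the background; wait before attaching it.
        :delay 2s
        /tool e-mail send to="admin@example.com" from="$sysname<router@example.com>" \
            server=192.0.2.25 port=587 tls=yes user=router password=PLACEHOLDER \
            subject="$sysname: $hits blocked sources in the last hour" \
            body="Distinct sources dropped on the WAN interface are in the attached file." \
            file=hourly_blocked.txt
        # Give the mail a moment to leave before the list is emptied for the next window.
        :delay 5s
        /ip firewall address-list remove [find list=hourly_blocked]
    }
}
/system scheduler add name=report-blocked-hourly interval=1h on-event=report-blocked-hourly
```

Because the entries carry a 1h timeout they would expire on their own anyway; the explicit remove keeps each report to exactly one scheduler window, so two reports never list the same source unless it really came back.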

Could you help me?
I already made:

  1. firewall rule to detect ftp bruteforce
  2. firewall rule to drop the attacker
  3. put the attacker to address list “ftp_blacklist”
  4. set mail to report the attacker
  5. do the test for sending mail manually through mikrotik
  6. set logging for mail, so that every event using email will be logged.
  7. put some script to send a report about the attack event to email, using the script below:
name="send_ftp" owner="admin"
policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
source=
:foreach a in=[/ip firewall address-list find list=ftp_blacklist] do={
:local ftpip [/ip firewall address-list get $a address];
:log warning ("FTP Attack from:" .$ftpip)
:local sysname [/system identity get name];
:local date [/system clock get date];
:local time [/system clock get time];
/tool e-mail send from="$sysname<aaa.bbb@gmail.com>" to=ddd.eee@gmail.com
tls=yes server=74.125.127.108  port=587 password=aaabbbpass subject="FTP Attack!"
body=" Dear Admin,
\n \n We have note that on $date at $time. There are FTP attack to $sysname from IP
$ftpip, and has been blocked by firewall.
\n See http://whois.sc/$ftpip for detail IP attacker information.
\n \n Thanks & Regard"}
  8. set the scheduler to run the script.

NB: sender = aaa.bbb@gmail.com
I have already tested everything; numbers 1 to 6 succeed: the attacker IP is listed in the address list and the attacker IP is dropped by the firewall rule. But the --Problem-- is, I can’t get the report on my email. Besides, when I test sending mail manually through MikroTik, it succeeds.
Sorry for the long post.
I’m really stuck on this one. :frowning: