RouterOS and e-mail of failed logins and other system info

RouterOS General
1

I’ve glanced through the forums and found a few posts about emails but nothing about getting mails when there are failed login attempts on your mikrotik router. I was wondering how people do it. So far, I have done this:

/system logging action> print
Flags: * - default 
 #   NAME             TARGET REMOTE                                            
 0 * memory           memory
 1 * disk             disk  
 2 * echo             echo  
 3 * remote           remote ::                                                
 4   1                remote ::                                                
 5   2                remote ::

I have sent myself a test mail and it works. How can i get the router to send me more info, will the remote rules (4 & 5) be enough for this?

Thanks.

Getting mails when there are failed login
notify us when someone try to log into a router
2

Mine works. V4.16 on RB433AH. This is my settings:

[admin@test] /system logging action> print
Flags: * - default
 #   NAME                                                    TARGET REMOTE
 0 * memory                                                  memory
 1 * disk                                                    disk
 2 * echo                                                    echo
 3 * remote                                                  remote 0.0.0.0:514
 4   email                                                   email

Then for a test

/system logging
print
set X action=email

Replace X with the line number of the topic you want emailed.
I set “topics=critical” as email and then tried to login with a bad password. The email was sent.

3

That’s why having the “tls=yes” parameter in the server declaration section would have been so usefull. Actually, it’s only available on the “send” command line, so it wouldn’t work in my case (gmail).

4

I’m still on V4.16, but I hear rumors that the “/tool e-mail” settings in V5.x has a tls setting.

ADD: You don’t need tls to send email to a gmail account.
You need tls to relay email to a non-gmail account using your gmail account.
You must use port 25 instead of 583 tho. My nslookup shows I can use server = 74.125.157.27 port 25 to send to gmail accounts. EDIT: This ip works for me. I just checked it.
With gmail, your email may end up in your “spam” folder. Mine did. Check there too.

Some email servers are starting to use a spam filter that blocks email from source ip/subnets that are considered “residential”. If you obtain your ip by DHCP, and it is not “persistent” (“static” ip assigned by dhcp to your mac address), then your ip/subnet will probably end up on this list some day.

5

Negative:
v5.4:

/tool e-mail set   
address  from  password  port  user



Thx for this info (didn’t know that). But still… I have this security feature available, it works, why wouldn’t I want to use it? :slight_smile:

MT, please add support for tls setting to the e-mail menu.

6

So much for rumors. :frowning:

@elgo: I agree with you. The tls setting in “/tool e-mail” would enable your router to send email even if the receiving email server thinks your router is “residential”.

7

Tried that but not working for me, I am on 5.4, when setting up I get:

/system logging> set 3 action=mail
input does not match any value of action
8

I put together a script a while back for this purpose. I wanted to be alerted whenever anyone logged into the router or when anyone failed to log in. This was my solution:

http://forum.mikrotik.com/t/is-it-possible-to-run-a-script-on-login/55422/1

The script can be easily modified to search for any text you would like. The example searches for logs that contain the text “logged in” or “login failure”.

:local currentBuf [ :toarray [ /log find message~"logged in" || message~"login failure" ] ] ;

If you only want to check for login failures, something like this:

:local currentBuf [ :toarray [ /log find message~"login failure" ] ] ;

See the script for the full code…