script to detect RDP user connected

gerakon · September 20, 2018, 5:45am

I just barely understand what I’m doing when it comes to scripting…
I’m trying to mash a couple scripts together to detect when there is an active RDP connection. I have a firewall rule to add the IP to an address list. I’m having trouble with syntax on the second line.

:global vCurrentStatus;
:local vNewStatus [/ip firewall address-list> :put [:len [find list="RDPUserConnected"] ]];
:if ($vNewStatus != $vCurrentStatus) do={
    :put "ip address $vCurrentStatus changed to $vNewStatus";
    :set vCurrentStatus $vNewStatus;
}

:put [:len [find list="RDPUserConnected"] ]];

runs fine if I am already in the terminal at /ip firewall address-list>, but I can’t get it to run with the first part?

I’ll try to fix the 4th line to send me an email after we get the 2nd line figured out.
Thanks for any assistance.

rendezz · September 21, 2018, 6:31am

:global vCurrentStatus;
:local vNewStatus [/ip firewall address-list> :put [:len [/ip firewall address-list find list="RDPUserConnected"] ]];
:if ($vNewStatus != $vCurrentStatus) do={
    :put "ip address $vCurrentStatus changed to $vNewStatus";
    :set vCurrentStatus $vNewStatus;
}

Thats just a guess from my part

rendezz · September 21, 2018, 6:38am

Actually just ignore my post above

Try this

global vCurrentStatus;
:local vNewStatus [:len [/ip firewall address-list find list="RDPUserConnected"]];
:if ($vNewStatus != $vCurrentStatus) do={
    :put "ip address $vCurrentStatus changed to $vNewStatus";
    :set vCurrentStatus $vNewStatus;
}

gregster · September 21, 2018, 4:01pm

Hi,

I am new to the mikrotik world. I have done a little bit of googling, but I am not sure how to proceed. I would like to get notification of activity on certain ports. Say that I want to get notification of activity on port 3389 (like this post). On connection to an endpoint on this port, I would like to call a REST endpoint, something like http://myserver/rdplog?ip=ipaddress&mac=macid. Is this possible? I would like to avoid grabbing the log since that is likely to bog down the router/firewall as this will form the basis of an external monitor for banned activity. Is this possible via scripting? Does anyone have a simple example that I can start working off of?

Thank you!

-Greg

gerakon · September 21, 2018, 9:10pm

Rendezz, thanks for looking. At first, it appears that it isn’t working, but I won’t have time to dig into it until this weekend.

Gregster, The other part of this is the firewall rules that I’m using (or trying to). Here are the rules… probably need tweaking… I’ll post what works when we figure it out, but you should be able to apply it to other services/ports as well. assumming you don’t have a large number of connections to that service (I only have one). I imagine with a little more effort, there might be able to modify this to work with more connections too by counting number in the address list or maybe new connections? I just want to know when my accountant is connected via RDP so I don’t login and bump her off. I’d like to set it up so that it emails to my cell phone to get an SMS notification.

/ip firewall filter

add action=add-src-to-address-list address-list=RDPUserConnected address-list-timeout=10m chain=forward dst-port=3389 log=yes log-prefix="RDPUserConnected - " protocol=tcp src-address=192.168.0.0/24
add action=accept chain=forward dst-port=3389 protocol=tcp src-address=192.168.0.0/24 src-address-list=!RDPUserConnected

gerakon · September 26, 2018, 3:06am

line 2 of what you posted seems to work, Rendezz, but it didn’t seem to print the 4th line (:put) to the terminal. I’ve worked some more on the email portion but that still isn’t working. I also commented the script. Any thoughts? Thanks.

#Define variables
global vCurrentStatus;
global vCurrentRDPIPs:
global vNewStatus:
#find number of connected RDP Users
: vNewStatus [:len [/ip firewall address-list find list="RDPUserConnected"]];
#If change in RDP user count - send email
:if ($vNewStatus != $vCurrentStatus) do={
     :if ($vNewStatus != 0) do={
         /tool e-mail send to=user@domain.com subject="RDP Users Connected" body="The following $vNewStatus RDP users are currently connected" start-tls=yes;
         } 
     else={
         /tool e-mail send to=user@domain.com subject="No RDP Users Connected" body="There are no longer any RDP users connected" start-tls=yes;
        }
     :set vCurrentStatus $vNewStatus;
     }

rendezz · September 26, 2018, 11:31am

Your code doesn’t seem to compile on my side

Colon end of second line
Colon end of third line
no :local on fourth line

Does that code compile on your side?

Can you send me your running code so I can take a look at it.

rendezz · September 26, 2018, 11:41am

If I correct your code like this

#Define variables
global vCurrentStatus;
global vCurrentRDPIPs
global vNewStatus
#find number of connected RDP Users
:set vNewStatus [:len [/ip firewall address-list find list="RDPUserConnected"]];
#If change in RDP user count - send email
:if ($vNewStatus != $vCurrentStatus) do={
     :if ($vNewStatus != 0) do={
         :put "The following $vNewStatus RDP users are currently connected"
         }  else={
         :put "There are no longer any RDP users connected"
        }
     :set vCurrentStatus $vNewStatus;
     }

Then I get this output

[admin@unconfigured.democpt] > /system script run script1                                             
There are no longer any RDP users connected
[admin@unconfigured.democpt] > /ip firewall address-list add address="1.1.1.1" list="RDPUserConnected"
[admin@unconfigured.democpt] > /system script run script1                                             
The following 1 RDP users are currently connected
[admin@unconfigured.democpt] >

Which is as expected.

gerakon · September 28, 2018, 4:23am

Hi Rendezz,

Uh… it seems I know far less about RouterOS Scripting than I thought (which wasn’t much)… What do you mean by compile? I didn’t see anything about compiling in the wiki/manual. Compiling might mean IDE or text editor (I found that there is notepad++ with syntax highlighting… is there something better?

I also found

/system script print

was helpful.

What you posted worked great and it helped my learn a bit more about scripting. Thank you!

So I then decided to tweak it a little more and broke it again.
I wanted to get the list of IPs from the address list, put them in a variable (vCurrentRDPIPs) and include them in the email, but now when I run /system scripts print it highlights “get” on line 7 in red. I assume this is bad and I need to fix it. I tried print as well as a few other things but couldn’t get it to work. Do I need an Array for multiple lines?
Thanks for all of your help.
I found the scripting wiki/manual and the tips and tricks. Are there any other good ways to learn scripting?

#Define variables
global vCurrentStatus;
global vCurrentRDPIPs;
global vNewStatus;
#find number of connected RDP Users
:set vNewStatus [:len [/ip firewall address-list find list="RDPUserConnected"]];
:if ($vNewStatus != $vCurrentStatus) do={
#If change in RDP user count - send email
     :if ($vNewStatus != 0) do={
     #Get list of RDP IPs     
          :set $vCurrentRDPIPs [:get [/ip firewall address-list find list="RDPUserConnected"]];
         /tool e-mail send to=user@domain.com subject="RDP Users" body="The following $vNewStatus RDP IPs are currently connected \r test $vCurrentRDPIPs" start-tls=yes;
         } else={
         /tool e-mail send to=user@domain.com subject="RDP Users" body="There are no longer any RDP IPs connected" start-tls=yes;
        }
     :set vCurrentStatus $vNewStatus;
     }