I’m struggling with a bruteforce http chap login prevention script for the hotspot.
I checked this out: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention - but with wireshark I can’t get any useful detail to build up an address list.
So I was thinking to use the logs. Do you know if I can create and address list (blacklist) by counting failed logins from the log file? I believe it’s possible and probably the script needs to be scheduled to run all the time. How this would affect the router resources? - Probably you guys have a better idea
Thanks to https://goo.gl/yJfPYE I didn’t know that “invalid username or password” was carried from tcp in this scenario.
Move those filters above all the hotspot filters.
Ok, after 6 failed logins (in 2 minutes) all the tcp connections for those ip addresses are dropped. The list will expire after 3hours.
My dhcp server lease time is quite short (and I need to keep it short) so I wrote down another script. It does an ip to mac conversion by using arp, but i believe that can be done by the dhcp server (indeed it also collects mac addresses). If you don’t wanna play around: just → Add arp for leases.
#Hotspot IP to MAC binding#
:local ipaddr value=“”;
:local mac value=“”;
:foreach a in=[/ip firewall address-list find where dynamic=yes and list=hotspot_blacklist] do={
:set $ipaddr [/ip firewall address-list get $a value-name=address];
:local m [/ip arp find where address=$ipaddr dynamic=yes];
:set $mac [/ip arp get $m mac-address];
thank you emanuele
this is what exactly i need but i noticed it’s working on RB4011iGS+RM and i try it with RB5009UG+S+IN but it doesn’t work i don’t know why i did seam thing on bot devices
any help or comments
best regards
