Community discussions

MUM Europe 2020
 
gerakon
Member Candidate
Member Candidate
Topic Author
Posts: 104
Joined: Sat May 24, 2014 8:14 am

script to detect RDP user connected

Thu Sep 20, 2018 8:45 am

I just barely understand what I'm doing when it comes to scripting...
I'm trying to mash a couple scripts together to detect when there is an active RDP connection. I have a firewall rule to add the IP to an address list. I'm having trouble with syntax on the second line.

:global vCurrentStatus;
:local vNewStatus [/ip firewall address-list> :put [:len [find list="RDPUserConnected"] ]];
:if ($vNewStatus != $vCurrentStatus) do={
    :put "ip address $vCurrentStatus changed to $vNewStatus";
    :set vCurrentStatus $vNewStatus;
}

:put [:len [find list="RDPUserConnected"] ]];
runs fine if I am already in the terminal at /ip firewall address-list>, but I can't get it to run with the first part?

I'll try to fix the 4th line to send me an email after we get the 2nd line figured out.
Thanks for any assistance.
 
User avatar
rendezz
just joined
Posts: 15
Joined: Mon Sep 17, 2018 11:07 am

Re: script to detect RDP user connected

Fri Sep 21, 2018 9:31 am

:global vCurrentStatus;
:local vNewStatus [/ip firewall address-list> :put [:len [/ip firewall address-list find list="RDPUserConnected"] ]];
:if ($vNewStatus != $vCurrentStatus) do={
    :put "ip address $vCurrentStatus changed to $vNewStatus";
    :set vCurrentStatus $vNewStatus;
}
Thats just a guess from my part
Home of the Badjr, the cloud-managed business network router built on Mikrotik http://baselinecloud.com/badjr
 
User avatar
rendezz
just joined
Posts: 15
Joined: Mon Sep 17, 2018 11:07 am

Re: script to detect RDP user connected

Fri Sep 21, 2018 9:38 am

Actually just ignore my post above

Try this
global vCurrentStatus;
:local vNewStatus [:len [/ip firewall address-list find list="RDPUserConnected"]];
:if ($vNewStatus != $vCurrentStatus) do={
    :put "ip address $vCurrentStatus changed to $vNewStatus";
    :set vCurrentStatus $vNewStatus;
}
Home of the Badjr, the cloud-managed business network router built on Mikrotik http://baselinecloud.com/badjr
 
gregster
just joined
Posts: 1
Joined: Fri Sep 21, 2018 5:42 pm

Re: script to detect RDP user connected

Fri Sep 21, 2018 7:01 pm

Hi,

I am new to the mikrotik world. I have done a little bit of googling, but I am not sure how to proceed. I would like to get notification of activity on certain ports. Say that I want to get notification of activity on port 3389 (like this post). On connection to an endpoint on this port, I would like to call a REST endpoint, something like http://myserver/rdplog?ip=ipaddress&mac=macid. Is this possible? I would like to avoid grabbing the log since that is likely to bog down the router/firewall as this will form the basis of an external monitor for banned activity. Is this possible via scripting? Does anyone have a simple example that I can start working off of?


Thank you!

-Greg
 
gerakon
Member Candidate
Member Candidate
Topic Author
Posts: 104
Joined: Sat May 24, 2014 8:14 am

Re: script to detect RDP user connected

Sat Sep 22, 2018 12:10 am

Rendezz, thanks for looking. At first, it appears that it isn't working, but I won't have time to dig into it until this weekend.

Gregster, The other part of this is the firewall rules that I'm using (or trying to). Here are the rules..... probably need tweaking..... I'll post what works when we figure it out, but you should be able to apply it to other services/ports as well. assumming you don't have a large number of connections to that service (I only have one). I imagine with a little more effort, there might be able to modify this to work with more connections too by counting number in the address list or maybe new connections? I just want to know when my accountant is connected via RDP so I don't login and bump her off. I'd like to set it up so that it emails to my cell phone to get an SMS notification.

/ip firewall filter

add action=add-src-to-address-list address-list=RDPUserConnected address-list-timeout=10m chain=forward dst-port=3389 log=yes log-prefix="RDPUserConnected - " protocol=tcp src-address=192.168.0.0/24
add action=accept chain=forward dst-port=3389 protocol=tcp src-address=192.168.0.0/24 src-address-list=!RDPUserConnected
 
gerakon
Member Candidate
Member Candidate
Topic Author
Posts: 104
Joined: Sat May 24, 2014 8:14 am

Re: script to detect RDP user connected

Wed Sep 26, 2018 6:06 am

line 2 of what you posted seems to work, Rendezz, but it didn't seem to print the 4th line (:put) to the terminal. I've worked some more on the email portion but that still isn't working. I also commented the script. Any thoughts? Thanks.
#Define variables
global vCurrentStatus;
global vCurrentRDPIPs:
global vNewStatus:
#find number of connected RDP Users
: vNewStatus [:len [/ip firewall address-list find list="RDPUserConnected"]];
#If change in RDP user count - send email
:if ($vNewStatus != $vCurrentStatus) do={
     :if ($vNewStatus != 0) do={
         /tool e-mail send to=user@domain.com subject="RDP Users Connected" body="The following $vNewStatus RDP users are currently connected" start-tls=yes;
         } 
     else={
         /tool e-mail send to=user@domain.com subject="No RDP Users Connected" body="There are no longer any RDP users connected" start-tls=yes;
        }
     :set vCurrentStatus $vNewStatus;
     }
 
User avatar
rendezz
just joined
Posts: 15
Joined: Mon Sep 17, 2018 11:07 am

Re: script to detect RDP user connected

Wed Sep 26, 2018 2:31 pm

Your code doesn't seem to compile on my side

Colon end of second line
Colon end of third line
no :local on fourth line

Does that code compile on your side?

Can you send me your running code so I can take a look at it.
Home of the Badjr, the cloud-managed business network router built on Mikrotik http://baselinecloud.com/badjr
 
User avatar
rendezz
just joined
Posts: 15
Joined: Mon Sep 17, 2018 11:07 am

Re: script to detect RDP user connected

Wed Sep 26, 2018 2:41 pm

If I correct your code like this
#Define variables
global vCurrentStatus;
global vCurrentRDPIPs
global vNewStatus
#find number of connected RDP Users
:set vNewStatus [:len [/ip firewall address-list find list="RDPUserConnected"]];
#If change in RDP user count - send email
:if ($vNewStatus != $vCurrentStatus) do={
     :if ($vNewStatus != 0) do={
         :put "The following $vNewStatus RDP users are currently connected"
         }  else={
         :put "There are no longer any RDP users connected"
        }
     :set vCurrentStatus $vNewStatus;
     }
    
Then I get this output
[admin@unconfigured.democpt] > /system script run script1                                             
There are no longer any RDP users connected
[admin@unconfigured.democpt] > /ip firewall address-list add address="1.1.1.1" list="RDPUserConnected"
[admin@unconfigured.democpt] > /system script run script1                                             
The following 1 RDP users are currently connected
[admin@unconfigured.democpt] > 
Which is as expected.
Home of the Badjr, the cloud-managed business network router built on Mikrotik http://baselinecloud.com/badjr
 
gerakon
Member Candidate
Member Candidate
Topic Author
Posts: 104
Joined: Sat May 24, 2014 8:14 am

Re: script to detect RDP user connected

Fri Sep 28, 2018 7:23 am

Hi Rendezz,

Uh.... it seems I know far less about RouterOS Scripting than I thought (which wasn't much)..... What do you mean by compile? I didn't see anything about compiling in the wiki/manual. Compiling might mean IDE or text editor (I found that there is notepad++ with syntax highlighting.... is there something better?

I also found
/system script print
was helpful.

What you posted worked great and it helped my learn a bit more about scripting. Thank you!

So I then decided to tweak it a little more and broke it again. :(
I wanted to get the list of IPs from the address list, put them in a variable (vCurrentRDPIPs) and include them in the email, but now when I run /system scripts print it highlights "get" on line 7 in red. I assume this is bad and I need to fix it. I tried print as well as a few other things but couldn't get it to work. Do I need an Array for multiple lines?
Thanks for all of your help.
I found the scripting wiki/manual and the tips and tricks. Are there any other good ways to learn scripting?
#Define variables
global vCurrentStatus;
global vCurrentRDPIPs;
global vNewStatus;
#find number of connected RDP Users
:set vNewStatus [:len [/ip firewall address-list find list="RDPUserConnected"]];
:if ($vNewStatus != $vCurrentStatus) do={
#If change in RDP user count - send email
     :if ($vNewStatus != 0) do={
     #Get list of RDP IPs     
          :set $vCurrentRDPIPs [:get [/ip firewall address-list find list="RDPUserConnected"]];
         /tool e-mail send to=user@domain.com subject="RDP Users" body="The following $vNewStatus RDP IPs are currently connected \r test $vCurrentRDPIPs" start-tls=yes;
         } else={
         /tool e-mail send to=user@domain.com subject="RDP Users" body="There are no longer any RDP IPs connected" start-tls=yes;
        }
     :set vCurrentStatus $vNewStatus;
     }

Who is online

Users browsing this forum: No registered users and 4 guests