nickjail
just joined
Topic Author
Posts: 16
Joined: Mon Feb 17, 2014 9:26 pm

Black list for failed login to IPSec VPN

Sat May 11, 2019 12:40 am

Hello!
I have a VPN server on my router. Of course, periodically someone tries to knock on it, and I get tons of email messages before I add the IP to the block list.
I don't want to close the ports. I want to make a script that adds the failed IPs to a block list.

This command shows the IPs whose negotiation failed:
/log print where message~"negotiation"
This is what it shows (I've removed some digits from the IPs so as not to show the real IP):

apr/15 03:50:37 ipsec,error 216.xx.206.6 phase1 negotiation failed.
apr/16 03:31:44 ipsec,error 216.xx.206.118 phase1 negotiation failed.
apr/17 05:33:29 ipsec,error 216.xx.206.102 phase1 negotiation failed.
may/08 14:30:13 ipsec,error 122.xx.64.43 phase1 negotiation failed.
may/08 14:30:13 ipsec,error 122.xx.64.43 phase1 negotiation failed

Does anyone know how to make a script, based on the command above, that parses the log and adds the IP to an IP list?
Any information on how to secure IPSec in an alternative way would also be useful.
Thanks.
 
Jotne
Forum Guru
Posts: 1290
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Black list for failed login to IPSec VPN

Sat May 11, 2019 11:29 am

Here you go.

Create a script with the name Find_IPSEC that finds all lines with "negotiation failed" from the last 5 minutes, extracts the IP and adds it to an access list.
Find_IPSEC
# Created Jotne 2019 v1.1
#
# This script adds the IP of a user who failed IPSEC negotiation to a block list for 30 days
# Schedule the script to run every 5 min
# It should run on all RouterOS versions

# Find all "negotiation failed" errors from the last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~"negotiation failed"]]

# for each error do
:foreach i in=$loglist do={

# get the message
	:local logMessage [/log get $i message]
# extract the ip (first word of the message)
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]

# Add ip to the address list
	/ip firewall address-list add address=$ip list=IPSEC timeout=30d
# Send a message to the log
	:log info message="script=IPSEC_failed src_ip=$ip"
	}
	
Create a scheduler that runs the script Find_IPSEC every 5 min:
/system scheduler add interval=5m name="Find IPSEC" on-event=Find_IPSEC
Then add an access-list rule high up in your filter rules, like this (change ether1 to your outside IP):
/ip firewall filter add action=drop chain=forward comment="Block wrong IPSEC" in-interface=ether1 src-address-list=IPSEC
You can change timeout=24h to set how long you want to block each IP, or remove it to block the IPs permanently.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
plisken
Forum Guru
Posts: 2409
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: Black list for failed login to IPSec VPN

Sun Jul 28, 2019 7:58 pm

Very interesting application. I will definitely use this script. Thanks.
 
Jotne
Forum Guru
Posts: 1290
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Black list for failed login to IPSec VPN

Thu Aug 08, 2019 8:03 pm

Updated.
Now it also blocks users with this type of message:
SPI e14750001eda995ec not registred for 89.50.40.10[4500]

# Created Jotne 2019 v1.2
#
# This script adds the IP of users with "IPSEC negotiation failed" and "SPI* not registered" to a block list for 24 hours
# Schedule the script to run every 5 min
# It should run on all RouterOS versions

# Find all "negotiation failed" errors from the last 5 min
:local loglistN [:toarray [/log find  time>([/system clock get time] - 5m) message~"negotiation failed"]]

# for each error do
:foreach i in=$loglistN do={

# get the message
	:local logMessageN [/log get $i message]
# extract the ip (first word of the message)
	:local ipN [:pick $logMessageN 0 [:find $logMessageN " "]]

# Add ip to the address list
	/ip firewall address-list add address=$ipN list=IPSEC timeout=24h
# Send a message to the log
	:log info message="script=IPSEC_failed src_ip=$ipN why=negotiation_failed"
	}

# Find all "SPI* not registered" errors from the last 5 min
:local loglistS [:toarray [/log find  time>([/system clock get time] - 5m) message~"SPI.*not regist"]]

# for each error do
:foreach j in=$loglistS do={

# get the message
	:local logMessageS [/log get $j message]
# extract the ip (between "for " and "[")
	:local ipS [:pick $logMessageS ([:find $logMessageS "for "]+4) [:find $logMessageS "["]]

# Add ip to the address list
	/ip firewall address-list add address=$ipS list=IPSEC timeout=24h
# Send a message to the log
	:log info message="script=IPSEC_failed src_ip=$ipS why=SPI_not_registered"
	}
	
 
 
 
iamdc
just joined
Posts: 1
Joined: Mon Aug 19, 2019 7:35 am

Re: Black list for failed login to IPSec VPN

Mon Aug 19, 2019 7:39 am

181.209.165.10 parsing packet failed, possible cause: wrong password
181.209.165.10 parsing packet failed, possible cause: wrong password
181.209.165.10 parsing packet failed, possible cause: wrong password
181.209.165.10 parsing packet failed, possible cause: wrong password
181.209.165.10 parsing packet failed, possible cause: wrong password
181.209.165.10 parsing packet failed, possible cause: wrong password
181.209.165.10 parsing packet failed, possible cause: wrong password
phase1 negotiation failed due to time up xx.xx.xx.xx[4500]<=>181.209.165.10[4500]
The script's log entry is:
script=IPSEC_failed src_ip=phase1 why=negotiation failed

can
# Find all "negotiation failed due to time up" errors from the last 60 min
:local loglistTimeout [:toarray [/log find  time>([/system clock get time] - 60m) message~"phase1 negotiation failed due to time up"]]

# for each error do
:foreach i in=$loglistTimeout do={

# get the message
	:local logMessageTimeout [/log get $i message]
# extract the ip (the part after "<=>", up to "[")
	:local ip1 [:pick $logMessageTimeout [:find $logMessageTimeout ">"] [:len $logMessageTimeout]]
	:local ipTimeout [:pick $ip1 1 [:find $ip1 "["] ]
# Add ip to the address list
	/ip firewall address-list add address=$ipTimeout list=IPSEC_failed timeout=245d
# Send a message to the log
	:log info message="script=IPSEC_failed src_ip=$ipTimeout why=negotiation_failed due to time up"
	}
 
Jotne
Forum Guru
Posts: 1290
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Black list for failed login to IPSec VPN

Mon Aug 19, 2019 10:09 am

I see that you have used 60 minutes.
Then you also have to schedule the script to run every 60 min, not every 5 min as I have used as standard.
If not, you will get double logging and the IP will be added multiple times.
 
 
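As an added illustration, not code from this thread and not something that runs on the router, here is an off-router Python model of the extraction logic that the three RouterOS script versions above converge on: one rule per IPsec error format, the "due to time up" variant taking its peer address from after `<=>` rather than the first word (the cause of the `src_ip=phase1` entry reported above), and a dedup step so an address already on the list is not added a second time. The sample log lines (RFC 5737 documentation addresses), the `already_listed` parameter and the `comment=` field on the emitted commands are constructed for this example.

```python
import re
from ipaddress import ip_address

# Constructed sample lines modelled on the four IPsec error formats quoted in
# this thread. Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = [
    "203.0.113.6 phase1 negotiation failed.",
    "SPI e14750001eda995ec not registred for 198.51.100.10[4500]",
    "phase1 negotiation failed due to time up 192.0.2.1[4500]<=>203.0.113.77[4500]",
    "203.0.113.77 parsing packet failed, possible cause: wrong password",
    "203.0.113.77 parsing packet failed, possible cause: wrong password",
    "ike2 rekey: unrelated line that must not match anything",
]

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Most specific pattern first: the "due to time up" line also contains the words
# "phase1 negotiation failed", but its peer address sits after "<=>", not at the start.
PATTERNS = [
    (re.compile(r"^phase1 negotiation failed due to time up \S+<=>" + IP + r"\[\d+\]"),
     "negotiation_timeout"),
    (re.compile(r"^" + IP + r" phase1 negotiation failed"), "negotiation_failed"),
    (re.compile(r"^SPI [0-9a-fA-F]+ not regist\w* for " + IP + r"\[\d+\]"), "SPI_not_registered"),
    (re.compile(r"^" + IP + r" parsing packet failed"), "wrong_password"),
]


def extract_offender(message):
    """Return (ip, why) for a recognised IPsec error line, else None.

    The regex only captures a dotted-quad shaped token, and the token is then
    validated with ipaddress, so an out-of-range octet (e.g. 999.1.1.1) is
    rejected instead of being handed to the firewall.
    """
    for pattern, why in PATTERNS:
        m = pattern.search(message)
        if m:
            try:
                return str(ip_address(m.group(1))), why
            except ValueError:
                return None
    return None


def collect_blocklist(lines, already_listed=frozenset()):
    """Map each offending IP to the first reason seen.

    Duplicate lines for the same address, and addresses already present on the
    router's address-list (already_listed, a constructed input), are skipped so
    the same IP is never added twice even if the lookback window overlaps the
    scheduler interval.
    """
    found = {}
    for line in lines:
        hit = extract_offender(line)
        if hit is None:
            continue
        ip, why = hit
        if ip in already_listed or ip in found:
            continue
        found[ip] = why
    return found


def address_list_commands(entries, list_name="IPSEC", timeout="24h"):
    """Render the RouterOS address-list commands the on-router script would run."""
    return [
        f"/ip firewall address-list add address={ip} list={list_name} "
        f"timeout={timeout} comment={why}"
        for ip, why in sorted(entries.items())
    ]


if __name__ == "__main__":
    for cmd in address_list_commands(collect_blocklist(SAMPLE_LOG)):
        print(cmd)
```

Run as a file it prints three add commands: the two wrong-password lines collapse into the earlier timeout entry for the same address, and the unrelated line produces nothing. Passing the set of addresses already on the list as `already_listed` is the check that makes the scheduler interval and the lookback window independent of each other.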