Jotne
Forum Guru
Topic Author
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Script to add IP of failed IPSEC login to block list

Mon Jun 10, 2019 10:26 am

When a user tries IPSEC but does not have the correct credentials, a message like this will be logged: "negotiation failed".
This script takes the IP from this attempt and adds it to a block list to prevent multiple login attempts. (Blocked out)


script name: Find_IPSEC_negotian_failed
# Created Jotne 2019 v1.1
# 1.1 made sure "negotiation failed" is at end of line and it contains IP
#
# This script adds the IP of a user who failed IPSEC negotiation to a block list for 24 hours
# Schedule the script to run every 5 min
# It should run on all RouterOS versions

# Find all "negotiation failed" errors from the last 5 min
# (the log "time" field holds only the time of day, so a window longer than 24h cannot work)
:local loglist [:toarray [/log find time>([/system clock get time] - 5m) (message~"negotiation failed.\$" || message~"src_ip")]]

# for each matching log entry do
:foreach i in=$loglist do={

# get the message text
	:local logMessage [/log get $i message]
# the IP is the first word of the message (up to the first space)
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]

# add the IP to the address list; skip it if it is already there, because a
# duplicate add fails with "already have such entry" and aborts the rest of the loop
	:if ([:len [/ip firewall address-list find list=IPSEC address=$ip]] = 0) do={
		/ip firewall address-list add address=$ip list=IPSEC timeout=24h
	}
# send a message to the log
	:log info message="script=IPSEC_failed src_ip=$ip"
	}

Create a scheduler that runs the script Find_IPSEC_negotian_failed every 5 min:
/system scheduler add interval=5m name="Find IPSEC" on-event=Find_IPSEC_negotian_failed
Then add a filter rule high in your filter rules like this (replace ether1 with your outside IP):
/ip firewall filter add action=drop chain=input comment="Block wrong IPSEC" in-interface=ether1 src-address-list=IPSEC
You can change timeout=24h to set how long all IPs are blocked, or remove it to block all IPs permanently.
Last edited by Jotne on Tue Jun 18, 2019 9:48 pm, edited 1 time in total.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Thu Jun 13, 2019 2:33 pm

Thank you for this!
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Fri Jun 14, 2019 2:31 pm

When I add all the script code via copy/paste it fails. So this must be some CR issue on my end.

I will try and sort it later.

Thanks for your help
 
Jotne
Forum Guru
Topic Author
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Script to add IP of failed IPSEC login to block list

Fri Jun 14, 2019 3:46 pm

The first part can not be copy/pasted directly to cli.

You need to create a script from Web or Winbox, then copy/paste the first part into the script.

Here is a version you can copy/paste from cli (much harder to read and understand)
/system script add dont-require-permissions=no name=Find_IPSEC_negotian_failed owner=jotne policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# Created Jotne 2019 v1.0\r\
    \n#\r\
    \n# This script add ip of user who failed IPSEC negotiation to a block list for 24hour\r\
    \n# Schedule the script to run every 5 min\r\
    \n# It should run on all routerOS version\r\
    \n\r\
    \n# Find all \"negotiation failed\" error last 5 min\r\
    \n:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~\"negotiation failed\"]]\r\
    \n\r\
    \n# for all error do\r\
    \n:foreach i in=\$loglist do={\r\
    \n\r\
    \n# find message\r\
    \n\t:local logMessage [/log get \$i message]\r\
    \n# find ip\r\
    \n\t:local ip [:pick \$logMessage 0 [:find \$logMessage \" \"]]\r\
    \n\r\
    \n# Add ip to accesslist\t\r\
    \n\t/ip firewall address-list add address=\$ip list=IPSEC timeout=24h\r\
    \n# Send a message to the log\t\r\
    \n\t:log info message=\"script=IPSEC_failed src_ip=\$ip\"\r\
    \n\t}\r\
    \n"
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Fri Jun 14, 2019 4:00 pm

I was trying to copy your original post into the script window and not CLI.

Adding it via CLI worked better. It ran and gave me a FW entry this time, but it does not pull the IP from the log entry. Here is the log add from the script:

script=IPSEC_failed src_ip=phase1

That is the beginning of the line in the log that contains the "negotiation failed" bit.

Any ideas? Thanks again.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Script to add IP of failed IPSEC login to block list

Fri Jun 14, 2019 5:11 pm

Try to run the script from cli.
Output is to cli, not to log, in this version. Also changed to last 24h
[
# Find all "negotiation failed" error last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 24h) message~"negotiation failed"]]

# for all error do
:foreach i in=$loglist do={

# find message
	:local logMessage [/log get $i message]
# find ip
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]

# Add ip to accesslist	
	/ip firewall address-list add address=$ip list=IPSEC timeout=24h
# Send a message to the log	
	:put "script=IPSEC_failed src_ip=$ip"
	}
]

Also try this manually
:put [:toarray [/log find  time>([/system clock get time] - 24h) message~"negotiation failed"]]
 
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sat Jun 15, 2019 3:25 am

Thanks Jotne - I will try it later and report back.
 
hova888
just joined
Posts: 3
Joined: Sat Jun 15, 2019 4:37 am

Re: Script to add IP of failed IPSEC login to block list

Sat Jun 15, 2019 5:27 am

Thanks, one question: why 5 min?
Will the ipsec list be created when the first blocked IP is added?
Mikrotik hap ac2
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sat Jun 15, 2019 2:50 pm

Hi - Here is what happens with the first part -

1. dynamically created a FW address-list rule named IPSEC with an address of phase1. Timeout is correct.
2. Terminal L1: script=IPSEC_failed src_ip=phase1
3. Terminal L2: failure: already have such entry
note: I deleted the previous phase1 entries from the FW address-list. I am unclear where the L2 report is coming from...?

I am running 6.44.3. The failure message in my log is:
phase1 negotiation failed due to time up
xxxxxx(xxx)<=>XXXXXX(xxx)
as;dlfkj;lkjw2l;j22as;lkdfa;lsfj;lasjkf

The first IP address is the target VPN and the second is my cell phone IP. I am using my cell VPN to hit the correct address with an invalid secret and credentials.

For the second piece you asked me to run manually I get some strange hex(?) back: *19da;*19db;*19ed;*19fe
I am guessing it is not picking up the system time of that message, yet still trying to subtract 24h, thus the hex. That is an uneducated guess.
edit: if I make it - 0m it returns a blank. Not sure why it is not picking up the time of the message containing "negotiation failed"

Hope this helps.
 
Jotne
Forum Guru
Topic Author
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Script to add IP of failed IPSEC login to block list

Sat Jun 15, 2019 9:02 pm

Not sure what goes wrong.

But the code is correct. It represents the ID numbers of the lines that it finds. This is the way all scripts work in MT.

Try this and see the ID with the log lines.
[
:local list [:toarray [/log find  time>([/system clock get time] - 24h) message~"negotiation failed"]]
:put "ID-List"
:put $list
:put ""
:put "Log lines"
:foreach i in=$list do={
	:put [/log print as-value where .id=$i]}
]
 
 
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 3:19 am

When I copy that in CLI I get the following -

ID-List


Log lines

That is it - with two blanks in between. The log is filled with at least 10 "negotiation failed" lines in the last 24 hours. Could the clock be causing a problem?

The log is stored in memory - I assume that is ok as default?

update - I typed the whole thing in the terminal manually (each line) thinking there was a character set issue - but got the same result as above.

Thanks for your help - this would be a great script to have!
Last edited by RackKing on Sun Jun 16, 2019 3:39 am, edited 1 time in total.
 
Jotne
Forum Guru
Topic Author
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 3:29 am

You get nothing since find does not find anything.

Try this; it should get all messages with an "a" in them.
[
:local list [:toarray [/log find message~"a"]]
:put "ID-List"
:put $list
:put ""
:put "Log lines"
:foreach i in=$list do={
	:put [/log print as-value where .id=$i]}
]


To test things out, try a command with :put in front of it.

E.g. for this:
:local list [:toarray [/log find message~"a"]]
Try this:
:put [:toarray [/log find message~"a"]]
To see how time works:
:put ([/system clock get time] - 2h)
 
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 3:57 am

[
:local list [:toarray [/log find message~"negotiation failed"]]
:put "ID-List"
:put $list
:put ""
:put "Log lines"
:foreach i in=$list do={
	:put [/log print as-value where .id=$i]}
]
So I ran that - and the log started filling up with lots of lines... I had to interrupt it :-) so that worked

Then I changed the "a" to "negotiation failed" and it worked! I did get all the messages with negotiation failed filling the logs.
:put ([/system clock get time] - 2h)
that worked as expected and reported the correct time back.

To be honest I am not sure what output to expect from these -
:local list [:toarray [/log find message~"a"]]
:put [:toarray [/log find message~"a"]]
I got some output that looked like ;*lb60;*lb61;*lb62... - it was a long list.

Getting closer?
Last edited by RackKing on Sun Jun 16, 2019 2:34 pm, edited 1 time in total.
 
Jotne
Forum Guru
Topic Author
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 11:50 am

you are getting the line IDs; they look like this:
*lb60;*lb61;*lb62
so that is correct.
You should read through the script manual and try to learn scripts.

Start with these pages:
https://wiki.mikrotik.com/wiki/Manual:Scripting
https://wiki.mikrotik.com/wiki/Scripts
https://wiki.mikrotik.com/wiki/Manual:S ... g-examples
viewtopic.php?t=40507
 
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 12:47 pm

Ok Jotne -

Thank you for the links.

I assume the script you posted works on your MTs? I would have thought that I could copy a working script and duplicate the results.

I will struggle with it some more, but probably do not have the programming skills to work through it.

Thanks again for your efforts.
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 2:11 pm

For anyone who may see this - here is some code I have cobbled together to produce the following output.

To be clear - this was code that Jotne wrote and the credit is his. I am simply trying to find why it does not work for me.
[
:local loglist [:toarray [/log find message~"negotiation failed"]]
:foreach i in=$loglist do={
	:local logMessage [/log get $i message]
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]
	:put "script=IPSEC_failed src_ip=$ip"
	}
]
Output CLI:
Image

It appears there are two issues.
1) It is not finding the IP addresses for each message - it only found them for two of them.
2) I am looking at the entire log of "negotiation failed" messages and getting the result. I think there is a problem with this:
:put [:toarray [/log find  time>([/system clock get time] - 24h) message~"negotiation failed"]]
as it does not appear to find any results within the last 24 hours.

I am hoping someone with more scripting skill than I have (which is zero) may chime in. I will keep working at it in my own layman way and report back any progress.

Thanks in advance.
Last edited by RackKing on Sun Jun 16, 2019 2:31 pm, edited 1 time in total.
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 2:29 pm

For clarity - when I use what I believe is the "within last 24 hour" part of the original script I get no output.
[
:local loglist [:toarray [/log find time>([/system clock get time] -24h) message~"negotiation failed"]]
:foreach i in=$loglist do={
	:local logMessage [/log get $i message]
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]
	:put "script=IPSEC_failed src_ip=$ip"
	}
]
 
Jotne
Forum Guru
Topic Author
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 4:05 pm

The IP does come from the message. So if there is no IP, no IP will be shown.
I see only IPs, so there may be something wrong with your IPSec setup.

What do you get from this? (it shows the message from the log as well)
[
:local loglist [:toarray [/log find message~"negotiation failed"]]
:foreach i in=$loglist do={
	:local logMessage [/log get $i message]
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]
	:put "script=IPSEC_failed src_ip=$ip  msg=$logMessage"
	}
]
 
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 4:36 pm

Thank you for your continued help in this.

This is a sample of what I get.... it is about 20-30 lines longer.

Image
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 4:41 pm

Here is one where it did work - the IP and message = the IP address

Image
 
Jotne
Forum Guru
Topic Author
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 9:11 pm

I see now what is going on.

There is more than one type of negotiation failed. Messages with a time out do not contain an IP, so there is nothing to add to the access list.

This should only get lines with an IP. Search for both negotiation failed and src_ip
[
:local loglist [:toarray [/log find (message~"negotiation failed" || message~"src_ip")]]
:foreach i in=$loglist do={
	:local logMessage [/log get $i message]
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]
	:put "script=IPSEC_failed src_ip=$ip  msg=$logMessage"
	}
]
Or this may do: make sure "negotiation failed." is at the end of the line
[
:local loglist [:toarray [/log find message~"negotiation failed.\$"]]
:foreach i in=$loglist do={
	:local logMessage [/log get $i message]
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]
	:put "script=IPSEC_failed src_ip=$ip  msg=$logMessage"
	}
]
Last edited by Jotne on Tue Jun 18, 2019 3:03 pm, edited 1 time in total.
 
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Mon Jun 17, 2019 1:33 am

Again - thank you for your help. I really appreciate your help and would like to get this working. Here is the output from the first version

Image
Or this may do: make sure "negotiation failed." is at the end of the line
The second version did not pull anything.

So the first version appears to have worked. It pulled the IP from both kinds of messages.
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Tue Jun 18, 2019 2:38 pm

I was working with the script again in an effort to get it going - here is where I am at. This:
[
:local loglist [:toarray [/log find (message~"negotiation failed" || message~"src_ip")]]
:foreach i in=$loglist do={
	:local logMessage [/log get $i message]
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]
	:put "script=IPSEC_failed src_ip=$ip  msg=$logMessage"
	}
]
Pulls a little different output that looks like the following. I can certainly see it pulling the two different types of messages.
Image

For clarity - the top message looks something like:
script=IPSEC_failed src_ip=phase1 msg=phase1 negotiation failed due to time up x.x.x.x(xxx)<=>x.x.x.x(xxx) alksj;qwlej;lqw:13245j23;j;lj
where the first IP address is the server and the second is the user.

So it pulls the "negotiation failed" part, but the source IP in one of those is src_ip=phase1. So that is of no use, right? Although it contains an IP in the message.

Am I right in thinking that one message is an attempt to gain access with all the incorrect information, shared secret and/or user credentials, and the shorter message is a correct shared secret but incorrect user credentials? Should we try to catch both? It would seem the exposure to people hitting the ports with no secret or user credentials is greater? Or is it that if the shared secret gets out someone may use it with random user names and passwords? Either way - if I understand the output - the first lines of output make parsing the IP much more difficult or impossible?

Next - I tried to blend the time element back into the script, but I must have the syntax wrong as I get no output. That was the only thing changed. Any ideas?
[
:local loglist [:toarray [/log find time>([/system clock get time] - 7d) (message~"negotiation failed" || message~"src_ip")]]
:foreach i in=$loglist do={
	:local logMessage [/log get $i message]
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]
	:put "script=IPSEC_failed src_ip=$ip  msg=$logMessage"
	}
]
I am going to keep working on this. Thanks for the help.
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Tue Jun 18, 2019 2:46 pm

I also went back to post #6 and re-ran those scripts thinking that since we had different "negotiation failed" messages these may work. But I did not receive output from either. I did adjust the time back far enough to grab them. Below is the second one.
:put [:toarray [/log find  time>([/system clock get time] - 7d) message~"negotiation failed"]]
 
Jotne
Forum Guru
Topic Author
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Script to add IP of failed IPSEC login to block list

Tue Jun 18, 2019 3:04 pm

7d does not work, max 24h, since the field is just hours.

Did you try the end of line $?
:local loglist [:toarray [/log find message~"negotiation failed.\$"]]
 
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Tue Jun 18, 2019 3:21 pm

7d does not work, max 24h, since the field is just hours.

Did you try the end of line $?
:local loglist [:toarray [/log find message~"negotiation failed.\$"]]
Ah - thank you for the clarification on the 24h part.

The first time I ran that, as I indicated in #22, I got nothing. Now when I run it I do get output. I know I have had a user with the correct shared secret but using the wrong credentials. That picked those up.

Image

Am I right in thinking your script is designed to catch this type of negotiation failed vs somebody trying to VPN with no secret or credentials?
 
hova888
just joined
Posts: 3
Joined: Sat Jun 15, 2019 4:37 am

Re: Script to add IP of failed IPSEC login to block list

Tue Jun 18, 2019 3:39 pm

Hi, why not see IP added block Ipsec list?
Mikrotik hap ac2
 
Jotne
Forum Guru
Topic Author
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Script to add IP of failed IPSEC login to block list

Tue Jun 18, 2019 9:46 pm

Hi, why not see IP added block Ipsec list?
Not sure what you are asking?

Am I right in thinking your script is designed to catch this type of negotiation failed vs somebody trying to VPN with no secret or credentials?
The script was made from a simple test, not through testing all possibilities. It may be tuned to take more into account when looking at wrong connections.
 
 
RackKing
Member Candidate
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Wed Jun 19, 2019 3:33 pm

I have done some more testing on various versions of this script and typical failures that in my mind simulate a malicious attack. Here are my findings.

The script will work properly if the log message is in this exact format:
x.x.x.x phase 1 negotiation failed
I believe this is when the VPN server is hit by a client with little or no configuration so the proposal fails in total. The script does not work when the "negotiation failure" message syntax is formatted differently than above. You can see this from the various messages posted above.

These include failure types like these:
1) wrong IPsec shared secret and user credentials
2) correct IPsec shared secret but incorrect user credentials
3) some combination of wrong user name or password

You can see the script will find the "negotiation failed" part, but "phase 1" was the leading part of the message so that is what it found as the src_ip.

I have taken this and tested it as far as I can... for now. I wish I was a scripting wizard as I think this could be sorted, but it becomes a much bigger project.

In summary - I conclude this script works in some instances, likely against simple kiddies/bots. You will have to make a judgement on how much value this holds for you. In the past 14 days I have had 4 such attempts, but never from the same IP twice.

I would like to thank Jotne for all the help. I have learned much from trying to work through this. I have a better understanding of what to look for and how to work with scripts. I may even try to write my own :-) Thank you!

Best to all.
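The parsing problem the thread converges on (the first word of the message is only the peer IP for one of the two "negotiation failed" message shapes) is easier to reason about outside the router. Below is an added example in Python, not part of this thread and not Jotne's RouterOS script: it validates the first token as an address before using it, so the "due to time up" form no longer yields "phase1"; for that form it takes the second address of the a(port)<=>b(port) pair, on RackKing's stated assumption that the first address is the VPN server and the second the client; and it models the time-of-day log field that limits the window to under 24h, including the wrap across midnight. The sample log lines, the RFC 5737 documentation addresses and all function names are constructed for this example.

```python
"""Parse RouterOS IPsec "negotiation failed" log lines and pick the peer IP.

Constructed example, not the thread's RouterOS script. Message shapes, the
"first word is the IP" rule and the 24h limit come from the thread; the sample
lines and addresses (RFC 5737 documentation ranges) are made up.
"""
import ipaddress
import re

# "a(port)<=>b(port)" as it appears in the "due to time up" message form
PAIR_RE = re.compile(r"(\S+?)\((\d+)\)<=>(\S+?)\((\d+)\)")


def first_token_ip(message):
    """First word of the message if it is a valid IP address, else None.
    Same as the thread's :pick ... [:find $logMessage " "] step, plus a
    validity check so a leading "phase1" is rejected instead of blocked."""
    token = message.split(" ", 1)[0]
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None


def peer_from_pair(message):
    """Second address of the a(port)<=>b(port) pair, or None.
    Assumption from the thread: first address is the VPN server, second the client."""
    m = PAIR_RE.search(message)
    if m is None:
        return None
    try:
        return str(ipaddress.ip_address(m.group(3)))
    except ValueError:
        return None


def extract_failed_peer(message):
    """Return (kind, ip) for a usable negotiation failure, else None."""
    if "negotiation failed" not in message:
        return None
    if message.rstrip(" .").endswith("negotiation failed"):
        # "x.x.x.x phase1 negotiation failed": the peer is the first word
        ip = first_token_ip(message)
        return ("proposal", ip) if ip else None
    if "due to time up" in message:
        # "phase1 negotiation failed due to time up a(500)<=>b(500) ...": peer is b
        ip = peer_from_pair(message)
        return ("timeout", ip) if ip else None
    return None


def in_recent_window(entry_tod, now_tod, window_seconds):
    """True if time-of-day entry_tod ("HH:MM:SS") is within window_seconds before now_tod.
    The log time field holds only the time of day (the thread's 24h limit), so a
    window of a day or more is rejected and a window that starts before midnight wraps."""
    if window_seconds >= 86400:
        raise ValueError("time-of-day field cannot express a window of 24h or more")

    def secs(tod):
        h, m, s = (int(x) for x in tod.split(":"))
        return h * 3600 + m * 60 + s

    now, entry = secs(now_tod), secs(entry_tod)
    if entry > now:  # a later clock time than "now" was logged yesterday
        entry -= 86400
    return now - entry <= window_seconds


# Constructed sample log: (time-of-day, message) in the shapes the thread reports
SAMPLE_LOG = [
    ("23:59:10", "203.0.113.5 phase1 negotiation failed"),
    ("23:59:40", "phase1 negotiation failed due to time up 192.0.2.1(500)<=>203.0.113.7(500) 0a1b2c3d"),
    ("00:00:20", "phase1 negotiation failed due to time up 192.0.2.1(500)<=>203.0.113.7(500) 0a1b2c3d"),
    ("00:02:05", "198.51.100.9 phase1 negotiation failed"),
    ("00:02:30", "user admin logged in from 192.0.2.50 via winbox"),
    ("18:00:00", "192.0.2.200 phase1 negotiation failed"),
]


def build_block_list(entries, now_tod, window_seconds):
    """{peer_ip: failure_count} for failures inside the window; the keys are what
    the thread's script would add to the IPSEC address-list."""
    counts = {}
    for tod, message in entries:
        if not in_recent_window(tod, now_tod, window_seconds):
            continue
        hit = extract_failed_peer(message)
        if hit is None:
            continue
        _kind, ip = hit
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    # Same 5-minute window the thread's scheduler uses, evaluated just after midnight
    for ip, n in build_block_list(SAMPLE_LOG, "00:03:00", 300).items():
        print(f"script=IPSEC_failed src_ip={ip} failures={n}")
```

Counting failures per address rather than adding on first sight is a deliberate choice: a single timeout is not proof of a brute-force attempt, and a threshold can be applied to the counts before anything is written to the address list. The 18:00:00 entry is excluded by the window even though it is a clean "proposal" line, which is the behaviour the scheduler-driven script relies on.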
