flameflower
just joined
Topic Author
Posts: 2
Joined: Mon Mar 16, 2020 1:43 pm

How to get SrcIP address from PPTP Auth failure log?

Mon Mar 16, 2020 2:02 pm

Hi!
I wrote a script to ban users who can't establish an L2TP connection.
#Preparing
#/system logging action
#add name=FirewallServicesAuthFailure target=memory
#/system logging
#add action=FirewallServicesAuthFailure topics=l2tp,error
#/ip firewall raw
#add action=drop chain=prerouting src-address-list=FirewallServicesAuthFailure


:foreach line in=[/log find buffer=FirewallServicesAuthFailure] do={:do {:local AuthFailureLog [/log get $line message];
:local StrAddrStart [:find $AuthFailureLog "<"];
:local StrAddrEnd [:find $AuthFailureLog ":"];
:local StrUserStart [:find $AuthFailureLog "user "];
:local StrUserEnd [:find $AuthFailureLog "authentication failed"];
:local StrUser "";
:local StrAddr "";
:local StrAddrLen;
:local PickAddrStartLen "1";
:local PickAddrEndLen;
:local AuthFailureIP;
:local AuthFailureIPBanTimeout "30d";
:set StrAddr [:pick $AuthFailureLog $StrAddrStart $StrAddrEnd];
:set StrUser [:pick $AuthFailureLog $StrUserStart $StrUserEnd];
:set StrAddrLen [:len $StrAddr];
:set PickAddrEndLen ($StrAddrLen-1);
:set AuthFailureIP [:pick $StrAddr $PickAddrStartLen $PickAddrEndLen ];
/ip firewall address-list add list=FirewallServicesAuthFailure address=$AuthFailureIP comment=$StrUser timeout=$AuthFailureIPBanTimeout;
} on-error={};
}
/system logging action set FirewallServicesAuthFailure memory-lines=1;
/system logging action set FirewallServicesAuthFailure memory-lines=1000;
For L2TP connections it works fine, but it didn't work for PPTP because in the <> brackets we have some number instead of the IP.
Any ideas how to get SRC IP from failed PPTP authentication parsing log files?
 
nacer
just joined
Posts: 14
Joined: Mon Sep 27, 2010 9:08 pm

Re: How to get SrcIP address from PPTP Auth failure log?

Wed Jun 17, 2020 2:13 pm

Hi,

Did you find any solution?
 
mutluit
Forum Veteran
Posts: 743
Joined: Wed Mar 25, 2020 4:04 am

Re: How to get SrcIP address from PPTP Auth failure log?

Wed Jun 17, 2020 2:53 pm

> Any ideas how to get SRC IP from failed PPTP authentication parsing log files?
The IP is in the previous log line "TCP connection established from ..."
 
flameflower
just joined
Topic Author
Posts: 2
Joined: Mon Mar 16, 2020 1:43 pm

Re: How to get SrcIP address from PPTP Auth failure log?

Mon Jun 29, 2020 9:33 am

> > Any ideas how to get SRC IP from failed PPTP authentication parsing log files?
> The IP is in the previous log line "TCP connection established from ..."
I know it, but in this log we have successful and failed connections.
So if we have many simultaneous connections in a short time, it [script] will ban legitimate connections.
 
jvanhambelgium
Member Candidate
Posts: 297
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to get SrcIP address from PPTP Auth failure log?

Mon Jun 29, 2020 9:41 am

Is there a certain "pattern" in the source IPs of the failed attempts?
You could try to get these IPs onto an access-list if they set up more than 3x / minute to the VPN service.
Each of these IPs will go through the SYN - SYN ACK - ACK TCP-setup states, so you could "watch" for incoming "SYN" packets and if the same IP does this more than 3x / minute to the VPN port, chances are big it's not normal...
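
The rate-based approach suggested in the reply above, written out as an added RouterOS example that is not part of any post in this thread. It assumes PPTP listens on its default TCP port 1723; the `pptp_stage1` to `pptp_stage3` list names are hypothetical, while the `FirewallServicesAuthFailure` list and the 30d timeout are reused from the first post.

```routeros
# Added example, not code from the thread.
# Assumptions: PPTP control channel on default TCP port 1723;
# pptp_stage1..3 are hypothetical address-list names.

/ip firewall raw
# Same drop rule as in the first post's "Preparing" section.
add chain=prerouting src-address-list=FirewallServicesAuthFailure action=drop \
    comment="drop banned sources"

/ip firewall filter
# Highest stage is tested first, so one packet advances one stage only.
# A source already in pptp_stage3 that opens a 4th new connection is banned.
add chain=input protocol=tcp dst-port=1723 connection-state=new \
    src-address-list=pptp_stage3 action=add-src-to-address-list \
    address-list=FirewallServicesAuthFailure address-list-timeout=30d \
    comment="PPTP: 4th new connection, ban source"

# 3rd new connection while still listed in stage2.
add chain=input protocol=tcp dst-port=1723 connection-state=new \
    src-address-list=pptp_stage2 action=add-src-to-address-list \
    address-list=pptp_stage3 address-list-timeout=1m \
    comment="PPTP: 3rd new connection"

# 2nd new connection while still listed in stage1.
add chain=input protocol=tcp dst-port=1723 connection-state=new \
    src-address-list=pptp_stage1 action=add-src-to-address-list \
    address-list=pptp_stage2 address-list-timeout=1m \
    comment="PPTP: 2nd new connection"

# Every new connection (re)enters stage1 for one minute.
add chain=input protocol=tcp dst-port=1723 connection-state=new \
    action=add-src-to-address-list \
    address-list=pptp_stage1 address-list-timeout=1m \
    comment="PPTP: 1st new connection"
```

The filter rules must sit above whatever rule accepts TCP 1723, and each stage entry expires one minute after it was added, so the "more than 3x / minute" window is approximate. These rules count every new connection, successful or not, so a client that reconnects repeatedly or shares a NAT address with other users can end up banned.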
