I wrote a script to ban users who fail to establish an L2TP connection.
# Preparation (setup commands, left commented out):
#  - a dedicated in-memory logging action named FirewallServicesAuthFailure,
#  - a logging rule that sends messages with topics l2tp,error to that action,
#  - a raw prerouting rule that drops packets whose source is on the address list.
# NOTE(review): the drop rule matches on source address only (no protocol or port),
# so a listed address loses all access through this router, not just L2TP.
# Consider an accept rule for trusted management addresses placed ahead of it.
#/system logging action
#add name=FirewallServicesAuthFailure target=memory
#/system logging
#add action=FirewallServicesAuthFailure topics=l2tp,error
#/ip firewall raw
#add action=drop chain=prerouting src-address-list=FirewallServicesAuthFailure
#
# Main pass: walk every entry in the FirewallServicesAuthFailure log buffer, extract
# the peer address and user name from the message text, and add the address to the
# FirewallServicesAuthFailure address list with a timeout.
# Assumes messages look like "<ADDR>: user NAME authentication failed" -
# TODO confirm against the log format of the RouterOS version in use.
:foreach line in=[/log find buffer=FirewallServicesAuthFailure] do={:do {:local AuthFailureLog [/log get $line message];
# Positions of the delimiters used to cut the address and user name out of the message.
:local StrAddrStart [:find $AuthFailureLog "<"];
:local StrAddrEnd [:find $AuthFailureLog ":"];
:local StrUserStart [:find $AuthFailureLog "user "];
:local StrUserEnd [:find $AuthFailureLog "authentication failed"];
:local StrUser "";
:local StrAddr "";
:local StrAddrLen;
:local PickAddrStartLen "1";
:local PickAddrEndLen;
:local AuthFailureIP;
# NOTE(review): every entry in the buffer leads to a 30-day ban; there is no failure
# threshold and no allowlist, so one mistyped password from a legitimate user (or from
# a NAT address shared by many users) blocks that source for 30 days.
:local AuthFailureIPBanTimeout "30d";
# StrAddr runs from "<" up to (not including) ":", so it still carries the brackets.
:set StrAddr [:pick $AuthFailureLog $StrAddrStart $StrAddrEnd];
# StrUser runs from "user " up to "authentication failed"; it is only used as the list comment.
:set StrUser [:pick $AuthFailureLog $StrUserStart $StrUserEnd];
:set StrAddrLen [:len $StrAddr];
:set PickAddrEndLen ($StrAddrLen-1);
# Drop the first and last character of StrAddr (presumably "<" and ">") to leave the bare address.
:set AuthFailureIP [:pick $StrAddr $PickAddrStartLen $PickAddrEndLen ];
# NOTE(review): nothing checks that AuthFailureIP is a well-formed address before the add.
/ip firewall address-list add list=FirewallServicesAuthFailure address=$AuthFailureIP comment=$StrUser timeout=$AuthFailureIPBanTimeout;
# Any error for this entry (unparseable message, rejected add) is discarded silently,
# so a change in log format would stop the banning without any visible sign.
} on-error={};
}
# Shrinks the buffer to 1 line and then restores it to 1000 - this appears intended to
# flush processed entries so the next run does not handle them again.
# NOTE(review): entries logged between the loop and this flush are presumably discarded
# unprocessed, and 1000 is hard-coded rather than restoring the previous setting.
/system logging action set FirewallServicesAuthFailure memory-lines=1;
/system logging action set FirewallServicesAuthFailure memory-lines=1000;
Any ideas on how to get the source IP of a failed PPTP authentication by parsing the log files?