ss4sgoku
just joined
Topic Author
Posts: 4
Joined: Thu Apr 24, 2025 1:17 am

Scripts for black list vpn attackers...

Thu Apr 24, 2025 6:52 am

Hi, I have some scripts that put on a blacklist every IP that tries to connect using VPN with false credentials. I hope you like them. I use the log in the router for this, and it runs every 5 minutes. Enjoy them.

:global ipCommentArray
:set ipCommentArray [:toarray ""]

:local addToBlackList do={
    :global ipCommentArray
    :local blacklist "Black List"
    :foreach entry in=$ipCommentArray do={
        :local ip [:pick $entry 0 [:find $entry ";"]]
        :local comment [:pick $entry ([:find $entry ";"] + 1) [:len $entry]]
        :if ([:len [/ip firewall address-list find where list=$blacklist address=$ip]] = 0) do={
            /ip firewall address-list add list=$blacklist address=$ip comment=$comment
            /log warning "Bloqueada IP $ip por $comment"
        }
    }
    :set ipCommentArray [:toarray ""]
}

# IPsec block
{
    :local logContent
    :local ipAddress
    :foreach logLine in=[/log find where (topics~"ipsec" and topics~"error" and message~"phase1 negotiation failed")] do={
        :set logContent [/log get $logLine message]
        :local ipPos [:find $logContent "<=>"]
        :if ($ipPos > 0) do={
            :local ipStart ($ipPos + 3)
            :local ipEnd [:find $logContent "[" $ipStart]
            :if ($ipEnd > $ipStart) do={
                :set ipAddress [:pick $logContent $ipStart $ipEnd]
                #/log warning "Por contenido $ipAddress "
                :set ($ipCommentArray->[:len $ipCommentArray]) "$ipAddress;VPN IPSEC Attack"
                #/log warning "Por 1 bloquear $ipAddress por intento sospechoso en VPN IPSEC"
            }
        } else={
            :local ipStart [:find $logContent " "]
            :if ($ipStart > 0) do={
                :set ipAddress [:pick $logContent 0 $ipStart]
                :set ($ipCommentArray->[:len $ipCommentArray]) "$ipAddress;VPN IPSEC Attack"
                #/log warning "Por 2 bloquear $ipAddress por intento sospechoso en VPN IPSEC"
            }
        }
    }
}

# L2TP block
{
    :local connections [:toarray [/log find where topics~"l2tp" && topics~"info" && message~"first L2TP UDP packet received from"]]
    :foreach logEntry in=$connections do={
        :local logText [/log get $logEntry message]
        :local srcIP [:pick $logText ([:find $logText "from "] + 5) [:len $logText]]
        :local logTime [/log get $logEntry time]
        :local success [:toarray [/log find where topics~"l2tp" && topics~"info" && message~"logged in" && message~$srcIP]]
        :if ([:len $success] = 0) do={
            :set ($ipCommentArray->[:len $ipCommentArray]) "$srcIP;VPN L2TP Attack"
            #/log warning "Por bloquear $srcIP por intento sospechoso en VPN L2TP "
        }
    }
}

# PPTP block
{
    :local connections [:toarray [/log find where topics~"pptp" && topics~"info" && message~"TCP connection established from"]]
    :foreach logEntry in=$connections do={
        :local logText [/log get $logEntry message]
        :local srcIP [:pick $logText ([:find $logText "from "] + 5) [:len $logText]]
        :local logTime [/log get $logEntry time]
        :local success [:toarray [/log find where topics~"pptp" && topics~"ppp" && message~"logged in" && message~$srcIP]]
        :if ([:len $success] = 0) do={
            :set ($ipCommentArray->[:len $ipCommentArray]) "$srcIP;VPN PPTP Attack"
            #/log warning "Por bloquear $srcIP por intento sospechoso en VPN PPTP"
        }
    }
}

$addToBlackList
 
rextended
Forum Guru
Posts: 13082
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Scripts for black list vpn attackers...

Thu Apr 24, 2025 10:54 am

That's the right way to crash your router by running out of memory.
(and often they do it on purpose, because the intent is not to break into the network, but to crash the router...)

Automatic blacklists are for ISPs (neither, really...), not consumers.
You don't have enough resources to stop real distributed DDoS and brute force attacks.

One of the solutions is to use really complex usernames and passwords and also not to use protocols that you already know are easily hacked, like PPTP, etc.
 
ss4sgoku
just joined
Topic Author
Posts: 4
Joined: Thu Apr 24, 2025 1:17 am

Re: Scripts for black list vpn attackers...

Thu Apr 24, 2025 7:20 pm

Yes, you are right, but it doesn't matter if I use a good protocol for the VPN or complex passwords. If someone wants to be annoying and try to access, or just to overload the router, this was the best way to take that IP and blacklist them. The rest is the firewall config in the router. Since it's something made for a small business or home, it works without problem, and the memory and CPU are just fine. I have been testing this for 3 months.
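
Added example, not part of the original posts and not MikroTik code: the log correlation from the first post's script, written as off-box Python so it can be checked against sample lines. It goes beyond the script by matching whole addresses instead of substrings, validating each address, and bounding the result (a cap plus an expiring entry) in response to the memory concern raised in the reply; the sample messages, `threshold`, `max_entries` and the `1d` timeout are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample messages. Formats are assumed from the substrings the
# script searches for; they were not captured from a real router.
SAMPLE_LOG = [
    "phase1 negotiation failed due to time up 192.0.2.1[500]<=>203.0.113.7[500]",
    "first L2TP UDP packet received from 198.51.100.4",
    "first L2TP UDP packet received from 198.51.100.45",
    "alice logged in, 198.51.100.45",
    "TCP connection established from 203.0.113.9",
    "TCP connection established from 203.0.113.9",
    "TCP connection established from not-an-ip",
]
PATTERNS = [  # (address-list comment, regex capturing the remote address)
    ("VPN IPSEC Attack", re.compile(r"phase1 negotiation failed.*<=>([^\[\s]+)\[")),
    ("VPN L2TP Attack", re.compile(r"first L2TP UDP packet received from (\S+)")),
    ("VPN PPTP Attack", re.compile(r"TCP connection established from (\S+)")),
]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def valid_ip(text):
    """Return the normalized address, or None if text is not an IP."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None

def candidates(lines, threshold=1, max_entries=1000):
    """Return (ip, comment, hits) for addresses that never logged in."""
    logged_in, hits, comment = set(), Counter(), {}
    for msg in lines:
        if "logged in" in msg:
            logged_in.update(IPV4.findall(msg))  # whole addresses only
            continue
        for label, rx in PATTERNS:
            m = rx.search(msg)
            ip = valid_ip(m.group(1)) if m else None
            if ip:
                hits[ip] += 1
                comment.setdefault(ip, label)
    found = [(ip, comment[ip], n) for ip, n in hits.most_common()
             if n >= threshold and ip not in logged_in]
    return found[:max_entries]  # hard cap keeps the list bounded

def to_routeros(found, timeout="1d"):
    """Render address-list commands; timeout makes entries expire."""
    return [f'/ip firewall address-list add list="Black List" address={ip} '
            f'timeout={timeout} comment="{c}"' for ip, c, _ in found]
```

With the sample lines, `198.51.100.4` is listed even though `198.51.100.45` logged in; a substring match such as `message~$srcIP` would treat the two as the same address.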