moeinfrozen
just joined
Topic Author
Posts: 22
Joined: Tue Sep 29, 2020 10:53 pm

drop failure request after more than 3 failure

Fri Jul 08, 2022 9:09 pm

Hi,
How can I automatically add the IP of a failed request to the MikroTik firewall, to drop its input requests for 1 hour?
For example, this user test-user and the Calling-Station-Id = "2.180.224.69" IP:

Apr/17/2021 16:37:41 radius,debug,packet Calling-Station-Id = "2.180.224.69"
Apr/17/2021 16:37:41 radius,debug,packet Called-Station-Id = "185.19.252.230"
Apr/17/2021 16:37:41 radius,debug,packet Acct-Session-Id = "810058be"
Apr/17/2021 16:37:41 radius,debug,packet MS-CHAP-Challenge = 0xee5284fe835e436c69ba19ea22deb168
Apr/17/2021 16:37:41 radius,debug,packet MS-CHAP2-Response = 0x01002fd4740c5f23946491d46d4b84f9
Apr/17/2021 16:37:41 radius,debug,packet d088000000000000000090d39f5f20d3
Apr/17/2021 16:37:41 radius,debug,packet 3024e91ca33d487694a52e58052b9399
Apr/17/2021 16:37:41 radius,debug,packet 1453
Apr/17/2021 16:37:41 radius,debug,packet NAS-Identifier = "MikroTik"
Apr/17/2021 16:37:41 radius,debug,packet NAS-IP-Address = 185.19.252.230
Apr/17/2021 16:37:41 pptp,ppp,debug,packet <22626>: sent CHAP Failure id=0x1
Apr/17/2021 16:37:41 pptp,ppp,debug,packet E=691 R=0 C=EE5284FE835E436C69BA19EA22DEB168 V=3 M=bad username or password
Apr/17/2021 16:37:41 pptp,ppp,error <22626>: user test-user authentication failed


thanks
Last edited by moeinfrozen on Sat Sep 03, 2022 12:12 am, edited 2 times in total.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: drop failure request after more than 3 failure

Fri Jul 08, 2022 9:58 pm

@moeinfrozen

Remove your Public IP from your text.
You might want to change your PPTP to something more secure. PPTP is discontinued.

Is this topic related to your other post? DO NOT DROP THE ICMP IF YOU RUN A VPN SERVER

You could adapt this script (this is for IPsec failed logins; you could change the parameters to suit your PPTP error). Following this, you need to run a scheduler for the script too.
# Scan the log for IPsec failure messages and add each source address
# to the "Black List - Bots" address list for 7 days.
:local logMessage ""
:local logIp ""
/log
:foreach i in=[find where message~"phase1 negotiation failed\\." or message~"SPI.*not regist" or message~"Invalid exchange"] do={
    :set logMessage [get $i message]

    # Phase 1 failure: the address is the text before the first space.
    :if ($logMessage~"phase1 negotiation failed\\.") do={
        :set logIp [:toip [:pick $logMessage -1 [:find $logMessage " "]]]
        # Add the address only if it is not already on the list.
        :if ([:len [/ip fire addr find where list="Black List - Bots" address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list="Black List - Bots" timeout=7d
            :log info message="script=Black List - Bots src_ip=$logIp why=negotiation_failed"
        }
    }

    # Unregistered SPI: the address sits between "for " and "[".
    :if ($logMessage~"SPI .* not registered for") do={
        :set logIp [:toip [:pick $logMessage ([:find $logMessage "for "]+4) [:find $logMessage "["]]]
        :if ([:len [/ip fire addr find where list="Black List - Bots" address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list="Black List - Bots" timeout=7d
            :log info message="script=Black List - Bots src_ip=$logIp why=SPI_not_registered"
        }
    }

    # Invalid exchange: the address sits between "from " and "[".
    :if ($logMessage~"Invalid exchange") do={
        :set logIp [:toip [:pick $logMessage ([:find $logMessage "from "]+5) [:find $logMessage "["]]]
        :if ([:len [/ip fire addr find where list="Black List - Bots" address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list="Black List - Bots" timeout=7d
            :log info message="script=Black List - Bots src_ip=$logIp why=Invalid_exchange"
        }
    }
}
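
An added example, not part of any post in this thread: the "more than 3 failures, block for 1 hour" logic from the question, run off-router over log lines in the format shown in the first post and emitting the address-list commands to apply. Assumptions: the router's log is exported to a host that runs Python, each failure is attributed to the most recent Calling-Station-Id line before it (a heuristic that can misattribute when logins overlap), failures are counted inside a 10-minute window, and the list name `vpn-auth-fail` is hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

MAX_FAILURES = 3                # block once an IP has more than 3 failures
WINDOW = timedelta(minutes=10)  # assumption: failures counted inside 10 minutes
LIST_NAME = "vpn-auth-fail"     # hypothetical address-list name
TIMEOUT = "1h"                  # block duration asked for in the thread
LINE = re.compile(r"^(\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) +(\S+) +(.*)$")
CALLER = re.compile(r'Calling-Station-Id = "([^"]+)"')
FAILED = re.compile(r"user \S+ authentication failed")

def find_offenders(lines):
    """Map each offending IP to the time it crossed the failure threshold."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    offenders, last_caller = {}, None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b/%d/%Y %H:%M:%S")
        topics, msg = m.group(2), m.group(3)
        caller = CALLER.search(msg)
        if topics.startswith("radius") and caller:
            try:  # accept only a literal IP so nothing else reaches the command
                last_caller = str(ip_address(caller.group(1)))
            except ValueError:
                last_caller = None
        elif topics.endswith("ppp,error") and FAILED.search(msg) and last_caller:
            seen = failures[last_caller]
            seen.append(ts)
            while ts - seen[0] > WINDOW:  # forget failures outside the window
                seen.popleft()
            if len(seen) > MAX_FAILURES:
                offenders.setdefault(last_caller, ts)
            last_caller = None  # count one failure per RADIUS request
    return offenders

def routeros_commands(offenders):
    """Address-list entries that expire by themselves after TIMEOUT."""
    return [f'/ip firewall address-list add list="{LIST_NAME}" address={ip} timeout={TIMEOUT}'
            for ip in sorted(offenders)]

def sample_attempt(ts, ip, user):  # constructed log lines in the thread's format
    return [f'{ts} radius,debug,packet Calling-Station-Id = "{ip}"',
            f"{ts} pptp,ppp,error <1>: user {user} authentication failed"]

# Constructed input: documentation-range addresses, four and two failures.
ATTEMPTS = [("37:41", "203.0.113.7"), ("37:44", "203.0.113.7"), ("37:47", "203.0.113.7"),
            ("37:50", "203.0.113.7"), ("38:10", "198.51.100.20"), ("38:20", "198.51.100.20")]
SAMPLE = [l for t, ip in ATTEMPTS for l in sample_attempt(f"Apr/17/2021 16:{t}", ip, "test-user")]
```

The entries only take effect with a matching drop rule such as `/ip firewall filter add chain=input src-address-list=vpn-auth-fail action=drop`, and the Calling-Station-Id lines only appear while RADIUS debug logging is enabled.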
 
moeinfrozen
just joined
Topic Author
Posts: 22
Joined: Tue Sep 29, 2020 10:53 pm

Re: drop failure request after more than 3 failure

Thu Jul 21, 2022 9:18 pm

Hello, good time.
This issue is not related to the other post.
I have the PPTP and L2TP protocols on the server,
but some users who do not exist on the server send many requests to the server,
and they interfere with the RADIUS server.
I want to block repeated unauthorized requests for a period of time.
 
moeinfrozen
just joined
Topic Author
Posts: 22
Joined: Tue Sep 29, 2020 10:53 pm

Re: drop failure request after more than 3 failure

Fri Aug 05, 2022 3:23 pm

Hi, can anyone help me more?
Thanks.
