Community discussions

 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1029
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Script to add IP of failed IPSEC login to block list

Mon Jun 10, 2019 10:26 am

When a user tries IPSEC, but does not have correct credential, a message like this will be logged "negotiation failed"
This script take the IP from this attempt and add it to a block list to prevent multiple login attempt. (Blocked out)


script name: Find_IPSEC_negotian_failed
# Created Jotne 2019 v1.0
#
# This script add ip of user who failed IPSEC negotiation to a block list for 24hour
# Schedule the script to run every 5 min
# It should run on all routerOS version

# Find all "negotiation failed" error last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~"negotiation failed"]]

# for all error do
:foreach i in=$loglist do={

# find message
	:local logMessage [/log get $i message]
# find ip
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]

# Add ip to accesslist	
	/ip firewall address-list add address=$ip list=IPSEC timeout=24h
# Send a message to the log	
	:log info message="script=IPSEC_failed src_ip=$ip"
	}

Create a scheduler that do run the script Find_IPSEC_negotian_failed every 5 min:
/system scheduler add interval=5m name="Find IPSEC" on-event=Find_IPSEC_negotian_failed
Then add an access list high in your filter rules like this (change ether1 with your outside IP):
/ip firewall filter add action=drop chain=forward comment="Block wrong IPSEC" in-interface=ether1 src-address-list=IPSEC
You can change the timeout=24h to set it how long you will block all IP, or remove it to permanently block all IP
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Thu Jun 13, 2019 2:33 pm

Thank you for this!
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Fri Jun 14, 2019 2:31 pm

When I add the all the script code via copy/paste it fails. So this must be some CR issue on my end.

I will try and sort it later.

Thanks for your help
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1029
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Script to add IP of failed IPSEC login to block list

Fri Jun 14, 2019 3:46 pm

First part can not be copy/pasted directly to cli.

You ned from Web or Winbox, create a script, then copy/past the first part to the script.

Here is a version you can copy/past from cli (much harder do read and understand)
/system script add dont-require-permissions=no name=Find_IPSEC_negotian_failed owner=jotne policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# Created Jotne 2019 v1.0\r\
    \n#\r\
    \n# This script add ip of user who failed IPSEC negotiation to a block list for 24hour\r\
    \n# Schedule the script to run every 5 min\r\
    \n# It should run on all routerOS version\r\
    \n\r\
    \n# Find all \"negotiation failed\" error last 5 min\r\
    \n:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~\"negotiation failed\"]]\r\
    \n\r\
    \n# for all error do\r\
    \n:foreach i in=\$loglist do={\r\
    \n\r\
    \n# find message\r\
    \n\t:local logMessage [/log get \$i message]\r\
    \n# find ip\r\
    \n\t:local ip [:pick \$logMessage 0 [:find \$logMessage \" \"]]\r\
    \n\r\
    \n# Add ip to accesslist\t\r\
    \n\t/ip firewall address-list add address=\$ip list=IPSEC timeout=24h\r\
    \n# Send a message to the log\t\r\
    \n\t:log info message=\"script=IPSEC_failed src_ip=\$ip\"\r\
    \n\t}\r\
    \n"
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Fri Jun 14, 2019 4:00 pm

I was trying to copy your original post in to the script windows and not CLI.

Adding it Via CLI worked better. It ran and gave me a FW entry this time, but it does not pull the IP from the log entry. Here is the log add from the script:

script=IPSEC_failed src_ip=phase1

That is the beginning of the line in the log that contains the "negotiation failed" bit.

Any ideas? Thanks again.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1029
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Script to add IP of failed IPSEC login to block list

Fri Jun 14, 2019 5:11 pm

Try to run the script from cli
Output is to cli not to log in this version. Also changed to last 24h
[
# Find all "negotiation failed" error last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 24h) message~"negotiation failed"]]

# for all error do
:foreach i in=$loglist do={

# find message
	:local logMessage [/log get $i message]
# find ip
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]

# Add ip to accesslist	
	/ip firewall address-list add address=$ip list=IPSEC timeout=24h
# Send a message to the log	
	:put "script=IPSEC_failed src_ip=$ip"
	}
]

Also try this manually
:put [:toarray [/log find  time>([/system clock get time] - 24h) message~"negotiation failed"]]
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sat Jun 15, 2019 3:25 am

Thanks Jotne - I will try it later and report back.
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sat Jun 15, 2019 2:50 pm

Hi - Here is what happens with the first part -

1. dynamically created a FW address-list rule named IPSEC with and address of phase1. Timeout is correct.
2. Terminal L1: script=IPSEC_failed src_ip=phase1
3. Terminal L2: failure: already have such entry
note: I deleted the previous phase1 entries form the FW address-list. I am unclear where the L2 report is coming from...?

I am running 6.44.3. The failure message in my log is:
phase1 negotiation failed due to time up
xxxxxx(xxx)<=>XXXXXX(xxx)
as;dlfkj;lkjw2l;j22as;lkdfa;lsfj;lasjkf

The first IP address is the target VPN and the second is my Cell phone IP. I am using my cell VPN to hit the correct address with invalid secret and credentials.

For the second piece you asked me to run manually I get some strange hex(?) back: *19da;*19db;*19ed;*19fe
I am guessing it is not pickup up the system time of that message, yet still trying to subtract 24h thus the hex. That is an uneducated guess.
edit: if I make - 0m it will return a blank. not sure why it is not picking up the time of the message containing "negotiation failed"

Hope this helps.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1029
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Script to add IP of failed IPSEC login to block list

Sat Jun 15, 2019 9:02 pm

Not sure whats goes wrong.

But the code is correct. It represent ID number of the lines that represent what it finds. This is the way all script works in MT,

Try this and see the ID with the log lines.
[
:local list [:toarray [/log find  time>([/system clock get time] - 24h) message~"negotiation failed"]]
:put "ID-List"
:put $list
:put ""
:put "Log lines"
:foreach i in=$list do={
	:put [/log print as-value where .id=$i]}
]
 
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 3:19 am

When I copy that in CLI I get the following -

ID-List


Log lines

That is it - with two blanks between. The log is filled with at least 10 "negotiation failed" lines in the last 24 hours. Could the clock be causing a problem?

The log is stored in memory - I assume that is ok as default?

update - I typed the whole think in the terminal manually (each line) thinking there was a character set issue - but go the same result as above.

Thanks for your help - this would be a great script to have!
Last edited by RackKing on Sun Jun 16, 2019 3:39 am, edited 1 time in total.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1029
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 3:29 am

You get nothing since find does not fin anything.

Try this, should get all message with a in it.
[
:local list [:toarray [/log find message~"a"]]
:put "ID-List"
:put $list
:put ""
:put "Log lines"
:foreach i in=$list do={
	:put [/log print as-value where .id=$i]}
]


To test ting out, try a command with :put in front of it.

Eks for this:
:local list [:toarray [/log find message~"a"]]
Try this:
:put [:toarray [/log find message~"a"]]
To see how time works:
:put ([/system clock get time] - 2h)
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 3:57 am

[
:local list [:toarray [/log find message~"negotiation failed"]]
:put "ID-List"
:put $list
:put ""
:put "Log lines"
:foreach i in=$list do={
	:put [/log print as-value where .id=$i]}
]
So I ran that - and the log started filling up with lots of lines... I had to interrupt it :-) so that worked

Then I changed the "a" to "negotiation failed" and it work! I did get all the messages with negotiation failed to fill the logs.
:put ([/system clock get time] - 2h)
that worked as expected and report the correct time back.

To be honest I am not sure what output to expect from these -
:local list [:toarray [/log find message~"a"]]
:put [:toarray [/log find message~"a"]]
I got some output that looked like ;*lb60;*lb61;*lb62... - it was a long list.

Getting closer?
Last edited by RackKing on Sun Jun 16, 2019 2:34 pm, edited 1 time in total.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1029
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 11:50 am

you are getting the line id, they looks like this:
*lb60;*lb61;*lb62"
so that is correct.
You should read trough the script manual and try to learn scripts.

Start with these pages:
https://wiki.mikrotik.com/wiki/Manual:Scripting
https://wiki.mikrotik.com/wiki/Scripts
https://wiki.mikrotik.com/wiki/Manual:S ... g-examples
viewtopic.php?t=40507
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 12:47 pm

Ok Jotne -

Thank you for the links.

I assume the script you posted works on your MTs? I would have thought that I could copy a working script and duplicate the results.

I will struggle with it some more, but probably do not have the programming skills to work through it.

Thanks again for your efforts.
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 2:11 pm

For anyone who may see this - here is some code I have cobbled together to produce the following output.

To be clear - this was code that Jotone wrote and is his credit. I am simply trying to find why it does not work for me.
[
:local loglist [:toarray [/log find message~"negotiation failed"]]
:foreach i in=$loglist do={
	:local logMessage [/log get $i message]
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]
	:put "script=IPSEC_failed src_ip=$ip"
	}
]
Output CLI:
Image

It appears there are two issues.
1) It is not finding the IP addresses for each message - it only found for two of them.
2) I am looking at the entire log of "negotiation failed" messages and getting the result. I think there is a problem with the this.
:put [:toarray [/log find  time>([/system clock get time] - 24h) message~"negotiation failed"]]
as it does not appear to find any results within the last 24 hours.

I am hoping someone with more scripting skill that I have (which is zero) may chime in. I will keep working at it in my own layman way and report back any progress.

Thanks in advance.
Last edited by RackKing on Sun Jun 16, 2019 2:31 pm, edited 1 time in total.
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 2:29 pm

For clarity - when I use what I believe is the "within last 24 hour" part of the original script I get no output.
[
:local loglist [:toarray [/log find time>([/system clock get time] -24h) message~"negotiation failed"]]
:foreach i in=$loglist do={
	:local logMessage [/log get $i message]
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]
	:put "script=IPSEC_failed src_ip=$ip"
	}
]
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1029
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 4:05 pm

IP does come from the message. So if there are no IP, no IP will be shown.
I do see only IP, so it may be som wrong with your IPSec setup.

What do you get from this? (it show the message from the log as well)
[
:local loglist [:toarray [/log find message~"negotiation failed"]]
:foreach i in=$loglist do={
	:local logMessage [/log get $i message]
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]
	:put "script=IPSEC_failed src_ip=$ip  msg=$logMessage"
	}
]
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 4:36 pm

Thank you for your continued help in this.

This is a sample of what I get.... it is about 20-30 lines longer.

Image
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 4:41 pm

Here is one where id work the IP and message = is the IP address

Image
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1029
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Script to add IP of failed IPSEC login to block list

Sun Jun 16, 2019 9:11 pm

I see now what is going on.

There are more then one type of negotiation failed. Message with time out does not contain IP, so there are nothing to add to access list.

This should only get line with IP. Search for both negotiation failed and src_ip
[
:local loglist [:toarray [/log find (message~"negotiation failed" || message~"src_ip")]]
:foreach i in=$loglist do={
	:local logMessage [/log get $i message]
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]
	:put "script=IPSEC_failed src_ip=$ip  msg=$logMessage"
	}
]
Or this may do, make sure negotiation filed. is at the end of the line
[
:local loglist [:toarray [/log find message~"negotiation failed\$"]]
:foreach i in=$loglist do={
	:local logMessage [/log get $i message]
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]
	:put "script=IPSEC_failed src_ip=$ip  msg=$logMessage"
	}
]
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
RackKing
Member Candidate
Member Candidate
Posts: 250
Joined: Wed Oct 09, 2013 1:59 pm

Re: Script to add IP of failed IPSEC login to block list

Mon Jun 17, 2019 1:33 am

Again - thank you for your help. I really appreciate your help like to get his working. Here is the output from the first version

Image
Or this may do, make sure negotiation filed. is at the end of the line
The second version did not pull anything.

So the first version appears to have worked. It pulled IP from both kinds of messages.

Who is online

Users browsing this forum: No registered users and 3 guests