djvabe
just joined
Topic Author
Posts: 13
Joined: Mon Jan 30, 2023 9:51 pm

Email notification about the Blacklist

Mon Jan 30, 2023 9:55 pm

Hello!
I would like to create a script that sends an email if an IP address is added to the black list on the local network.
The Black Lists are available, the addresses are dynamically added to them from the firewall rules.
I have created a local address list, and the comparison is already working. Now somehow I can't write the IP variable in the email. Can you help me with what I am doing wrong?
:local list1 [ip firewall address-list print where list="internal"];
:local list2 [ip firewall address-list print where list="brute_forcers_blacklist"];
:local ips1 [];
:local ips2 [];
:local emailAddress "mail@gmail.com"
:local EmailText;
:local systemName [system identity get name];
:local dateBlock [system clock get date] ;
:local timeBlock [system clock get time] ;
:local CreateTime;
:local SendError 0;
:local blackIP;


:foreach i in=$list1 do={
    :set ips1 ($ips1 . $i->"address" . ",");
}

:foreach i in=$list2 do={
    :set ips2 ($ips2 . $i->"address" . ",");
}

# "Nincs azonos IP cím." = "There is no identical IP address."; "Van azonos IP cím." = "There is an identical IP address."
:if ( [:find $ips1 $ips2] = -1 ) do={
    :put "Nincs azonos IP cím.";
} else={
    :put "Van azonos IP cím.";
    :log info "IP"
    :foreach ip in={$ips1;ips2} do={
        :set blackIP [ip firewall address-list find where .id address=$ip list="internal"];
        :set EmailText ($EmailText."IP [$blackIP] Has been added to the BlackList\r\n");
        :put "Van azonos IP cím.";
        :log info IP2;
        :log info $ip;
    }
}
:if ([:len $EmailText] > 0) do={
    :do {
        tool e-mail send to="$emailAddress" subject="$systemName Security Notice" body="$systemName Security Notice\r\nRuning Time: $dateBlock - $timeBlock\r\n\r\n$EmailText"
    } on-error={
        log error "$systemName Security Notice : Failed to send email.";
    }
}
 
zainarbani
Frequent Visitor
Posts: 54
Joined: Thu Jul 22, 2021 9:42 am
Location: Pati, Indonesia

Re: Email notification about the Blacklist

Tue Jan 31, 2023 8:25 am

"internal" mean ur local networks?

print 'as-value':
:local list1 [/ip firewall address-list print as-value where list="internal"];
Also, what'd u compare here?
:if ([:find $ips1 $ips2] = -1) do={
 :put "Nincs azonos IP cím.";
}
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Email notification about the Blacklist

Tue Jan 31, 2023 2:20 pm

print is for printing to the terminal; you must use find. Some rare exceptions exist, but this is not the case.

Start script:
>how many IPs on blacklist?
>same as previous check?
>do nothing.

>how many IPs on blacklist?
>more than previous check?
>send one mail with all IPs added to the list after the last known number.

Done.

Consideration:
>The IPs on the blacklist are static?
>On bootup set the correct number of IPs on the blacklist, or the script sends all IPs by mail.

>The IPs are dynamic and not kept?
>Ignore the variable initialization

>The IPs are dynamic but are autodeleted?
>Too complex; an alternative address-list must be created to hold all addresses already advised by mail.
>Do not do that.
 
djvabe
just joined
Topic Author
Posts: 13
Joined: Mon Jan 30, 2023 9:51 pm

Re: Email notification about the Blacklist

Tue Jan 31, 2023 2:29 pm

Hello! The BlackList is dynamically created; the addresses are entered into it by firewall rules (ddos, portscan, etc.).
And there is a fixed address list that contains local network addresses.
The goal would be to send an email if for some reason an address that is included in the local address list is blacklisted.
I made another script. My problem is that I'm not very professional in programming. Until then, I compare the 2 address lists, but I can't read which is the IP address.
:log info "Email Notification Starting";
:local AlertIPs;
:local InternalIPs;
:local blackIPs;
:local emailAddress "mail@mail.com"
:local EmailText;
:local systemName [system identity get name];
:local dateBlock [system clock get date] ;
:local timeBlock [system clock get time] ;
:local BlackList [ip firewall address-list find where .id list="brute_forcers_blacklist"];
:local PortScan [ip firewall address-list find where .id list="port scanners"];
:local Internal [ip firewall address-list find where .id list="internal"];
:log info "Local Loading";

:foreach InternalID in=$Internal do={
    :set InternalIPs ($InternalIPs.[ip firewall address-list get $InternalID address].";")
}
:log info "Internal IPs $InternalIPs";

:foreach PortScanID in=$PortScan do={
    :set AlertIPs ($AlertIPs.[ip firewall address-list get $PortScanID address].";")
}
:log info "PortScanIPs $AlertIPs";

:foreach BListID in=$BlackList do={
    :set blackIPs ($blackIPs.[ip firewall address-list get $BListID address].";")
}
# "Nincs azonos IP cím." = "There is no identical IP address."; "Van ip" = "There is an IP"
:if ( [:find $InternalIPs $blackIPs] = -1 ) do={
    :put "Nincs azonos IP cím.";
} else={
    :put "Van ip";
}

:if ([:len $EmailText] > 0) do={
    :do {
        tool e-mail send to="$emailAddress" subject="$systemName Security Notice" body="$systemName Security Notice\r\nRuning Time: $dateBlock - $timeBlock\r\n\r\n$EmailText"
    } on-error={
        log error "$systemName Security Notice : Failed to send email.";
    }
}
:log info "Notification Finish"
 
zainarbani
Frequent Visitor
Posts: 54
Joined: Thu Jul 22, 2021 9:42 am
Location: Pati, Indonesia

Re: Email notification about the Blacklist

Tue Jan 31, 2023 2:38 pm

Like email me when some of my customer(localnet) trying to DDOS my server?
 
djvabe
just joined
Topic Author
Posts: 13
Joined: Mon Jan 30, 2023 9:51 pm

Re: Email notification about the Blacklist

Tue Jan 31, 2023 2:42 pm

Yes! Unfortunately, such a case can happen if one of the employees inhales a virus or is just trying to be smart on the network.
In this case, for example, the machine has been banned from the network due to brute force or port scan.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Email notification about the Blacklist

Tue Jan 31, 2023 2:43 pm

If some IP inside the "internal" address-list is also present on the "brute_forcers_blacklist" address-list, send one unique email with all correspondences:

revised code

{
    /system
    :local systemName [identity get name]
    :local dateBlock  [clock get date] 
    :local timeBlock  [clock get time] 
    :local emlAdd     "mail@gmail.com"
    :local EmailText  ""

    /ip firewall address-list
    :foreach i in=[find where list="internal"] do={
        :local search [find where ((list="brute_forcers_blacklist") and ((address in [get $i address]) or (address=[get $i address])))]
        :if ([:len $search] > 0) do={
            :local arrip ({})
            :foreach j in=$search do={
                :set arrip ($arrip,[get $j address])
# to also remove the address from the list brute_forcers_blacklist at the same time, uncomment the next line:
#                remove $j
            }
            :set EmailText ($EmailText."IP $[:tostr $arrip] has been found on the BlackList\r\n")
        }
    }
    :if ($EmailText != "") do={
        :do {
            /tool e-mail send to=$emlAdd subject="$systemName Security Notice" \
            body="$systemName Security Notice\r\nRuning Time: $dateBlock - $timeBlock\r\n\r\n$EmailText"
        } on-error={
            :log error "$systemName Security Notice: Failed to send email."
        }
    }
}
Last edited by rextended on Wed Feb 08, 2023 1:45 pm, edited 17 times in total.
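
Added example, not part of rextended's post or the thread: the revised script above reports every match on each run, so a scheduled run repeats the same mail for as long as an entry stays blacklisted. This variant records reported addresses in a separate address-list, the approach outlined earlier in the thread; the list name blacklist_notified, the 1d timeout and the comment tag are assumptions.

```routeros
# Added example, not from the thread. "blacklist_notified", timeout=1d and $tag are assumptions.
{
    /system
    :local systemName [identity get name]
    # tag identifying the entries recorded by this run
    :local tag        ("mailed " . [clock get date] . " " . [clock get time])
    :local emlAdd     "mail@gmail.com"
    :local EmailText  ""

    /ip firewall address-list
    :foreach i in=[find where list="internal"] do={
        :local net [get $i address]
        # blacklist entries that lie inside the internal prefix, or equal it
        :foreach j in=[find where ((list="brute_forcers_blacklist") and ((address in $net) or (address=$net)))] do={
            :local ip [get $j address]
            # report the blacklisted address only if it has not been mailed already
            :if ([:len [find where ((list="blacklist_notified") and (address=$ip))]] = 0) do={
                add list="blacklist_notified" address=$ip timeout=1d comment=$tag
                :set EmailText ($EmailText . "IP $ip has been found on the BlackList\r\n")
            }
        }
    }
    :if ($EmailText != "") do={
        :do {
            /tool e-mail send to=$emlAdd subject="$systemName Security Notice" \
            body="$systemName Security Notice\r\n\r\n$EmailText"
        } on-error={
            :log error "$systemName Security Notice: Failed to send email."
            # forget this run's entries so the next run reports them again
            /ip firewall address-list remove [find where ((list="blacklist_notified") and (comment=$tag))]
        }
    }
}
```

An address is reported again once its blacklist_notified entry times out, so the timeout should be at least as long as the timeout the firewall rules set on the blacklist.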
 
djvabe
just joined
Topic Author
Posts: 13
Joined: Mon Jan 30, 2023 9:51 pm

Re: Email notification about the Blacklist

Tue Jan 31, 2023 2:50 pm

Thanks for the help.
Unfortunately, the IP address is not returned in the text of the email.
This comes in the email:

Security Notice
Runing Time: jan/31/2023 - 13:47:11

IP [get *6423B6 address] Has been added to the BlackList
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Email notification about the Blacklist

Tue Jan 31, 2023 2:52 pm

fixed the previous script.
Last edited by rextended on Tue Feb 07, 2023 7:46 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Email notification about the Blacklist

Tue Jan 31, 2023 2:59 pm

fixed the previous script.
Last edited by rextended on Tue Feb 07, 2023 7:46 pm, edited 1 time in total.
 
djvabe
just joined
Topic Author
Posts: 13
Joined: Mon Jan 30, 2023 9:51 pm

Re: Email notification about the Blacklist

Tue Jan 31, 2023 3:22 pm

Thank you very much for your help. I would like to request one more minor modification, if possible.
If it says 192.168.86.0/24 in the address list, then you will not find 192.168.86.120 in the blacklist. Would this still be complicated to solve?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Email notification about the Blacklist

Tue Jan 31, 2023 3:35 pm

fixed the previous script.
Last edited by rextended on Tue Feb 07, 2023 7:46 pm, edited 1 time in total.
 
djvabe
just joined
Topic Author
Posts: 13
Joined: Mon Jan 30, 2023 9:51 pm

Re: Email notification about the Blacklist

Tue Jan 31, 2023 3:37 pm

Not if I add the local address list to a domain, then if an IP address is entered within the given domain, it will be notified. Like the search engine of winbox when I search for the address and constants I attach a picture of what I mean.
 
djvabe
just joined
Topic Author
Posts: 13
Joined: Mon Jan 30, 2023 9:51 pm

Re: Email notification about the Blacklist

Tue Jan 31, 2023 3:45 pm

I know I'm getting to be a lot. But again, thank you very much for your help. One last and really the last.
You are now emailing this
IP 192.168.69.0/24 Has been added to the BlackList
But I need this
IP 192.168.69.160 Has been added to the BlackList
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Email notification about the Blacklist

Tue Jan 31, 2023 3:49 pm

fixed the previous script.
Last edited by rextended on Tue Feb 07, 2023 7:46 pm, edited 1 time in total.
 
djvabe
just joined
Topic Author
Posts: 13
Joined: Mon Jan 30, 2023 9:51 pm

Re: Email notification about the Blacklist

Tue Jan 31, 2023 3:55 pm

Internal address: 192.168.69.0/24

/system script> run brute_force_notification
invalid internal item number
:(
unfortunately it doesn't run with this error :(
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Email notification about the Blacklist

Tue Feb 07, 2023 7:47 pm

> invalid internal item number
fixed the previous script, check again
 
djvabe
just joined
Topic Author
Posts: 13
Joined: Mon Jan 30, 2023 9:51 pm

Re: Email notification about the Blacklist

Wed Feb 08, 2023 1:14 pm

Hello! Thank you for helping. Unfortunately, I tested the code, but it still sends an email when there is no matching IP.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Email notification about the Blacklist

Wed Feb 08, 2023 1:45 pm

Ah... right, I fix the script immediately...
 
djvabe
just joined
Topic Author
Posts: 13
Joined: Mon Jan 30, 2023 9:51 pm

Re: Email notification about the Blacklist

Wed Feb 08, 2023 2:14 pm

> Ah... right, I fix the script immediately...
Thank you very much for your help! :)
