zBear
Topic Author
Posts: 23
Joined: Sat Mar 07, 2015 6:17 pm

Block VPN access from Log records parsing

Wed Apr 03, 2024 3:16 pm

Hi

In my log I usually find several types of VPN access errors

Examples:
123.123.111.123 phase1 negotiation failed.
123.123.122.123 parsing packet failed, possible cause: wrong password
phase1 negotiation failed due to time up 100.100.100.100[500]<=>123.123.133.123[500] e0c091b198818b39:6b463379b059196c
<123.123.144.123>: user Admin authentication failed
And usually these "attacks" are 10-15 minutes long and from different IP addresses on the same 0/24 subnet

Here is a script that will extract the attackers' IP addresses from the log, convert them to the 0/24 subnet and place these addresses into the block_vpn_access address list
Do not forget to create a firewall rule for dropping input from this list
# "phase1 negotiation failed.": the peer address is the first field of the message
:foreach i in=[/log/find message~"^\\d+\\.\\d+\\.\\d+\\.\\d+ phase1 negotiation failed\\."] do={
	:local msg [/log get $i message];
	# keep everything up to the third dot (the first three octets), then append ".0/24"
	:local ip ([:pick $msg 0 [:find $msg "." ([:find $msg "." ([:find $msg "."] + 1)] + 1)]].".0/24");
	# on-error swallows the failure raised when the subnet is already in the list
	do {/ip/firewall/address-list/add list=block_vpn_access address=$ip} on-error={}
}

# "parsing packet failed": same layout, peer address first
:foreach i in=[/log/find message~"^\\d+\\.\\d+\\.\\d+\\.\\d+ parsing packet failed, possible cause: wrong password"] do={
	:local msg [/log get $i message];
	:local ip ([:pick $msg 0 [:find $msg "." ([:find $msg "." ([:find $msg "."] + 1)] + 1)]].".0/24");
	do {/ip/firewall/address-list/add list=block_vpn_access address=$ip} on-error={}
}

# "time up": the remote peer is the address after "<=>", so cut the message at the first ">"
:foreach i in=[/log/find message~"^phase1 negotiation failed due to time up"] do={
	:local logMessage [/log get $i message];
	:local startPosition [:find $logMessage ">"];
	:local msg [:pick $logMessage ($startPosition + 1) [:len $logMessage]];
	:local ip ([:pick $msg 0 [:find $msg "." ([:find $msg "." ([:find $msg "."] + 1)] + 1)]].".0/24");
	do {/ip/firewall/address-list/add list=block_vpn_access address=$ip} on-error={}
}

# "authentication failed": the address is wrapped in <...>, so cut the message after the "<"
:foreach i in=[/log/find message~".*>: user [^ ]+ authentication failed"] do={
	:local logMessage [/log get $i message];
	:local startPosition [:find $logMessage "<"];
	:local msg [:pick $logMessage ($startPosition + 1) [:len $logMessage]];
	:local ip ([:pick $msg 0 [:find $msg "." ([:find $msg "." ([:find $msg "."] + 1)] + 1)]].".0/24");
	do {/ip/firewall/address-list/add list=block_vpn_access address=$ip} on-error={}
}
The only problem I can't solve is how to analyze not the whole log, but the last 15 minutes of it (because I want this script to be triggered every 15 minutes)
This script right now is light and quick, but my inner perfectionist does not like it unoptimized :-)
If someone can show me an example of how to handle date and time on log records, this script can be improved
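As an added illustration (not zBear's script, and not RouterOS code), the Python below does the same four extractions over constructed sample log lines and adds the 15-minute window the post asks about, then emits the same `/ip/firewall/address-list/add` commands. It assumes the log has been exported to a collector with a `YYYY-MM-DD HH:MM:SS` prefix on each line; that prefix, the sample lines and the reference "now" are assumptions made for this example, since the post does not show the on-router time format.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample lines (not the poster's real log). The "YYYY-MM-DD HH:MM:SS "
# prefix is an assumption modelling a syslog export; the last line is an unrelated
# entry that must be ignored.
SAMPLE_LOG = """\
2024-04-03 14:40:01 123.123.111.123 phase1 negotiation failed.
2024-04-03 15:02:10 123.123.122.123 parsing packet failed, possible cause: wrong password
2024-04-03 15:05:33 phase1 negotiation failed due to time up 100.100.100.100[500]<=>123.123.133.123[500] e0c091b198818b39:6b463379b059196c
2024-04-03 15:09:45 <123.123.144.123>: user Admin authentication failed
2024-04-03 15:10:02 <123.123.144.200>: user Admin authentication failed
2024-04-03 15:12:00 (constructed) unrelated informational message
"""

# Constructed "current time" so the run is deterministic: the window is 15:00-15:15.
REFERENCE_NOW = datetime(2024, 4, 3, 15, 15, 0, tzinfo=timezone.utc)

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# One pattern per failure type quoted in the post; the named group is always the
# remote peer (for the "time up" message that is the address after "<=>").
PATTERNS = [
    re.compile(r"^" + IPV4 + r" phase1 negotiation failed\.$"),
    re.compile(r"^" + IPV4 + r" parsing packet failed, possible cause: wrong password"),
    re.compile(r"^phase1 negotiation failed due to time up [^<\s]+<=>" + IPV4 + r"\[\d+\]"),
    re.compile(r"^<" + IPV4 + r">: user \S+ authentication failed"),
]

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")


def attacker_subnet(message: str) -> Optional[str]:
    """Return the /24 containing the remote address of a VPN failure message, else None."""
    for pattern in PATTERNS:
        match = pattern.search(message)
        if match:
            # strict=False masks the host bits: 123.123.111.123/24 -> 123.123.111.0/24
            return str(ipaddress.ip_network(match.group("ip") + "/24", strict=False))
    return None


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Split a timestamped line into (aware UTC datetime, message); None if unparseable."""
    match = LINE_RE.match(line)
    if not match:
        return None
    stamp = datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc), match.group("msg")


def subnets_to_block(log_text: str, now: datetime,
                     window: timedelta = timedelta(minutes=15)) -> List[str]:
    """Distinct /24s from failure messages whose timestamp lies in (now - window, now]."""
    cutoff = now - window
    found = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, message = parsed
        if stamp <= cutoff or stamp > now:  # outside the window, or skewed into the future
            continue
        subnet = attacker_subnet(message)
        if subnet:
            found.add(subnet)
    return sorted(found, key=lambda s: ipaddress.ip_network(s))


def address_list_commands(subnets: List[str], timeout: str = "1d") -> List[str]:
    """RouterOS CLI lines in the form the post uses; timeout is an existing address-list
    parameter that lets the entry expire instead of the list growing forever."""
    return [f"/ip/firewall/address-list/add list=block_vpn_access address={s} timeout={timeout}"
            for s in subnets]


if __name__ == "__main__":
    for cmd in address_list_commands(subnets_to_block(SAMPLE_LOG, REFERENCE_NOW)):
        print(cmd)
```

Run against the constructed sample, the 14:40 entry falls outside the window and the two 123.123.144.x failures collapse into one /24, so three add commands are produced. Running every 15 minutes with a window equal to the interval means an entry is never processed twice; the `timeout` keeps a shared /24 from staying blocked indefinitely.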
