In my log I usually find several types of VPN access errors.
Examples:
123.123.111.123 phase1 negotiation failed.
123.123.122.123 parsing packet failed, possible cause: wrong password
phase1 negotiation failed due to time up 100.100.100.100[500]<=>123.123.133.123[500] e0c091b198818b39:6b463379b059196c
<123.123.144.123>: user Admin authentication failed
Here is a script that will extract the attackers' IP addresses from the log, convert each to its x.x.x.0/24 subnet and put those subnets in the block_vpn_access address list.
Do not forget to create a firewall rule for dropping input from this list.
# Messages that begin with the peer IP ("x.x.x.x phase1 negotiation failed."):
# keep everything up to the third "." and append ".0/24" to get the /24 subnet.
:foreach i in=[/log/find message~"^\\d+\\.\\d+\\.\\d+\\.\\d+ phase1 negotiation failed\\."] do={
    :local msg [/log get $i message];
    :local ip ([:pick $msg 0 [:find $msg "." ([:find $msg "." ([:find $msg "."] + 1)] + 1)]].".0/24");
    # on-error swallows the failure when the subnet is already on the list
    do {/ip/firewall/address-list/add list=block_vpn_access address=$ip} on-error={}
}
# Same layout as above, different message text ("x.x.x.x parsing packet failed, ...").
:foreach i in=[/log/find message~"^\\d+\\.\\d+\\.\\d+\\.\\d+ parsing packet failed, possible cause: wrong password"] do={
    :local msg [/log get $i message];
    :local ip ([:pick $msg 0 [:find $msg "." ([:find $msg "." ([:find $msg "."] + 1)] + 1)]].".0/24");
    do {/ip/firewall/address-list/add list=block_vpn_access address=$ip} on-error={}
}
# "... local[500]<=>remote[500] ...": the remote peer follows the ">" of "<=>",
# so cut the message there and then take the first three octets as before.
:foreach i in=[/log/find message~"^phase1 negotiation failed due to time up"] do={
    :local logMessage [/log get $i message];
    :local startPosition [:find $logMessage ">"];
    :local msg [:pick $logMessage ($startPosition + 1) [:len $logMessage]];
    :local ip ([:pick $msg 0 [:find $msg "." ([:find $msg "." ([:find $msg "."] + 1)] + 1)]].".0/24");
    do {/ip/firewall/address-list/add list=block_vpn_access address=$ip} on-error={}
}
# "<x.x.x.x>: user NAME authentication failed": the peer sits after the leading "<".
:foreach i in=[/log/find message~".*>: user [^ ]+ authentication failed"] do={
    :local logMessage [/log get $i message];
    :local startPosition [:find $logMessage "<"];
    :local msg [:pick $logMessage ($startPosition + 1) [:len $logMessage]];
    :local ip ([:pick $msg 0 [:find $msg "." ([:find $msg "." ([:find $msg "."] + 1)] + 1)]].".0/24");
    do {/ip/firewall/address-list/add list=block_vpn_access address=$ip} on-error={}
}
This script right now is light and quick, but my inner perfectionist does not like it unoptimized :-)
If someone can show me an example of how to handle date and time on log records, this script can be improved.
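The same detection logic as the RouterOS script above, written in Python so it can be run and tested off-router; this is an added example, not the poster's code. It matches the four message types with one regex each (always capturing the remote peer, which for the "<=>" message is the address after the arrow), aggregates hits into x.x.x.0/24 subnets with the standard ipaddress module, and adds the time-window filter the poster asks about. The sample log lines are constructed, and their leading ISO-8601 timestamp is an assumption for the example rather than RouterOS's native log format; the window check is the generic idea (ignore entries older than N), not a RouterOS API call.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines: an assumed "YYYY-MM-DDTHH:MM:SSZ message" layout.
# The message texts mirror the four patterns quoted in the post, plus one
# older entry (outside a 1-hour window) and one unrelated line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 123.123.111.123 phase1 negotiation failed.
2024-05-01T10:00:05Z 123.123.122.123 parsing packet failed, possible cause: wrong password
2024-05-01T10:01:10Z phase1 negotiation failed due to time up 100.100.100.100[500]<=>123.123.133.123[500] e0c091b198818b39:6b463379b059196c
2024-05-01T10:02:00Z <123.123.144.123>: user Admin authentication failed
2024-05-01T10:02:30Z <123.123.144.200>: user admin authentication failed
2024-04-01T09:00:00Z 123.123.155.123 phase1 negotiation failed.
2024-05-01T10:03:00Z ipsec: initiating new phase 1 negotiation
"""

# Reference "now" for the sample data (constructed to sit a few minutes after the last line).
NOW = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)

# One pattern per message type. The named group "src" is always the remote peer.
PATTERNS = [
    re.compile(r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) phase1 negotiation failed\.$"),
    re.compile(r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) parsing packet failed, possible cause: wrong password$"),
    # "local[port]<=>remote[port]": the peer after the arrow is the remote side.
    re.compile(r"^phase1 negotiation failed due to time up \S+<=>(?P<src>\d{1,3}(?:\.\d{1,3}){3})\[\d+\]"),
    re.compile(r"^<(?P<src>\d{1,3}(?:\.\d{1,3}){3})>: user \S+ authentication failed$"),
]


def parse_line(line):
    """Split one constructed log line into (aware datetime, message)."""
    ts, _, msg = line.partition(" ")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, msg


def attacker_address(message):
    """Return the remote peer as an ip_address for a known failure message, else None."""
    for pat in PATTERNS:
        m = pat.match(message)
        if m:
            return ipaddress.ip_address(m.group("src"))
    return None


def blocklist(log_text, now, window=timedelta(hours=1)):
    """Collect the /24 subnets of peers seen in matching messages within `window` of `now`.

    Returns sorted "x.x.x.0/24" strings, deduplicated, ready for an address list.
    """
    nets = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, msg = parse_line(line)
        if when < now - window:
            continue  # too old: skip, like limiting the /log/find to recent entries
        addr = attacker_address(msg)
        if addr is None:
            continue  # not one of the tracked failure messages
        # strict=False clears host bits, i.e. 123.123.144.200 -> 123.123.144.0/24
        nets.add(ipaddress.ip_network(f"{addr}/24", strict=False))
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    for net in blocklist(SAMPLE_LOG, NOW):
        print(f"/ip/firewall/address-list/add list=block_vpn_access address={net}")
```

Run stand-alone it prints one address-list add command per subnet; the two 123.123.144.x entries collapse into a single /24 and the month-old entry is dropped by the window, which is the behaviour the log-time question is about.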