60. MikroTik Email Alert and Block on Failed Log-in.

Here is the script:

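# Script Name: SSH Block by log
# This script reads a specified log buffer (logBuffer). For every "login failure"
# entry it extracts the source IP; any IP exceeding the number below (failthreshold)
# is added to the address list below (blocklist) and reported by e-mail.
# The log buffer is cleared as soon as it has been read, so only new entries are
# counted each time this script gets executed.
#
# Create the memory buffer and route the relevant topics into it:
#/system logging action add memory-lines=1000 memory-stop-on-full=no name=failedauth target=memory
#/system logging add action=failedauth disabled=no prefix="" topics=critical,system,error
#
# NOTE: the match is on the phrase "login failure", so failed logins from every
# service that logs that phrase (not only SSH) count against the threshold.
# /tool e-mail has to be configured for the alert to be delivered.
# Address-list entries are added without a timeout, i.e. they are permanent.

# Set this to a "memory" action log buffer. Example commands above.
:local logBuffer "failedauth"
:local failthreshold 5
:local blocklist "ssh_blocklist"
:local emailAddress "phalla.ccmt@gmail.com"
:local Output "Now you are attach by: "

# -----------------------------------

# Failure count per source, keyed by the IP string taken from the log line.
:local attackcounts [:toarray ""]
:local clearedbuf 0
:local lines

:foreach rule in=[/log print as-value where buffer=$logBuffer] do={
   # All entries are already collected in memory, so clear the buffer right
   # away (shrink it to 1 line, then restore the configured size) so that
   # entries arriving while we work are kept for the next run.
   :if ($clearedbuf = 0) do={
      /system logging action {
         :set lines [get $logBuffer memory-lines]
         set $logBuffer memory-lines 1
         set $logBuffer memory-lines $lines
      }
      :set clearedbuf 1
   }
   # End clear log buffer

   :local logEntryMessage ($rule->"message")
   :if ($logEntryMessage ~ "login failure") do={
      # The source address is expected between "from " and " via"
      # (e.g. "... from A.B.C.D via ssh"); that is all the extraction relies on.
      :local fromPos [:find $logEntryMessage "from "]
      :local viaPos [:find $logEntryMessage " via"]
      # Skip lines without both markers: :pick with a nil bound aborts the script.
      :if (([:typeof $fromPos] != "nil") && ([:typeof $viaPos] != "nil")) do={
         :local attackip [:pick $logEntryMessage ($fromPos + 5) $viaPos]
         :if ([:typeof ($attackcounts->$attackip)] = "nil") do={
            :set ($attackcounts->$attackip) 1
         } else={
            :set ($attackcounts->$attackip) (($attackcounts->$attackip) + 1)
         }
      }
   }
}
# end foreach rule

:local currentTime ([/system clock get date] . " " . [/system clock get time])

# Block and report every source that crossed the threshold in this batch.
:foreach attackip,hits in=$attackcounts do={
   :if ($hits > $failthreshold) do={
      # "add" fails on a duplicate entry and would abort the script,
      # so only add addresses that are not on the list yet.
      :if ([:len [/ip firewall address-list find address=$attackip list=$blocklist]] = 0) do={
         /ip firewall address-list add address=$attackip list=$blocklist comment="login failures > $failthreshold"
      }
      /tool e-mail send to=$emailAddress subject="MikroTik alert $currentTime" body="$Output $attackip"
   }
}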

You can contact me: plus.google.com/+PhallaCCMT; youtube.com/phallaccmt; facebook.com/Phalla.CCMT; twitter.com/PhallaCCMT and Phalla.CCMT@gmail.com