Can a script be created if a wrong login name is used

Thu Aug 08, 2019 7:23 pm

Can a script be created if a wrong login name is used to place the IP address in the address list and then be blocked into the firewall?
For example, superuser is the correct name. All the rest is wrong and must by blocked

Thanks

pe1chl · Thu Aug 08, 2019 7:50 pm

It is possible to write a script that reads recent log entries from memory, analyzes them and takes action.
When you schedule that script to run regularly, it could do what you want.

Thu Aug 08, 2019 8:11 pm

I found something like this on this forum but i want edit this to is used a wrong username.

:local loglist [:toarray [/log find time>([/system clock get time] - 1m) message~"critical login failurel"]]
:foreach i in=$loglist do={
:local logMessage [/log get $i message]
:local ip [:pick $logMessage 0 [:find $logMessage " "]]
/ip firewall address-list add address=$ip list=LOGIN_FAILURE timeout=30d
:log info message="script=LOGIN_FAILURE src_ip=$ip"
}

Jotne · Thu Aug 08, 2019 8:22 pm

This is the message you get when using wrong username or password:

system,error,critical MikroTik: login failure for user per from 192.168.88.10 via winbox

Give me some minute and I will fix a script. But take care, this can block your self from entering the system.

Thu Aug 08, 2019 8:33 pm

Hello Jotne, thanks for your effort, i appresiate that.

Jotne · Thu Aug 08, 2019 8:44 pm

This should do:
Schedule it to run every 5 min.
It will then add the IP for the user with wrong username or password to address list Wrong_User for 24 hour.

# Created Jotne 2019 v1.0
#
# Add user who tries wrong user or password to address-list


# Find all "login failure" error last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~"login failure"]]
5
# for all error do
:foreach i in=$loglist do={

# find message
	:local logMessage [/log get $i message]
# find ip
	:local ip [:pick $logMessage ([:find $logMessage "from"]+5) [:find $logMessage " via"]]
# Add ip to accesslist	
	/ip firewall address-list add address=$ip list=Wrong_User timeout=24h
	}

Thu Aug 08, 2019 10:27 pm

You are great Jotne, you are a great help for me and many others.

Thanks a lot

xme · Sun Feb 27, 2022 1:15 am

This should do:
Schedule it to run every 5 min.
It will then add the IP for the user with wrong username or password to address list Wrong_User for 24 hour.

# Created Jotne 2019 v1.0
#
# Add user who tries wrong user or password to address-list


# Find all "login failure" error last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~"login failure"]]
5
# for all error do
:foreach i in=$loglist do={

# find message
	:local logMessage [/log get $i message]
# find ip
	:local ip [:pick $logMessage ([:find $logMessage "from"]+5) [:find $logMessage " via"]]
# Add ip to accesslist	
	/ip firewall address-list add address=$ip list=Wrong_User timeout=24h
	}

Any update ?
I try it on ver, 6,42 and 7.1 but the script does not create any address-list.
My log is full with messages eg. "login failure for user x from x.x.x.x via winbox" but no address-list added

Im noob in scripting. How to modify the script to send / print the variables $if, $i to log for help find out which script section does not work?

xme · Sun Feb 27, 2022 8:03 pm

OK it was stupid error.
I was start to learn scripting but it was enough to remove the line with the character 5 from the code, which somehow get there

Here is the corrected version:

# Created Jotne 2019 v1.0
#
# Add user who tries wrong user or password to address-list

# Find all "login failure" error last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~"login failure"]]

# for all error do
:foreach i in=$loglist do={

# find message
	:local logMessage [/log get $i message]
# find ip
	:local ip [:pick $logMessage ([:find $logMessage "from"]+5) [:find $logMessage " via"]]
# Add ip to accesslist	
	/ip firewall address-list add address=$ip list=Wrong_User timeout=24h
	}

kevinds · Mon Apr 25, 2022 2:43 am

# Add user who tries wrong user or password to address-list

What if I don't care about wrong passwords? Only wrong usernames?

I'm thinking an if-then else-then?

Supplying a list of usernames, or fetching the list of users from /system/users, if matches a username, do nothing, else add IP? But only for login failures? Would this be CPU intensive?

Jotne · Mon Apr 25, 2022 2:02 pm

I am not sure if the message that are logged are different if its wrong user or wrong password.
Test and se what log you get. If log are different, it should be easy to fix the script.
I am away from my mikrotik routes, so no testing (vacation in Brazil

)

kevinds · Mon Apr 25, 2022 2:23 pm

I am not sure if the message that are logged are different if its wrong user or wrong password.

They are not logged differently. That would make this too easy..

Login failure for user x from a.b.c.d via service"

pe1chl · Mon Apr 25, 2022 5:13 pm

It already is bad enough that the value of the entered wrong username is logged with the message...

Jotne · Mon Apr 25, 2022 11:32 pm

When going through bad login, its possible to compare the username against all local stored user name and if not found, then do log a message.

pe1chl · Tue Apr 26, 2022 10:08 am

When going through bad login, its possible to compare the username against all local stored user name and if not found, then do log a message.

Well but I am asking for the opposite: when a user name is entered that is NOT one of the locally known usernames, do NOT log it.
Well, it is possible to log a message but not include the username.
Example: it can log "login failure for user admin from 192.168.88.10 via ssh" or similar, but it should NOT log "login failure for user Wor6Eqs2FWqA from 192.168.88.10 via ssh", when usename Wor6Eqs2FWqA does not exist in the router. Instead it can log just "login failure from 192.168.88.10 via ssh".

Why? Because Wor6Eqs2FWqA then probably is the PASSWORD for a user known in the system. And because log information could become available to others more easily than you would desire (e.g. when an external log server is used, or when critical messages are picked up by a monitoring system and sent as alerts).

Jotne · Tue Apr 26, 2022 5:40 pm

Either way should be possible. I will look at it when I am back home.

shakisha · Wed Apr 27, 2022 12:55 am

I prefer a script that will put in a blacklist all the usernames login attempts (more than 3 attempts) that are not users of the system.

kevinds · Wed Apr 27, 2022 1:17 am

I prefer a script that will put in a blacklist all the usernames login attempts (more than 3 attempts) that are not users of the system.

I'd rather blacklist/drop on the first attempt of using a wrong username, but that is the idea..

kevinds · Wed Apr 27, 2022 1:32 am

Why? Because Wor6Eqs2FWqA then probably is the PASSWORD for a user known in the system. And because log information could become available to others more easily than you would desire (e.g. when an external log server is used, or when critical messages are picked up by a monitoring system and sent as alerts).

That is a pretty small use-case...

If it happens enough that it is an issue, I would suggest not allowing that user access to your system because they are not competent..

User: Wor6Eqs2FWqA
Password:

User needs to disconnect... They should know entering a password will only trigger a logging of their password.

Overall, if it was possible, to not log username failures, I'd be happy with that because then I wouldn't care anymore about login failures..

On my systems, only SSH is open to the world.. Login failures filling the logs can hide actual issues that I need the logs for, but I would rather see the SSH failures in the logs than be locked out when I need to access the router.

Edit: "User needs to disconnect... They should know entering a password will only trigger a logging of their password." Nevermind, it does log eventually, there is a delay..

rextended · Wed Apr 27, 2022 3:12 am

About the OP:
Is wrong to put immediately on blacklist an IP after wrong username is used.
The user must have the time to notice some errors...
Like, if the username is MySecretname typo can happen and the user involuntarely blacklist himself...
mYsECRETNAME
MySEcretname
MysEcretname
MySecrtname
etc.
better to put at least 3 attempts instead of just one attempt, for example...

rextended · Wed Apr 27, 2022 3:17 am

[/system clock get time] - 5m

The omnipresent time error with subtraction, 2022-04-27 00:00:00 - 5 minutes... = 2022-04-27 -00:05:00...

rextended · Wed Apr 27, 2022 3:21 am

I have already maded one similar script, I just need to modify it to do what required from OP:
viewtopic.php?p=917307#p917428

REMEMBER TO REMOVE THE \ BEFORE ? IF USED INSIDE A SCRIPT OR SCHEDULER (yes for v6...)
And also I use :global for test rapidly on terminal, but on script can be replaced with :local

First version, add IP of failed logins to blacklist. On the IP addedd to blacklist also add on comment why is added:

/log
:global failmsg  "login failure for user "
:global frommsg  " from "
:global viamsg   " via "
:global listfail "list_failed_attempt"
:foreach rlog in=[find where message~"((25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])\\.){3}(25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])"] do={
    :local rmess [get $rlog message]
    :if (($rmess~$failmsg) and ($rmess~$frommsg) and ($rmess~$viamsg)) do={
         :local userinside [:pick $rmess ([:find $rmess $failmsg -1] + [:len $failmsg]) [:find $rmess $frommsg -1]]
         :local ipinside [:pick $rmess ([:find $rmess $frommsg -1] + [:len $frommsg]) [:find $rmess $viamsg -1]]
         :local intinside [:pick $rmess ([:find $rmess $viamsg -1] + [:len $viamsg]) [:len $rmess]]
         /ip firewall address-list
         :if ([:len [find where list=$listfail and address=$ipinside]] = 0) do={
             add list=$listfail address=$ipinside comment="$rmess"
         }
    }
}

This version add to blacklist the IP only if the username do not exist

/log
:global failmsg  "login failure for user "
:global frommsg  " from "
:global viamsg   " via "
:global listfail "list_failed_attempt"
:foreach rlog in=[find where message~"((25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])\\.){3}(25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])"] do={
    :local rmess [get $rlog message]
    :if (($rmess~$failmsg) and ($rmess~$frommsg) and ($rmess~$viamsg)) do={
         :local userinside [:pick $rmess ([:find $rmess $failmsg -1] + [:len $failmsg]) [:find $rmess $frommsg -1]]
         :local ipinside [:pick $rmess ([:find $rmess $frommsg -1] + [:len $frommsg]) [:find $rmess $viamsg -1]]
         :local intinside [:pick $rmess ([:find $rmess $viamsg -1] + [:len $viamsg]) [:len $rmess]]
         :if ([:len [/user find where name=$userinside]] = 0) do={
             /ip firewall address-list
             :if ([:len [find where list=$listfail and address=$ipinside]] = 0) do={
                 add list=$listfail address=$ipinside comment="$rmess"
             }
         }
    }
}

kevinds · Wed Apr 27, 2022 3:44 am

I have already maded one similar script, I just need to modify it to do what required from OP:
viewtopic.php?p=917307#p917428

I knew I saw it somewhere in the past, couldn't find it again.

Thank you rextended!! *offers digital drink*

         :if ([:len [/user find where name=$userinside]] = 0) do={
             /ip firewall address-list
             :if ([:len [find where list=$listfail and address=$ipinside]] = 0) do={
                 add list=$listfail address=$ipinside comment="$rmess"

Why two 'do' actions? - Trying to understand the 'why' so I can learn this scripting..

First go to the address-list section..

/ip firewall address-list

Then add the IP to the list..

add list=$listfail address=$ipinside comment="$rmess"

Why not

 :if ([:len [/user find where name=$userinside]] = 0) do={
             /ip firewall address-list add list=$listfail address=$ipinside comment="$rmess"

do it with one?

rextended · Wed Apr 27, 2022 3:47 am

Remember that also exist something like that:

log code

login failure for user aveawve from 64:D1:54:FF:44:77 via mac-telnet
login failure for user dminfghj from 08:60:6E:F7:EE:41 via winbox

On that cases, is possible to add MAC address on /firewall raw prerouting drop, but that logs can come only from your LAN (VPN, etc.), not from Internet...

rextended · Wed Apr 27, 2022 3:50 am

I knew I saw it somewhere in the past, couldn't find it again.

Thank you rextended!! *offers digital drink*

Nice, thanks

rextended · Wed Apr 27, 2022 3:58 am

         :if ([:len [/user find where name=$userinside]] = 0) do={
             /ip firewall address-list
             :if ([:len [find where list=$listfail and address=$ipinside]] = 0) do={
                 add list=$listfail address=$ipinside comment="$rmess"
             }
         }

>>>Why two 'do' actions? - Trying to understand the 'why' so I can learn this scripting..

Because the first is added later to first script for fastly understand between the two version what I add (simply the ckeck if the user exist)

>>>First go to the address-list section..
>>>Then add the IP to the list..
>>>Why not

 :if ([:len [/user find where name=$userinside]] = 0) do={
             /ip firewall address-list add list=$listfail address=$ipinside comment="$rmess"
 }

>>>do it with one?

you do notice the two operation on address list:
first check if already is present,
second, if not present, add the address inside the list:

original code

         :if ([:len [/user find where name=$userinside]] = 0) do={
             /ip firewall address-list
             :if ([:len [find where list=$listfail and address=$ipinside]] = 0) do={
                 add list=$listfail address=$ipinside comment="$rmess"
             }
         }

equivalent code

         :if ([:len [/user find where name=$userinside]] = 0) do={
             :if ([:len [/ip firewall address-list find where list=$listfail and address=$ipinside]] = 0) do={
                 /ip firewall address-list add list=$listfail address=$ipinside comment="$rmess"
             }
         }

if you try to add an IP already existant, you got error, and the script stop. and I hate Microsoft concept of "on-error resume next"

shakisha · Wed Apr 27, 2022 11:18 am

I have already maded one similar script, I just need to modify it to do what required from OP:

how to configure the number of attempts before they goes in blacklist?

rextended · Wed Apr 27, 2022 1:46 pm

The script immediately blacklist the IP, as requested by the OP.
But I can modify the script for wait x attempt for that.
Just wait as long as I implement it and try it.

rextended · Wed Apr 27, 2022 1:59 pm

Same warnings:

REMEMBER TO REMOVE THE \ BEFORE ? IF USED INSIDE A SCRIPT OR SCHEDULER (yes for v6...)
And also I use :global for test rapidly on terminal, but on script can be replaced with :local

This add to blacklist after 3 (configurable) failed attempts:

/log
:global maxattampt 3
:global errorArray [:toarray ""]
:global failmsg  "login failure for user "
:global frommsg  " from "
:global viamsg   " via "
:global listfail "list_failed_attempt"
:foreach rlog in=[find where message~"((25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])\\.){3}(25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])"] do={
    :local rmess [get $rlog message]
    :if (($rmess~$failmsg) and ($rmess~$frommsg) and ($rmess~$viamsg)) do={
         :local userinside [:pick $rmess ([:find $rmess $failmsg -1] + [:len $failmsg]) [:find $rmess $frommsg -1]]
         :local ipinside [:pick $rmess ([:find $rmess $frommsg -1] + [:len $frommsg]) [:find $rmess $viamsg -1]]
         :local intinside [:pick $rmess ([:find $rmess $viamsg -1] + [:len $viamsg]) [:len $rmess]]
         :if ([:typeof (($errorArray)->$ipinside)] = "nothing") do={
             :set (($errorArray)->$ipinside) 1
         } else={
             :set (($errorArray)->$ipinside) ((($errorArray)->$ipinside) + 1)
         }
         :if ((($errorArray)->$ipinside) > ($maxattampt - 1)) do={
             /ip firewall address-list
             :if ([:len [find where list=$listfail and address=$ipinside]] = 0) do={
                 add list=$listfail address=$ipinside comment="$rmess"
             }
         }
    }
}

shakisha · Thu Apr 28, 2022 12:43 am

Same warnings:

Thank you for the script.
I have tested and works great, but there is a trouble.
When a remove a blacklist entry, at the next script run it will put again the blacklist entry. How to avoid this?

kevinds · Thu Apr 28, 2022 12:45 am

Thank you for the script.
I have tested and works great, but there is a trouble.
When a remove a blacklist entry, at the next script run it will put again the blacklist entry. How to avoid this?

You create a second address list with your address to white-list with a rule that is accepted, before the blacklist rule drops the traffic.

shakisha · Thu Apr 28, 2022 12:47 am

You create a second address list with your address to white-list with a rule that is accepted, before the blacklist rule drops the traffic.

No way to create a script that parses only last entries from the log, without going to parse everytime entire logs? ( think I have seen something like "-5 minutes" or something like this.

rextended · Thu Apr 28, 2022 1:10 am

You create a second address list with your address to white-list with a rule that is accepted, before the blacklist rule drops the traffic.
No way to create a script that parses only last entries from the log, without going to parse everytime entire logs? ( think I have seen something like "-5 minutes" or something like this.

Read this:
viewtopic.php?t=150961#p929372

rextended · Thu Apr 28, 2022 1:11 am

When a remove a blacklist entry, at the next script run it will put again the blacklist entry. How to avoid this?

Do not remove... DISABLE...
Or empty the log...

Or use my script here, this use two list, white and black:
viewtopic.php?p=917307#p917428

kevinds · Wed May 25, 2022 2:43 am

I have already maded one similar script, I just need to modify it to do what required from OP:

Is there any way to increase the efficiency of this script?

It is taking well over two minutes to execute with just DHCP entries.. I logged a firewall drop rule and it created 30-40 entries and the script started taking 4+ minutes to execute..

I used to have it set to run every 10 seconds or so which worked great for the SSH attempts except last time I logged in there were many instances of the job running, cleared the log and set for 1 minute, came back later a LOT of DHCP entries showed up and there was 35 instances of the job. Performance didn't affect a CCR but it did on a RB750Gr3, at least it only tied up one core, not all of them.. On a CCR1009, I stopped the scheduler with 42 jobs running, one has been running for an hour now..

Or is it already as optimized as it can be? Better to come up with a different solution?

if /system scripts job 'script1' present end? Something along those lines?

What is the best way? I don't see a way to stop logging failed logins... To stop logging DHCP is easy though..

rextended · Wed May 25, 2022 2:52 am

If SSH is used for RouterBOARD remote management, close SSH and use VPN.
If SSH is used inside the network, drop all SSH traffic on RAW, regardless if someone try to login or not,
and allow only secure source IPs (or again, use VPN) or put that IP on whitelist for x hours after correct port knocking...

Leaving open SSH you say to the world "Hey, I have SSH open, try to guess username and password, is free!!!"...

kevinds · Wed May 25, 2022 2:55 am

Yes, if SSH is used for RouterBOARD remote management, close SSH and use VPN.
If SSH is used inside the network, drop all SSH traffic on RAW, regardless if someone try to login or not,
and allow only secure source IPs (or again, use VPN) or put that IP on whitelist for x hours after correct port knocking...

SSH is allowed for remote management.. It is our fail safe because it is simple and safe.. If we can't connect with the VPN, we can use SSH to get in and fix the VPN.

I don't care about SSH attempts.. I would be happy to not log them at all.. Unfortunately failed SSH logs don't use the SSH "topic".. May be a bug...

rextended · Wed May 25, 2022 2:58 am

About the script, a best practice is to not run another job for same script,
but at least wait the end, or leave the script auto-call himself at the end...

rextended · Wed May 25, 2022 3:02 am

I don't care about SSH attempts.. I would be happy to not log them at all.. Unfortunately failed SSH logs don't use the SSH "topic".. May be a bug...

for ignore completly SSH:

from:
:foreach rlog in=[find where message~"((25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])\\.){3}(25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])"] do={

to:
:foreach rlog in=[find where !(message~" via ssh") and \
    message~"((25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])\\.){3}(25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])"] do={

kevinds · Wed May 25, 2022 3:06 am

About the script, a best practice is to not run another job for same script,
but at least wait the end, or leave the script auto-call himself at the end...

Interesting.. Put it in the startup scheduler and then have the script call itself at the end..

If I have the last command as

'system script run 'script1'

Will the 'jobs' show the first as still running because it hasn't ended? Resource exhaustion would happen very quickly..

Even putting a second script in the middle to call the first, if it treats it as a sub-routine, I expect the same result..

'script1'
as above..
/system script run "script2"

'script2'
/system script run "script1"

Humm....

rextended · Wed May 25, 2022 3:09 am

Remember asyncronous ":execute"...

as last line:

:execute "/system script run script1"

rextended · Wed May 25, 2022 3:14 am

Is also possible re-iterate the script, after first start:

:do {

<ORIGINAL SCRIPT>

:delay 1s ; # safety measure against loops
} while=(true)

kevinds · Wed May 25, 2022 3:15 am

Leaving open SSH you say to the world "Hey, I have SSH open, try to guess username and password, is free!!!"...

Go for it, I don't care, they are not getting in.

Normal systems have the

PasswordAuthentication No

parameter set.. So those systems disconnect without even offering the "Password:" prompt.. RouterOS doesn't offer this option, but it also doesn't allow the password when a public key is set for a user either.

Normal systems, I see one attempt and the bots move on and don't come back.. RouterOS, I see hundreds before the bots move on, and they come back again and again. They can spend a year trying to brute force the login, I don't care, they are not getting in. Filling up my log(s), that pisses me off.

rextended · Wed May 25, 2022 3:20 am

I must go now, if you write something, I read it tomorrow.
Ciao.

kevinds · Wed May 25, 2022 5:57 pm

Remember asyncronous ":execute"...

Nice. Thank you.

kevinds · Tue May 31, 2022 9:23 pm

I don't care about SSH attempts.. I would be happy to not log them at all.. Unfortunately failed SSH logs don't use the SSH "topic".. May be a bug...

for ignore completly SSH:
Code: Select all
from:
:foreach rlog in=[find where message~"((25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])\\.){3}(25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])"] do={

to:
:foreach rlog in=[find where !(message~" via ssh") and \
    message~"((25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])\\.){3}(25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])"] do={

Is it possible to delete/remove a message from the log? - I removed the ! because I want the script to 'act' when finding a SSH log entry to delete the message, otherwise still using from above, it just gets really, really slow when there are a lot of log entries with IP addresses in them, at least I believe it is log entries with IP addresses slowing it down.

/system logging
set 0 topics=info,!dhcp

Did help..

/log only has "find" for an available command so I don't believe it will work to remove them, hoping I am wrong, but it makes sense not being able to 'edit' the log..

Jotne · Tue May 31, 2022 10:54 pm

No its not a simple delete commands for the logs.
You can set the log size to 0 and back to 1000 to clean it.
But you can store log id in your script and the and every time scripts run, only examine logs form the store id to the last id in the log.

Since scripting and logging are limited in RouterOS, its beter to send all logs to an external system and examine them there.

acrz6666 · Tue Aug 02, 2022 10:31 pm

This should do:
Schedule it to run every 5 min.
It will then add the IP for the user with wrong username or password to address list Wrong_User for 24 hour.

Thanks for your script. Is it possible to modify it so the IP enters the Wrong_User list only after, for example, 3 or 5 attempts?

Regards.

rextended · Tue Aug 02, 2022 11:18 pm

Just continue to read the topic....

zYx · Fri Nov 24, 2023 9:30 pm

Same warnings:

REMEMBER TO REMOVE THE \ BEFORE ? IF USED INSIDE A SCRIPT OR SCHEDULER (yes for v6...)
And also I use :global for test rapidly on terminal, but on script can be replaced with :local

This add to blacklist after 3 (configurable) failed attempts:

/log
:global maxattampt 3
:global errorArray [:toarray ""]
:global failmsg  "login failure for user "
:global frommsg  " from "
:global viamsg   " via "
:global listfail "list_failed_attempt"
:foreach rlog in=[find where message~"((25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])\\.){3}(25[0-5]|(2[0-4]|[01]\?[0-9]\?)[0-9])"] do={
    :local rmess [get $rlog message]
    :if (($rmess~$failmsg) and ($rmess~$frommsg) and ($rmess~$viamsg)) do={
         :local userinside [:pick $rmess ([:find $rmess $failmsg -1] + [:len $failmsg]) [:find $rmess $frommsg -1]]
         :local ipinside [:pick $rmess ([:find $rmess $frommsg -1] + [:len $frommsg]) [:find $rmess $viamsg -1]]
         :local intinside [:pick $rmess ([:find $rmess $viamsg -1] + [:len $viamsg]) [:len $rmess]]
         :if ([:typeof (($errorArray)->$ipinside)] = "nothing") do={
             :set (($errorArray)->$ipinside) 1
         } else={
             :set (($errorArray)->$ipinside) ((($errorArray)->$ipinside) + 1)
         }
         :if ((($errorArray)->$ipinside) > ($maxattampt - 1)) do={
             /ip firewall address-list
             :if ([:len [find where list=$listfail and address=$ipinside]] = 0) do={
                 add list=$listfail address=$ipinside comment="$rmess"
             }
         }
    }
}

Thanks. I'm new to MikroTik, and this is the only script that works for me in v7.12.1. I like that it will only add the IP after three failed attempts.

rextended · Sat Nov 25, 2023 10:01 am

Very thanks to you

drpioneer · Wed Nov 29, 2023 8:49 am

Hi!
An alternative version of the script that searches the device log for not only the wrong username, but many other phrases and can use a firewall:
https://forummikrotik.ru/viewtopic.php?p=91464#p91464
https://github.com/drpioneer/MikrotikBl ... danger.rsc

zYx · Sat Dec 02, 2023 9:48 pm

Hi!
An alternative version of the script that searches the device log for not only the wrong username, but many other phrases and can use a firewall:
https://forummikrotik.ru/viewtopic.php?p=91464#p91464
https://github.com/drpioneer/MikrotikBl ... danger.rsc

So this, kind of, replicates an enterprise firewall where everything is blocked unless explicitly unblocked?

drpioneer · Sun Dec 03, 2023 10:07 am

Hi!

So this, kind of, replicates an enterprise firewall where everything is blocked unless explicitly unblocked?

When the 'firewallUsage' variable is set to 'true', the script will try to configure the Firewall according to the principle: "everything that is not allowed is prohibited."