Sharing a MikroTik RouterOS IPsec protection script
This post was last edited by hyes on 2024-6-2 02:35. L2TP/IPsec, tested from iOS: when the IPsec secret is wrong, an error line is written to the log. The following is quoted from the original project.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now I changed the configuration on the Windows side and it became this: l2tp+ipsec encryption (valid), proposal (valid), IPsec Secret (invalid) and user+password combination (invalid).
In such a situation the previous rules can't help, but the next records were appearing in Mikrotik's logs. Five strings with: "192.168.1.15 parsing packet failed, possible cause: wrong password" and one string with: "phase1 negotiation failed due to time up 11.32.86.22<=>192.168.1.15"
So I decided to write a script to process the first string, and that's what I got:
https://github.com/Onoro/Mikrotik/blob/master/script1.rsc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The original project is seven years old and still works well. I modified it slightly; tested and working.
In my tests one connection attempt produced seven log lines, so I changed the threshold from the original project. Roughly five failed attempts will get the source address added to the l2tp blacklist firewall address-list.
How you set up the scheduler and the raw or filter rules is up to you. The script follows.
## *********************************************************
## * Mikrotik L2TP protection. *
## * https://github.com/Onoro/Mikrotik/ *
## * *
## *********************************************************
## Protection of Ipsec identity-secret
## The original project address: https://github.com/Onoro/Mikrotik/blob/master/script1.rsc
## Modified by G.D. on 2024/06/02
## variables
:local MachIpsecLogL;
:local l2tpIpsecLog;
:local IpsecAttackers;
:local l2Attackerslist;
:local l2WhiteList;
:local IpsecAttackLogC;
## threshold: number of "wrong password" log lines from one IP before it is listed
## (one L2TP/IPsec attempt produced about seven lines in testing, so 36 is roughly five attempts)
:set MachIpsecLogL 36;
:set l2Attackerslist "l2tp-brutforce";
:set l2WhiteList "WhiteList_l2tp";
## ------------------------------------------------------------------------------------------
##!!!! DO NOT CHANGE ANYTHING BELOW THIS LINE, IF YOU ARE NOT SURE WHAT YOU ARE DOING !!!!
## ------------------------------------------------------------------------------------------
## searching for "<ip> parsing packet failed, possible cause: wrong password" lines in the log.
## note: the forum software stripped the bracketed parts of the posted script ([0-9], [/log ...],
## [/ip ...]); they are restored below from the surrounding comments and the original project.
:local logPattern "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ parsing packet failed, possible cause: wrong password";
:set l2tpIpsecLog [/log find where message~$logPattern];
# :log info $l2tpIpsecLog;
:if ([:len $l2tpIpsecLog] = 0) do={
    :log info "There isn't log-line that contain 'parsing packet failed, possible cause: wrong password'.";
    :error "Error. There isn't log-line that contain 'parsing packet failed, possible cause: wrong password'.";
}
# walking through array
:foreach i in=$l2tpIpsecLog do={
    :local msg [/log get $i message];
    ## searching IP address of remote host: the fixed suffix
    ## " parsing packet failed, possible cause: wrong password" is 54 characters, so everything before it is the address
    :set IpsecAttackers [:pick $msg 0 ([:len $msg] - 54)];
    ## count the "parsing packet failed" records from this IP (the dots in the address also match any character,
    ## which is harmless here because the line must start with the address)
    :set IpsecAttackLogC [:len [/log find where message~("^" . $IpsecAttackers . " parsing packet failed, possible cause: wrong password")]];
    ## execute if the count reached the MachIpsecLogL threshold
    :if ($IpsecAttackLogC >= $MachIpsecLogL) do={
        ## execute if IP address isn't already in the block address-list
        :if ([:len [/ip firewall address-list find where list=$l2Attackerslist address=$IpsecAttackers]] = 0) do={
            # add IP to address-list unless it is whitelisted
            :if ([:len [/ip firewall address-list find where list=$l2WhiteList address=$IpsecAttackers]] = 0) do={
                :log info ($IpsecAttackLogC . " log containing <" . $IpsecAttackers . " parsing packet failed, possible cause: wrong password>.");
                :delay 2s;
                :log info ("Add " . [:toip $IpsecAttackers] . " to list " . $l2Attackerslist . ", timeout-4h...");
                /ip firewall address-list add list=$l2Attackerslist address=[:toip $IpsecAttackers] timeout=4h;
                :delay 2s;
                # /tool e-mail send to="alerts@mail.srv" start-tls=tls-only subject="L2TP allert" body="$IpsecAttackers was blocked because of L2TP brutforce" server=[:resolve mail.srv]
            } else={
                :log info ($IpsecAttackers . " is in the address-list " . $l2WhiteList . ".");
            }
        }
    }
}
# you have to change mail.srv to your valid smtp server and alerts@mail.srv to your valid mail address.
# second step is to configure Tools>Email tool in Mikrotik menu via Winbox, ssh or web interface.

Reply: My L2TP/IPsec was being brute-forced just today and then I saw this. Bookmarking it.
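The scheduler and the raw rules that the post leaves to the reader, as an added example that is not part of the post or of the original project. It reuses the post's address-list names, assumes the script above has been saved under /system script as "l2tp-ipsec-guard" (an assumed name), and uses 203.0.113.10 as a constructed placeholder for a trusted client address.

```routeros
# Constructed example (not from the post): wiring the script into RouterOS.
# 1. Whitelist trusted clients so the script can never list them.
#    203.0.113.10 is a placeholder; put your real management/roaming address here.
/ip firewall address-list add list=WhiteList_l2tp address=203.0.113.10 comment="trusted L2TP client"

# 2. Drop IKE (udp/500), NAT-T (udp/4500), bare L2TP (udp/1701) and ESP from listed
#    sources in the raw table, before connection tracking does any work.
#    Entries expire on their own because the script adds them with timeout=4h.
/ip firewall raw add chain=prerouting src-address-list=l2tp-brutforce \
    protocol=udp dst-port=500,4500,1701 action=drop comment="L2TP/IPsec brute-force"
/ip firewall raw add chain=prerouting src-address-list=l2tp-brutforce \
    protocol=ipsec-esp action=drop comment="L2TP/IPsec brute-force (ESP)"

# 3. Run the script every 5 minutes. "l2tp-ipsec-guard" is the assumed script name.
#    read/write cover the /log and address-list operations; test is added for the
#    optional :resolve / e-mail step and is harmless if it is not needed.
/system scheduler add name=l2tp-ipsec-guard interval=5m \
    on-event="/system script run l2tp-ipsec-guard" policy=read,write,test

# 4. The script counts lines in the in-memory log buffer; if 36 lines per source
#    scroll out before the next run, enlarge the buffer (default is 1000 lines).
/system logging action set memory memory-lines=5000

# 5. Verify after a deliberately failed connection from a test client:
/log print where message~"wrong password"
/ip firewall address-list print where list=l2tp-brutforce
```

Because the script exits with :error when no matching line exists, a scheduler run on a quiet router logs a script error; that is expected, not a fault.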