分享MikroTik RouterOS IPSec防护脚本

hyes

L2TP IPSEC，通过ios测试，ipsec密钥是错误时候，日志会报错。一下是引用原始项目。

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now I changed configuration on Windows side and it’s become to such form: l2tp+ipsec encription (valid), proposal (valid), IPSec Secret (invalid) and user+password combination (invalid).

In such situation previous rules can't help, but next records were appearing in Mikrotik's logs. Five strings with: 192.168.1.15 parsing packet failed, possible couse: wrong password and one string with: phase1 negotiation failed due to time up 11.32.86.22[500]<=>192.168.1.15[500]

So I decided to write script to process first string and that's what I got:

https://github.com/Onoro/Mikrotik/blob/master/script1.rsc

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

原始项目七年前的，就是流弊。自己稍微修改了，测试可用。

这边测试，一次链接会有七个日志。所以修改了原始项目的数字。这里大概是五次处罚会加入到l2黑名单防火墙地址列表。

至于计划任务以及raw或者filter如何搞。看个人。以下是脚本

1. ## *********************************************************
   
2. ## *               Mikrotik L2TP protection.               *
   
3. ## *         https://github.com/Onoro/Mikrotik/            *
   
4. ## *                                                       *
   
5. ## *********************************************************
   
6. ## Protection of Ipsec identity-secret
   
7. ## The original project address: https://github.com/Onoro/Mikrotik/blob/master/script1.rsc
   
8. ## Modified by G.D. on 2024/06/02
   
9. 
   
10. ## variables
    
11. :local MachIpsecLogL;
    
12. :local l2tpIpsecLog;
    
13. :local IpsecAttackers;
    
14. :local l2Attackerslist;
    
15. :local l2WhiteList;
    
16. :local IpsecAttackLogC;
    
17. 
    
18. :set MachIpsecLogL 36;
    
19. :set l2Attackerslist "l2tp-brutforce";
    
20. :set l2WhiteList "WhiteList_l2tp";
    
21. 
    
22. 
    
23. ## ------------------------------------------------------------------------------------------
    
24. ##  !!!! DO NOT CHANGE ANYTHING BELOW THIS LINE, IF YOU ARE NOT SURE WHAT YOU ARE DOING !!!!
    
25. ## ------------------------------------------------------------------------------------------
    
26. 
    
27. ## searching for "parsing packet failed, possible cause: wrong password" string in log.
    
28. :if ( [ :tobool [ /log find where message~"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+.*parsing packet failed, possible cause: wrong password" ] ] = true )  do={ \
    
29.   :set l2tpIpsecLog [ /log find where message~"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+.*parsing packet failed, possible cause: wrong password" ]; \
    
30.   # :log info $l2tpIpsecLog; \
    
31. } else={ \
    
32.   :log info "There isn't log-line that contain parsing packet failed, possible cause: wrong password. "; \
    
33.   :error "Error. There isn't log-line that contain  'parsing packet failed, possible cause: wrong password'. "; \
    
34. }
    
35. 
    
36. # walking through array
    
37. foreach i in=$l2tpIpsecLog do={
    
38. 
    
39.   ## searching IP address of remote host
    
40.   :set IpsecAttackers [:pick [/log get $i message ] 0 ([:len [/log get $i message ]]-54)]
    
41.   
    
42.   ## execute if quantity of "parsing packet failed" records more than MachIpsecLogL variable
    
43.   :set IpsecAttackLogC [:len [/log find message~"^$IpsecAttackers.*parsing packet failed, possible cause: wrong password"]];
    
44.   
    
45.   if ($IpsecAttackLogC>=$MachIpsecLogL) do={
    
46.   
    
47.     ## execute if IP address isn't in firewall adress-list
    
48.     if ([:len [/ip firewall address-list find list="$l2Attackerslist" address=$IpsecAttackers]]=0 ) do={
    
49.       # supplementation IP to address-list
    
50.           
    
51.           if ([:len [/ip firewall address-list find list="$l2WhiteList" address=$IpsecAttackers]]=0 ) do={
    
52.             :log info ( $IpsecAttackLogC . " log containing <" . $IpsecAttackers . "~ parsing packet failed, possible cause: wrong password>." );
    
53.                 :delay 2s;
    
54.             :log info ( "Add " . [:toip $IpsecAttackers] . " to list " . $l2Attackerslist . ", timeout-4h..."); \
    
55.         /ip firewall address-list add list="$l2Attackerslist" address=[:toip $IpsecAttackers] timeout=4h
    
56.                 :delay 2s;
    
57.         # /tool e-mail send to="alerts@mail.srv" start-tls=tls-only subject="L2TP allert" body="$IpsecAttackers was blocked because of L2TP brutforce"  server=[:resolve mail.srv]
    
58.       } else={
    
59.           :log info ( $IpsecAttackers . " is in the address-list " . $l2WhiteList . ".")
    
60.       }
    
61.           
    
62.         }
    
63.        
    
64.   }
    
65. }
    
66. 
    
67. # you have to change mail.srv to your valid smtp server and alerts@mail.srv to your valid mail address.
    
68. # second step is to configure Tools>Email tool in Mikrotik menu via Winbox, ssh or web interface.

复制代码

Evalyn

今天l2tp ipsec刚被刷就看到这个，马克下