∮Ω奧米加空間∮ » MikroTik RouterOS » [Tutorial] Script Application Examples
Author: dc (Administrator)
(Post 1) [Tutorial] Script Application Examples
After enabling the L2TP VPN, UDP ports 500, 1701 and 4500 have to be open to the outside, so the log frequently shows people probing it and trying to connect with wrong passwords.
Run this in the terminal:
/log print where message~"negotiation failed"
aug/05 09:30:11 ipsec,error 216.218.206.78 phase1 negotiation failed.
aug/06 10:21:07 ipsec,error 216.218.206.106 phase1 negotiation failed.
aug/09 09:14:01 ipsec,error 216.218.206.126 phase1 negotiation failed.
aug/09 17:33:11 ipsec,error 121.82.172.245 phase1 negotiation failed.
aug/09 17:34:03 ipsec,error 121.82.172.245 phase1 negotiation failed.
aug/11 10:06:33 ipsec,error 216.218.206.70 phase1 negotiation failed.
aug/14 08:22:09 ipsec,error 216.218.206.102 phase1 negotiation failed.
aug/15 08:54:31 ipsec,error 216.218.206.94 phase1 negotiation failed.
You can see the attempts never stop.
We can follow this post on the MikroTik forum:
Black list for failed login to IPSec VPN
https://forum.mikrotik.com/viewtopic.php?t=148397
System -> Scripts -> Scripts tab -> click +
Name: enter IPSEC_failed
Source: paste the block below, then click OK
Code:
# Created Jotne 2019 v1.2
#
# This script adds the IP of every peer that logged "negotiation failed" or "SPI* not registered"
# to a block list (this post keeps the entries for 245 days, see timeout= below)
# Schedule the script to run at least every 30 min, because it only looks back 30 min
# It should run on all RouterOS versions
# Find all "negotiation failed" errors of the last 30 min
:local loglistN [:toarray [/log find time>([/system clock get time] - 30m) message~"negotiation failed"]]
# for every error do
:foreach i in=$loglistN do={
  # get the message text
  :local logMessageN [/log get $i message]
  # the IP is everything before the first space
  :local ipN [:pick $logMessageN 0 [:find $logMessageN " "]]
  # Add the IP to the address list, unless it is already there:
  # a second add for the same address fails with "already have such entry" and aborts the script
  :if ([:len [/ip firewall address-list find address=$ipN list=IPSEC_failed]] = 0) do={
    /ip firewall address-list add address=$ipN list=IPSEC_failed timeout=245d
    # Send a message to the log
    :log info message="script=IPSEC_failed src_ip=$ipN why=negotiation_failed"
  }
}
# Find all "SPI* not registered" errors of the last 30 min
:local loglistS [:toarray [/log find time>([/system clock get time] - 30m) message~"SPI.*not regist"]]
# for every error do
:foreach j in=$loglistS do={
  # get the message text
  :local logMessageS [/log get $j message]
  # the IP sits between "for " and "["
  :local ipS [:pick $logMessageS ([:find $logMessageS "for "]+4) [:find $logMessageS "["]]
  # Add the IP to the address list, unless it is already there (a duplicate add aborts the script)
  :if ([:len [/ip firewall address-list find address=$ipS list=IPSEC_failed]] = 0) do={
    /ip firewall address-list add address=$ipS list=IPSEC_failed timeout=245d
    # Send a message to the log
    :log info message="script=IPSEC_failed src_ip=$ipS why=SPI_not_registered"
  }
}
It collects the IPs from log entries of the last 30 minutes that contain the string "negotiation failed" (and the "SPI ... not registered" ones), adds them to the IPSEC_failed address-list and keeps them there for 245 days.
Next we set a schedule to scan the log every 30 minutes. The interval must not be longer than the script's 30-minute look-back window, or entries logged between two runs are never picked up.
System -> Scheduler -> click +
Name: enter IPSEC_failed
Start Time: enter 00:00:00
Interval: enter 00:30:00
On Event: enter /system script run IPSEC_failed
It now runs every 30 minutes; whenever an entry matches, the log shows a line like this:
script=IPSEC_failed src_ip=216.218.206.78 why=negotiation_failed
In IP -> Firewall -> Filter Rules tab -> click +
General tab: Chain: select input
Advanced tab: Src. Address List: select IPSEC_failed
Action tab: Action: select drop
Click OK
Move the rule to the top of the input chain, above the rules that accept UDP 500/1701/4500 for the VPN, and that is it~
Problems encountered so far
If someone connects and gets the password wrong, the log reads
181.209.165.10 parsing packet failed, possible cause: wrong password
repeated
181.209.165.10 parsing packet failed, possible cause: wrong password
and finally
phase1 negotiation failed due to time up xx.xx.xx.xx[4500]<=>181.209.165.10[4500]
When the script runs, the log shows
script=IPSEC_failed src_ip=phase1 why=negotiation failed
so nothing gets blocked. A non-IP value in the Address field of an address-list entry does no harm, but to block this kind of attempt, add the following to the script:
Code:
# Find all "negotiation failed due to time up" errors of the last 30 min
:local loglistTimeout [:toarray [/log find time>([/system clock get time] - 30m) message~"phase1 negotiation failed due to time up"]]
# for every error do
:foreach k in=$loglistTimeout do={
  # get the message text
  :local logMessageTimeout [/log get $k message]
  # the remote peer is the part after ">" up to its "[port]"
  :local ip1 [:pick $logMessageTimeout [:find $logMessageTimeout ">"] [:len $logMessageTimeout]]
  :local ipTimeout [:pick $ip1 1 [:find $ip1 "["]]
  # Add the IP to the address list, unless it is already there (a duplicate add aborts the script)
  :if ([:len [/ip firewall address-list find address=$ipTimeout list=IPSEC_failed]] = 0) do={
    /ip firewall address-list add address=$ipTimeout list=IPSEC_failed timeout=245d
    # Send a message to the log
    :log info message="script=IPSEC_failed src_ip=$ipTimeout why=negotiation_failed_due_to_time_up"
  }
}
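The extraction logic of the script blocks above, re-implemented as an added Python example (not code from the original post or from Jotne's script) so it can be run offline over constructed log lines. It goes a little beyond the page: it also matches the "parsing packet failed, possible cause: wrong password" line quoted above, checks that what it pulled out really parses as an IP address (so the time-up message can never yield "phase1"), turns the 30-minute look-back into real timestamps so a window that crosses midnight still includes the previous day's entries, and lists each address once before rendering the address-list commands. The sample log, the assumed clock of 2019-08-31 00:10:00 and the exact shape of the SPI message are constructed assumptions.

```python
"""Parse RouterOS "/log print" lines for failed IPsec peers.
Added example, not code from the original post or from Jotne's script."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in "/log print" layout: RouterOS prints entries from earlier
# days as "mon/dd HH:MM:SS" and today's entries with the time only. The SPI line is
# shaped the way the page's script parses it ("... for <ip>[port]"), an assumption.
SAMPLE_LOG = """\
aug/30 23:20:05 ipsec,error 216.218.206.94 phase1 negotiation failed.
aug/30 23:50:11 ipsec,error 216.218.206.78 phase1 negotiation failed.
aug/30 23:55:02 ipsec,error 181.209.165.10 parsing packet failed, possible cause: wrong password
aug/30 23:55:40 ipsec,error phase1 negotiation failed due to time up 203.0.113.1[4500]<=>181.209.165.10[4500]
aug/30 23:58:13 ipsec,error 216.218.206.78 phase1 negotiation failed.
00:05:33 ipsec,error SPI 0x12345678 not registered for 198.51.100.7[500]
00:10:00 ipsec,error 216.218.206.106 phase1 negotiation failed.
"""
NOW = datetime(2019, 8, 31, 0, 10, 0)  # assumed clock at run time: the window crosses midnight
WINDOW = timedelta(minutes=30)         # the script's look-back, "- 30m"

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}
LINE_RX = re.compile(
    r"^(?:(?P<mon>[a-z]{3})/(?P<day>\d{1,2}) )?(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<topics>\S+) (?P<message>.*)$")
# (reason label, regex with an 'ip' group) for each message shape worth blocking on.
PATTERNS = (
    ("negotiation_failed_due_to_time_up",
     re.compile(r"phase1 negotiation failed due to time up \S+<=>(?P<ip>[^\[]+)\[")),
    ("negotiation_failed", re.compile(r"^(?P<ip>\S+) phase1 negotiation failed")),
    ("SPI_not_registered", re.compile(r"SPI.*not regist.* for (?P<ip>[^\[]+)\[")),
    ("wrong_password",
     re.compile(r"^(?P<ip>\S+) parsing packet failed, possible cause: wrong password")),
)

def parse_line(line, now):
    """Return (timestamp, topics, message), or None if the line is not a log entry."""
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    t = datetime.strptime(m["time"], "%H:%M:%S").time()
    if m["mon"]:
        date = now.date().replace(month=MONTHS[m["mon"]], day=int(m["day"]))
        if date > now.date():  # e.g. a dec/.. entry read in January
            date = date.replace(year=date.year - 1)
    else:
        date = now.date()      # time-only entries are from today
    return datetime.combine(date, t), m["topics"], m["message"]

def extract_offender(message):
    """Return (ip, reason) for a message worth blocking, else None.
    The text must parse as an IP address, so the first-token split the page's
    first loop does ("phase1" from the time-up message) cannot slip through."""
    for reason, rx in PATTERNS:
        m = rx.search(message)
        if not m:
            continue
        try:
            return str(ipaddress.ip_address(m["ip"])), reason
        except ValueError:
            return None
    return None

def offenders(log_text, now, window=WINDOW):
    """Map ip -> first reason seen, for ipsec entries within `window` before `now`.
    Each IP is listed once: a second '/ip firewall address-list add' for the same
    address fails with "already have such entry" and aborts a RouterOS script."""
    found = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, now)
        if parsed is None:
            continue
        ts, topics, message = parsed
        if "ipsec" not in topics.split(",") or not (now - window <= ts <= now):
            continue
        hit = extract_offender(message)
        if hit is not None:
            found.setdefault(hit[0], hit[1])
    return found

def address_list_commands(found, list_name="IPSEC_failed", timeout="245d"):
    """Render the RouterOS commands the scheduled script would issue."""
    return [f"/ip firewall address-list add address={ip} list={list_name} "
            f"timeout={timeout} comment={reason}" for ip, reason in found.items()]

def demo():
    """Run the constructed sample: four distinct peers; the 23:20 entry falls outside the window."""
    return offenders(SAMPLE_LOG, NOW)

if __name__ == "__main__":
    print("\n".join(address_list_commands(demo())))
```

Note that with the sample above 181.209.165.10 is caught by its "wrong password" line before its later "due to time up" line, and 216.218.206.78 appears in the log twice but is emitted once, which is the behaviour the script's own address-list add needs.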
2019/08/29
Previously, with a one-hour interval, it sometimes got lost; setting a breakpoint showed that the first entry ran but none of the later ones did, so I changed it to 30 minutes to observe.
2019/08/30
Observing with a breakpoint, at the 2019/08/30 00:00:00 run the value was empty
Control group:

After that, no matter how I changed the script, it died on the first entry every time~
Both the modified set and the control set returned to normal after the 08:00 run.
The modified set also produced a log entry that should not have been there

This is probably time-related; noting it here for now and will fix it when I find time.
2019/08/31
Changed it to start at 00:01:00 and run every 30 minutes.
If no negotiation_failed event occurred the previous day, the script runs normally at the 00:01:00 run.
But if a negotiation_failed event did occur the previous day, the script does not run normally until after 08:01:00.
For now I have removed the info message why=negotiation_failed and will keep observing.
Last edited by dc on 2019-08-31 11:06
Posted: 2019-08-15 14:18