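# Script Name: SSH Block by log
#
# Reads one "memory" log buffer (logBuffer), counts "login failure" entries per
# source IP and adds every IP with more than failthreshold failures to the
# firewall address list (blacklist). The buffer is then emptied, so each run
# only sees entries logged since the previous run.
#
# Set-up (run once; the action name must match logBuffer below):
#/system logging action add memory-lines=1000 memory-stop-on-full=no name=failedauth target=memory
#/system logging add action=failedauth disabled=no prefix="" topics=critical,system,error
#
# The address list does nothing on its own: a filter rule must reference it, e.g.
#/ip firewall filter add chain=input src-address-list=ssh_blacklist action=drop
#
# Caveats:
# - Every "login failure ... from <ip> via <service>" message counts, not only
#   ssh ones; tighten the regex below if only ssh should be scored.
# - Entries are added without a timeout (permanent). Add timeout=... to the
#   address-list add command if blocks should expire, and keep an accept rule
#   for management networks ahead of the drop rule so admins cannot lock
#   themselves out with a few typos.
# - memory-stop-on-full=no overwrites the oldest entries once the buffer is
#   full, so schedule this script often enough that a burst cannot push
#   entries out before they are read.
# - Anything logged between "/log print" and the buffer clear below is lost.
:local logBuffer "failedauth"
:local failthreshold 5
:local blacklist "ssh_blacklist"
# -----------------------------------
# failure count per source IP, keyed by the IP string (replaces the old pair of
# index-aligned arrays, whose indices were tied to the log-entry counter and
# produced duplicate/reset counters as soon as more than one IP appeared)
:local failcount [:toarray ""]
:local lines

# Snapshot the buffer first, then clear it so entries arriving during this run
# are kept for the next one. Clearing = shrinking memory-lines to 1 and
# restoring the configured value.
:local entries [/log print as-value where buffer=$logBuffer]
:if ([:len $entries] > 0) do={
    /system logging action {
        :set lines [get ($logBuffer) memory-lines]
        set ($logBuffer) memory-lines 1
        set ($logBuffer) memory-lines $lines
    }
}

:foreach entry in=$entries do={
    :local message ($entry->"message")
    :if ($message~"login failure") do={
        # Expected form: "login failure for user X from A.B.C.D via ssh".
        # :find returns nil when a marker is missing; guard before :pick.
        :local fromPos [:find $message "from "]
        :local viaPos [:find $message " via"]
        :if ([:typeof $fromPos] != "nil" && [:typeof $viaPos] != "nil") do={
            :local attackip [:pick $message ($fromPos + 5) $viaPos]
            # Only count values that parse as an IPv4 address; a mangled line
            # or an IPv6 login must never end up in the IPv4 address list.
            :if ([:typeof [:toip $attackip]] = "ip") do={
                :if ([:typeof ($failcount->$attackip)] = "nothing") do={
                    :set ($failcount->$attackip) 1
                } else={
                    :set ($failcount->$attackip) (($failcount->$attackip) + 1)
                }
            }
        }
    }
}

:foreach attackip,count in=$failcount do={
    :if ($count > $failthreshold) do={
        # "add" errors out on a duplicate entry and would abort the script
        # before later IPs are handled, so skip addresses already listed.
        :if ([:len [/ip firewall address-list find list=$blacklist address=$attackip]] = 0) do={
            /ip firewall address-list add address=$attackip list=$blacklist comment="login failures"
        }
    }
}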