MikroTik Script: Failed login attempt notification

Useful MikroTik script is to receive an email notification or Telegram message when a login failure for user message appears in the MikroTik device log (“login failure for user …“). Allows you to find out about attempts to brute-force a password, will report the IP or MAC address of the device attempting to log in, as well as the login with which they are trying to log in to the device.

Sample email - notification of login failure to MikroTik device

Content

  1. Script Description
  2. Create script
  3. Script code
  4. Add script to scheduler

Article in other languages:
?? – MikroTik Script: Notificación de intento de iniciar sesión fallido
?? – MikroTik Скрипт: Уведомление о ошибке входа в систему
?? – Script MikroTik: Notification de tentative de connexion échouée
?? – MikroTik-Script: Benachrichtigung über Anmeldefehler
?? – MikroTik-script: Melding van mislukte inlogpoging

Script Description

The script analyzes the device log to search for login failure for user events, sends an email or a Telegram message when events are found.

Parses events since the last start time (ParseLogLoginEndArrayID variable).

The following functions are used to send notifications:

The script calls functions with the names: EMailSendMessageFunction, TGBotSendMessageFunction. If your functions have a different name, change this in the script.

Sample Telegram message - notification of login failure to MikroTik device

✏️ If you detect frequent login attempts using your current login, perhaps the login has become known to attackers, the best option would be to change the login.

Create script

The following permissions are required to run the script: read, write, test, policy.

[System] -> [Scripts] -> [+] -> [Name: ParseLogLoginFailure] -> [Policy: read, write, test, policy]
MikroTik Script - Failed login attempt Notification into the MikroTik router

Script code

# Name: ParseLogLoginFailure v1.1
# Description: Device login failed notification
# Author: Yun Sergey [MHelp.pro] © 2021
# License: GPL-3.0 License
# Description, purpose and questions: https://mhelp.pro/mikrotik-script-failed-login-attempt-notification/
# More scripts Mikrotik: https://mhelp.pro/tag/mikrotik-scripts/
# Verified: RouterBOARD 952Ui-5ac2nD, RouterOS 6.48 (stable).

:local DeviceName [/system identity get name];
:local Time [/system clock get time];
:local Date [/system clock get date];
:local EmailMessageText;
:local TelegramMessageText;

:global ParseLogLoginEndArrayID;

:local IDsEvents [/log find where topics~"critical" message~"login failure"];

:local LenArrayIDs [:len $IDsEvents];
:local StartArrayID [:find $IDsEvents $ParseLogLoginEndArrayID];
:local EndArrayID ($IDsEvents -> ($LenArrayIDs-1));

#:log info "Script ParseLogLoginFailure: running.";

:if ($EndArrayID != $ParseLogLoginEndArrayID and [:tobool $ParseLogLoginEndArrayID] ) do={

    #:log info "Script ParseLogLoginFailure: new events found.";

    :for KeyArray from=($StartArrayID+1) to=($LenArrayIDs-1) do={
        :local IDMessage ($IDsEvents ->$KeyArray );
        :set EmailMessageText "$EmailMessageText \n\r  $[/log get number=$IDMessage time] - $[/log get number=$IDMessage message];";
        :set TelegramMessageText "$TelegramMessageText %0D%0A  $[/log get number=$IDMessage time] - $[/log get number=$IDMessage message];";
        }

    :set ParseLogLoginEndArrayID $EndArrayID;

    #:log info "Script ParseLogLoginFailure: events processed. Sending notifications.";

    # START SEND EMAIL
    :local SendTo "notify@mhelp.pro";
    :local Subject "\E2\9B\94 AUTH: $DeviceName [$Date $Time]";
    :local MessageText "$EmailMessageText";
    :local FileName "";
    :local SendEmail [:parse [/system script get EMailSendMessageFunction source]];
    $SendEmail SendTo=$SendTo TextMail=$MessageText Subject=$Subject FileName=$FileName;
    # END SEND EMAIL

    # START SEND TELEGRAM
    :local MessageText "\E2\9B\94 <b>$DeviceName: AUTH</b> $TelegramMessageText";
    :local SendTelegramMessage [:parse [/system script get TGBotSendMessageFunction source]];
    $SendTelegramMessage MessageText=$MessageText;
    # END SEND TELEGRAM
} else={
#:log info "Script ParseLogLoginFailure: no new messages found.";
};

#:log info "Script ParseLogLoginFailure: script completed successfully.";
:set ParseLogLoginEndArrayID $EndArrayID;

Add script to scheduler

The following permissions are required to run the script: read, write, test, policy.

[System] -> [Schedule] -> [+] -> [Name: ParseLogLoginFailure] —>  [Interval: 00:05:00] -> [Policy: read, write, policy, test]

Or run in terminal:

/system scheduler add name=ParseLogLoginFailure policy=read,write,policy,test on-event="/system script run ParseLogLoginFailure" interval=5m comment="Parse device log and sending failed login events"
MHelp.pro: Adding a script to MikroTik Task Scheduler

? You can configure Firewall rules to block brute-force attacks – MikroTik Protection (basic device security setting).

? How to create a script – failed login attempt notification into the MikroTik router, was discussed in this article. I hope that now you can improve control over MikroTik devices by receiving messages about failed login attempts, tracking device IP addresses and used logins, detecting the actions of an intruder in time. However, if you run into any problems while configuring the script, feel free to write in the comments. I will try to help.

✅ The script is checked: RouterBOARD 952Ui-5ac2nD, RouterOS 6.48 (stable).

5 thoughts on “MikroTik Script: Failed login attempt notification”

  1. Hello, awesome script. Do you know why does it show only time in the message body and not date? The “time” field in log contains both date & time, so there is no date field; but after calling this “$[/log get number=$IDMessage time]” , there is just time in the mail body. thanks

    Reply
  2. Hello
    You have a mistake in “Add script scheduler” call name of script ParseLogAccountEvents but not ParseLogLoginFailure

    Reply
    • Hello. Thank you very much for finding the error, the name of the script remains from the previous version of the script.

      Reply

Leave a Comment