Channel: MikroTik
General • Re: How can I protect my VPN network from attempted intrusion?

Rextended has a script you put in the scheduler to run every 5 mins that puts them in a bruteforce_blacklist which you drop on the raw filter. Limits the annoyance in the logs. That is about all you can do.
Code:
# Created Jotne && rextended 2022 v1.5
#
# This script adds the IP of a peer that logged "IPSEC negotiation failed", "SPI* not registered" or "Invalid exchange" to a block list
# Schedule the script to run every 5 min
# It should run on all RouterOS versions
# 1.3 added "Invalid exchange"
# 1.4 added dot behind "negotiation failed" to get only lines with IP
# 1.4 made all into one loop, based on idea by rextended
# 1.5 Fixed typo
:local logMessage ""
:local logIp ""
/log
# Walk only the log entries that match one of the three IPsec failure messages
:foreach i in=[find where message~"phase1 negotiation failed\\." or message~"SPI.*not regist" or message~"Invalid exchange"] do={
    :set logMessage [get $i message]
    # "<ip> phase1 negotiation failed." - the IP is the first word of the message
    :if ($logMessage~"phase1 negotiation failed\\.") do={
        :set logIp [:toip [:pick $logMessage -1 [:find $logMessage " "]]]
        :if ([:len [/ip fire addr find where list=bruteforce_blacklist address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list=bruteforce_blacklist timeout=1d
            :log info message="script=IPSEC_failed src_ip=$logIp why=negotiation_failed"
        }
    }
    # "SPI ... not registered for <ip>[port]" - the IP sits between "for " and "["
    :if ($logMessage~"SPI .* not registered for") do={
        :set logIp [:toip [:pick $logMessage ([:find $logMessage "for "]+4) [:find $logMessage "["]]]
        :if ([:len [/ip fire addr find where list=bruteforce_blacklist address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list=bruteforce_blacklist timeout=7d
            :log info message="script=IPSEC_failed src_ip=$logIp why=SPI_not_registered"
        }
    }
    # "Invalid exchange ... from <ip>[port]" - the IP sits between "from " and "["
    :if ($logMessage~"Invalid exchange") do={
        :set logIp [:toip [:pick $logMessage ([:find $logMessage "from "]+5) [:find $logMessage "["]]]
        :if ([:len [/ip fire addr find where list=bruteforce_blacklist address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list=bruteforce_blacklist timeout=7d
            :log info message="script=IPSEC_failed src_ip=$logIp why=Invalid_exchange"
        }
    }
}

Statistics: Posted by LdB — Sat Dec 30, 2023 3:55 pm
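The post mentions the scheduler entry and the raw-filter drop but does not show them. The following is an added example, not part of LdB's post or the Jotne/rextended script; the script name "ipsec-blacklist" and the 5-minute interval are assumptions, and the rule matches the bruteforce_blacklist address list the script above populates.

```routeros
# Store the script above under an assumed name (paste its body as the source= value)
/system script add name=ipsec-blacklist policy=read,write,test \
    source="<paste the IPSEC_failed script here>"

# Run it every 5 minutes, as the script header asks for
/system scheduler add name=ipsec-blacklist-run interval=5m \
    on-event="/system script run ipsec-blacklist" \
    start-time=startup

# Drop everything from blacklisted peers before connection tracking.
# Raw/prerouting is cheapest and, unlike a filter rule with log=yes,
# produces no log lines, which is the point of the approach.
# place-before=0 puts it ahead of any existing raw rules.
/ip firewall raw add chain=prerouting \
    src-address-list=bruteforce_blacklist action=drop \
    comment="drop IPsec brute-force sources" place-before=0

# Check what the script has caught so far and when each entry expires
/ip firewall address-list print where list=bruteforce_blacklist
```

Because entries carry a timeout (1d or 7d in the script), a legitimate peer that was added after a misconfiguration is released automatically; remove it earlier with `/ip firewall address-list remove [find list=bruteforce_blacklist address=<ip>]` if needed.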
