Joshaven Potter

WISP Consulting, Software Integrations, and Network Security

Recent Improvements

Now Faster

These address lists are now served automatically from many locations around the world.

Now Easier

The scripts on this page are editable in case you need to adjust something like the pre-defined schedule. The copy button below each list copies the on-page script to your clipboard, so you can paste it straight into the router terminal without opening a text editor.

MikroTik Automatically Updated Address List

A Problem

When you offer public access to a service, it can be rather difficult to separate the bad connections from the good.

A Solution

MikroTik to the rescue with address lists: simply put the bad addresses in a list and block anything in the list. Sounds like fun, right? Or maybe not so much. Of course you can (and should) create firewall rules that detect abuse and add the offenders to a list dynamically. But there is more you can do: you can subscribe to lists that are maintained by others, such as OpenBL.org, Spamhaus, DShield and malc0de.

Example of a parsed list

# Generated by Joshaven Potter on Mon Nov 16 06:25:01 EST 2015
/ip firewall address-list
add list=blacklist address=1.4.0.0/17 comment=SpamHaus
add list=blacklist address=1.10.16.0/20 comment=SpamHaus
add list=blacklist address=1.116.0.0/14 comment=SpamHaus
...

Implementation

The implementation is simple: paste the update script for a list into the terminal of any MikroTik and your router will fetch the newest copy of the generated list file and import it on a regular schedule.

The update scripts do not block anything on their own; they only add addresses to the blacklist address list. You still have to create a firewall rule that matches src-address-list=blacklist and drops the traffic in your input and/or forward chains.

In order to use any of the following lists you will want to add a rule to your input or forward chain like the following (the same rule with chain=forward protects the hosts behind the router; connection-state=new means connections that were already established before the address was listed are not cut off):

/ip firewall filter
add chain=input action=drop comment="Drop new connections from blacklisted IPs to this router" \
    connection-state=new src-address-list=blacklist in-interface=ether1-Internet
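The per-list update script itself is not shown above, so here is an added example of a complete fetch-and-import setup for one list, written for this page rather than taken from it. It assumes the generated file is published at https://lists.example.invalid/spamhaus.rsc (a hypothetical host) over HTTPS with a certificate the router can verify (the issuing CA imported under /certificate), that the Internet-facing interface is called ether1-Internet as in the rule above, and that the file tags its entries with comment=SpamHaus as the generated list does:

```routeros
# Added example, not one of the page's own scripts.
# Assumed: list served at https://lists.example.invalid/spamhaus.rsc (hypothetical
# host) and the server's CA already imported, so check-certificate=yes works.

# 1. Download the generated list into the router's file store.
/system script add name=blacklist-download source={
    /tool fetch url="https://lists.example.invalid/spamhaus.rsc" mode=https check-certificate=yes dst-path=spamhaus.rsc
    :log info "blacklist: downloaded spamhaus.rsc"
}

# 2. Replace only this feed's entries, then execute the downloaded file.
#    Every line of that file runs as a router command, so only import files
#    fetched over TLS from a server you control.  If the download failed and
#    the file is missing, keep the old entries instead of emptying the list.
/system script add name=blacklist-apply source={
    :if ([:len [/file find name=spamhaus.rsc]] > 0) do={
        /ip firewall address-list remove [find list=blacklist comment=SpamHaus]
        /import file-name=spamhaus.rsc
        :log info "blacklist: replaced SpamHaus entries"
    } else={
        :log warning "blacklist: spamhaus.rsc missing, keeping previous entries"
    }
}

# 3. Fetch once a day and import five minutes later, so the import never
#    runs against a half-written file.
/system scheduler add name=blacklist-download interval=1d start-time=03:00:00 on-event=blacklist-download
/system scheduler add name=blacklist-apply interval=1d start-time=03:05:00 on-event=blacklist-apply

# 4. The address list only matters once a filter rule uses it.
/ip firewall filter add chain=input action=drop connection-state=new src-address-list=blacklist in-interface=ether1-Internet comment="Drop new connections from blacklisted IPs"
```

The remove-then-import sequence leaves a short window with no SpamHaus entries in the list. If that matters, import into a staging list name instead and move the entries afterwards with /ip firewall address-list set [find list=staging] list=blacklist, which swaps them in one step.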

OpenBL

“The OpenBL.org project (formerly known as the SSH blacklist) is about detecting, logging and reporting various types of internet abuse. Currently our hosts monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.”

SpamHaus

“Spamhaus Don’t Route Or Peer List (DROP)

The DROP list will not include any IP address space under the control of any legitimate network – even if being used by “the spammers from hell”. DROP will only include netblocks allocated directly by an established Regional Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations.”

dshield

“This list summarizes the top 20 attacking class C (/24) subnets over the last three days. The number of ‘attacks’ indicates the number of targets reporting scans from this subnet.”

malc0de

"The files below will be updated daily with domains that have been identified distributing malware during the past 30 days"

Optional: the code that generates the lists

I recommend using my domain for updates unless you are serious about running a highly available server. I take care of my servers so that you may freely benefit from this service. Furthermore, I am using global caching services to help distribute the load. You are, however, welcome to use the script below on your own.

Note: Please use the following update script sparingly, because the source sites do not need a bunch of unnecessary traffic. The script runs on a Linux server (requires gawk and wget). I placed it in a file with 755 permissions in my /etc/cron.daily/ folder to be run daily. Keep in mind what the output is: every line of the generated .rsc file is executed as a command by /import on the router, so the script only ever emits the first field of lines that look like an address, and the feeds are fetched over plain HTTP as published by their maintainers. If you serve the result to your own routers, serve it over HTTPS so the router can verify what it imports.

#!/bin/sh
# Builds one RouterOS script (.rsc) per feed under $saveTo.  Each file is run
# as router commands by /import, so only the first field of address-like lines is emitted.
saveTo=/var/www
now=$(date)

# build NAME TAG URL AWK_FILTER [DECOMPRESS]
# Downloads the feed, filters it into "add list=blacklist ..." lines and replaces
# $saveTo/NAME.rsc atomically; a failed download leaves the previous list in place.
build() {
    raw=$(mktemp) || return 1
    tmp="$saveTo/$1.rsc.tmp"
    if wget -q -O "$raw" "$3"; then
        {
            echo "# Generated by Joshaven Potter on $now"
            echo "/ip firewall address-list"
            ${5:-cat} < "$raw" | awk --posix -v tag="$2" "$4"
        } > "$tmp" && mv "$tmp" "$saveTo/$1.rsc"
    fi
    rm -f "$raw"
}

# DShield block.txt: tab-separated "start end netmask attacks ..." lines, one /24 each
build dshield DShield http://feeds.dshield.org/block.txt \
    '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0\t/ { print "add list=blacklist address=" $1 "/24 comment=" tag }'

# Spamhaus DROP: "CIDR ; SBLnnn" lines, header lines start with ";"
build spamhaus SpamHaus http://www.spamhaus.org/drop/drop.lasso \
    '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print "add list=blacklist address=" $1 " comment=" tag }'

# OpenBL 30-day base list: gzipped, one IP per line, "#" comment lines
build openbl OpenBL http://www.openbl.org/lists/base_30days.txt.gz \
    '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blacklist address=" $1 " comment=" tag }' gunzip

# malc0de: one IP per line, "//" comment lines
build malc0de malc0de http://malc0de.com/bl/IP_Blacklist.txt \
    '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blacklist address=" $1 " comment=" tag }'
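The regexes above accept any dotted quad, so a feed line such as 999.1.1.1 or 0.0.0.0/0 would be written into the .rsc file as-is: the first fails on import, the second would make the blacklist drop everything. The following is an added example, not part of the page's generator, of a stricter feed parser in POSIX sh that validates each token as an IPv4 address or CIDR prefix before emitting a RouterOS command. The sample feed it runs on is constructed here and mixes the line formats of the real lists:

```sh
#!/bin/sh
# Added example, not the page's script: converts a raw feed into RouterOS
# address-list commands, emitting only tokens that are well-formed IPv4
# addresses or CIDR prefixes.  Every emitted line is later executed on the
# router by /import, so nothing else in the feed may reach the output.

# valid_octet N -> true if N is a decimal number 0..255
valid_octet() {
    case "$1" in
        ''|*[!0-9]*|????*) return 1 ;;   # empty, non-digit, or more than 3 digits
    esac
    [ "$1" -le 255 ]
}

# valid_cidr ADDR -> true for a.b.c.d or a.b.c.d/N with 8 <= N <= 32.
# Prefixes shorter than /8 are refused on purpose: a line such as 0.0.0.0/0
# would turn the blacklist into a drop-everything rule.
valid_cidr() {
    cidr_addr=${1%%/*}
    case "$1" in
        */*) cidr_pfx=${1#*/} ;;
        *)   cidr_pfx=32 ;;
    esac
    case "$cidr_pfx" in ''|*[!0-9]*|???*) return 1 ;; esac
    if [ "$cidr_pfx" -lt 8 ] || [ "$cidr_pfx" -gt 32 ]; then return 1; fi
    case "$cidr_addr" in ''|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS
    IFS=.
    set -- $cidr_addr            # split the dotted quad into $1..$4
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        valid_octet "$o" || return 1
    done
    return 0
}

# feed_to_rsc TAG [PREFIX] < feed
# Prints one "add list=blacklist ..." line per valid token (the first
# whitespace-separated field of each line).  PREFIX is appended to bare
# addresses, which is how DShield's "start address of a /24" lines are handled.
# Comment lines (#, ; or //) are skipped; anything else that does not parse is
# reported on stderr and dropped.
feed_to_rsc() {
    tag=$1
    pfx=${2:-}
    echo "/ip firewall address-list"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*|'//'*) continue ;; esac
        tok=${line%%[[:space:]]*}
        case "$tok" in
            */*) ;;
            *) if [ -n "$pfx" ]; then tok="$tok/$pfx"; fi ;;
        esac
        if valid_cidr "$tok"; then
            echo "add list=blacklist address=$tok comment=$tag"
        else
            echo "feed_to_rsc: dropping unparseable line: $line" >&2
        fi
    done
    return 0
}

# Constructed sample feed mixing the formats of the real lists, including
# three lines a plain dotted-quad regex would pass through unchanged.
sample_feed() {
    printf '%s\n' \
        '; Spamhaus DROP List (constructed sample)' \
        '1.4.0.0/17 ; SBL256894' \
        '# OpenBL-style comment' \
        '203.0.113.7' \
        '0.0.0.0/0 ; would drop everything' \
        '999.1.1.1 ; not an IPv4 address' \
        '198.51.100.0/24/extra'
}

# Run with --demo to print the generated RouterOS commands for the sample.
if [ "${1:-}" = "--demo" ]; then
    sample_feed | feed_to_rsc SpamHaus
fi
```

For the DShield feed, pipe block.txt through feed_to_rsc DShield 24 so the bare start addresses become /24 prefixes; for the other three feeds omit the prefix argument. The /8 floor is a policy choice for a blacklist fed by third parties; raise or lower it to taste, but keep some floor so one bad line in an upstream feed cannot take the router off the network.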