Recent Improvements

Server-side list modification

In place of any of the particular lists below, you can merge lists as well as modify other commands such as address list name, timeout etc. To use this copy and paste the following to a browser, play with the attributes to get the lists you want then include your customized URL as the fetch URL.

http://joshaven.com/genlist.php?lists=spamhaus,dshield,voip-bl&prefix=add%20list=blacklist%20timeout=1d%20address=

Example Script using genlist

Modify the text in the box below to meet your needs and copy it then paste in your router's terminal.

/system scheduler add comment="Apply genlist List" interval=1d name=Update_genlist on-event=\ Replace_genlist policy=\ ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \ start-date=jan/01/1970 start-time=19:55:10 /system script add dont-require-permissions=no name=Replace_genlist owner=admin policy=\ ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/t\ ool fetch url=\"http://joshaven.com/genlist.php\?lists=spamhaus,dshield,bru\ teforce&prefix=add%20list=blacklist%20timeout=1d%20comment=autoaddresslist%\ 20address=\" mode=http dst-path=genlist.rsc;\ \n:log info \"Downloaded autoaddresslist from Joshaven.com using genlist\";\ \r\ \n/ip firewall address-list remove [find where comment=\"autoaddresslist\"]\ \n/import file-name=genlist.rsc;\ \n:log info \"Removed old autoaddresslist records and imported new list\";\ \n"

MikroTik Automatically Updated Address List

A Problem

When you offer public access to a service it can be rather difficult to separate the bad connections from the good.

A Solution

MikroTik to the rescue with address lists… simply put the bad addresses in a list and block anything in the list. Sounds like fun right… or maybe not so much? Of course you can (and should) manually create rules to detect abuse and dynamically create the lists… However there is more that you can do, you can subscribe to lists that are maintained by others like Spamhaus, dshield,

Example of a parsed list

# Generated by Joshaven Potter on Mon Nov 16 06:25:01 EST 2015
/ip firewall address-list
add list=blacklist address=1.4.0.0/17 comment=SpamHaus
add list=blacklist address=1.10.16.0/20 comment=SpamHaus
add list=blacklist address=1.116.0.0/14 comment=SpamHaus
...

Implementation

The implementation is simple... paste the following code into the terminal of any MikroTik and your router will grab the newest copy of my script file and run it regular basis.

The following will not block anything, it only adds IP’s to your address list. You will still have to create a firewall rule which will match src-address-list=blacklist and drop the traffic in your input and/or forward chains.

In order to use any of the following lists you will want to add a rule to your input or forward chains like the following:

add chain=input action=drop comment="Drop new connections from blacklisted IP's to this router" \
connection-state=new src-address-list=blacklist in-interface=ether1-Internet

SpamHaus

“Spamhaus Don’t Route Or Peer List (DROP)""

The DROP list will not include any IP address space under the control of any legitimate network – even if being used by “the spammers from hell”. DROP will only include netblocks allocated directly by an established Regional Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations.”

# Script which will download the drop list as a text file /system script add name="DownloadSpamhaus" source={ /tool fetch url="http://joshaven.com/spamhaus.rsc" mode=http; :log info "Downloaded spamhaus.rsc from Joshaven.com"; } # Script which will Remove old Spamhaus list and add new one /system script add name="ReplaceSpamhaus" source={ /ip firewall address-list remove [find where comment="SpamHaus"] /import file-name=spamhaus.rsc; :log info "Removed old Spamhaus records and imported new list"; } # Schedule the download and application of the spamhaus list /system scheduler add comment="Download spamnaus list" interval=3d \ name="DownloadSpamhausList" on-event=DownloadSpamhaus \ start-date=jan/01/1970 start-time=20:16:14 /system scheduler add comment="Apply spamnaus List" interval=3d \ name="InstallSpamhausList" on-event=ReplaceSpamhaus \ start-date=jan/01/1970 start-time=20:21:14

dshield

“This list summarizes the top 20 attacking class C (/24) subnets over the last three days. The number of ‘attacks’ indicates the number of targets reporting scans from this subnet.”

# Script which will download the drop list as a text file /system script add name="Download_dshield" source={ /tool fetch url="http://joshaven.com/dshield.rsc" mode=http; :log info "Downloaded dshield.rsc from Joshaven.com"; } # Script which will Remove old dshield list and add new one /system script add name="Replace_dshield" source={ /ip firewall address-list remove [find where comment="DShield"] /import file-name=dshield.rsc; :log info "Removed old dshield records and imported new list"; } # Schedule the download and application of the dshield list /system scheduler add comment="Download dshield list" interval=3d \ name="DownloadDShieldList" on-event=Download_dshield \ start-date=jan/01/1970 start-time=20:26:14 /system scheduler add comment="Apply dshield List" interval=3d \ name="InstallDShieldList" on-event=Replace_dshield \ start-date=jan/01/1970 start-time=20:31:14

VoIP Blacklist

"Protect your business and PBX's against VoIP Fraud Minimize the risks of attacks on your Telephony Server Save bandwidth by using Geolocation filtering."

WARNING: Use carefully! This is a huge list which can quickly cause performance issues.

# Script which will download the voip-bl list as a text file /system script add name="Download_voip-bl" source={ /tool fetch url="http://joshaven.com/voip-bl.rsc" mode=http; :log info "Downloaded voip-bl.rsc from Joshaven.com"; } # Script which will Remove old voip-bl list and add new one /system script add name="Replace_voip-bl" source={ /ip firewall address-list remove [find where comment="VoIP BL"] /import file-name=voip-bl.rsc; :log info "Removed old voip-bl records and imported new list"; } # Schedule the download and application of the voip-bl list /system scheduler add comment="Download voip-bl list" interval=3d \ name="Refresh_voip-bl" on-event=Download_voip-bl \ start-date=jan/01/1970 start-time=20:26:14 /system scheduler add comment="Apply voip-bl List" interval=3d \ name="Update_voip-bl" on-event=Replace_voip-bl \ start-date=jan/01/1970 start-time=20:31:14

Bruteforce IP's

"BruteForceBlocker v1.2.6

BruteForceBlocker is a perl script, that works along with pf - OpenBSD's firewall (which is also available on FreeBSD and NetBSD) and its main purpose is to block SSH bruteforce attacks via firewall.

When this script is running, it checks sshd logs from syslog and looks for failed login attempts - mostly some annoying script attacks, and counts number of such attempts.

When given IP reaches configured limit of fails, script puts this IP to the pf's table and blocks any further traffic from the given IP.

Furthermore, the blocked IP is reported to the project site which enables users to share a list of abusive IPs. The list is publicly available at http://danger.rulez.sk/projects/bruteforceblocker/blist.php

If you are bored of those automated auth tries, you will be happy with this script. BruteForceBlocker is easy to use, simple, and effective.

For installation instructions see INSTALL file.

WWW: http://danger.rulez.sk/index.php/bruteforceblocker/"

# Script which will download the bruteforce list as a text file /system script add name="Download_bruteforce" source={ /tool fetch url="http://joshaven.com/bruteforce.rsc" mode=http; :log info "Downloaded bruteforce.rsc from Joshaven.com"; } # Script which will Remove old bruteforce list and add new one /system script add name="Replace_bruteforce" source={ /ip firewall address-list remove [find where comment="bruteforce"] /import file-name=bruteforce.rsc; :log info "Removed old bruteforce records and imported new list"; } # Schedule the download and application of the bruteforce list /system scheduler add comment="Download bruteforce list" interval=3d \ name="Refresh_bruteforce" on-event=Download_bruteforce \ start-date=jan/01/1970 start-time=20:26:14 /system scheduler add comment="Apply bruteforce List" interval=3d \ name="Update_bruteforce" on-event=Replace_bruteforce \ start-date=jan/01/1970 start-time=20:31:14

OPTIONAL: FYI The code that generates the list

I recommend using my domain for updates unless you are serious about running a highly available server. I take care of my servers so that you may freely benefit from this service. Furthermore I am using global caching services to help distribute the load. You however are welcome to use the script below on your own.

Note: Please only use the following update scripts sparingly because the source sites don’t need a bunch of unnecessary traffic. Anyway, the following script will run on a Linux server (requires gawk & wget). I placed it in a file with 755 permissions in my /etc/cron.daily/ folder to be run daily.

#!/bin/sh
saveTo=/var/www
now=$(date);
echo "# Generated by Joshaven Potter on $now" > $saveTo/dshield.rsc
echo "/ip firewall address-list" >> $saveTo/dshield.rsc
wget -q -O - http://feeds.dshield.org/block.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0\t/ { print "add list=blacklist address=" $1 "/24 comment=DShield";}' >> $saveTo/dshield.rsc

echo "# Generated by Joshaven Potter on $now" > $saveTo/spamhaus.rsc
echo "/ip firewall address-list" >> $saveTo/spamhaus.rsc
wget -q -O - http://www.spamhaus.org/drop/drop.lasso | awk --posix '/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print "add list=blacklist address=" $1 " comment=SpamHaus";}' >> $saveTo/spamhaus.rsc

Joshaven Potter

WISP Consulting, Software Integrations, and Network Security