Address list importing with other name

Hello Dear MikroTIKers!

I would like to do this: I see, when watching the logs, that a lot of people try to get in on ports for SMB and SSH and stuff like that, like port scanners.
I implemented a port scanner rule that a MikroTik teacher put online, and when I tested it with a portscan.exe and with nmap from Kali Linux it worked like a charm, but in real life it's not catching anything and I see a lot of packets get stuck at my sbl-spamhaus, sbl-malicious drop list. This made me think these port scanners are 1.) really slow and my config doesn't give a fuck about it, or 2.) something totally else that I don't know about yet.

So because the port scanner works in LABS, but not in real life, I put sbl blocklist, sbl spamhaus, sbl malicious, etc. in a scheduled thingy and import them, and I have firewall rules like
input address-list:sbl-spamhaus action:drop (and I have this for all the lists)

So, these are a lot of rules and I have two questions:

First: how to achieve that, when importing these files, the ADDRESS LIST names become the same (let's say I import sbl spamhaus and it gets imported with the address list name BADIP, and then sbl malicious gets imported with the same name, BADIP), so I don't have to make a lot of fokin rules; an input drop rule for every address list name seems to be too much for me.

Second question: I do drop input for these bad guys; the reason I'd like to have ONE name for the bad IPs is that I'd like to make rules for the FORWARD CHAIN like this:

forward action:allow in-interface:myLANinterface src-address:mysubnet dst-addresslist: !BADIP

So with this rule I could stop all the clients from reaching those bad guys' servers and the stuff on them, but in all the forums I see there are only INPUT rules when blocking things like spamhaus etc. Would it be a good idea to tell the clients, with a fw rule, not to go to the bad guys' house?


Thank you in advance!

https://wiki.mikrotik.com/wiki/Drop_port_scanners

I found it, this is it, now I know. I saw this and wanted to use it, but I was really a beginner and I didn't understand what was going on, so I didn't use it.
But now I see this is totally the same... what a shame...
And if I do a scan with "port scan and stuff" and a downloaded Kali Linux, and use NMAP with all kinds of parameters, it works and I get blocked via L3.
But in reality this is not so; it's not worth ANYTHING, maybe against beginner hackers. If you go to pentest-tools.com and you do a scan, a free one which scans only the common ports, nothing gets blocked.

Does anyone know a working script/rule to block port scanners?
Or, I think now, it would be much better if I could import multiple addresses into an address list with the same address list name, if someone knows how that is possible.

Blocking portscanners is a nice hobby project to gain experience in the different technologies of the MikroTik router, but after you are done with it and see how it works, you should simply remove it.
It serves no useful purpose, and it can cause nasty side-effects that you can easily overlook.

No changes can be made during import. So you have to do them before, using an external text editor because Mikrotik scripting cannot parse files, or after, using Mikrotik scripting on the already imported address lists.

If there are no duplicate entries between those lists, the command is simple:
ip firewall address-list set [find list~"oldname"] list=newname

However, the process stops on the first duplicate address encountered. And I leave aside prefixes (1.1.1.0/24 in the target list and 1.1.1.1 in the source list, or vice versa). So merging lists with possible duplicates must be done algorithmically, and it will be quite a resource-consuming task.
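As an added example (not from this thread), this RouterOS script does the "after import" variant Sindy describes: it walks each imported list, copies every address into one list named BADIP only when that exact address is not there yet (which is what makes the plain `set ... list=newname` stop), removes the source entry, and then a single input rule and a single forward rule use the merged list. The source list names, the LAN subnet 192.168.88.0/24 and the placement comments are assumptions; overlapping prefixes (1.1.1.0/24 versus 1.1.1.1) are still not resolved, as Sindy points out.

```routeros
# Added example, not the thread's own config. Run it from the scheduler
# right after the .rsc imports that create the sbl-* lists.
:local target "BADIP"
# assumed names of the lists created by the imports
:local sources {"sbl-spamhaus";"sbl-malicious";"sbl-blocklist"}

:foreach src in=$sources do={
    :foreach id in=[/ip firewall address-list find list=$src] do={
        :local addr [/ip firewall address-list get $id address]
        # add only when the identical address/prefix is not already in BADIP;
        # an unconditional add would abort on "already have such entry"
        :if ([:len [/ip firewall address-list find list=$target address=$addr]] = 0) do={
            /ip firewall address-list add list=$target address=$addr comment=("from " . $src)
        }
        # drop the source entry so the per-list rules are no longer needed
        /ip firewall address-list remove $id
    }
}

# Two rules instead of one per list. Place them above any accept rules
# (move them with /ip firewall filter move if they end up at the bottom).
/ip firewall filter
add chain=input src-address-list=BADIP action=drop \
    comment="question 1: one drop rule for all imported lists"
add chain=forward src-address=192.168.88.0/24 dst-address-list=BADIP action=drop \
    comment="question 2: keep LAN clients from reaching listed hosts"
```

The forward rule is what the original post sketched with `!BADIP` in an accept rule; expressing it as an explicit drop keeps the rest of the forward chain unchanged.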

I was asking myself the same: if I just leave ICMP (or filtered ICMP options) enabled from outside on the WAN interface and set up INPUT only from my internal client or subnet, etc., it should be good, because it just takes an unnecessary amount of resources to drop bad guys via a lot of rules instead of "chain:input action:drop" (sure, only after I granted myself access).

It's basically the same, they land on "drop input" anyway. So thanks m8 for your answer! Do you use address lists to block bad guys, or do you simply not grant any access from the outside in chain:input?

So basically this is a no-go, and I have to make a "drop input address-list:nameofthelist" rule for every name that I have in the address list (which are fetched via the scheduler), right?

And if yes, should I do that for my clients too? Like, they should go to those IPs, or is it common/good to "only" block it from input?

Thank you!

chain=input handles connection attempts to your Tik itself. chain=forward handles transit traffic (between two interfaces of the router).

And yes, “block everything but few exceptions” is the best firewall concept in my opinion. Only allow access to services which are secure by themselves (VPNs but definitely not the PPTP one, https, ssh), and restrict even that to only a handful of source addresses if you can. If you cannot, you have to rely on the security of those services alone, so never trust it completely. It always depends on the value of the data or resources for the attacker how much effort he spends on breaking into your network.

Of course if you need to run a http server accessible from the whole world behind your firewall, you have no option but to leave the access to it open, but you should then jail the server itself and not allow it to actively connect anywhere.

And last point, devices in your LAN may get infected too and attack your Tik, cross-platform malware does exist. So telnet and http should be forbidden even from LAN.

Thank you Sindy, again! I disable all services in MikroTik except winbox, and I only port forward one port, the VPNs! And sure, it's not PPTP :slight_smile:
Basically, after all the effort I've put into the fw, it seems that only allowing from the internal subnet/single IP address in chain INPUT and ICMP from outside, and blocking everything else, will be the winner at the end :smiley:

Thank you for your efforts and have a nice weekend!

And I make neighbor discovery, MAC telnet server and MAC winbox server only available for the interface list "all-except-wan" (I made that, and like the name states, all interfaces are in it except the one facing the internet, aka WAN). I checked, the best thing is to change the MAC of WAN, because NMAP and other software like that knows instantly that you are using a RouterBOARD, and even if you block the access from WAN to WINBOX (8291) it shows up as FILTERED and "everyone" knows that 8291 is winbox, so even if I block it they see that I'm using a MikroTik and can try specific attacks against me. So changing the default WINBOX port AND firewalling it and changing the WAN MAC is what I think should be done too, because of those bad guys.

And again Sindy, thx!!!

It is important that you do not make your management ports (like 8291) available on untrusted interfaces like the internet, your open wifi network, etc.
These should only be available from a trusted interface. When you cannot trust your LAN, make a separate management network and use only that.
There is little difference between using unencrypted modes like telnet/http and encrypted modes like ssh/https/winbox(secure). The commonly known attacks work with or without encryption. Encryption can only save you from sniffing of the password between your system and the router, but this usually is not an issue on a LAN. And as I already wrote, you should not enable management ports on internet.

When you need to manage from internet, at least use a VPN as an extra layer of security (you connect to your router using VPN and then you open the winbox or ssh or telnet or whatever). With an encrypted VPN it again does not matter if you use telnet or ssh.

Auto-blocking of portscanners is nice as an experiment and to see it in operation, but it does not offer any additional protection.
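As an added example (not from this thread), the configuration below puts the advice of the last few posts together: management services reachable only from the trusted side, neighbor discovery and MAC access limited to the "all-except-wan" interface list the original poster mentioned, a single VPN port open on WAN, ICMP allowed, and everything else to the router dropped by one rule. The interface names ether1 and bridge-lan, the LAN subnet 192.168.88.0/24 and OpenVPN on TCP/1194 are assumptions.

```routeros
# Added example, not the thread's own config. Adjust interface names,
# subnet and VPN port to your setup (all of those are assumed here).
/interface list add name=WAN
/interface list add name=all-except-wan
/interface list member add list=WAN interface=ether1
/interface list member add list=all-except-wan interface=bridge-lan

# services: disable what is unused, bind what remains to the trusted subnet
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24

# neighbor discovery and MAC telnet/winbox never on the internet-facing port
/ip neighbor discovery-settings set discover-interface-list=all-except-wan
/tool mac-server set allowed-interface-list=all-except-wan
/tool mac-server mac-winbox set allowed-interface-list=all-except-wan

# input chain: "block everything but a few exceptions"
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="ICMP from outside, as discussed"
add chain=input in-interface-list=!WAN src-address=192.168.88.0/24 action=accept \
    comment="management only from the LAN subnet on trusted interfaces"
add chain=input in-interface-list=WAN protocol=tcp dst-port=1194 action=accept \
    comment="the only port open on WAN: VPN (assumed OpenVPN on TCP/1194)"
add chain=input action=drop comment="everything else aimed at the router"
```

With the final drop rule in place, the per-list sbl-* input rules and the port-scanner detection add nothing for chain=input; whether the imported lists still earn their keep is then purely a question for chain=forward.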