Blacklist Filter (Development Topic)

Script is no longer functioning, no updates since last night.

Dave,

Have you considered using honeypots external to your network as a source of offending IPs?
I use RAW drop rules like these as the first frontier, and there are always some IPs on the attacker list.

/ip firewall raw
add action=add-src-to-address-list address-list=RAWATTACK2 address-list-timeout=127m chain=prerouting comment=RAW2ADD in-interface-list=WAN_LIST log-prefix="RAW2ADD: " src-address-list=RAWATTACK
add action=drop chain=prerouting comment=RAW2 in-interface-list=WAN_LIST log-prefix="RAW2: " src-address-list=RAWATTACK2
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=37m chain=prerouting comment=RAW1ADD dst-port=8291,21,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=37m chain=prerouting comment=RAW1ADD dst-port=8291,21,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=udp
add action=drop chain=prerouting disabled=yes comment=RAW1 in-interface-list=WAN_LIST log-prefix="RAW1: " src-address-list=RAWATTACK

I’m not quite sure I follow what you are saying. I’m always open to more sources. The new system is very modular. So importing another source is as simple as coding an import module for it.

It’s running right now.
As stated above, it’s still very pre-alpha, so I can’t promise that it stays running while I’m making large code changes.

Dave, maybe make a Google Forms entry where users (who plan to pay once you go live, which I realize may be a good while away) can submit their email address to you, easily and securely (easy for you to create/keep, I mean).
This way when you launch, you can send an email to all those who submitted, and you will have a decent amount of funding coming in at the start (vs. people forgetting about it or losing track of this thread).
Just an idea. Thanks.

Could it be possible to send to you lists of attacking IPs from my routers?

IntrusDave, thanks for your service.
Please advise how to change the timeout of the blacklist lifetime, for example to 7 days.

The lists are set for a max timeout of 24 hours. This is required so that false positives are not blocked for too long. The system is designed to be updated every 1~6 hours.
Once the system goes public, each user will be able to configure the timeout for each router.

Yes, I am working on that too. My plan is that the routers will add IPs to a dedicated address-list, and then a script will submit that list to the server, just as the honeypots do.

Here is a form to fill out for those that want to be notified


https://goo.gl/forms/UQMYqKJ54E0iV35l2

thanks for explanation, Dave

Just put the script on my home CCR1009 and am sooooo stoked to be using your service again. Just the peace of mind will be huge for me. Will move it into production on my work Tiks after testing a few days at home. EDIT: Also Dave, can you educate us on the Priority Levels 1, 2, 3 that are part of the service? What determines which IP address makes it into which priority, and how are they prioritized?

Dave, do you have an email address or a way to touch base offline? I am not sure why I can no longer send private messages on the forum anymore…

Currently, the priorities are pretty basic.
#1 is a short list of about 2000, consisting of just the most common botnet attacks. If I end up offering a free tier, this will be it.
#2 is a longer list of 30,000 to 40,000 IPs and subnets that includes #1, and also adds most of the more common crap out there.
#3 is the largest list of 120,000 to 150,000+ IPs and subnets; it includes #1 and #2, and includes all “known” spammers, as well as unassigned subnets, proxies, etc.

Thanks for the info. I have been running priority 3 on my 1009 for a couple days now. First time I have used RAW rules as well. Working like a champ!!! Your list is catching everything before anything hits my “blacklist” that I have built over time from things my router has personally seen. Super awesome. Keep up the good work! Once again THANK YOU Dave.

If anyone wants to help out more, I need more routers to report some stats to the server. This is part of the health monitoring and alerting system. If you paste the code into a terminal window, it will set up the script and start reporting.

/system scheduler
add interval=1m name=reportStatus on-event="/system script run reportStatus" policy=read,write,policy,test start-time=startup
/system script
add name=reportStatus owner=djoyce policy=read,test source=":local pa\
\_\"\"; :local pb \"\"; :local pc \"\"; :local pd \"\"; :local pe \"\"; :local pf \"\"; :local postdata \"\";\r\
\n:set pa [:tostr [ /system routerboard get ]]; :set pb [:tostr [ /system license get ]];\r\
\n:set pc [:tostr [ /system resource get ]]; :set pd [:tostr [ /system health get ]];\r\
\n:set pe [:tostr [/system identity get ]]; :set postdata [:toarray \"\$pa;\$pb;\$pc;\$pd;\$pe\"];\r\
\n/tool fetch mode=https url=\"https://bl.mikrotikfilters.com/hwstats.php\" http-method=post http-data=\"data=\$postdata\
\" output=file dst-path=hwdata.txt;"

Here is a sample from my personal firewall on what it reports:


board-name=RB1100AHx4 Dude Edition;
current-firmware=6.43rc51;
factory-firmware=3.36.3;
firmware-type=al2;
model=RouterBOARD 1100Dx4;
routerboard=true;
serial-number=735B073F0D77;
upgrade-firmware=6.43rc51;
features=;
nlevel=6;
software-id=NYLS-9KPC;
architecture-name=arm;
board-name=RB1100AHx4 Dude Edition;
build-time=Aug\/01\/2018 09:43:29;
cpu=ARMv7;
cpu-count=4;
cpu-frequency=1400;
cpu-load=0;
factory-software=6.38.4;
free-hdd-space=98365440;
free-memory=1012338688;
platform=MikroTik;
total-hdd-space=134479872;
total-memory=1073741824;
uptime=10:00:11;
version=6.43rc51 (testing);
current=488;
power-consumption=115;
psu1-voltage=243;
psu2-voltage=242;
temperature=53;
voltage=236;
name=Home_Firewall;

Just put this onto my CHR home router. Had to fiddle with the script a little bit to make it work, though, which I expected I might need to.
Note: disk1 is not present, and I had to add a “?” after “fetch.php”:

/tool fetch mode=https dst-path=/blacklist/filters.rsc url="https://bl.mikrotikfilters.com/fetch.php\?priority=3";
/import file-name=blacklist/filters.rsc
/file remove blacklist/filters.rsc

In the rsc file there are 4 filter rules at the bottom which didn’t apply; I take it you need to add these in manually? Oddly, doing a copy & paste didn’t add them in, so I made these:

/ip firewall raw
add action=drop chain=prerouting comment="DROP intrusBL" src-address-list=intrusBL
add action=drop chain=prerouting comment="DROP intrusBL" dst-address-list=intrusBL

Have stuck the fetch and remove commands into a script (intrus-bl-updater) and added it to the scheduler, running once every 12 hours (a bit longer than suggested, I know).

Added the system reporter as well. It was set to report every minute, though, so I have altered that slightly to 12-hour intervals.

Amazing work Dave!

Hi Dave,

In the first list, the first address is 255.255.255.255. Is that right?

Thanks,
Geo

Running on my home router. Do you really want it reporting every minute?

The reporting and monitoring service reports every minute. The client side can change that, depending on the type of response time they want.

Yes. Once the system is complete, you will be able to whitelist if needed. I filter 255.255.255.255 because I’m on a cable network and I see a crap-load of broadcast trash.

I see everybody here is amazed at how great a service it is, but has anybody thought about the security risks of such a service?
Importing a third-party script into your router without any validation?

I wonder why this list is not provided as a plain list of IPs, letting everybody implement a custom script that parses and validates the input.
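One way to act on that last point, as an added example that is not from the thread or the IntrusDave service: a Python validator that accepts a plain one-address-per-line feed (format assumed) and emits only address-list entries, rejecting anything that is not a bare IPv4 host or CIDR, so no command carried in a feed can ever reach the router. The list name intrusBL is taken from the rules above, and the 1d timeout matches the 24-hour maximum Dave mentions.

```python
import ipaddress
import re

# Constructed sample feed (one IPv4 host or CIDR per line, '#' comments); the
# last three lines show what a validating parser must reject, not guess at.
SAMPLE_FEED = """\
# constructed blacklist feed
203.0.113.7
198.51.100.0/24
255.255.255.255
10.0.0.5
not-an-ip
192.0.2.1; :log info injected
"""
# Whole line must be a single dotted quad with an optional prefix length.
_LINE_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
# Space a third-party feed must never be allowed to block (RFC 1918 + loopback).
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_feed(text, allow_internal=False):
    """Return (accepted_networks, rejected_lines); only exact IPv4 hosts or
    networks are accepted, so a tampered feed can only yield list entries."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            if not _LINE_RE.match(line):
                raise ValueError(line)
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if not allow_internal and any(net.overlaps(p) for p in _NEVER_BLOCK):
            rejected.append(line)  # catches 10/8 as well as a bogus 0.0.0.0/0
            continue
        accepted.append(net)
    return accepted, rejected

def to_address_list(networks, list_name="intrusBL", timeout="1d"):
    """Render validated networks as RouterOS address-list commands (hosts without /32)."""
    lines = ["/ip firewall address-list"]
    for net in networks:
        addr = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f'add list={list_name} address={addr} timeout={timeout} comment="feed"')
    return "\n".join(lines)
```

The rendered output is plain `add` lines, so it can be pushed over SSH or written to an .rsc for `/import` with the knowledge that nothing but address-list entries is in it.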